
Since its listing on the Stock Exchange, Poste Italiane has gradually consolidated, within the Internal Control and Risk Management System (SCIGR), a model of risk governance based on the Enterprise Risk Management (ERM) framework, in line with the Corporate Governance Code for Listed Companies and international best practice.

In the development and continual improvement of this model, which is still ongoing, the Company examined all areas - financial, insurance and business - with the aim of achieving an organic overall vision of the Group, harmonizing risk management tools and methods and reinforcing its awareness that understanding and measuring risk and identifying sustainable actions to contain it, in the various forms in which it may arise in a complex and variegated organization such as Poste Italiane, is one of the priorities which can significantly impact the achievement of its strategic targets.

Among the organizational measures required for the effective surveillance and handling of corporate risks, Poste Italiane Group has begun a process to integrate all structures performing the same functions in different companies/corporate departments, with the aim of achieving tighter governance and more efficient procedures.

In the Corporate Affairs department specifically, Poste Italiane has recently set up the Group Risk Management unit, charged with the following tasks:
  • establish a structured and integrated process to identify, evaluate and monitor risks in conjunction with the other SCIGR actors;
  • guarantee harmonized and integrated models and data flows between specialist second level control units, group companies and supervisory bodies through the implementation of an integrated platform across departments to manage and monitor risk at Group level;
  • oversee reporting to the Corporate Bodies with the aim of strengthening the SCIGR;
  • foster the diffusion of a risk management culture at every corporate level to systematically manage the organization's biggest risks and identify potential opportunities.

The Risk Management process of Poste Italiane Group features the following stages:

The Group’s Risk Governance unit supports the top management in effectively implementing Group-wide Enterprise Risk Management, covering all areas/types of risk, primarily identified according to a process-based rationale.
Poste Italiane group risks can be grouped into the following macro categories:
  • strategic risks: risks capable of affecting the achievement of the Strategic Plan objectives; they are identified and classified with the involvement of the Management, describing the key characteristics, triggering causes and possible consequences or effects, whether economic (i.e. losses, higher costs and / or lower revenues) or of any other kind (i.e. customer satisfaction);
  • reputational risks: risks originating from a negative perception by the Group's stakeholders, to counter which the adopted framework provides for analysis and management actions (stakeholder engagement) for evaluating the sources of risk. With the support of the Group Risks Government unit, the corporate functions responsible for analysing perception by stakeholders (Reputational Impact Specialist) detect and prioritize the reputational issues within their remit; these topics are the basis for the identification - by the company departments that directly manage them (Risk Owner) - of the risks with reputational impact, which are then assessed by taking into account the reputational metrics, for which appropriate strategies and treatment actions are identified. Within the analysis of reputational risks, ESG risks are also considered.
    The Group commits to respecting and actively promoting and disseminating the principles on human rights established by the regulations and standards issued by international organizations, which include: the Universal Declaration of Human Rights, the United Nations Conventions on the Rights of Women, the Declaration on Fundamental Principles and Rights at Work of the International Labour Organization, the United Nations Guiding Principles on Business and Human Rights and the United Nations Global Compact. In this regard, both in carrying out its activities and in relations with its partners, Poste Italiane undertakes to guarantee respect for human rights, paying particular attention to individuals potentially at risk such as minors, migrants, local communities, native populations, customers and other vulnerable subjects such as disabled people and victims of violence. In line with the sustainability strategy, the Group requires a commitment from suppliers and partners, who are required to accept the Code of Ethics and the General Principles of the Group Policy for the protection of human rights.
    Furthermore, the Company established a management system that aims to ensure that its suppliers and partners comply with these principles. Specifically, the Group's risk management model requires them to be evaluated by considering factors such as governance, reputation, the type of business activity carried out and the geographical areas of operation. The Group's risk management model establishes, through specific risk assessment procedures, the identification of Company activities and organizational areas in which potential human rights violations could occur. The identified risks are assessed and reviewed periodically (at least annually) in terms of impact and probability based on specific defined metrics; the adequacy of the mitigation and remediation measures adopted in relation to these risks is also evaluated. The model also provides for controls to be carried out in the areas identified at greater risk within the Group and externally by suppliers and partners and the possible definition of prevention and mitigation plans. The concreteness and effectiveness of the approach used is demonstrated, for example, by the supplier qualification system adopted by the Company which considers specific social criteria for the evaluation of suppliers, with specific reference to human rights.
    Within the risk assessment processes conducted in 2019, no current or potential human rights issues were identified. Furthermore, as a result of the effective control system adopted, no vulnerable groups were identified, and it was therefore not necessary to define corresponding mitigation plans or implement remediation actions;
  • financial and insurance risks: these include market risks (price risk, currency risk, interest rate risk and spread risk), credit risk, liquidity risk and technical risks arising out of the operating environment of the insurance sector; the relevant risk management processes are specifically regulated and monitored by the competent Authorities (Banca d'Italia and IVASS) and overseen by the respective Risk Management systems coordinated by the single representative in the Group’s Risk Governance unit;
  • operational risks: risks of loss from inadequate or failed internal processes, from Group-wide human resources and internal systems, or from external events; this category includes, among others, losses from fraud, OHS risks and IT security risks, as well as cyber risks and legal risks;
  • non-compliance risks: risks arising out of breaches of existing regulations, such as Legislative Decree 231/01, Law 262/05, the privacy and market abuse regulations, or any other future rules and/or regulations applicable to the business sectors in which Poste Italiane Group operates.

Poste Italiane SpA’s financial transactions primarily relate to BancoPosta’s operations, asset financing and liquidity investment, and Poste Vita SpA’s operations, investments designed to cover contractual obligations to policyholders on traditional life policies and index-linked and unit-linked policies.
The main market risk factors are: i) interest rate risk, the risk that the value of a financial instrument fluctuates as a result of movements in market interest rates, and ii) spread risk, the risk of a potential fall in the value of bonds held, following a deterioration in the creditworthiness of issuers.
Insurance risks derive from the stipulation of insurance contracts and the terms and conditions contained therein (technical bases adopted, premium calculation, terms and conditions of cash surrender, etc.). In technical terms, the main risk factors for Poste Vita SpA are mortality, i.e. any risk associated with the uncertainty of a policyholder’s life expectancy, and lapse.
A more detailed description and analysis of the relevant financial and insurance risks is contained in Poste Italiane’s Annual Report for the year ended on 31 December 2017.

Operational risks are managed by both the dedicated systems within the Group (Risk Management BancoPosta and Risk Management Poste Vita), in accordance with the regulations by the competent Supervisory Authorities, and in an integrated manner by the Group-wide Risk Governance unit.
In particular, BancoPosta RFC, Poste Vita and Poste Assicura have each formalised a methodological and organisational framework to identify, measure and manage the operating risk related to their products/processes. The framework, which is based on an integrated (qualitative and quantitative) measurement model, makes it possible to monitor and manage risk on an increasingly informed basis.

At Group level, the following risks, among others, are attentively monitored: i) IT risks, in particular, any risks arising out of the malfunctioning and/or security shortcomings of the IT systems that could result in the loss of information integrity, privacy and confidentiality; ii) OHS risks, particularly as a result of accidents to employees or contractors engaged in operational activities in the workplace (e.g. receiving, handling and sorting parcels and mail, or delivering mail by motorcycle or motor vehicle); iii) physical safety risks, in particular when accessing Group company premises, post offices, or restricted-access premises by persons not adequately authorized / identified, or as a result of the limited protection of Poste Italiane assets / property against predatory behaviour (burglary, theft, attacks on ATMs, acts of vandalism, etc.).

The Group Risk Management process enables the identification of various kinds of risks and their classification, based on their ultimate probability/impact within a matrix (Heat Map), for obtaining an overview of the risks to be monitored and prioritized.

The Group has also implemented an integrated Governance, Risk and Compliance (GRC) platform for surveying and filing all risks and displaying the collected data to each player in the process, consistently with the relevant profiling. The system also supports the GRG function and other players in respect of integrated risk reporting.