Within a context characterised by operational and regulatory complexity and the need to compete in an increasingly efficient manner in its reference markets, risk management and the related control systems assume a central role in decision-making processes and in the process of creating value.
In order to promote and keep an adequate Internal Control and Risk Management System (SCIGR), Poste Italiane uses organisational, training and normative instruments which allow the main Group risks to be identified, measured, managed and monitored.
This system represents a fundamental element of Poste Italiane's Corporate Governance, as it allows the Board of Directors to pursue the priority objective of creating value in the medium/long term, also defining the nature and level of risk compatible with corporate objectives.
For this reason Poste Italiane undertook to adopt an Internal Control and Risk Management System (SCIGR) that is integrated both internally and externally. Internally, its components must be coordinated and interdependent with each other; externally, the System as a whole must be integrated into the general organisational, administrative and accounting structure of the Company.
In addition to the 231 Model and the related Guidelines (which shall be described in paragraph 2.2.3), the SCIGR is divided into various components and guidelines regulating its function:
- the “Internal Control and Risk Management System Guidelines” recently approved by the BoD and applicable to the whole Group were drawn up in order to integrally govern the Poste Italiane SCIGR consistently with normative requirements, the Self-Governance Code for listed companies and the supervisory provisions applicable to BancoPosta activities;
- the “Group Risk Management Guidelines” is the document defining the Risk Management process in the Poste Italiane Group and which was updated during 2017 with regard to the identification, assessment and risk monitoring process;
- the “Group Anti-money laundering Guidelines”, issued by Poste Italiane S.p.A. in January 2018 in relation to its role in steering and coordinating the Group, identify the principles of reference and define the roles and responsibilities for combating money laundering and the financing of terrorism;
- the “Corporate Normative System Guidelines”, approved in February 2018, have the objective of regulating the governance of the Corporate Normative System (principles of reference, architecture and lifecycle of document categories, roles and responsibilities of the various players involved) and the management process for such System, also in conformity with the reference norms of the Integrated Management System;
- the “Supplier Qualification Guidelines”, approved in March 2018, have the purpose of indicating the criteria and methods to be observed in the qualification procedure for economic operators to be invited to tender for works, supplies and service contracts concerning the strategic segments of the Poste Italiane Group, consistently with what is established by the “Supplier Qualification System”. That System was established, in accordance with the regulations in force, in order to equip the Poste Italiane Group with a Suppliers List that guarantees the indispensable levels of functionality and quality of procurement, adopting certain and transparent selection criteria in purchasing procedures. Furthermore, the Suppliers List function was separated from the Purchasing function, the former being merged into the Group Risk Governance function.
Based on the international standard “Enterprise Risk Management – Integrating with Strategy and Performance”, Poste Italiane S.p.A. chose to focus on the following factors enabling the integration and rationalisation of its Internal Control and Risk Management System:
- the definition of a model which relates the various components of the Internal Control and Risk Management System to each other, enabling opportunities to improve the comprehensive coverage of such risks, the simplification and operational efficiency and the quality of risk information;
- the convergence of control functions by means of centralising control structures within the corporate functions (central steering, coordination, control and service structures) in order to ensure unified governance at Group level;
- the approach for processes, by means of implementing a reference framework that regulates behaviour and activities; such approach includes policies, guidelines and procedures defined within a pyramidal architecture involving the Board of Directors, the Managing Director, Management and all personnel in the Poste Italiane Group, realising, among other things, the integration of the Internal Control and Risk Management System in corporate processes.
The SCIGR is founded on the following principles:
- Autonomy of the BancoPosta Asset control system: in compliance with the Supervisory Provisions, the organisational and corporate governance structure of the BancoPosta Asset is based on the principle of organisational and managerial autonomy and on the internal control system.
- Consistency with corporate objectives: the SCIGR contributes to a method of running the company oriented towards sustainable development, maximising the value of the company and consistent with corporate objectives.
- Persons involved in the SCIGR must guarantee, each within their own competence, that activities and documents regarding the process can be traced, ensuring the identification and reconstruction of sources, information elements and controls carried out in support of the activities.
- Corporate autonomy of the subsidiaries: the corporate autonomy of subsidiaries is guaranteed as regards establishing and maintaining an adequate and functional SCIGR, in observance of the steering and coordination guidelines defined by Poste Italiane.
- Knowledge and awareness: the SCIGR is a fundamental element in guaranteeing full awareness for the effective supervision of risks and their interrelations, and also in directing changes in strategy and in the organisational context.
- Segregation of tasks and activities: the SCIGR envisages a segregation of tasks and responsibilities, among distinct organisational units or within them, so as to prevent incompatible activities from being concentrated under common responsibilities.
- The components of the SCIGR are coordinated and interdependent and, as a whole, the system is in turn integrated into the general organisational, administrative and accounting structure.
- Risk- and process-based approach: according to a process-based logic, the SCIGR is based on a risk prevention approach and contributes to taking informed decisions and, where possible, translating the main risks into opportunities.
- Management empowerment (accountability): in relation to the functions covered and in pursuit of the related objectives, Management guarantees the adequacy of the SCIGR for the activities within its competence, actively participating in its correct operation.
- Conformity to law and compliance with the internal reference framework: the SCIGR is defined in observance of applicable regulations and the Self-Governance Code, and consistently with the internal reference framework and national and international best practices.
- Risk and control culture: the SCIGR circulates the culture of risk and control, meant as the set of norms of conduct that give groups and individuals the ability to identify, measure and mitigate the organisation's current and future risks.
- Communication and information: each corporate body and structure has the information required to fulfil its responsibilities, including those regarding the SCIGR.
In line with the regulations and best practices of reference, the SCIGR is divided into three levels of control and involves several players who are present within the corporate organisation:
| Level of control | Role |
|---|---|
| 1st level of control | Identifies, assesses, manages and monitors the risks within its competence, in relation to which it identifies and implements specific treatment actions aimed at ensuring the correct performance |
| 2nd level of control | Monitors corporate risks, proposes guidelines on the related control systems and assesses their adequacy in order to ensure the efficiency of operations, adequate risk control, prudent running of the business, reliability of information and conformity with laws, regulations and internal procedures. The functions assigned to such controls are autonomous, independent and separate from the operational functions. |
| 3rd level of control (Internal Audit Functions) | Provides independent assurance regarding the adequacy and effective operation of the first and second levels of control and of the SCIGR in general. Its purpose is to assess the completeness, adequacy, functionality and reliability, in terms of efficiency and efficacy, of the internal control system, as well as to identify violations of the procedures and norms applicable to Poste Italiane. |
Bodies and functions supervising aspects of sustainability
The Corporate Governance system requires that the Board of Directors be assisted by the Control, Risks and Sustainability Committee, which is assigned investigative, propositional and advisory functions regarding assessments and decisions concerning aspects of sustainability.
Furthermore, at managerial level within the Corporate Affairs function there are various structures which safeguard specific social and environmental issues. In particular, the Group Risk Governance function, by means of specific tasks and functions:
- Supports the Top Management in the effective implementation of the Risk Management process at Group level, with reference to all types of risk;
- Ensures the activities related to implementing and operating the management systems and the corporate document system for quality, the environment, safety at the workplace and the protection of health, information security, anti-corruption and energy management;
- Manages the supplier qualification process for the Group;
- In collaboration with the functions involved, defines the Corporate Social Responsibility guidelines and objectives for the Group, identifying the set of indicators for monitoring sustainability performance, in line with best practices and international guidelines, and oversees relations with ethical rating agencies and with stakeholders;
- Guarantees the protection of corporate reliability by verifying the effective compliance of operational and commercial processes with the service levels declared in the quality and performance indicators;
- Ensures the protection of security activities at Group level by identifying and carrying out initiatives aimed at assuring adequate levels of security;
- Manages the definition and circulation of physical security policies and standards for the Group, verifying their correct implementation and supporting corporate functions in the definition of adequate remediation plans;
- Ensures, at Group level, steering, coordination and control activities concerning health and safety at the workplace and the environment, managing the design, implementation and circulation of the Management Systems for Safety at the Workplace and Environmental Protection, in line with the regulatory framework in force;
- Guarantees, through the coordination of the Corporate Protection Territorial Areas, the correct management of activities concerning physical security, hygiene and safety at the workplace at territorial level;
- Ensures steering and coordination activities with regard to information security;
- Manages the coordination of corporate activities relating to Cyber Security and the fight against cyber crime;
- Identifies, assesses and monitors the Group’s reputational risks from an integrated viewpoint by means of coordinating;
- Uses instruments and models for assessing and managing reputational risks consistently at Group level;
- Ensures integrated reporting on the Group’s reputational risks to the Top Management and corporate Bodies;
- Promotes the circulation of a corporate culture more oriented towards managing reputational risks.
The Code of Ethics – approved by the Board of Directors of Poste Italiane S.p.A. in November 2003 and updated in September 2009 – is applicable to the entire Group and is aimed not only at its directors and employees but also at those working, on a full-time or part-time basis, on its behalf.
Having the objective of integrating the codes of conduct adopted over time, during 2017 Poste Italiane began its review of the Code of Ethics, with a view to actualising and expanding the principles and rules of conduct to be followed in relations with all the stakeholders with which the Company holds relations, specifically referring to relations with suppliers, partners, the market and the Shareholders. Such review led to the approval of a new Group Code of Ethics by the Board of Directors of Poste Italiane S.p.A. in April 2018.
The Company sought to define, with greater emphasis, the fundamental principles inspiring the culture and behaviour of the directors, control bodies, management, employees and those working, on a full-time or part-time basis, in pursuit of the objectives of the Poste Italiane Group. Moreover, general criteria of conduct were affirmed which the Company acknowledges and implements when performing its activities and in its relations with stakeholders, giving prominence to specific provisions regarding conflict of interest, anti-corruption, anti-money laundering and anti-terrorism, as well as the protection of health, safety, the environment and privacy.
The Code defines principles and rules of conduct such as legality, impartiality and fairness, respect for and enhancement of people, transparency and completeness, confidentiality, diligence and professionalism. It requires the recipients of the Code to abstain from activities, even occasional ones, which could generate conflicts with the interests of the Group or which could interfere with the ability to take decisions consistent with corporate objectives. Furthermore, the Company intends to promote the circulation of ethical principles and social responsibility among the parties in the Group’s value chain.
Such principles are further consolidated with the adoption of the Organisational Model, drawn up pursuant to Legislative Decree 231/2001, which represents a central instrument for defining the organisational and managerial regulations favouring the observance of the main values of social responsibility in Poste Italiane. The Company also undertakes to circulate the Code of Ethics to all recipients so that they observe its contents and to prepare every possible instrument favouring a full application thereof.
Violation of the Code of Ethics undermines the relationship of trust established with Poste Italiane and can lead to legal action as well as the adoption of measures against the recipients, according to legal provisions and the applicable contractual regimes.
Consequently, aware of the importance of having an up-to-date internal control system capable of preventing unlawful conduct by its directors, employees and commercial partners, in 2003 Poste Italiane adopted its own Organisational, Management and Control Model (hereinafter also “Model” or “Model 231”) in conformity with Legislative Decree 231/2001. The purpose of the Model is to build a structured and organic system of guiding principles, operational procedures and other specific measures based on the criteria of sound corporate management and aimed, among other things, at preventing crimes from being committed by representatives of the Company, whether members of top management or persons subject to their direction.
Through the adoption of the 231 Model, the Company pursues the following objectives:
- Prohibit conduct that could constitute an offence under the Decree, with particular emphasis on preventing the crime of corruption;
- Circulate awareness that violation of Model 231 and of the principles of the Code of Ethics can give rise to the application of pecuniary and/or injunctive sanctions, including against the Company;
- Circulate a corporate culture based on lawfulness;
- Give evidence of the existence of an effective organisational structure consistent with the adopted operational model, with particular regard to the clear attribution of powers, the formation of decisions and their transparency and motivation, preventive and subsequent controls over actions and activities, and the truthfulness of internal and external disclosure;
- Allow the Company, thanks to a system of control measures and constant monitoring of the correct implementation of that system, to promptly prevent and/or counter the relevant offences pursuant to Decree 231.
Since 2003 Poste Italiane has periodically updated its Model 231 to supplement its contents with various legislative interventions that have introduced new categories of predicate offences, receiving normative updates on the matter of criminal liability of entities and acknowledging the evolution of best practices and reference Guidelines.
In January 2018, taking into account regulatory developments [5] and organisational changes [6], and mapping areas of risk directly onto organisational responsibilities, Poste Italiane updated its Model 231.
Following the 231 Model update, Poste Italiane shall proceed, in compliance with such Model, with the design and the realisation of a new training path specifically dedicated to corporate management, in the context of awareness and update on the matters of Legislative Decree 231/2001, as well as an effective implementation of the Model in the corporate context, also through greater awareness of the roles and responsibilities aimed at correctly supervising the connected risks.
Specific training on the Model, tailored to Poste Italiane employees, is considered an important element for Model 231 to be efficiently incorporated into the Company. The aim of the training course is to inform staff about the implementation of the Model and its circulation within the corporate context, differentiating the course according to the various activities “at risk” carried out by staff. Furthermore, for the benefit of Company employees, specific training – which explores in greater depth the sensitive elements set out in the Poste Italiane Model 231 – is given on a continuous basis, also via e-learning.
The Group appointed a Supervisory Body, formed of two members external to the Company and one internal member, with the task of monitoring observance of the prescriptions of the Organisational Model, verifying their actual efficacy and assessing the need for any updates. The Supervisory Body's term of office is three years, until May 2019. The Supervisory Body reports on the activities within its competence to the Board of Directors, the Managing Director and the Control, Risks and Sustainability Committee.
[5] Such as the acknowledgement of the 231 predicate crime of “Unlawful intermediation and labour exploitation”, introduced by Law no. 199 of 29 October 2016; of Legislative Decree no. 38 of 15 March 2017 on combating corruption in the private sector, under “Crimes of corruption, also amongst private parties, and other crimes in relation to the Public Administration”; of EU Regulation no. 596/2014 of the European Parliament and of the Council of 16 April 2014, under “Market Abuse” offences; and of Law no. 167/2017, under “Crimes of racism and xenophobia”.
[6] Such as, for example, the acknowledgement of the organisational role attributed to the Group Risk Governance function within Corporate Affairs, and the review of the role of Technical Secretary of the Supervisory Body.
As regards the procedure for reporting violations of the Model, in line with the provisions of the Decree establishing information obligations towards the Supervisory Body, the Company established that such reports, delivered in writing and anonymously, can be submitted both by traditional mail and via email.
The adoption of similar Models is also promoted at Group level. Indeed, Poste Italiane encourages the adoption and implementation of organisational models by all subsidiary Companies and, to this end, requires that each one identifies its sensitive activities as well as the specific control measures to be adopted in view of the particular nature of its corporate reality. In this regard, it is important to emphasise that, in exercising its autonomy, each Subsidiary is directly responsible for the adoption and implementation of its own Model 231.
Following the implementation of the Poste Italiane S.p.A. Model, the subsidiaries assess, after analysing their organisational structure and corporate operations, the activities at risk in relation to their own characteristics. In the same way, each subsidiary, in the context of its internal regulations, assesses any need to integrate the values and principles set out in the Group codes of conduct indicated by Poste Italiane, in light of its operational peculiarities and specific exposure to the risk of crimes. Lastly, in adopting its own Model, each Subsidiary appoints an autonomous and independent Supervisory Body, which is exclusively responsible, for the Company concerned, for controlling the performance of those activities and the operation and observance of the Model to which it refers. In this context, the Company issued Guidelines identifying the general reference requirements with which Group Companies comply when adopting and updating their own Models 231, considering the specific operations and organisation of each undertaking. Indeed, the Company’s intention is that the Model 231 of each Subsidiary, which is responsible for its adoption and implementation, constitutes an adequate measure for the correct performance of the entity’s activities.
- Analysis and assessment of fraud risk;
- Direct collaboration with the Law Enforcement Agencies (Forze dell’ordine - FF.OO.), Judicial Police (Polizia Giudiziaria - P.G.) and Judicial Authority (Autorità Giudiziaria - A.G.);
- Support to other corporate functions such as business and anti-money laundering;
- Digital Forensics investigations for IT events;
- Implementation of project initiatives aimed at guaranteeing improved levels of security and monitoring of prevention, mitigation and fraud-combating activities;
- Detection, monitoring and combating of fraudulent attacks on digital service customers and on the physical channel;
- Monitoring and blocking of suspicious/fraudulent transactions;
- Reporting aimed at monitoring performance levels and fraud trends;
- Specialist anti-fraud support for analysing and defining security requirements with respect to new products and services.
Concerning the management of investigations into fraudulent events, both internal and external, a total of 920 assignments were managed during 2017, which led to identifying 951 separate internal responsibilities, thus providing the conditions for the recovery (Attributed Damage) of a total amount of 9,236,019 Euros (about 77% of the total damage found due to fraud, a slight decrease compared to the previous year).
Compared to 2016, despite an increase in the number of managed assignments, a decrease in the economic damage found due to fraud (Ascertained Damage) was recorded, amounting to a total of 11,947,494 Euros, about 15% less than the 14,090,581 Euros found in the previous year. Of this, an amount of 9,236,019 Euros could be attributed to identified responsibilities. Prevention and transaction monitoring activities allowed attempted fraud to be foiled for a prudentially estimated total of 26,611,300 Euros, of which:
- about 1.9 million Euros on secured services (equal to 52% of the recorded damage);
- about 7.5 million Euros on suspicious reports found during the customer identity assessment phase;
- about 17.1 million Euros on the preventive block of compromised accounts.
Reports can be received by email or traditional mail and may concern, for example: conflicts of interest; violation of the principles of impartiality, transparency, correctness and professionalism; violations related to the protection of workers; improper use of corporate assets; unlawful and/or fraudulent activities to the detriment of customers or of corporate assets in general; behaviour by employees inconsistent with ethical and professional duties; violations of the regulations governing banking and financial activities related to the BancoPosta Assets. Any reports of suspected cases of corruption are included.
The Poste Italiane internal system for reporting violations ensures that all appropriate analyses are performed on the reported facts, by means of audits carried out by the “Internal Control” function, fraud management appraisals conducted by the “Corporate Protection” function in cases of presumed offences, or a request for further managerial examination addressed to the competent functions. In particular, the report management process is overseen by the “Report Assessment Committee” (the “Committee” or “CVS”), coordinated by the “Internal Control” function and formed of representatives of the following functions: “Human Resources”, “External Relations and Services”, “Legal and Corporate Affairs”, “Internal Control” and “BancoPosta Internal Review” (an on-call member intervening only in cases concerning the Balance Sheet assets of BancoPosta, as provided for by the related Regulation).
Whistleblowing principles in Poste Italiane
The internal violation reporting system adopted by Poste Italiane S.p.A. is based on the following general principles:
- Guarantee of confidentiality of personal data and protection of the reporting party. All parties receiving, examining and assessing reports, the internal reporting system manager and every other subject involved in the report management process are bound to guarantee the highest confidentiality regarding the reported facts, the identity of the reported party and the whistle-blower, who in any case must be protected from retaliatory, discriminatory or otherwise unfair conduct;
- Protection of the reported subject from reports made in bad faith. All employees of Poste Italiane S.p.A. are bound to respect the dignity, integrity and reputation of each person. To this end, the reporting subject is strictly required to declare any private interest linked to the report. More generally, Poste Italiane S.p.A. guarantees adequate protection from reports made in bad faith, condemning such conduct and giving notice that reports sent with the purpose of causing damage or otherwise bringing prejudice, as well as any other form of abuse of this document, give rise to liability in disciplinary and other competent proceedings;
- Impartiality, autonomy and independence of judgement. All subjects receiving, examining and assessing the reports meet moral and professional requirements and ensure that the required conditions of independence are maintained, together with due objectivity, competence and diligence in performing their activities;
- Coordination between the activities of the Report Assessment Committee and the Supervisory Body. Without prejudice to the autonomous action and independent judgement of the Supervisory Body pursuant to Legislative Decree 231/2001, the Internal Control function ensures coordination between the activities performed by the Report Assessment Committee and those carried out by the Supervisory Body.