- The Board of Directors:
- defines the internal control and risk management system guidelines in accordance with the strategies and risk appetite. In this way, it ensures that the main risks are properly identified, measured, managed and monitored, even as they evolve over time;
- conducts assessments and takes decisions on the internal control and risk management system; appoints the heads of the control functions, approves their action plans and receives periodic reporting from them;
- approves the group’s risk appetite framework (RAF) each year, in line with the timing of the budget process and the preparation of the strategic plan to ensure that the business develops within the boundaries of the desired risk appetite.
- The Risk Committee performs advisory and consultation functions for the Board of Directors concerning risks and the internal control system.
- The Board of Statutory Auditors monitors the risk management and control system, based on the risks identified in the RAF, and the internal control system, assessing the effectiveness of all departments and functions involved and coordinating them.
Senior management is responsible for the adequacy of the internal control and risk management system: the senior managers prepare measures to ensure and continuously maintain an effective and efficient internal control system by understanding all business risks and their interdependency as part of an integrated management model.
Steering committees, each with a specific focus, have been established for risk management.
The main corporate functions involved in the internal control and risk management system are Group Audit, Compliance and Group Anti-Money Laundering and Group Risk Management, in addition to the heads of the operating units.
Group Audit carries out its activities on behalf of all Mediobanca group companies. Its mission is to oversee the regular performance of operations and the evolution of business risks, assess the completeness, adequacy, functionality and reliability of the organizational structure and other components of the internal control system and advise the group’s functions.
The internal audit activities have been centralized to strengthen the parent company’s coordination of the internal control system and improve the efficiency of the entire third-line control structure by:
- making Group Audit responsible for coordinating and directly supervising the subsidiaries;
- defining a banking group audit plan to submit for the approval of Mediobanca’s Board of Directors and then for the approval of the boards of the individual companies insofar as they are concerned;
- sharing specialized expertise (e.g., IT audit and quantitative aspects), testing methodologies and reporting standards with the corporate bodies and senior management.
Group Audit operates independently and has direct access to all useful information and the means needed to perform its duties.
Group Audit’s duties
Group Audit’s duties include:
- verifying, among other things:
- the regularity of the various business activities and the evolution of risks at the central offices and branches;
- compliance with the regulations applicable to the business at all company levels;
- compliance, in the various operating segments, with the limits established by the mechanisms for delegating duties and the full and correct use of the information available in the various activities;
- the effectiveness of the risk control function’s powers to provide advance opinions on whether the most significant transactions are consistent with the RAF;
- the adequacy and correct functioning of processes and methodologies for the assessment of company activities;
- the adequacy, overall reliability and security of the information system;
- the removal of the irregularities detected in operations and in the functioning of controls (follow-ups);
- ascertaining that the conduct of the group companies is consistent the parent company’s guidelines;
- conducting assessments, including on specific irregularities, if requested by the corporate bodies and/or senior management;
- regularly informing management of the activities performed and the results by sending specific reports;
- preparing periodic summary reports for the corporate bodies describing the main results of the tests, recommendations and any corrective action taken.
The head of Group Audit participates in the Risk Committee’s meetings, supporting it with respect to internal control system aspects. Each year, in a joint session with Board of Statutory Auditors, and the Board of Directors, Group Audit presents the Risk Committee with a report on the activities performed and an update on the resolution of critical areas. It also submits quarterly reports to immediately alert the Risk Committee to any critical areas.
The audit action plan, which is prepared in compliance with the Group Audit regulation, is carried out in accordance with the Audit Plan that the Board of Directors approves each year.
Giorgio Paleari is the head of Group Audit, reporting to the Board of Directors.
The Compliance function oversees the group’s regulatory and reputational risks, specifically verifying that the internal procedures are consistent with the goal of preventing violations of the laws and regulations applicable to the bank and the group.
For the bank, Compliance proposes and monitors the adoption of procedures to control compliance risks in the provision of banking and investment services and activities subject to MiFID and insurance brokerage, providing updates on changes in the Italian and European legislative and regulatory framework.
Compliance oversees the group’s compliance risks with the support of the subsidiaries’ managers and officers.
The Compliance function’s duties
In particular, Compliance is responsible for the following:
- checking and safeguarding the compliance of the bank’s and the group’s operations with legal and regulatory requirements, with specific regard to banking, investment service and market abuse regulations, and handling operational relationships with the authorities;
- implementing the necessary safeguards and tools for effective risk control in connection with the management of conflicts of interest;
- operational duties, proposing organizational and procedural changes to ensure adequate safeguards for compliance risks, preparing direct reports to the company bodies and departments involved;
- assisting the bank’s departments and the group companies with operational difficulties, which may entail drafting clarification memos or notes on material regulatory aspects, ensuring a continuous, up-to-date flow of information on the national and international legislative and regulatory framework;
- reporting, preparing periodic reports to the company bodies on the activities performed and any and all breaches, reporting any new compliance risks and possible corrective action.
The head of Compliance participates in the Risk Committee’s, meetings, supporting it in its controls. Each year, it submits a report to the Risk Committee, the Board of Directors and the Board of Statutory Auditors, on the activities performed. It also submits condensed quarterly reports to immediately alert them to any critical areas. For the group, it handles relationships with the supervisory authorities in the areas for which it is concerned.
Group AML is part of Compliance and is responsible for continuously verifying, for the bank and the group, that the company procedures adequately prevent and contrast compliance risks with respect to anti-money laundering and anti-terrorism financing legislation.
In 2018, the Compliance functions of the group’s Italian companies were centralised within Mediobanca, while it oversees the compliance risks of the subsidiaries using their managers and officers, who functionally report to the head of Compliance.
Massimiliano Carnevali is the head of Compliance, reporting to the CEO. Compliance functionally reports to the Risk Committee.
Andrea Verger handles Group AML, reporting to the head of Compliance.
Group Risk Management (GRM) is responsible for identifying and initiating the risk management process and its application throughout the group. It oversees the functioning of the bank’s and the group’s risk control system, defining the appropriate measurement methods for current and potential risks.
GRM ensures constant control over the group’s overall and each unit’s exposure to credit, financial, liquidity, operational and other material risks, in accordance with the limits of internal rules and supervisory regulations, with the support of the subsidiaries’ risk management departments, which, to this end, functionally report to the Group Chief Risk Officer.
The Group Chief Risk Officer is responsible for the risk management process through the development of risk management policies, which entail defining and quantifying the risk appetite, in addition to risk policies and limits at operating unit and group level.
Pierpaolo Montana is the Group Chief Risk Officer, reporting directly to the CEO. Group Risk Management functionally reports to the Risk Committee.
Operating unit heads
The operating unit heads are the risk owners and are responsible for ensuring the correct identification, assessment, management and monitoring of the risks related to their activities and for implementing adequate first-line controls.