The doValue Group has adopted an internal control and risk management system aimed at constantly monitoring the main risks associated with its activities, in order to guarantee sound and prudent business management consistent with the performance objectives and safeguarding of the company’s assets, in line with the reference standards and best practices.
These objectives are pursued through the adoption of a set of instruments, organisational structures, standards and company rules to support the process of identification, measurement, management and monitoring of company risks. The Group internal control organisational model structured by the Group ensure integration and coordination between the actors involved, in accordance with the principles of integration, proportionality and cost-effectiveness.
The primary responsibility for the completeness, adequacy, functionality and reliability of the processes lies with the governing bodies, and in particular with the Board of Directors, which is responsible for the strategic planning, management, evaluation and monitoring of the overall Internal Control System, with the support of the Risk, Related Party Transactions and Sustainability Committee. In this context Specifically, the Chief Executive Officer of doValue is the Director responsible for supervising the functionality of the internal control and risk management system, pursuant to the Code of Conduct of Borsa Italiana. It is instead the task of the Board of Statutory Auditors to ensure the completeness, adequacy and functionality of the system, ensuring the adequacy of the business departments involved, the correct execution of tasks and the adequate coordination of the same, also by promoting any corrective measures.
In line with reference best practices, the internal control system in place to monitor risks is organized in various levels:
- level one controls are aimed at ensuring the proper conduct of operations and are carried out by the company business departments which are called upon, in the context of day-to-day operations, to identify, measure, monitor and mitigate the risks arising from the company activities, in compliance with the risk management process and the applicable internal procedures;
- level two controls are aimed at ensuring the correct implementation of the risk management process to verify observance of the limits assigned to the various operating departments, to control the consistency of the operative level of the individual production areas with the risk-return objectives assigned, as well as guarantee the compliance of company operations with the rules, including those of self-regulation. The organisational structure of the Group Departments responsible for managing the main corporate risks is directly influenced by the structure of the business processes implemented in the different companies that comprise it, and by the nature and relevance of the risks associated therewith, as well as by the presence of specific regulatory requirements on risk governance.
- level three controls are aimed at periodically evaluating the completeness, functionality, adequacy and reliability in terms of the efficiency and effectiveness of the internal control system in relation to the nature and intensity of the risks of the company requirements, by also identifying any breaches of the organisational measures adopted by the Group. The Internal Audit Departments established at doValue and the main subsidiaries are assigned the direct management of internal audit activities, with a view to level three control, without prejudice to the competences and responsibilities of the respective corporate bodies.
As part of the international growth process that has affected the Group over the last two years, the overall structure of the Group’s system of internal controls and risk has experienced some changes aimed at maintaining its full effectiveness and alignment with the Group’s strategic objectives, as well as accompanying the Group itself in its path of progressive integration. The main actions carried out have therefore concerned the establishment of the following functions of the Group responsible for ensuring the transversal coordination of local control activities in the areas of its competence:
- Group Control Office, reporting hierarchically to the doValue Board of Directors. It is responsible for coordinating, for the areas of its competence, control activities aimed at ensuring a constant and independent evaluation of the overall system of internal controls and risk management, giving periodic information to the Corporate Bodies, as well as ensuring the adoption of homogeneous methodological approaches and operating models by the Group’s Internal Audit and Antimoney Laundering Departments in compliance with the requirements of independence and autonomy established by local regulations;
- Group Internal Audit, reporting hierarchically to the Chief Group Control Officer. It is responsible for defining a shared methodology for carrying out internal audit activities, identifying common tools for performing controls, structuring a common reporting system for the bodies and the management of the various Group components and ensuring its adoption by the various local Internal Audit Departments that functionally report to it;
- Group AML, reporting hierarchically to the Chief Group Control Officer. It is responsible for issuing Group guidelines and policies on the prevention of money laundering risk and for developing a common methodological approach to manage the same, as well as a common reporting for the Bodies and management of the different Group components, supervising its adoption by the various Anti-money Laundering Departments established at the local level that functionally report to it;
- Compliance & Global DPO, reporting hierarchically to the Group General Counsel. It is responsible for developing a uniform compliance framework at Group level with the aim of ensuring compliance with regulations within the relative scope (e.g., Market Abuse, Related Parties, Consob Regulations, Anti-corruption, Privacy) through the definition of common guidelines and policies, regulatory monitoring and the implementation of the necessary interventions to ensure compliance with applicable regulations, as well as the introduction of specific intra-group information flows. About data protection the Global DPO defines the Group’s organisational model and a common framework of controls, coordinates data protection activities, receives information flows from the local DPOs and, consequently, reports to the doValue Board of Directors;
- Enterprise Risk Management, reporting hierarchically to the General Manager Corporate Functions, has the task of coordinating the management of the strategic, operational, reputazional, legals and financial risks which the Group is exposed, using suitable methodological approaches, procedures and instruments and ensuring the appropriate information is provided to the Corporate Bodies;
- Group Administration & Internal Control for Financial Report, reporting hierarchically to the Group Finance Functions, inside which operates the structure Internal Control for Financial Report, responsible to support the Responsible Officer ex. L.262/2005 in carrying out its responsibilities in relation to the issuer and to all the companies of the Group included in the consolidation.
Within the Non-Financial Consolidated Statement each issue that has emerged as material for the doValue Group and its Stakeholders, are reported the risks associated, the related controls and management methods.
Click here: page 53 to 58 “Main risks linked to non-financial aspects”.
In addition to the risks associated with the material topics, the Group has identified, as anticipated in the previous section, the reputational risks which underlies business activities and is associated with the transverse risks derived from other types of risk discussed above. Reputational risk is therefore defined as risk “deriving” from other types of risk, or “level two”, as it is consequent to an event mainly due to operational risks, including those relating to computing and compliance. In particular, it can be associated with the drop in profits, or capital, resulting from a negative perception of the Intermediary image by customers, counterparties, shareholders, investors or Supervisory Authorities, cutting across all relevant subjects and all entities of the Group.