Internal control system and risk management

The internal control system comprises the rules, procedures and organisational structures that aim to guarantee compliance with corporate strategies, the effectiveness and efficiency of processes, and the conformity of transactions with the regulatory framework and corporate regulations.

The internal control system

The internal control system plays a key role in the organisation of Banca Ifis. It plays a fundamental role in monitoring corporate risks and favours the dissemination of a correct culture of risk, legality and corporate values.

It represents a key element of expertise for the corporate bodies in order to:

  • Guarantee full awareness of the situation and an effective monitoring of company risks and their interrelations;
  • Influence changes to strategic lines and company policies;
  • Consistently adapt the context of the organisation;
  • Oversee the functionality of the management systems and compliance with prudential supervisory institutions;
  • Encourage the dissemination of a correct culture of risk, legality and corporate values.

Banca Ifis, in compliance with the provisions of supervisory regulations and the rules on the investment services provided, pursues the following general principles of organisation:

  • The decision-making processes and the assignment of tasks to personnel are formalised and allow univocal identification of duties and responsibilities, and are suited to preventing any conflict of interest. Additionally, the necessary separation between operating and control functions is ensured;
  • The human resource management policies and procedures ensure that all personnel are equipped with the skills and expertise needed to perform the responsibilities assigned to them;
  • The risk management process is effectively integrated. Indeed:
    • There is a common language for risk management at all levels;
    • The methods and tools used for the detection and assessment of risks are mutually consistent;
    • Risk reporting models are defined in order to facilitate their understanding and correct assessment, also as part of an integrated logic;
    • Coordination sessions are held for each activity;
    • There is an ongoing exchange of information between the various functions on the results of their respective control activities;
    • The identified remedial actions are shared;
  • The processes and methods for evaluating corporate assets and liabilities, also for accounting purposes, are reliable and integrated with the risk management process. To this end: definition and validation of valuation methods are entrusted to different units; the valuation methods are robust, tested under stress and do not rely excessively on any single source of information; valuation of financial instruments is entrusted to an independent unit rather than the unit trading said instrument;
  • The operating and control procedures minimise the risks related to fraud or employee disloyalty, prevent, or where this is not possible, mitigate, potential conflicts of interest and, furthermore, prevent involvement, even unconsciously, in money laundering, usury or terrorism financing;
  • The IT system complies with the requirements of supervisory regulations currently in force;
  • The guaranteed levels of business continuity are suitable and comply with the requirements of supervisory regulations currently in force.

Role of the company’s bodies:

  • The Board of Directors approves the document of the “Group Guidelines on the Internal Control System”, last updated in February 2022. It verifies that the guidelines are consistent with the established strategic guidelines and risk appetite and that they can follow the evolution of business risks and the interaction between them. It also approves the Risk Appetite Framework and risk management policies;
  • The Risk Management and Internal Control Committee is responsible for supporting the Board of Directors in making assessments and decisions relating to the internal control and risk management system;
  • The Board of Statutory Auditors plays a fundamental role in supervising the adequacy and functionality of the internal control system;
  • The CEO is the director in charge of overseeing the functionality of the internal control and risk management system.

The correct functioning of the internal control system is based on successful interaction between corporate bodies, any committees formed within corporate bodies, external auditors and control functions.

In particular, the Risk Management and Internal Control Committee and the Board of Statutory Auditors interact frequently during their meetings, and, as needed, with the CEO, the Manager responsible for drafting accounting and corporate documents, the Auditing Firm, the Chief Risk Officer, the Head of Compliance and the Head of Anti-Money Laundering. They also systematically interact with the Head of Internal Audit who, usually, attends the meetings of both bodies.

All corporate activities are subject to controls, articulated in three levels:

  • Line controls (first level): business areas, owners of the various processes and activities;
  • Second level controls: Risk Management, Compliance and Anti-Money Laundering corporate functions;
  • Third level controls: Internal Audit.

The heads of the control organisational units liaise with each other, coordinating and collaborating, to avoid overlapping, to develop synergies and to optimise partnership.

Taxonomy of Risks

Banca Ifis has defined a Risk Taxonomy which describes the logic followed in identifying the current and/or potential risks to which the Group could be exposed in pursuing its strategies and achieving its business objectives.

This document is shared with the Internal Audit department and is approved, after sharing with the CEO and with the subsequent favourable opinion of the Risk Management and Internal Control Committee, by the Parent Company’s Board of Directors.

After receiving guidance from the Control Functions, the Financial Reporting Officer and the Organisational Office, the Chief Executive notifies the Parent Company’s Board of Directors of any requirements to update this document following regulatory, strategic and organisational changes.

Risk Management

Risk Management identifies the risks the Parent and the Group companies are exposed to and measures and monitors them on a regular basis through specific risk indicators, planning potential actions to mitigate material risks. The goal is to provide a unitary and comprehensive view of the risks the Group is exposed to, ensuring an adequate reporting to governance bodies.

The overall governance and risk management structure at Group level is governed by the Risk Appetite Framework.

In 2022, the Banca Ifis Group launched a project to integrate environmental factors into its corporate strategies, governance and control systems, risk management framework and disclosure system.

Among the activities already undertaken by Banca Ifis is the materiality assessment exercise, which is instrumental in identifying climate risk factors and the causal mechanisms by which these factors are transferred to traditional risks (transmission channels).

The findings of the materiality assessment exercise indicate an overall moderate exposure to climate and environmental risks. In line with project activities and supervisory expectations related to climate risks, it is planned to structurally integrate the above considerations, which are still at the study and analysis stage, related to quantifying the impacts of climate risks (transition and physical risks) into the credit risk assessment process.


The audit work performed by the Compliance function (systematic audits and inspections) is based on the plans approved by the Board of Directors and seeks to evaluate the effectiveness of the required, proposed or implemented organisational measures intended to manage the risk of non-compliance.

The audit findings are formally presented in reports shared with the relevant business structures, which must provide feedback on the remedial actions identified and the relevant implementation time line.

Anti-Money Laundering

The corporate Anti-Money Laundering function carries out systematic second-level controls in relation to the risk of money laundering and terrorist financing, aimed at verifying the correct application of procedures to operational processes.

Internal Audit

The audit work performed by the Internal Audit department concerns all processes and consists in regularly monitoring the application of all the Bank’s operational policies, procedures and practices to identify potential anomalies or violations of internal rules as well as evaluate the effectiveness of the internal control system as a whole.

Internal Audit operates on the schedule approved by the Board of Directors; in addition to this, it also performs unplanned audits as specifically necessary and/or required by the main corporate bodies or external supervisory bodies. The results of the audits are shared with the reference organisational unit and with the second-level audit functions and then sent to the Board of Statutory Auditors and the Control and Risks Committee.

In 2023, the Internal Audit function planned and launched, among others, a verification activity aimed at ensuring the adequacy of the Group’s privacy policy and its compliance with laws and regulations on the protection and management of personal data, in particular with regard to the Guarantor’s Provision No. 2 of 16/6/2004.

Credit risk

Given the particular business of the Group’s companies, credit risk is the most important element to consider as far as the general risks assumed by the Group are concerned. Maintaining an effective credit risk management is a strategic objective for the Banca Ifis Group, pursued by adopting integrated tools and processes that ensure proper credit risk management at all stages (preparation, lending, monitoring and management, and interventions on troubled loans).

Credit risk is continuously monitored with the help of procedures and tools that allow for the timely identification of positions that present particular anomalies. Over time, the Banca Ifis Group has implemented instruments and procedures that allow risks to be specifically evaluated and monitored for each type of customer and product.

The Banca Ifis Group pays particular attention to the concentration of credit risk with reference to all Group companies, at both individual and consolidated level. Banca Ifis’s Board of Directors has mandated the Top Management to take action to contain major risks. In line with the directives of the Board, those positions that are at risk and engage the Group to a considerable extent are subject to systematic monitoring.

Credit risk mitigation techniques

Credit risk mitigation techniques include those instruments that help limit the loss the Group would suffer should the counterparty default; specifically, these are the collateral and personal guarantees pledged by customers, and any agreements that could potentially reduce credit risk.

In general, as part of the credit granting and management process, for certain types of credit lines, customers are encouraged to provide suitable guarantees in order to reduce their risk. These may consist of collateral, such as liens on financial assets, mortgages on residential or non-residential property, and/or personal guarantees (usually sureties) provided by a third party, where an individual or legal entity takes responsibility for the customer’s obligations in the event of insolvency.

In particular:

  • as part of factoring operations, when the type and/or quality of factored receivables do not fully satisfy requirements or, more generally, the invoice seller is not sufficiently creditworthy, the bank’s established practice is to hedge the credit risk assumed by the Group by obtaining additional surety bonds from the shareholders or directors of the invoice seller. As regards the assigned debtors in factoring relationships, where it is believed that the evaluation elements available on the assigned debtor do not enable a correct evaluation/assumption of the credit risk connected to the debtor counterparty, or that the risk amount proposed exceeds limits identified when assessing the counterparty, the default risk of the assigned debtor is suitably hedged. Guarantees issued by correspondent factors and/or insurance policies underwritten with specialised operators are the main hedge against non-domestic account debtors in non-recourse operations;
  • in the area of loans to companies, where possible, suitable guarantees are acquired from the Central Guarantee Fund or from other companies within the public sphere such as SACE S.p.A.;
  • in regard to Structured Finance, collateral is acquired according to the counterparty’s standing as well as the term and type of the facility. Said collateral includes mortgage guarantees, liens on plant and equipment, pledges, surety bonds, credit insurance, and collateral deposits;
  • as for finance leases, the credit risk is mitigated by the leased asset. The lessor maintains the ownership until the purchase option is exercised, ensuring a higher recovery rate in the event the client defaults;
  • in relation to financial leases, it should be noted that the credit risk is mitigated by the presence of the leased asset. The Lessor maintains the ownership until the final purchase option becomes available, thus ensuring for itself a greater recovery rate in case of a default by the customer;
  • in relation to transactions involving non-performing loans and the purchase of tax receivables from insolvency proceedings, and the related business model, no actions are normally taken to hedge against credit risks;
  • salary-backed loans have a low-risk technical form, considering the characteristics of this product which necessarily requires insurance coverage against the risk of death and/or loss of employment and the constraint, as a greater guarantee of the loan, on the Severance Pay accrued by the customer;
  • the operation of financing to pharmacies involves an advance payment combined with a transfer or a mandate for the collection of receivables with the possibility of using the subsequent advances to reduce existing loans.

In line with the provisions of the Liquidity Decree (Italian Legislative Decree no. 23 of 8 April 2020), the Group took advantage of the guarantees offered by the state Guarantee Fund for the type of customers and loans provided for by the Decree, with coverage that can reach up to 100%. This guarantee allows for a reduction in RWAs relating to credit risk, in proportion to the amount of exposure covered by the Fund.

The acquired NPL portfolios include positions secured by mortgages on properties that present a lower risk than the overall acquired portfolio.

When calculating the overall credit limit for an individual customer and/or legal and economic group, the Bank considers specific criteria when weighing the different categories of risks and guarantees. Specifically, when measuring collateral, it applies prudential ‘spreads’ differentiated by type of guarantee.

The Group continuously checks the quality and adequacy of guarantees acquired on the loan portfolio, with second-level controls carried out by the Parent Company’s Risk Management function and performed in the Single File Review (SFR) area.

For further information, please refer to the 2023 consolidated reports and financial statements.

Market risk

Interest rate risk and price risk – supervisory trading book

Market risk represents the risk of loss due to adverse movements in market prices (share prices, interest rates, foreign exchange rates, commodity prices, volatility of risk factors, and so on) in connection with the trading book for Supervisory purposes (position, settlement and concentration risks) and with the Bank’s entire budget (exchange rate and position risk on commodities).

In 2023, the investment strategy continued as regulated in the “Banca Ifis Proprietary Portfolio Management Policy” and in the “Policy for Managing Securitisation & Structured Solutions investment operations”; it is structured to coincide with the risk appetite formulated by the Board of Directors under the scope of the Risk Appetite Framework (RAF) and laid out in the “Group Market Risk Management Policy”, as well as with the system of objectives and limits. In keeping with the ‘conservative stance’ outlined in the above-mentioned documents, the overall investment strategy focused for the best part of the year on risk containment. This was implemented mainly by seeking out securities characterised by high liquidity and a strategy of steady returns over the medium term.

The component relating to the “trading book” from which the market risk in question originates was marginal with respect to the total investments in the banking book both in absolute terms of the risk values recorded and with respect to the established limits. The trading book mainly comprises options and futures deriving from hedging transactions and ancillary enhancements to the investment strategy in assets that are part of the “banking book” and “discretionary trading” portfolio, characterised by short-term speculation and marginal exposure.

The trading book also contains residual transactions from the Corporate Banking operations, as part of which clients were offered derivative contracts hedging the financial risks they assumed. In order to remove market risk, all outstanding transactions are hedged with “back to back” trades, in which the Bank assumes a position opposite to the one sold to corporate clients with independent market counterparties.

Interest rate risk and price risk – banking book

As a general principle, the Group does not assume significant interest rate risks. In terms of breakdown of the balance sheet with reference to the types of risk in question, in respect of the liabilities, the main funding source is still the on-line savings accounts and the Rendimax current account, structured into the technical forms of fixed-rate customer deposit accounts for the restricted component and the non index-linked variable rate that can be unilaterally revised by the Group Bank in respect of the rules and contracts, for the technical forms of unrestricted demand and on-call current accounts. The other main components of funding concern fixed-rate bond funding, variable-rate securitisation operations, repurchase agreements at both fixed and variable rate and loans with the Eurosystem (referred to as TLTRO and LTRO) at variable rates.

With regard to assets, customer loans remain mainly at variable rates, both with regard to the commercial credit component and to corporate loans.

As for the operations concerning distressed retail loans carried out by the subsidiaries Ifis Npl Investing, Revalea and Ifis Npl Servicing, the first two are characterised by a business model focused on acquiring receivables at prices lower than their nominal amount, and there is a potential interest rate risk also associated with the uncertainty about when the receivables will be collected.

At 31 December 2023, the comprehensive bond portfolio mainly comprises government securities (66%); the modified average duration and average maturity of the portfolio total 2.2 years and 2.9 years respectively.

The Capital Markets function is responsible for interest rate risk management and, in line with the established risk appetite, defines the actions necessary to pursue it. The Risk Management function is responsible for proposing the risk appetite, identifying the most appropriate risk indicators and monitoring the relevant performance of the assets and liabilities in connection with the pre-set limits. Each year, the Top Management proposes to the Board of Directors of the Banca Ifis Parent Company its lending and funding policies and its interest rate risk management policies. It also suggests any appropriate action to ensure that it carries out its activities in accordance with the risk policies approved by the Group.

The Risk Management department periodically reports to the Parent Company’s Board of Directors on the interest rate risk position as part of the specific monthly reports prepared by the Risk Management department for top management.

For further information, please refer to the 2023 consolidated reports and financial statements.

Currency risk

The assumption of currency risk, intended as an operating element that could potentially improve treasury performance, represents an operation that is not part of the Group’s policies. The Banca Ifis Group’s foreign currency operations largely involve collections and payments associated with factoring operations and in hedging assets in foreign currencies, like units of UCITS. In this sense, the assets in question are generally hedged with deposits and/or loans from other banks in the same currency, thus eliminating for the most part the risk of losses associated with exchange rate fluctuations. In some cases, synthetic instruments are used as hedging instruments.

A residual currency risk arises as a natural consequence of the mismatch between the clients’ borrowings and the Capital Markets function’s funding operations in foreign currency. Such mismatches are mainly a result of the difficulty in correctly anticipating financial trends connected with factoring operations, with particular reference to cash flows from account debtors vis-à-vis the maturities of loans granted to customers, as well as the effect of interest on them.

However, the Capital Markets function strives to minimise such mismatches every day, constantly realigning the size and timing of foreign currency positions.

Currency risk related to the Bank’s business is assumed and managed according to the risk policies and limits set by the Parent Company’s Board of Directors, with precise delegations of power limiting the autonomy of those authorised to operate, as well as especially strict limits on the daily net currency position.

The business functions responsible for ensuring the currency risk is managed correctly are: the Capital Markets function, which, amongst other duties, directly manages the Bank’s funding operations and currency position; the Risk Management function, responsible for selecting the most appropriate risk indicators and monitoring them with reference to pre-set limits; and the Top Management, which every year, based on the Capital Markets function’s proposals, shall consider these suggestions and make proposals to the Banca Ifis Board of Directors regarding policies on funding and the management of currency risk, as well as suggest appropriate actions during the year in order to ensure that operations are conducted consistently with the risk policies approved by the Group.

For further information, please refer to the 2023 consolidated reports and financial statements.

Liquidity risk

The liquidity risk refers to the possibility that the Group fails to service its debt obligations due to the inability to raise funds or sell enough assets on the market to address liquidity needs. The liquidity risk also refers to the inability to secure new adequate financial resources, in terms of amount and cost, to meet its operating needs and opportunities, hence forcing the Group to either slow down or stop its operations or incur excessive funding costs in order to service its obligations, significantly affecting its profitability.

At 31 December 2023, financial sources mainly consisted of equity, online funding (Rendimax product), including on-demand and time deposits, medium/long-term bonds issued as part of the EMTN programme, medium/long-term securitisation transactions, as well as funding from corporate customers. Funding in the form of repurchase agreements, entered into with leading banks, continued to be a significant source of funding in 2023.

Finally, with regard to the Eurosystem’s funding (TLTRO), it remained an important form of funding at the end of 2023. However, also in view of the fact that 2024 will see the natural end of maturity of these instruments, it was decided to bring forward the redemption of 500 million Euro already to the end of 2023, bringing the amount used from approximately 2 billion Euro to about 1.5 billion Euro.

The Group is constantly engaged in the harmonious development of its financial resources, both in terms of size and costs, in order to have available liquidity reserves adequate for the current and future business volumes.

The corporate functions of the Parent Company responsible for ensuring the correct application of the liquidity policy are the Capital Markets function, which handles the direct management of liquidity, and the Risk Management function, which proposes the risk appetite, identifying the most appropriate risk indicators and monitoring their trend in relation to the pre-set limits and supporting the activities of Top Management. The latter, together with the Capital Markets function, proposes funding and liquidity risk management policies to the Board of Directors on an annual basis, and suggests any appropriate actions during the year to ensure that activities are carried out in full compliance with the approved risk policies. As part of the ongoing process of adapting liquidity risk procedures and policies and taking into account the evolution of the prudential supervisory provisions of reference, the Parent Company uses an internal framework for the governance, monitoring and management of liquidity risk at Group level.

In compliance with supervisory provisions, the Group also has a Contingency Funding Plan aimed at protecting itself from losses or threats arising from a potential liquidity crisis and guaranteeing business continuity even in the midst of a serious emergency arising from its own internal organisation and/or the market situation.

The Risk Management function periodically reports on the liquidity risk position by means of a Dashboard prepared for the Board of Directors of Banca Ifis.

With reference to the Polish and Romanian subsidiaries, the treasury activity is coordinated by the Parent Company.

For further information, please refer to the 2023 consolidated reports and financial statements.

Impacts deriving from the macroeconomic environment

The Covid-19-related health emergency in early March 2020 generated unprecedented impacts on global economic growth. This circumstance prompted intermediaries to consider possible impacts on credit risk produced by such extraordinary risk factors not adequately captured by the expected loss (ECL) calculation models in use. This, coupled with the need to capture expectations of a rapid deterioration in macroeconomic conditions from a forward-looking perspective, led the Group to introduce prudential adjustments (“management overlays”) over time in the determination of expected losses (ECL); these adjustments were aimed in particular at capturing the risks associated with exposures to counterparties belonging to the economic sectors that are potentially the most vulnerable to the health emergency.

After 2021 and in particular during 2022 and 2023, as a result of geopolitical tensions related to the Russia-Ukraine conflict and the conflict in the Middle East, the inflationary scenario and the slowdown in economic growth, the prudential adjustments applied and previously described were replaced and restated with the aim of factoring in the risks emerging from the macroeconomic context of reference.

In particular, a number of new prudential adjustments were introduced to take into account the macroeconomic context strongly influenced by geopolitical tensions, the impact of rising energy prices, inflationary dynamics, and the significant increase in interest rates in order to intercept risk factors relating to counterparties belonging to sectors considered particularly exposed to new emerging risks; in particular, companies in the manufacturing, agricultural, transport, trading and energy sectors. The approach and criteria used have been made progressively more analytical and consistent over time through refinements introduced to reflect the Group’s improved perception of the evolution of related risks.

For further information, please refer to the 2023 consolidated reports and financial statements.

Operational risks

Operational risk is defined as the risk of suffering losses resulting from inadequate or dysfunctional processes, human resources, internal systems or external events. This definition does not include strategic risk and reputational risk, but it does include legal risk (i.e. the risk of losses deriving from failure to comply with laws or regulations, contractual or extra-contractual liability, or other disputes), IT risk, risk of non-compliance, fraud risk, risk of money laundering and terrorist financing, and the risk of financial misstatement.

The main sources of operational risk are operational errors, the inefficiency or inadequacy of operational processes and of related controls/safeguards, internal and external fraud, lack of compliance of internal regulations with external regulations, the outsourcing of company functions, quality level of physical and logical security, inadequacy or unavailability of hardware and software systems, increasing use of automation, insufficient number of personnel compared to the size of operations and lastly inadequacy of personnel management and training policies.

The Banca Ifis Group has for some time now defined – in line with the appropriate regulatory requirements and best practices in the sector – the overall framework for the management of operational risk, represented by a set of rules, procedures, resources (human, technological and organisational) and control activities aimed at identifying, assessing, monitoring, preventing or mitigating and communicating to the appropriate hierarchical levels all the operational risks assumed or that can be assumed in the various organisational units. The key processes for proper operational risk management are the following:

  • the Loss Data Collection activity, which has now been consolidated, also thanks to Risk Management’s constant efforts to disseminate a culture of pro-actively managing and raising awareness of operational risks among the various structures;
  • the prospective self-assessment of risk exposure through the execution of periodic Risk Self Assessment and Model Risk Self Assessment campaigns, aimed at obtaining an overall view of risks in terms of frequency and/or potential financial impact and of the related organisational safeguards.

With specific reference to the monitoring of the evolution of ICT and Security risk and the assessment of the effectiveness of ICT resource protection measures, the Banca Ifis Group, in compliance with the regulatory requirement, has opted for a shared responsibility model, assigning tasks to the Risk Management and Compliance corporate control functions, in relation to the roles, responsibilities and competences of each of the two functions. In particular, the Risk Management function conducts ICT and security risk analysis processes in accordance with the organisational and methodological framework approved by the Board of Directors in order, for example, to verify compliance with the ICT and security risk propensity level, the related risk objectives that the Group intends to achieve, and the resulting operational limits. If the level of ICT and security risk exceeds the defined threshold value, measures are identified to bring it back within the acceptable risk threshold; these flow into the “Treatment Plan”, which identifies responsibilities for implementing individual corrective actions.

The results of the above-mentioned analyses are reported in the “Summary Report on the ICT and Security Risk Situation” subject to annual approval by the CEO in his capacity as the body with management functions. 

In addition to the activities described above, according to its operational risk management framework (including the ICT and Security risk), the Group defines a set of measures that can promptly identify the presence of vulnerabilities in the exposure of the Bank and its subsidiaries to operational risks. These indicators are continuously monitored and disclosed in periodic reports by means of summary risk measures that are shared with the competent structures and bodies: events such as the breach of certain thresholds or the emergence of anomalies trigger specific escalation processes aimed at defining and implementing appropriate mitigation actions. In addition, as part of the definition of the Risk Appetite Framework (RAF) and the preparation of the Recovery Plan and ICAAP Report, the Risk Management function performs analyses to assess its exposure to exceptional but plausible operational risk events. These are called stress analyses and help to identify the resilience of the Group by simulating the impacts of adverse situations in terms of riskiness under the assumption of adverse scenarios.

It should also be noted that, in order to prevent and manage operational risk, the Parent Company’s Risk Management function works with other corporate functions to supervise the risks associated with the outsourcing of simple, essential or important operational functions; to assess the risks associated with the introduction of new products and services; and to carry out a preliminary assessment of the impact, in operational terms, of significant changes to the economic and contractual conditions of products.

Concerning the Companies of the Banca Ifis Group, please note that the management of operational risks is guaranteed by the strong involvement of the Parent Company, which makes decisions in terms of risk management.

For the purposes of determining the capital requirement for operational risks, the Group has adopted the so-called Basic Method set out by prudential regulations.

For further information, please refer to the 2023 consolidated reports and financial statements.