Banca Ifis Logo

Internal control system and risk management

The internal control system comprises the rules, procedures and organisational structures that aim to guarantee compliance with corporate strategies, the effectiveness and efficiency of processes, and the conformity of transactions with the regulatory framework and corporate regulations.

The internal control system

The internal control system plays a key role in the organisation of Banca Ifis. It plays a fundamental role in monitoring corporate risks and favours the dissemination of a correct culture of risk, legality and corporate values.

It represents a key element of expertise for the corporate bodies in order to:

  • Guarantee full awareness of the situation and an effective monitoring of company risks and their interrelations;
  • Influence changes to strategic lines and company policies;
  • Consistently adapt the context of the organisation;
  • Oversee the functionality of the management systems and compliance with prudential supervisory institutions;
  • Encourage the dissemination of a correct culture of risk, legality and corporate values.

Banca Ifis, in compliance with the provisions of supervisory regulations and the rules on the investment services provided, pursues the following general principles of organisation:

  • The decision-making processes and the assignment of tasks to personnel are formalised and allow univocal identification of duties and responsibilities, and are suited to preventing any conflict of interest. Additionally, the necessary separation between operating and control functions is ensured;
  • The human resource management policies and procedures ensure that all personnel are equipped with the skills and expertise needed to perform the responsibilities assigned to them;
  • The risk management process is effectively integrated. Indeed:
    • There is a common language for risk management at all levels;
    • The methods and tools used for the detection and assessment of risks are mutually consistent;
    • Risk reporting models are defined in order to facilitate their understanding and correct assessment, also as part of an integrated logic;
    • Coordination sessions are held for each activity;
    • There is an ongoing exchange of information between the various functions on the results of their respective control activities;
    • The identified remedial actions are shared;
  • The processes and methods for evaluating corporate assets and liabilities, also for accounting purposes, are reliable and integrated with the risk management process. To this end: definition and validation of valuation methods are entrusted to different units; the valuation methods are robust, tested under stress and do not rely excessively on any single source of information; valuation of financial instruments is entrusted to an independent unit rather than the unit trading said instrument;
  • The operating and control procedures minimise the risks related to fraud or employee disloyalty, prevent, or where this is not possible, mitigate, potential conflicts of interest and, furthermore, prevent involvement, even unconsciously, in money laundering, usury or terrorism financing;
  • The IT system complies with the requirements of supervisory regulations currently in force;
  • The guaranteed levels of business continuity are suitable and comply with the requirements of supervisory regulations currently in force.

Role of the company’s bodies:

  • The Board of Directors approves the document of the “Group Guidelines on the Internal Control System”, updated last in February 2022. It verifies that the guidelines are consistent with the established strategic guidelines and risk appetite and that they can follow the evolution of business risks and the interaction between them. Approves the Risk Appetite Framework and risk management policies;
  • The Risk Management and Internal Control Committee  is responsible for supporting, the Board of Directors in making assessments and decisions relating to the internal control and risk management system;
  • The Board of Statutory Auditors plays a fundamental role in supervising the adequacy and functionality of the internal control system;
  • The CEO is the director in charge of overseeing the functionality of the internal control and risk management system.

The correct functioning of the internal control system is based on successful interaction between corporate bodies, any committees formed within corporate bodies, external auditors and control functions.

In particular, the Risk Management and Internal Control Committee and the Board of Statutory Auditors interact frequently during their meetings, and, as needed, with the CEO, the Manager responsible for drafting accounting and corporate documents, the Auditing Firm, the Chief Risk Officer, the Head of Compliance and the Head of Anti-Money Laundering. They also systematically interact with the Head of Internal Audit who, usually, attends the meetings of both bodies.

All corporate activities are subject to controls, articulated in three levels:

  • Line controls (first level): business areas, owners of the various processes and activities;
  • Second level controls: Risk Management, Compliance and Anti-Money Laundering corporate functions;
  • Third level controls: Internal Audit.

The heads of the control organisational units liaise with each other, coordinating and collaborating, to avoid overlapping, to develop synergies and to optimise partnership.

Taxonomy of Risks

Banca Ifis has defined a Risk Taxonomy which describes the logic followed in identifying the current and/or potential risks to which the Group could be exposed in pursuing its strategies and achieving its business objectives.

This document is shared with the Internal Audit department and is approved, after sharing with the CEO and with the subsequent favourable opinion of the Risk Management and Internal Control Committee, by the Parent Company’s Board of Directors.

After receiving guidance from the Control Functions, the Financial Reporting Officer and the Organisational Office, the Chief Executive notifies the Parent Company’s Board of Directors of any requirements to update this document following regulatory, strategic and organisational changes.

Risk Management

Risk Management identifies the risks the Parent and the Group companies are exposed to and measures and monitors these risks on a regular basis through specific indicators, planning potential actions to mitigate material risks. The goal is to provide a holistic and comprehensive view of the risks the Group is exposed to, ensuring an adequate reporting to governance bodies.

The overall governance and risk management structure at Group level is governed by the Risk Appetite Framework.

In 2022, the Banca Ifis Group launched a project to integrate environmental factors into its corporate strategies, governance and control systems, risk management framework and disclosure system.

Among the activities already undertaken by Banca Ifis is the materiality assessment exercise, which is instrumental in identifying climate risk factors and the causal mechanisms by which these factors are transferred to traditional risks (transmission channels).

The findings of the materiality assessment exercise as well as the methodology, description of the transmission channels and the mitigation and adaptation actions taken for each identified potential risk will be published during 2023 in the TCFD report which will provide more details on the matter.


The control activities carried out by Compliance, identified on the basis of planning approved by the Board of Directors, aim to verify the effectiveness of the organizational measures required, proposed and implemented to manage the risk of non-compliance.

The audit findings are formally presented in reports shared with the relevant business structures, which must provide feedback on the remedial actions identified and the relevant implementation time line.

Anti-Money Laundering

A specific company Anti-Money Laundering function function carries out systematic second-level controls in relation to the risk of money laundering and terrorist financing, to ensure correct application of procedures to the operating processes.

Internal Audit

The audit work performed by the Internal Audit department concerns all processes and consists in regularly monitoring the application of all the Bank’s operational policies, procedures and practices to identify potential anomalies or violations of internal rules as well as evaluate the effectiveness of the internal control system as a whole.

Internal Audit operates on the basis of planning approved by the Board of Directors, and carries out unplanned audits for specific needs. Audit results are shared with the reference organizational unit and with the second level control functions, and are sent to the Board of Statutory Auditors and the Risk Management and Internal Control Committee.

Credit risk

Given the particular business of the Group’s companies, credit risk is the most important element to consider as far as the general risks assumed by the Group are concerned. Maintaining an effective credit risk management is a strategic objective for the Banca Ifis Group, pursued by adopting integrated tools and processes that ensure proper credit risk management at all stages (preparation, lending, monitoring and management, and interventions on troubled loans).

Credit risk is continuously monitored with the help of procedures and tools that allow for the timely identification of positions that present particular anomalies. Over time, the Banca Ifis Group has implemented instruments and procedures allowing to specifically evaluate and monitor risks for each type of customer and product.

The Banca Ifis Group pays particular attention to the concentration of credit risk with reference to all Group companies, at both individual and consolidated level. Banca Ifis’s Board of Directors has mandated the Top Management to take action to contain major risks. In line with the directives of the Board, those positions that are at risk and engage the Group to a considerable extent are subject to systematic monitoring.

Credit risk mitigation techniques

Credit risk mitigation techniques include those instruments that help limit the loss the Group would suffer should the counterparty default; specifically, these are the collateral and personal guarantees pledged by customers, and any agreements that could potentially reduce credit risk.

In general, as part of the credit granting and management process, for certain types of credit lines, customers are encouraged to provide suitable guarantees in order to reduce their risk. These may consist of collateral, such as liens on financial assets, mortgages on residential or non-residential property, and/or personal guarantees (usually sureties) provided by a third party, where an individual or legal entity takes responsibility for the customer’s obligations in the event of insolvency.

In particular:

  • As part of factoring operations, when the type and/or quality of factored receivables do not fully satisfy requirements or, more generally, the invoice seller is not sufficiently creditworthy, the bank’s established practice is to hedge the credit risk assumed by the Group by obtaining additional surety bonds from the shareholders or directors of the invoice seller. As regards the assigned debtors in factoring relationships, where it is believed that the evaluation elements available on the assigned debtor do not enable a correct evaluation/assumption of the credit risk connected to the debtor counterparty, or that the risk amount proposed exceeds limits identified when assessing the counterparty, the default risk of the assigned debtor is suitably hedged. Guarantees issued by correspondent factors and/or insurance policies underwritten with specialised operators are the main hedge against non-domestic account debtors in non-recourse operations;
  • In the area of loans to companies, where possible, suitable guarantees are acquired from the Central Guarantee Fund or from other companies within the public sphere such as SACE S.p.A .;
  • In relation to the Structured Finance operations, guarantees are acquired according to counterpart standing, the duration and type of loan. Said collateral includes mortgage guarantees, liens on plant and equipment, pledges, surety bonds, credit insurance, and collateral deposits;
  • In relation to financial leases, it should be noted that the credit risk is mitigated by the presence of the leased asset. The Lessor maintains the ownership until the final purchase option becomes available, thus ensuring for itself a greater recovery rate in case of a default by the customer;
  • In relation to transactions involving non-performing loans and the purchase of tax receivables from insolvency proceedings, and the related business model, no actions are normally taken to hedge against credit risks;
  • Salary-backed loans have a low-risk technical form, considering the characteristics of this product which necessarily requires insurance coverage against the risk of death and/or loss of employment and the constraint, as a greater guarantee of the loan, on the Severance Pay accrued by the customer.
  • The operation of financing to pharmacies involves an advance payment combined with a transfer or a mandate for the collection of receivables with the possibility of using the subsequent advances to reduce existing loans.

In line with the provisions of the  Liquidity Decree (Italian Legislative Decree no. 23 of 8 April 2020) the Group took advantage of the guarantees offered by the state Guarantee Fund for the type of customers and loans provided for by the Decree, with coverage that can reach up to 100%. This guarantee allows for a reduction in RWAs relating to credit risk, in proportion to the amount of exposure covered by the Fund.

The acquired NPL portfolios include positions secured by mortgages on properties that present a lower risk than the overall acquired portfolio.

When calculating the overall credit limit for an individual customer and/or legal and economic group, the Bank considers specific criteria when weighing the different categories of risks and guarantees. Specifically, when measuring collateral, it applies prudential ‘spreads’ differentiated by type of guarantee.

The Group continuously checks the quality and adequacy of guarantees acquired on the loan portfolio, with second-level controls carried out by the Parent Company’s Risk Management function and performed in the Single File Review (SFR) area.

For further information, please refer to the 2022 consolidated reports and financial statements.

Market risk

Interest rate risk and price risk – supervisory trading book

Market risk represents the risk of loss due to adverse movements in market prices (share prices, interest rates, foreign exchange rates, commodity prices, volatility of risk factors, and so on) in connection with the trading book for Supervisory purposes (position, settlement and concentration risks) and with the Bank’s entire budget (exchange rate and position risk on commodities).

In 2022, the proposed investment strategy governed by ‘the Portfolio Management Policy of Banca IFIS’ and the ‘Securitization & Structured Solutions Operations Management Policy’, is consistent with the risk appetite formulated by the Board of Directors as part of the Risk Appetite Framework (RAF) process and set out in the ‘Group Market Risks Management Policy’ and with the system of objectives and limits. In keeping with the ‘conservative stance’ outlined in the above-mentioned documents, the overall investment strategy focused for the best part of the year on risk containment. This was implemented mainly by seeking out securities characterised by high liquidity and a strategy of steady returns over the medium term.

The related assets making up this portfolio are therefore mainly valued at amortized cost or using the FVOCI (impact on overall profitability fair value measurement) method; they fall within the perimeter of the banking portfolio and therefore do not represent market risk.

In this context, the component relating to the ‘trading book’ from which the market risk in question originates was marginal both in absolute terms of the risk values recorded and with respect to the established limits. The trading portfolio is mainly composed of options and futures deriving from hedging and enhancement transactions ancillary to the investment strategy for the assets in the ‘banking book’ and the ‘discretionary trading’ book, which takes a short-term speculative approach and is characterised by marginal exposure.

Interest rate risk and price risk – banking book

As a general principle, the Group does not assume significant interest rate risks. In terms of composition of the balance sheet with reference to the type of risk in question, in relation to the liability component, the main source of funding continues to be the “Rendimax” online deposit account and “Rendimax” current accounts in the technical forms of customer accounts at a fixed rate for the binding component , and at a non-indexed floating rate, which can be reviewed unilaterally by the Bank of the Group in compliance with regulations and contracts, for the technical forms of free demand and demand current accounts. The other main funding components concern fixed rate bond deposits, a variable rate self-securitisation transactions and variable rate loans with the Eurosystem (the so-called TLTRO and LTRO).

With regard to assets, customer loans remain mainly at variable rates, both with regard to the commercial credit component and to corporate loans.

Within the sphere of non-performing loan transactions (carried out by the subsidiaries Ifis Npl Investing S.p.A. and Ifis Npl Servicing S.p.A.), the former is characterised by a business model focused on the purchase of receivables at lower values than the nominal value, there is a potential interest rate risk connected to the uncertainty over collection times.

At 31 December 2022, the total bond portfolio consisted mainly of government bonds, for a percentage of approximately 65%; the overall average modified duration is 4 years.

The Central Capital Markets function is the corporate function responsible for managing interest rate risk. In line with the established appetite for risk, it defines the actions necessary to pursue the risk. The Risk Management function is responsible for proposing the risk appetite, identifying the most appropriate risk indicators and monitoring the performance of assets and liabilities in relation to the set limits. Each year, the Top Management proposes to the Board of Directors of the Banca Ifis Parent Company its lending and funding policies and its interest rate risk management policies. It also suggests any appropriate action to ensure that it carries out its activities in accordance with the risk policies approved by the Group.

The Risk Management department periodically reports to the Parent Company’s Board of Directors on the interest rate risk position as part of the specific monthly reports prepared by the Risk Management department for top management.

For further information, please refer to the 2022 consolidated reports and financial statements.

Currency risk

The exchange rate risk is the risk of incurring losses due to adverse changes in the prices of foreign currencies on the positions held, regardless of the allocation portfolio (trading portfolio for supervisory purposes and trading portfolio).

In relation to exchange rate risk, currency transactions mainly consist of:

  • transactions entered into with customers normally related to typical factoring and lending activity, originating from both Business Units in Italy and from foreign subsidiaries (in Poland and Romania) for which the exchange risk is mitigated from the outset by resorting to funding with the same original currency;
  • Transactions that are part of the typical Treasury activity for the management of mismatching between use by customers and the related currency procurement carried out on the market.

For further information, please refer to the 2022 consolidated reports and financial statements.

Liquidity risk

The liquidity risk refers to the possibility that the Group fails to service its debt obligations due to the inability to raise funds or sell enough assets on the market to address liquidity needs. The liquidity risk also refers to the inability to secure new adequate financial resources, in terms of amount and cost, to meet its operating needs and opportunities, hence forcing the Group to either slow down or stop its operations or incur excessive funding costs in order to service its obligations, significantly affecting its profitability.

During 2022, the funding mix of the Group remained mostly stable; at 31 December 2022 the main funding sources were the Bank’s equity, online collection (Rendimax product) consisting of on-demand and term deposits, medium/long-term bonds issued as part of the EMTN programme, funding from the Eurosystem (TLTRO and LTRO), medium/long-term securitisation transactions, and collection by corporate customers.

The Group is constantly engaged in the harmonious development of its financial resources, both in terms of size and costs, in order to have available liquidity reserves adequate for the current and future business volumes.

The corporate functions of the Parent Company responsible for ensuring the correct application of the liquidity policy are the Capital Markets function, which handles the direct management of liquidity, and the Risk Management function, which proposes the risk appetite, identifying the most appropriate risk indicators and monitoring their trend in relation to the pre-set limits and supporting the activities of Top Management. The latter, together with the Capital Markets function, proposes funding and liquidity risk management policies to the Board of Directors on an annual basis, and suggests any appropriate actions during the year to ensure that activities are carried out in full compliance with the approved risk policies. As part of the ongoing process of adapting liquidity risk procedures and policies and taking into account the evolution of the prudential supervisory provisions of reference, the Parent Company uses an internal framework for the governance, monitoring and management of liquidity risk at Group level.
In compliance with supervisory provisions, the Group also has a Contingency Funding Plan aimed at protecting itself from losses or threats arising from a potential liquidity crisis and guaranteeing business continuity even in the midst of a serious emergency arising from its own internal organisation and/or the market situation.
The Risk Management function periodically reports on the liquidity risk position by means of a Dashboard prepared for the Board of Directors of Banca Ifis.
With reference to the Polish and Romanian subsidiary, the treasury activity is coordinated by the Parent Company.

For further information, please refer to the 2022 consolidated reports and financial statements.

Impacts resulting from the Covid-19 pandemic

In the period of the Covid-19 pandemic, the available and readily usable liquidity reserves remained largely sufficient with respect to the Group’s bonds, constantly recording, for the LCR and NSFR regulatory indicators, values significantly higher than the required thresholds. Also in terms of the survival period, which considers the occurrence of a severe combined stress scenario, values were found in line with the established risk appetite.

With regard to the evolution of funding volumes attributable to the effects of the pandemic, available liquidity remained at levels significantly above regulatory and internal limits.

In line with the aforementioned strategy in terms of management and risk appetite, despite the exceptional nature of the pandemic event, no violations of the risk thresholds assigned internally were detected.

The impacts of the Russia-Ukraine conflict

In recent months, geopolitical tensions have further exacerbated inflationary pressure that already existed at the end of 2021. This situation has led to an increase in interest rates, which has had both a direct and indirect impact on the Group’s liquidity profile. As for the direct impact, there was a decrease in the attractiveness of the online collection product (Rendimax) to investors, while indirect impacts generated both a tightening of the conditions inherent in the primary bond market and a reduction in the value of fixed-rate bonds in the portfolio, with a consequent negative impact on available liquidity reserves.

The Risk Management function, in this regard, monitors on a daily basis both the current and prospective size of liquidity reserves, as well as the trend in customer deposits, for which additional specific monitoring was implemented in 2022.

For further information, please refer to the 2022 consolidated reports and financial statements.

Operational risks

The operational risk is defined as the risk of suffering losses resulting from inadequate or dysfunctional processes, human resources, internal systems or external events. This definition does not include strategic risk and reputational risk, but it does include legal risk (i.e. the risk of losses deriving from failure to comply with laws or regulations, contractual or extra-contractual liability, or other disputes), IT risk, risk of non- compliance, fraud risk, risk of money laundering and terrorist financing, and the risk of financial misstatement.

The main sources of operational risk are operational errors, the inefficiency or inadequacy of operational processes and of related controls/safeguards, internal and external fraud, lack of internal regulation compliance with external regulations, the outsourcing of company functions, quality level of physical and logical security, inadequacy or unavailability of hardware and software systems, increasing use of automation, insufficient number of personnel compared to the size of operations and lastly inadequacy of personnel management and training policies.

The Banca Ifis Group has for some time now defined – in line with the appropriate regulatory requirements and best practices in the sector – the overall framework for the management of operational risk, represented by a set of rules, procedures, resources (human, technological and organisational) and control activities aimed at identifying, assessing, monitoring, preventing or mitigating and communicating to the appropriate hierarchical levels all the operational risks assumed or that can be assumed in the various organisational units. The key processes for proper operational risk management are the following:

  • Loss Data Collection activity has now been consolidated, also thanks to Risk Management’s constant efforts to disseminate a culture of pro-actively managing and raising awareness of operational risks among the various structures;
  • by the prospective self-assessment of risk exposure through the execution of periodic Risk Self Assessment and Model Risk Self Assessment campaigns, aimed at obtaining an overall view of risks in terms of frequency and/or potential financial impact and of the related organisational safeguards and, in the context of monitoring the evolution of IT risk and assessing the effectiveness of measures to protect ICT resources, by the Group’s ICT Risk Assessment process and monitoring of IT services provided by ICT third parties.

In addition, the Group’s operational risk management framework foresees the definition of a set of indicators that can promptly identify the presence of vulnerabilities in the exposure of the Bank and its subsidiaries to operational risks. These indicators are continuously monitored and disclosed in periodic reports by means of summary risk measures that are shared with the competent structures and bodies: events such as the breach of certain thresholds or the emergence of anomalies trigger specific escalation processes aimed at defining and implementing appropriate mitigation actions. In addition, as part of the definition of the Risk Appetite Framework (RAF) and the preparation of the Recovery Plan and ICAAP Report, the Risk Management function performs analyses to assess its exposure to exceptional but plausible operational risk events. These are called stress analyses and help to identify the resilience of the Group by simulating the impacts of adverse situations in terms of riskiness under the assumption of adverse scenarios.

It should also be noted that, in order to prevent and manage operational risk, the Parent Company’s Risk Management function works with other corporate functions to supervise the risks associated with the outsourcing of simple, essential or important operational functions; to assess the risks associated with the introduction of new products and services; and to carry out a preliminary assessment of the impact, in operational terms, of significant changes to the economic and contractual conditions of products.

Concerning the Companies of the Banca IFIS Group, please note that currently the management of operational risks is guaranteed by the strong involvement of the Parent Company, which makes decisions in terms of risk management.

For the purposes of determining the capital requirement for operational risks, the Group has adopted the so-called Basic Method set out by prudential regulations.

For further information, please refer to the 2022 consolidated reports and financial statements.

Impacts resulting from the Covid-19 pandemic

With reference to the impacts deriving from the Covid-19 emergency, the operational and reputation risk management strategies underwent changes in 2020 both as a result of specific requests by the regulator, and to recalibrate the internal control system in order to make the monitoring activities more responsive to the changed methods of carrying out some business activities following the restrictions imposed. Following the easing of the restrictive measures and the subsequent resumption of business activities as normal, the strategies for managing operational and reputational risks were also gradually readjusted. In particular, the methods of carrying out Risk Management activities with regard to monitoring and reporting in the various areas (e.g. disputes, NPL loans, etc.), as well as the Key Risk Indicators restructured with a view to bringing the controls more in line with the various operating conditions and business needs, were restored to regular levels and did not undergo any further significant changes as a result.

The impacts of the Russia-Ukraine conflict

With regard to operational risks, the Risk Management function considered the effects of the crisis caused by the conflict in Ukraine on the process of comprehensively managing the economic conditions of the Group’s products on a unilateral basis, and, in this case, in relation to the economic conditions of certain factoring and current account relationships. In this context, it was pointed out that the implementation of the manoeuvre pursuant to Articles 118 and 126-sexies of the Consolidated Banking Act (TUB) could represent a further economic burden for companies that find themselves operating in a difficult and uncertain international socio-political context that has already led to an increase in the prices of raw materials, especially energy. The Risk Management function, in order to monitor this risk and promptly report any critical issues, will continue to carry out routine periodic checks such as, for example, monitoring the turnover of factoring customers as well as the trend in the number of any disputes and negative comments on the web.

For further information, please refer to the 2022 consolidated reports and financial statements.