Internal control system and risk management

Taxonomy of Risks

The Group has defined a Risk Taxonomy which describes the logic followed in identifying the current and/or potential risks to which the Group could be exposed in pursuing its strategies and achieving its business objectives.

This document is shared with the Internal Audit department and is approved, after sharing with the CEO and with the subsequent favourable opinion of the Risk Management and Internal Control Committee, by the Parent Company’s Board of Directors.

After receiving guidance from the Control Functions, the Financial Reporting Officer and the Organisational Office, the Chief Executive notifies the Parent Company’s Board of Directors of any requirements to update this document following regulatory, strategic and organisational changes.

Risk Management

Risk Management identifies the risks the Parent and the Group companies are exposed to and measures and monitors them on a regular basis through specific risk indicators, planning potential actions to mitigate material risks. Risk Management regularly reports to corporate bodies on its operations through the Dashboard – as well as, if required, to the Bank of Italy and Consob (Italy’s stock market watchdog).

The Group’s overall risk governance and management structure is governed by the Risk Appetite Framework (RAF) and the relevant documents, which are constantly updated based on the evolution of the Group’s strategic framework.

With specific reference to climate and environmental risks, the Bank of Italy’s analysis of expectations on climate and environmental risks and, subsequently, the Guidelines on the Management of Environmental, Social and Governance Risks (ESG risks) published by the European Banking Authority (EBA) gave rise to the launch of a structured programme with the aim of integrating environmental factors into corporate strategies, governance and control systems, the risk management framework and disclosure. A further strategic objective is to incorporate the relevant risks into the company’s main valuation processes.

Among the activities already undertaken by Banca Ifis is the materiality assessment exercise, which is instrumental in identifying climate risk factors and the causal mechanisms by which these factors are transferred to traditional risks (transmission channels).

The findings of the materiality assessment exercise indicate an overall moderate exposure to climate and environmental risks. In line with the Bank of Italy’s expectations on climate and environmental risks (i.e. Expectations VI), the Parent Company Banca Ifis carried out an initial Climate Stress test exercise in 2025, which was attached to the ICAAP Report. The study of the effects of climate and environmental risks on credit risk was conducted by analysing the possible impact of severe climate change on the Income Statement through the deterioration of credit quality and risk parameters. 

Compliance

The Compliance Department ensures the control of the risk of non-compliance, for example, by assessing the adequacy of the safeguards with respect to the applicable regulations or by verifying the compliance of the advertising messages envisaged. In addition, following the introduction of new products and services, the Compliance Department requires the provision of appropriate training courses for the organisational units impacted by the new banking products and services (e.g., on the risks inherent in the new product and how to mitigate them).

The audit work performed by the Compliance Department seeks to evaluate the effectiveness of the required, proposed or implemented organisational measures intended to manage the risk of non-compliance. Therefore, these audits apply to all areas for which said risk exists. The audit findings are formally presented in reports shared with the relevant business structures, which must provide feedback on the remedial actions identified and the relevant implementation time line. The function monitors compliance with these requirements and regularly reports to the corporate bodies through the Dashboard – as well as, if required, to the Bank of Italy and Consob. It operates with an ex-ante approach, advising the business on identified regulatory areas, and ex-post, conducting compliance audits.

The Compliance department monitors compliance with applicable regulations through ongoing checks and audits, with the aim of assessing the effectiveness of the organisational measures prepared, proposed and implemented to manage the risk of non-compliance in every area where such risk is present.

Anti-Money Laundering

The Anti-Money Laundering function performs systematic second line of defence audits concerning the risk of money-laundering and terrorist financing to ensure the relevant procedures are properly applied to operational processes, and develops Key Risk Indicators representing the most significant risk factors to be monitored. It also performs a self-assessment of the risk of money laundering and terrorist financing once a year. The function shares the audit findings and the action plan with the relevant Management. These audits and indicators are also displayed in the Dashboard on a quarterly basis and reported to the Board of Directors as well as, if required, to the Bank of Italy.

Internal Audit

The review carried out by the Internal Audit function is transversal to all corporate processes. In order to identify any abnormal performance or breach of internal regulations and assess the function of the Internal Control System as a whole, the function is assigned responsibility for verifying the correct application of internal provisions.

The Internal Audit operates on the schedule approved by the Board of Directors; in addition to this, it also performs unplanned audits as specifically necessary and/or required by the main corporate bodies or external supervisory bodies. The results of the audits are shared with the reference organisational unit and with the second-level audit functions and then sent to the Board of Statutory Auditors and the Control and Risks Committee. The Internal Audit function also reports back regularly to the corporate bodies, also by presenting specific summary reports (Annual reports and Quarterly Dashboards) that, if required, are also submitted to the Bank of Italy or Consob. The audit cycle, as required by the supervisory regulations, is three years and includes audits of all major business processes.

Credit risk

Given the particular business of the Group’s companies, credit risk is the most important element to consider as far as the general risks assumed by the Group are concerned. Maintaining an effective credit risk management is a strategic objective for the Banca Ifis Group, pursued by adopting integrated tools and processes that ensure proper credit risk management at all stages (preparation, lending, monitoring and management, and interventions on troubled loans).

Credit risk is continuously monitored with the help of procedures and tools that allow for the timely identification of positions that present particular anomalies. Over time, the Banca Ifis Group has implemented instruments and procedures allowing to specifically evaluate and monitor risks for each type of customer and product.

The Banca Ifis Group pays particular attention to the concentration of credit risk with reference to all Group companies, at both individual and consolidated level. Banca Ifis’s Board of Directors has mandated the Top Management to take action to contain “Major exposures”. In line with the directives of the Board, those positions that are at risk and engage the group to a considerable extent are subject to systematic monitoring.

Credit risk mitigation techniques

Credit risk mitigation techniques include those instruments that help limit the loss the Group would suffer should the counterparty default; specifically, these are the collateral and personal guarantees pledged by customers, and any agreements that could potentially reduce credit risk.

In general, as part of the credit granting and management process, for certain types of credit lines, customers are encouraged to provide suitable guarantees in order to reduce their risk. These may consist of collateral, such as liens on financial assets, mortgages on residential or non-residential property, and/or personal guarantees (usually sureties) provided by a third party, where an individual or legal entity takes responsibility for the customer’s obligations in the event of insolvency.

In particular:

• as part of factoring operations, when the type and/or quality of factored receivables do not fully satisfy requirements or, more generally, the invoice seller is not sufficiently creditworthy, the bank’s established practice is to hedge the credit risk assumed by the Group by obtaining additional surety bonds from the shareholders or directors of the invoice seller. As regards the assigned debtors in factoring relationships, where it is believed that the evaluation elements available on the assigned debtor do not enable a correct evaluation/assumption of the credit risk connected to the debtor counterparty, or that the risk amount proposed exceeds limits identified when assessing the counterparty, the default risk of the assigned debtor is suitably hedged. Guarantees issued by correspondent factors and/or insurance policies underwritten with specialised operators are the main hedge against non-domestic account debtors in non-recourse operations;
• in the area of loans to companies, where possible, suitable guarantees are acquired from the Central Guarantee Fund or from other companies within the public sphere such as SACE S.p.A .;
• in regard to Structured Finance, collateral is acquired according to the counterparty’s standing as well as the term and type of the facility. Said collateral includes mortgage guarantees, liens on plant and equipment, pledges, surety bonds, credit insurance, and collateral deposits;
• as for finance leases, the credit risk is mitigated by the leased asset. The lessor maintains the ownership until the purchase option is exercised, ensuring a higher recovery rate in the event the client defaults;
• in relation to financial leases, it should be noted that the credit risk is mitigated by the presence of the leased asset. The Lessor maintains the ownership until the final purchase option becomes available, thus ensuring for itself a greater recovery rate in case of a default by the customer;
• in relation to transactions involving non-performing loans and the purchase of tax receivables from insolvency proceedings, and the related business model, no actions are normally taken to hedge against credit risks;
• salary-backed loans have a low-risk technical form, considering the characteristics of this product which necessarily requires insurance coverage against the risk of death and/or loss of employment and the constraint, as a greater guarantee of the loan, on the Severance Pay accrued by the customer.
• the operation of financing to pharmacies involves an advance payment combined with a transfer or a mandate for the collection of receivables with the possibility of using the subsequent advances to reduce existing loans.

In line with the provisions of the  Liquidity Decree (Italian Legislative Decree no. 23 of 8 April 2020) the Group took advantage of the guarantees offered by the state Guarantee Fund for the type of customers and loans provided for by the Decree, with coverage that can reach up to 100%. This guarantee allows for a reduction in RWAs relating to credit risk, in proportion to the amount of exposure covered by the Fund.

The acquired NPL portfolios include positions secured by mortgages on properties that present a lower risk than the overall acquired portfolio.

When calculating the overall credit limit for an individual customer and/or legal and economic group, the Bank considers specific criteria when weighing the different categories of risks and guarantees. Specifically, when measuring collateral, it applies prudential ‘spreads’ differentiated by type of guarantee.

The Group continuously checks the quality and adequacy of guarantees acquired on the loan portfolio, with second-level controls carried out by the Parent Company’s Risk Management function and performed in the Single File Review (SFR) area.

For more details, see the 2025 Consolidated Reports and Financial Statements, on the Financial results and presentations page.

Market risk

Interest rate risk and price risk – supervisory trading book

In 2025, the investment strategy continued, as regulated in the “Banca Ifis Proprietary Portfolio Management Policy” and in the “Policy for Managing Securitisation & Structured Solutions investment operations” is structured to coincide with the risk appetite formulated by the Board of Directors under the scope of the Risk Appetite Framework (RAF) and laid out in the “Group Market Risk Management Policy”, as well as with the system of objectives and limits.

Consistent with the conservative “stance” outlined in the above-mentioned documents, the overall investment strategy focused on risk containment, implemented mainly by seeking out securities characterised by high liquidity and a strategy of steady returns over the medium term. During the course of the year, however, it was decided to gradually increase the duration of the portfolio, with a simultaneous increase in the value invested, in order to pursue greater stability of interest flows in the face of expected declining future returns. The change in portfolio composition was accompanied by continuous monitoring of the exposure of the risks it generated. Compliance with the risk limits set by the Banca Ifis Group has always been verified on an ongoing basis by the Risk Management function. With the acquisition of illimity Bank, the strategic guidelines of the parent were naturally extended to the new subsidiary and the other companies of the illimity Group and, therefore, the latter months of 2025 saw an alignment of the two companies’ strategies and procedures.

It should also be noted that during 2024, certain hedge accounting (micro fair value hedge) transactions were put in place on certain equity securities measured at fair value with an impact on overall profitability, realised through combinations of call and put options and maturing within 36 months. The purpose of these transactions is to reduce the price risk of the underlying securities, and they continued during 2025.

The component relating to the “trading book” from which the market risk in question originates was marginal with respect to the total investments in the banking book both in absolute terms of the risk values recorded and with respect to the established limits. The trading book mainly comprises options and futures deriving from hedging transactions and ancillary enhancements to the investment strategy in assets that are part of the “banking book” and “discretionary trading” portfolio, characterised by short-term speculation and marginal exposure.

Within the trading portfolio, there are also derivative transactions with corporate customers of the Banca Ifis Group as counterparty (almost entirely related to illimity Bank). These positions are managed ‘by the book’, continuously monitoring and managing the risk of Greeks generated by the portfolio. The risk metrics observed were extremely low.

Interest rate risk and price risk – banking book

As a general principle, the Group does not assume significant interest rate risks. In terms of breakdown of the balance sheet with reference to the types of risk in question, in respect of the liabilities, the main funding source is still the on-line savings accounts and current accounts (in particular Rendimax and illimityBank.com), structured into the technical forms of fixed-rate customer deposit accounts for the restricted component and the non index-linked variable rate that can be unilaterally revised by the Group in respect of the rules and contracts, for the technical forms of unrestricted demand and on-call current accounts. The other main components of funding concern fixed-rate bond funding, variable-rate securitisation operations, repurchase agreements at both fixed and variable rate and loans with the Eurosystem (referred to as LTRO, MRO and other types of ECB operations) at variable rates.

As for the assets, loans to customers still largely have floating rates as far as both trade receivables and corporate financing are concerned.

As for the operations concerning distressed retail loans carried out by the subsidiaries Ifis Npl Investing and Ifis Npl Servicing, the first is characterised by a business model focused on acquiring receivables at prices lower than their nominal amount, there is a potential interest rate risk associated with the uncertainty about when the receivables will be collected.

At 31 December 2025, the comprehensive bond portfolio mainly comprises government securities for a percentage of 87%; the modified average duration and average maturity of the portfolio are respectively 4,1 years and 5,3 years. A number of derivative positions are, however, recognised on these securities under hedge accounting, aimed at reducing the portfolio’s interest rate risk (micro fair value hedge). Therefore, the average effective duration of the portfolio, including derivatives, at 31 December 2025 was 2,3 years.

The Capital Markets function is appointed to guarantee the rate risk management, which, in line with the risk appetite established, defines what action is necessary to pursue this. The Risk Management function is responsible for proposing the risk appetite, identifying the most appropriate risk indicators and monitoring the relevant performance of the assets and liabilities in connection with the pre-set limits. Each year, the Top Management proposes to the Board of Directors of the Banca Ifis Parent Company its lending and funding policies and its interest rate risk management policies. It also suggests any appropriate action to ensure that it carries out its activities in accordance with the risk policies approved by the Group.

The Risk Management department periodically reports to the Parent Company’s Board of Directors on the interest rate risk position as part of the specific monthly reports prepared by the Risk Management department for top management.

For more information, please refer to the 2025 Consolidated Reports and Financial Statements on page Financial results and presentations.

Currency risk

The assumption of currency risk, intended as an operating element that could potentially improve treasury performance, represents an operation that is not part of the Group’s policies. The Banca Ifis Group’s foreign currency operations largely involve collections and payments associated with factoring operations and in hedging assets in foreign currencies, like units of UCITS. In this sense, the assets in question are generally hedged with deposits and/or loans from other banks in the same currency, thus eliminating for the most part the risk of losses associated with exchange rate fluctuations. In some cases, synthetic instruments are used as hedging instruments.

A residual currency risk arises as a natural consequence of the mismatch between the clients’ borrowings and the Capital Markets function’s funding operations in foreign currency. Such mismatches are mainly a result of the difficulty in correctly anticipating financial trends connected with factoring operations, with particular reference to cash flows from account debtors vis-à-vis the maturities of loans granted to customers, as well as the effect of interest on them.

However, the Capital Markets function strives to minimise such mismatches every day, constantly realigning the size and timing of foreign currency positions.

Currency risk related to the Bank’s business is assumed and managed according to the risk policies and limits set by the Parent Company’s Board of Directors, with precise delegations of power limiting the autonomy of those authorised to operate, as well as especially strict limits on the daily net currency position.

The business functions responsible for ensuring the currency risk is managed correctly are: the Capital Markets function, which, amongst other duties, directly manages the Bank’s funding operations and currency position; the Risk Management function, responsible for selecting the most appropriate risk indicators and monitoring them with reference to pre-set limits; and the Top Management, which every year, based on the Capital Markets function’s proposals, shall consider these suggestions and make proposals to the Banca Ifis Board of Directors regarding policies on funding and the management of currency risk, as well as suggest appropriate actions during the year in order to ensure that operations are conducted consistently with the risk policies approved by the Group.

As regards the subsidiaries Ifis Finance Sp. z o.o. and Ifis Finance I.F.N. S.A., which operate on the Polish and Romanian markets, respectively, exposures in Polish zloty and leu from factoring activities are financed by funding in the same currency.

With the acquisition of the Polish subsidiary, Banca Ifis has assumed the currency risk represented by the initial investment in Ifis Finance Sp. z o.o.’s share capital for an amount of 21,2 million Zloty and the subsequent share capital increase for an amount of 66 million Zloty.

As instead for the Rumanian subsidiary Ifis Finance I.F.N. S.A., Banca Ifis assumed the exchange rate risk on its own at the time of its incorporation through the initial payment into the share capital totalling 14,7 million Romanian Leu and at the time of the payments of 9,6 million Leu, 24,7 million Leu and 49,0 million Leu as a capital increase respectively during the second half of 2022 and the first and second half of 2023.

The Risk Management function is committed to monitoring the set limits, aimed at verifying that the Group’s exchange rate risk remains low. As at 31 December 2025, the total net position amounts to about 7,1 million Euro (or about 0,3% of own funds), with a maximum single-currency exposure of 5 million Euro.

For more information, please refer to the 2025 Consolidated Reports and Financial Statements on page Financial results and presentations.

Liquidity risk

The liquidity risk refers to the possibility that the Group fails to service its debt obligations due to the inability to raise funds or sell enough assets on the market to address liquidity needs. The liquidity risk also refers to the inability to secure new adequate financial resources, in terms of amount and cost, to meet its operating needs and opportunities, hence forcing the Group to either slow down or stop its operations or incur excessive funding costs in order to service its obligations, significantly affecting its profitability.

At 31 December 2025, financial sources mainly consisted of equity, online funding (mainly the products Rendimax and illimityBank.com), including on-demand and time deposits, medium/long-term bonds issued as part of the EMTN programme, medium/long-term securitisation transactions, as well as funding from corporate customers. Funding in the form of repurchase agreements, entered into with leading banks, continued to be a significant source of funding in 2025. Finally, with regard to Eurosystem funding (TLTRO, MRO and other types of operations with the ECB), the Parent Company participates in weekly auctions on an ongoing basis, and as of 31 December 2025, there was an MRO operation for 500 million Euro, repaid on 7 January 2026, and an OT (Other Type of operation) for 260 US Dollar (equal to 221 million Euro), repaid on 8 January 2026.

The Group’s activities consist of factoring operations, which focus mainly on trade receivables and receivables due from Italy’s public administration maturing within the year, and medium/long-term receivables deriving mainly from Leasing, Corporate banking, Structured Finance and Workout, Restructuring & Recovery operations; security portfolio management, mainly comprising eligible and readily liquid Italian government securities are also important.

As for the Group’s operations concerning the Npl Segment and the segment relative to purchases of tax receivables arising from insolvency proceedings, the characteristics of the business model imply a high level of variability concerning both the amount collected and the date of actual collection. Therefore, the timely and careful management of cash flows is particularly important. To ensure expected cash flows are correctly assessed, also with a view to correctly pricing the transactions undertaken, the Group carefully monitors the trend in collections compared to expected flows.

The Group is constantly engaged in the harmonious development of its financial resources, both in terms of size and costs, in order to have available liquidity reserves adequate for the current and future business volumes.

The corporate functions of the Parent Company responsible for ensuring the correct application of the liquidity policy are the Capital Markets function, which handles the direct management of liquidity, and the Risk Management function, which proposes the risk appetite, identifying the most appropriate risk indicators and monitoring their trend in relation to the pre-set limits and supporting the activities of Top Management. The latter, together with the Capital Markets function, proposes funding and liquidity risk management policies to the Board of Directors on an annual basis, and suggests any appropriate actions during the year to ensure that activities are carried out in full compliance with the approved risk policies.
In compliance with supervisory provisions, the Group also has a Contingency Funding Plan aimed at protecting itself from losses or threats arising from a potential liquidity crisis and guaranteeing business continuity even in the midst of a serious emergency arising from its own internal organisation and/or the market situation.

The liquidity risk position is the subject of periodic reporting prepared by the Risk Management function for the Board of Directors of Banca Ifis, which now also includes the illimity Group scope.

The Banca Ifis Group carries out the Internal Liquidity Adequacy Assessment Process (ILAAP) exercise on an annual basis, for the purposes of the Supervisory Review and Evaluation Process (SREP). The objective of the ILAAP process is to assess the adequacy of the liquidity and funding risk profile and the governance, management and monitoring of this risk. With reference to the Polish and Rumanian subsidiaries, treasury operations are coordinated by the Parent Company.

For more information, please refer to the 2025 Consolidated Reports and Financial Statements on page Financial results and presentations.

Impacts deriving from the macroeconomic environment

As already explained in previous reports, it is noted that the Covid-19-related health emergency in early March 2020 generated unprecedented impacts on global economic growth. This circumstance prompted intermediaries to consider possible impacts on credit risk produced by such extraordinary risk factors not adequately captured by the expected loss (ECL) calculation models in use. This, coupled with the need to capture expectations of a rapid deterioration in macroeconomic conditions from a forward-looking perspective, led the Group to introduce prudential adjustments (“management overlays”) over time in the determination of expected losses (ECL); these adjustments were aimed in particular at capturing the risks associated with exposures to counterparties belonging to the economic sectors that are potentially the most vulnerable.

After 2021, as a result of geopolitical tensions related to the Russia-Ukraine conflict and the conflict in the Middle East, the inflationary scenario and the slowdown in economic growth, the prudential adjustments applied and previously described were replaced and restated with the aim of factoring in the risks emerging from the macroeconomic context of reference.

In particular, a number of new prudential adjustments were introduced to take into account the macroeconomic context strongly influenced by geopolitical tensions, the impact of rising energy prices, inflationary dynamics, and the significant increase in interest rates in order to intercept risk factors relating to counterparties belonging to sectors considered particularly exposed to new emerging risks; in particular, companies in the manufacturing, agricultural, transport, trading and energy sectors.

As at 31 December 2023, the total amount of the described prudential adjustments (management overlay) was approximately 52,3 million Euro, almost equally divided between adjustments to hedge multiple risk factors (particularly related to inflationary, geopolitical and energy supply risks) and adjustments to hedge adverse macroeconomic expectations, the quantifications of which are also supported by stress scenario and sensitivity analyses. As at 31 December 2023, an additional 12,8 million Euro of prudential adjustments had also been provided for to protect positions specifically identified to take into account their possible deterioration, which can be estimated in a reasonably short time horizon and is not captured by current models (“expert-based” valuations).

During 2024, the bank had fully utilised the prudential adjustments resulting from expert-based assessments following the actual classification of specifically identified positions as impaired exposures. In addition, management overlays set aside to hedge multiple risk factors (particularly related to inflationary, geopolitical and energy supply risks) and to hedge against adverse macroeconomic expectations, were utilised against the deteriorating dynamics of the underlying portfolio clusters, as the risks against which these overlays were set up were deemed to have materialised. The total remaining amount of management overlays as at 31 December 2024 therefore stood at 25,2 million Euro.

During the third quarter of 2025, the amount of the overlay was reduced by approximately 8 million Euro due to a decrease in the severity of the scenarios supporting the quantification as well as due to utilisation against the deterioration dynamics of the underlying portfolio clusters.

At the end of 2025, management overlays to hedge multiple risk factors and adverse macroeconomic expectations were fully utilised, resulting in a positive economic impact.

This decision, in addition to covering some specific positions impaired during the quarter, was deemed reasonable on the basis of a set of evidence, both internal and external, that, on the one hand, confirms the full incorporation in the new macroeconomic scenarios of the elements linked to ’emerging risks’ and, on the other, attests to a strengthening of internal credit risk measurement and control controls. In particular, the extraordinary conditions that had motivated the introduction of management overlays gradually disappeared. ‘Novel risks’, such as those of a geopolitical or climatic-environmental nature, are now integrated into the macroeconomic scenarios used to calibrate the risk parameters; moreover, the sensitivities illustrated show a limited responsiveness of the ECL even in the presence of a worsening macroeconomic environment.

With reference to the main macroeconomic factors, there are signs of improvement. In fact, inflation in the Eurozone fell to 2% in December, hitting the ECB’s price stability target and signalling an easing of inflationary pressures; at the same time, the 3-month Euribor stabilised at around 2%, with moderate fluctuations reflecting relatively stable monetary policy expectations after the rate cuts made in 2025. Overall, these dynamics point to a more stable macroeconomic framework that is less exposed to adverse shocks.

Alongside the described evolution of the external environment, the IFRS 9 models in use have progressively shown a level of robustness that further reduces the need for prudential overlays: the models have steadily passed backtesting, conducted according to a framework made more structured during 2025, and guarantee levels of coverage that can also be considered adequate in light of the systemic evidence. Another important aspect is the gradual strengthening of the monitoring and control processes of the credit portfolio, both within the framework of first-level activities and through second-level supervision, ensuring a more timely and effective ability to identify deterioration dynamics.

Finally, as of FY 2025, the forward-looking component of the parameters has been revised by incorporating ESG elements, thanks to the introduction of a dedicated climate scenario to reflect potential vulnerabilities related to climate transition in the model. Taken together, these elements combine to define a solid and adequately supervised methodological and management framework.

For more information, please refer to the 2025 Consolidated Reports and Financial Statements on page Financial results and presentations.

Operational risks

The operational risk is defined as the risk of suffering losses resulting from inadequate or dysfunctional processes, human resources, internal systems or external events. This definition does not include strategic risk and reputational risk, but it does include legal risk (i.e. the risk of losses deriving from failure to comply with laws or regulations, contractual or extra-contractual liability, or other disputes), IT risk, risk of non- compliance, fraud risk, risk of money laundering and terrorist financing, and the risk of financial misstatement.

The main sources of operational risk are operational errors, the inefficiency or inadequacy of operational processes and of related controls/safeguards, internal and external fraud, lack of internal regulation compliance with external regulations, the outsourcing of company functions, quality level of physical and logical security, inadequacy or unavailability of hardware and software systems, increasing use of automation, insufficient number of personnel compared to the size of operations and lastly inadequacy of personnel management and training policies.

Risk management is articulated through structured processes, such as:

• Loss Data Collection, i.e. the collection and recording of losses resulting from operational risk events;
• periodic Risk Self Assessment and Model Risk Self Assessment campaigns, aimed at providing an overall view of risks in terms of frequency, potential impact and organisational safeguards;
• the definition and monitoring of processes, indicators and risk thresholds, in order to detect changes in the exposure to operational risks (including, where applicable, the risk of fraud) at an early stage.

For the definition of the Risk Appetite Framework (RAF), as part of the ICAAP Report and Recovery Plan, stress analyses are also conducted to verify the resilience of the Group in adverse scenarios.

To calculate capital requirements against operational risks, the Banca Ifis Group adopted the Standardised Measurement Approach (SMA) envisaged by supervisory regulations.

The Parent Company’s Risk Management function, in cooperation with other corporate functions, also oversees the risks associated with the outsourcing of corporate functions, assesses the risks associated with the introduction of new products and services, and analyses the operational impact of massive changes to contractual conditions.

Alongside operational risk, reputational risk is also managed. Reputational risk represents the current or prospective risk of a decrease in profits or capital deriving from a negative perception of the Group’s image by customers, counterparties, shareholders, investors or the Supervisory Authorities. The management of reputational risk, like that of operational risk, is entrusted to the parent company’s Risk Management function. This function defines the overall framework, which includes specific evaluation processes and a set of risk indicators monitored on an ongoing basis, in accordance with regulatory requirements and industry best practices. The objective is to ensure effective control of reputational risk, through the identification, assessment and monitoring of risks assumed or potentially assumed by the Group’s various organisational units.

With specific reference to monitoring the evolution of ICT and Security risks and assessing the effectiveness of ICT resource protection measures, the Banca Ifis Group has defined a framework aimed at ensuring the identification, assessment and monitoring of ICT and Security risks, while ensuring adequate communication to the relevant hierarchical levels. In compliance with the regulatory requirement, the Group has opted for a shared responsibility model by assigning tasks to the Risk Management and Compliance corporate control functions, in relation to the roles, responsibilities and competences of each of the two functions. In particular, the Risk Management function conducts ICT and security risk analysis processes in accordance with the organisational and methodological framework approved by the Board of Directors of Banca Ifis, which takes the form of IT risk measurement activities on IT services and the processes they support, with the aim of detecting potential threats and vulnerabilities that could compromise the availability, integrity and confidentiality of information. Added to this activity is the definition and monitoring of a set of ICT and Security risk indicators and related thresholds that can promptly highlight the emergence of potential vulnerabilities. In addition, the framework provides for risk assessment on projects involving substantial changes to information systems, to ensure that technological developments are consistent with the acceptable level of risk and the protection measures in place.

Finally, the Group adopts a structured approach to managing the risks associated with IT services provided by third parties, in line with the relevant regulatory framework, DORA. Risk analyses, conducted both pre-contractually and on an ongoing basis, ensure an adequate assessment of the main risk profiles, including concentration risk, and support the protection of business continuity, data security and overall compliance.

All these processes are accompanied by the Risk Management function’s commitment to the dissemination of a culture geared towards proactive risk management.

The Banca Ifis Group has internal policies and regulations and ensures that they are regularly updated. These documents define the methodological framework, how risks are identified, assessed and mitigated, and the responsibilities of the functions involved. They are the reference to ensure a structured, consistent and regulatory-compliant approach.

Concerning the companies of the Banca Ifis Group, please note that currently the management of operational, reputational, ICT and security risks is guaranteed by the strong involvement of the Parent company Banca Ifis, which makes decisions in terms of strategies and risk management. The overall risk management framework was therefore extended, on the basis of the principle of proportionality, by adopting the same methodological approach and IT tools developed at the Parent company.

For more information, please refer to the 2025 Consolidated Reports and Financial Statements on page Financial results and presentations.