Internal control system and risk management

The internal control system comprises the rules, procedures and organisational structures that aim to guarantee compliance with corporate strategies, the effectiveness and efficiency of processes, and the conformity of transactions with the regulatory framework and corporate regulations.

The internal control system

The internal control system plays a key role in the organisation of Banca Ifis. It plays a fundamental role in monitoring corporate risks and favours the dissemination of a correct culture of risk, legality and corporate values.

The internal control system consists of the set of regulations, functions, structures, resources, processes and procedures aimed at ensuring, in compliance with sound and prudent management, the achievement of the following objectives:

  • Executing business strategies and policies;
  • Containing risk within the limits set forth by the Risk Appetite Framework (RAF) for determining the Group’s risk appetite;
  • Safeguarding the value of assets and protecting the Bank from losses;
  • Maintaining effective and efficient business processes;
  • Ensuring the reliability and security of corporate information and IT procedures;
  • Preventing the risk that the Group might become involved, including involuntarily, in unlawful activities (and specifically those associated with money laundering, usury, and terrorist financing);
  • Ensuring operations comply with the law and supervisory regulations as well as internal policies, rules and procedures.

Role of the company’s bodies:

  • The Board of Directors approves the document of the “Group guidelines on the Internal Controls system”, last updated in September 2018. It verifies that the guidelines are consistent with the established strategic guidelines and risk appetite and that they can follow the evolution of business risks and the interaction between them. It approves the Risk Appetite Framework and the risk management policies;
  • The Risk Management and Internal Control Committee is responsible for supporting the Board of Directors in making assessments and decisions concerning the internal control and risk management system;
  • The Board of Statutory Auditors plays a fundamental role by supervising the adequacy and functionality of the internal control system;
  • The CEO is the director in charge of overseeing the functionality of the internal control and risk management system.

The proper function of the internal control system is based on fruitful interaction between the company’s bodies, the persons tasked with auditing and the control departments.

In particular, the Risk Management and Internal Control Committee and the Board of Statutory Auditors interact frequently during their meetings and, as needed, with the CEO, the Manager responsible for drafting accounting and corporate documents, the Auditing Firm, the Chief Risk Officer, the Head of Compliance and the Head of Anti-Money Laundering. They also systematically interact with the Head of Internal Audit, who usually attends the meetings of both bodies.

All corporate activities are subject to controls, articulated in three levels:

  • Line controls (first line of defence): Business areas, owners of the various processes and activities;
  • Second line of defence controls: Risk Management, Compliance, and Anti-Money Laundering departments;
  • Third line of defence controls: Internal Audit.

The heads of the control organisational units liaise with each other, coordinating and collaborating, to avoid overlapping, to develop synergies and to optimise partnership.

Taxonomy of Risks

Banca Ifis has defined a Risk Taxonomy which describes the logic followed in identifying the current and/or potential risks to which the Group could be exposed in reaching its strategic objectives and, for each type, the planned prevention and mitigation instruments. 

Identifying risks and regularly updating the relevant Risk Taxonomy is the result of the joint work of second line of defence departments (Risk Management, Compliance, Anti-Money Laundering) and third line of defence departments (Internal Audit), which meet once a year to discuss whether to introduce new risk events and/or review the assessment of potential risks based on the risk management outcomes of the previous year.

Risk Management

Risk Management identifies the risks the Parent and the Group companies are exposed to, measures and monitors these risks on a regular basis through specific indicators, and plans potential actions to mitigate material risks. The goal is to provide a holistic and comprehensive view of the risks the Group is exposed to, ensuring adequate reporting to governance bodies.

The overall governance and risk management structure at Group level is governed by the Risk Appetite Framework.


The audit work performed by the Compliance department, identified based on the plans approved by the Board of Directors, seeks to evaluate the effectiveness of the required, proposed or implemented organisational measures intended to manage the risk of non-compliance. 

The audits’ outcomes are formalised in reports that are shared with the competent corporate functions, which are requested to provide feedback on the remedial actions identified and on the schedule of their implementation.

Anti-Money Laundering

A specific Anti-Money Laundering corporate department performs systematic second line of defence audits concerning the risk of money-laundering and financing of terrorism to ensure the relevant procedures are properly applied to operational processes.

Internal Audit

The audit work performed by the Internal Audit department concerns all processes and consists in regularly monitoring the application of all the Bank’s operational policies, procedures and practices to identify potential anomalies or violations of internal rules as well as evaluate the effectiveness of the internal control system as a whole.

Internal Audit operates based on the plans approved by the Board of Directors, and conducts unplanned audits if required. Audit findings are shared with the relevant organisational unit as well as second line of defence functions, and submitted to the Board of Statutory Auditors as well as the Risk Management and Internal Control Committee.

Credit risk

Given the particular business of the Group’s companies, credit risk is the most important element to consider as far as the general risks assumed by the Group are concerned. Maintaining effective credit risk management is a strategic objective for the Group, pursued by adopting integrated tools and processes that ensure proper credit risk management at all stages (preparation, lending, monitoring and management, and interventions on troubled loans).

Credit risk is continuously monitored with the help of procedures and tools that allow for the timely identification of positions that present particular anomalies. Over time, the Banca Ifis Group has implemented instruments and procedures that allow it to evaluate and monitor risks specifically for each type of customer and product.

The Banca Ifis Group pays particular attention to the concentration of credit risk with reference to all the Group’s companies, both at an individual and consolidated level. Banca Ifis’s Board of Directors has mandated the Top Management to take action to contain major risks. In line with the directives of the Board, those positions that are at risk and engage the Group to a considerable extent are subject to systematic monitoring.

Credit risk mitigation techniques

Credit risk mitigation techniques include those instruments that help limit the loss the Group would suffer should the counterparty default; specifically, these are the collateral and personal guarantees pledged by customers, and any agreements that could potentially reduce credit risk.

In general, as part of the credit granting and management process, for certain types of credit lines, customers are encouraged to provide suitable guarantees in order to reduce their risk. These may consist of collateral, such as liens on financial assets, mortgages on residential or non-residential property, and/or personal guarantees (usually sureties) provided by a third party, where an individual or legal entity takes responsibility for the customer’s obligations in the event of insolvency.

The Bank’s Risk Management function constantly monitors the quality and adequacy of the procedures for assessing collateral to provide central oversight over the assessment and monitoring of collateral for the Banca Ifis Group’s loan portfolio. For greater operational efficiency, these processes are carried out by a dedicated organisational unit, recently established, called ‘Collateral Monitoring’, which reports directly to the Bank’s Chief Risk Officer.

For further information, we refer you to the 2019 Reports and consolidated financial statements.


Market risk

Interest rate risk and price risk – supervisory trading book 

The guidelines on the assumption and monitoring of market risk are set out at Group level in the ‘Group Market Risk Management Policy’, in which, for the purposes of a more rigorous and detailed representation of process activities, the metrics for measuring and monitoring the risk in question have also been indicated.

In particular, the measurement and assessment of market risks is based on the various characteristics (in terms of time horizon, investment instruments, etc.) of the investment strategies of the Banca Ifis Proprietary Portfolio, consistently with what is outlined in the document “The Proprietary Portfolio Management Policy of Banca Ifis”, which defines the strategies to be followed in terms of portfolio structure, instruments subject to operations and activities in detail.

Interest rate risk and price risk – banking portfolio

As a general principle, the Group does not assume significant interest rate risks. As regards the composition of the Assets and Liabilities Statement and the resulting sources of interest rate risk, on the liabilities side the prevalent technical form of funding continues to be the online deposit account “Rendimax Conto Deposito”. Customer deposits on the “Rendimax Conto Deposito” and “Rendimax Conto Corrente” products are at a fixed rate for the fixed-term part, while on-demand and call deposits are at a non-indexed floating rate that the Group can unilaterally revise without prejudice to legal and contractual provisions. The other main funding components concern mainly fixed rate bond deposits, a variable rate self-securitisation transaction and loans with the Eurosystem (TLTRO).

With regard to assets, customer loans remain mainly at variable rates, both with regard to the commercial credit component and to corporate loans.

Within the sphere of non-performing loan transactions (carried out by the subsidiaries Ifis Npl S.p.A. and Ifis Npl Servicing S.p.A.), characterised by a business model focused on the purchase of receivables at lower values than the nominal value, there is a potential interest rate risk connected to the uncertainty over collection times.

At 31 December 2019, the total bond portfolio consisted mainly of fixed-rate government securities indexed to the inflation rate. The average duration of this portfolio is approximately 2.9 years.

The Central Capital Markets Directorate is the corporate function responsible for managing interest rate risk. In line with the established appetite for risk, it defines the actions necessary to pursue the risk. The Risk Management function is responsible for proposing the risk appetite, identifying the most appropriate risk indicators and monitoring the performance of assets and liabilities in relation to the set limits. Each year, the Top Management proposes to the Bank’s Board of Directors its lending and funding policies and its interest rate risk management policies. It also suggests any appropriate action to ensure that it carries out its activities in accordance with the risk policies approved by the Bank.

The Risk Management department periodically reports to the Bank’s Board of Directors on the interest rate risk position by means of a quarterly Dashboard prepared for the Bank’s management.

For further information, we refer you to the 2019 Reports and consolidated financial statements.


Currency risk

The assumption of currency risk is currently foreign to the Group’s policies. Banca Ifis’s foreign currency operations largely involve collections and payments associated with factoring operations. In this sense, the advances in foreign currency granted to customers are generally hedged with deposits and/or loans from other banks in the same currency, thus eliminating for the most part the risk of losses associated with exchange rate fluctuations. In some cases, synthetic instruments are used as hedging instruments.

For further information, we refer you to the 2019 Reports and consolidated financial statements.


Liquidity risk

The liquidity risk refers to the possibility that the Group fails to service its debt obligations due to the inability to raise funds or sell enough assets on the market to address liquidity needs. The liquidity risk also refers to the inability to secure new adequate financial resources, in terms of amount and cost, to meet its operating needs and opportunities, hence forcing the Group to either slow down or stop its operations, or incur excessive funding costs in order to service its obligations, significantly affecting its profitability.

During 2019, the composition of the Group’s funding remained substantially unchanged compared to the end of 2018.

During 2019 there was a significant increase in available liquidity reserves compared to the end of 2018. The amount of these high quality liquidity reserves (mainly held by the Group in its current account with the Bank of Italy and government securities forming part of the intra-day reserve) makes it possible to satisfy the regulatory and internal requirements relating to the prudent management of liquidity risk.

The Group is constantly striving to improve the state of its financial resources, in terms of both size and cost, so as to have available liquidity reserves adequate for current and future business volumes.

The Parent Company’s business departments responsible for ensuring that liquidity policies are properly implemented are: ALM & Capital Management, which directly manages liquidity; the Risk Management function, responsible for proposing the risk appetite, selecting the most appropriate risk indicators and monitoring them with reference to pre-set limits, as well as supporting Top Management; and the Top Management, which every year, aided by ALM & Capital Management, makes proposals to the Board of Directors regarding policies on funding and the management of liquidity risk, and suggests appropriate actions during the year in order to ensure that operations are conducted consistently with the risk policies approved by the Bank.

For further information, we refer you to the 2019 Reports and consolidated financial statements.


Operational risks

Operational risk is the risk of losses arising from inadequate or dysfunctional processes, human resources, internal systems or external events. This definition does not include strategic risk and reputational risk, but it does include legal risk (i.e. the risk of losses deriving from failure to comply with laws or regulations, contractual or extra-contractual liability, or other disputes), IT risk, risk of non-compliance, fraud risk, risk of money laundering and terrorist financing, and the risk of financial misstatement.

The main sources of operational risk are operational errors, inefficiency or inadequacy of the operational processes and of the relative controls/measures, internal and external fraud, lack of compliance of internal regulations with external standards, the outsourcing of corporate functions, the qualitative level of physical and logical security, inadequacy or unavailability of hardware and software systems, increasing recourse to automated processes, insufficient number of posts compared to the size of operations and, lastly, inadequacy of staff management and training policies.

Banca Ifis Group has for some time now defined – in line with the appropriate regulatory requirements and best practices in the sector – the overall framework for the management of operational risk, represented by a set of rules, procedures, resources (human, technological and organisational) and control activities aimed at identifying, assessing, monitoring, preventing or mitigating and communicating to the appropriate hierarchical levels all the operational risks assumed or that can be assumed in the various organisational units. The key processes for the correct management of operational risk are also represented by Loss Data Collection and the forward-looking self-assessment of exposure to operational risk (Risk Self-Assessment).

The Loss Data Collection process has now been consolidated, also thanks to Risk Management’s constant efforts to disseminate a culture of pro-actively managing operational risks among the various structures, and therefore to raise awareness about the Loss Data Collection process.

In the last quarter of 2019, the Group launched the periodic Risk Self-Assessment campaign, which included the scope at the end of the year. Following this campaign, scheduled to end in the first half of 2020, the Group shall identify the main operational issues and subsequently define and launch specific mitigation measures to bolster operational risk controls.

In addition, the Group’s operational risk management framework foresees the definition of a set of risk indicators that can promptly identify the presence of vulnerabilities in the exposure of the Bank and its subsidiaries to operational risks. These indicators are continuously monitored and disclosed in periodic reports that are shared with the competent structures and bodies: events such as the breach of certain thresholds or the emergence of anomalies trigger specific escalation processes aimed at defining and implementing appropriate mitigation actions.

For further information, we refer you to the 2019 Reports and consolidated financial statements.