Internal control system and risk management

The internal control system comprises the rules, procedures and organisational structures that aim to guarantee compliance with corporate strategies, the effectiveness and efficiency of processes, and the conformity of transactions with the regulatory framework and corporate regulations.

The internal control system

The internal control system plays a key role in the organisation of Banca Ifis. It plays a fundamental role in monitoring corporate risks and favours the dissemination of a correct culture of risk, legality and corporate values. It represents a key element of expertise for the corporate bodies in order to:
  • Guarantee full awareness of the situation and an effective monitoring of company risks and their interrelations;
  • Influence changes to strategic lines and company policies;
  • Consistently adapt the context of the organisation;
  • Oversee the functionality of the management systems and compliance with prudential supervisory institutions;
  • Encourage the dissemination of a correct culture of risk, legality and corporate values.
Banca Ifis, in compliance with the provisions of supervisory regulations and the rules on the investment services provided, pursues the following general principles of organisation:
  • The decision-making processes and the assignment of tasks to personnel are formalised and allow univocal identification of duties and responsibilities, and are suited to preventing any conflict of interest. Additionally, the necessary separation between operating and control functions is ensured;
  • The human resource management policies and procedures ensure that all personnel are equipped with the skills and expertise needed to perform the responsibilities assigned to them;
  • The risk management process is effectively integrated. Indeed: a common language is used in risk management at all levels; the methods and instruments used to identify and assess risks are consistent with each other; risk reporting forms are clearly defined, in order to encourage understanding and proper assessment of these, also considering the global risk; moments dedicated to coordination and liaison are set aside in order to carry out the relative activities effectively; there are continuous information flows between the various functions in connection with the results of the pertinent control activities; the identified corrective actions are shared;
  • The processes and methods for evaluating corporate assets and liabilities, also for accounting purposes, are reliable and integrated with the risk management process. To this end: definition and validation of valuation methods are entrusted to different units; the valuation methods are robust, tested under stress and do not rely excessively on any single source of information; valuation of financial instruments is entrusted to an independent unit rather than the unit trading said instrument;
  • The operating and control procedures minimise the risks related to fraud or employee disloyalty, prevent, or where this is not possible, mitigate, potential conflicts of interest and, furthermore, prevent involvement, even unconsciously, in money laundering, usury or terrorism financing;
  • The IT system complies with the requirements of supervisory regulations currently in force;
  • The guaranteed levels of business continuity are suitable and comply with the requirements of supervisory regulations currently in force.
Role of the company’s bodies:
  • The Board of Directors approves the document of the “Group Guidelines on the Internal Control System”, updated last in February 2022. It verifies that the guidelines are consistent with the established strategic guidelines and risk appetite and that they can follow the evolution of business risks and the interaction between them. It also approves the Risk Appetite Framework and risk management policies;
  • The Risk Management and Internal Control Committee is responsible for supporting the Board of Directors in making assessments and decisions relating to the internal control and risk management system;
  • The Board of Statutory Auditors plays a fundamental role in supervising the adequacy and functionality of the internal control system;
  • The CEO is the director in charge of overseeing the functionality of the internal control and risk management system.
The correct functioning is based on successful interaction between corporate bodies, any committees formed within corporate bodies, external auditors and control functions. In particular, the Risk Management and Internal Control Committee and the Board of Statutory Auditors interact frequently during their meetings, and, as needed, with the CEO, the Manager responsible for drafting accounting and corporate documents, the Auditing Firm, the Chief Risk Officer, the Head of Compliance and the Head of Anti-Money Laundering. They also systematically interact with the Head of Internal Audit who, usually, attends the meetings of both bodies.
All corporate activities are subject to controls, articulated in three levels:
  • Line controls (first level): business areas, owners of the various processes and activities;
  • Second level controls: Risk Management, Compliance and Anti-Money Laundering corporate functions;
  • Third level controls: Internal Audit.
The heads of the control organisational units liaise with each other, coordinating and collaborating, to avoid overlapping, to develop synergies and to optimise partnership.

Taxonomy of Risks

Banca Ifis has defined a Risk Taxonomy which describes the logic followed in identifying the current and/or potential risks to which the Group could be exposed in reaching its strategic objectives and, for each type, the planned prevention and mitigation instruments. The identification of risks and the periodic updating of the Risk Taxonomy are the result of joint work performed by the Control Functions (Risk Management, Compliance, Anti-Money Laundering, Internal Audit) and the Executive in Charge and are approved, at the proposal of the Chief Executive Officer, by the Board of Directors of the Parent Company, after consulting the Risk Management and Internal Control Committee. After receiving guidance from the Control Functions, the Financial Reporting Officer and the Organisational Office, the Chief Executive notifies the Parent Company’s Board of Directors of any requirements to update this document following regulatory, strategic and organisational changes.

Risk Management

Risk Management identifies the risks the Parent and the Group companies are exposed to and measures and monitors these risks on a regular basis through specific indicators, planning potential actions to mitigate material risks. The goal is to provide a holistic and comprehensive view of the risks the Group is exposed to, ensuring an adequate reporting to governance bodies. The overall governance and risk management structure at Group level is governed by the Risk Appetite Framework.

Compliance

The control activities carried out by Compliance, identified on the basis of planning approved by the Board of Directors, aim to verify the effectiveness of the organizational measures required, proposed and implemented to manage the risk of non-compliance. The audit findings are formally presented in reports shared with the relevant business structures, which must provide feedback on the remedial actions identified and the relevant implementation time line.

Anti-Money Laundering

A specific Anti-Money Laundering function carries out systematic second-level controls in relation to the risk of money laundering and terrorist financing, to ensure correct application of procedures to the operating processes.

Internal Audit

The audit work performed by the Internal Audit department concerns all processes and consists in regularly monitoring the application of all the Bank’s operational policies, procedures and practices to identify potential anomalies or violations of internal rules as well as evaluate the effectiveness of the internal control system as a whole. Internal Audit operates on the basis of planning approved by the Board of Directors, and carries out unplanned audits for specific needs. Audit results are shared with the reference organizational unit and with the second level control functions, and are sent to the Board of Statutory Auditors and the Risk Management and Internal Control Committee.

Credit risk

Given the particular business of the Group’s companies, credit risk is the most important element to consider as far as the general risks assumed by the Group are concerned. Maintaining an effective credit risk management is a strategic objective for the Banca Ifis Group, pursued by adopting integrated tools and processes that ensure proper credit risk management at all stages (preparation, lending, monitoring and management, and interventions on troubled loans). Credit risk is continuously monitored with the help of procedures and tools that allow for the timely identification of positions that present particular anomalies. Over time, the Banca Ifis Group has implemented instruments and procedures that allow risks to be specifically evaluated and monitored for each type of customer and product. The Banca Ifis Group pays particular attention to the concentration of credit risk with reference to all Group companies, at both individual and consolidated level. Banca Ifis’s Board of Directors has mandated the Top Management to take action to contain major risks. In line with the directives of the Board, those positions that are at risk and engage the Group to a considerable extent are subject to systematic monitoring.

Credit risk mitigation techniques

Credit risk mitigation techniques include those instruments that help limit the loss the Group would suffer should the counterparty default; specifically, these are the collateral and personal guarantees pledged by customers, and any agreements that could potentially reduce credit risk. In general, as part of the credit granting and management process, for certain types of credit lines, customers are encouraged to provide suitable guarantees in order to reduce their risk.
These may consist of collateral, such as liens on financial assets, mortgages on residential or non-residential property, and/or personal guarantees (usually sureties) provided by a third party, where an individual or legal entity takes responsibility for the customer’s obligations in the event of insolvency. In particular:
  • As part of factoring operations, when the type and/or quality of factored receivables do not fully satisfy requirements or, more generally, the invoice seller is not sufficiently creditworthy, the bank’s established practice is to hedge the credit risk assumed by the Group by obtaining additional surety bonds from the shareholders or directors of the invoice seller. As regards the assigned debtors in factoring relationships, where it is believed that the evaluation elements available on the assigned debtor do not enable a correct evaluation/assumption of the credit risk connected to the debtor counterparty, or that the risk amount proposed exceeds limits identified when assessing the counterparty, the default risk of the assigned debtor is suitably hedged. Guarantees issued by correspondent factors and/or insurance policies underwritten with specialised operators are the main hedge against non-domestic account debtors in non-recourse operations;
  • In the area of loans to companies, where possible, suitable guarantees are acquired from the Central Guarantee Fund or from other companies within the public sphere such as SACE S.p.A.;
  • In relation to the Special Situations and Structured Finance operations, guarantees are acquired according to counterpart standing, the duration and type of loan. Said collateral includes mortgage guarantees, liens on plant and equipment, pledges, surety bonds, credit insurance, and collateral deposits;
  • In relation to financial leases, it should be noted that the credit risk is mitigated by the presence of the leased asset. The Lessor maintains the ownership until the final purchase option becomes available, thus ensuring for itself a greater recovery rate in case of a default by the customer;
  • In relation to transactions involving non-performing loans and the purchase of tax receivables from insolvency proceedings, and the related business model, no actions are normally taken to hedge against credit risks;
  • Salary-backed loans undoubtedly have a low-risk technical form, considering the characteristics of this product which necessarily requires insurance coverage against the risk of death and/or loss of employment and the constraint, as a greater guarantee of the loan, on the Severance Pay accrued by the customer;
  • Pharmacy financing transactions provide for an advance accompanied by a sale or a mandate to collect receivables.
In line with the provisions of the Liquidity Decree (D.L. no. 23 of 8 April 2020) the Group took advantage of the guarantees offered by the state Guarantee Fund for the type of customers and loans provided for by the Decree, with coverage that can reach up to 100%. This guarantee allows for a reduction in RWAs relating to credit risk, in proportion to the amount of exposure covered by the Fund. The acquired NPL portfolios include positions secured by mortgages on properties that present a lower risk than the overall acquired portfolio. When calculating the overall credit limit for an individual customer and/or legal and economic group, the Bank considers specific criteria when weighing the different categories of risks and guarantees. Specifically, when measuring collateral, it applies prudential ‘spreads’ differentiated by type of guarantee. The Group continuously checks the quality and adequacy of guarantees acquired on the loan portfolio, with second-level controls carried out by the Parent Company’s Risk Management function and performed in the Single File Review area. For further information, please refer to the 2021 Reports and consolidated financial statements.

Market risk

Interest rate risk and price risk – supervisory trading book

Market risk represents the risk of loss due to adverse movements in market prices (share prices, interest rates, foreign exchange rates, commodity prices, volatility of risk factors, and so on) in connection with the trading book for Supervisory purposes (position, settlement and concentration risks) and with the Bank’s entire budget (exchange rate and position risk on commodities).
During 2021, the overall investment strategy of the Group’s proprietary portfolio, governed by the “Banca Ifis Property Portfolio Management Policy”, continued to be characterised, in line with the risk tolerance formulated by the Board of Directors and expressed in the “Group Policy for the management of Market Risks”, by a conservative “stance”, mainly consisting of a low-risk portfolio characterised by high liquidity and a strategy of constant returns in the medium term. In this context, the component relating to the ‘trading portfolio’ from which the market risk in question originates was marginal both in absolute terms of the risk values recorded and with respect to the established limits. The trading portfolio is mainly composed of optional components deriving mainly from hedging and enhancement transactions ancillary to the investment strategy for the assets in the ‘banking portfolio’ and the ‘discretionary trading’ portfolio, which takes a short-term speculative approach. From the point of view of internal management, in a broader perspective and in general relating to operations on the financial markets, the banking portfolio is also prudently monitored according to the logic of market risks and subject to specific limits, i.e. the positions posted in HTC&S and accounted for as FVOCI, whose changes in value could have significant impacts on reserves and consequently on the Bank’s assets.

Interest rate risk and price risk – banking book

As a general principle, the Group does not assume significant interest rate risks. In terms of composition of the balance sheet with reference to the type of risk in question, in relation to the liability component, the main source of funding continues to be the “Rendimax” online deposit account, customer deposits at a fixed rate for the binding component, and at a non-indexed floating rate, which can be reviewed unilaterally by the Bank in compliance with regulations and contracts, for free demand and demand deposits.
The other main funding components concern mainly fixed rate bond deposits, variable rate self-securitisation transactions and loans with the Eurosystem (the so-called TLTRO). As for the assets, loans to customers still largely have floating rates as far as both trade receivables and corporate financing are concerned. Within the sphere of non-performing loan transactions (carried out by the subsidiaries Ifis Npl Investing S.p.A. and Ifis Npl Servicing S.p.A.), characterised by a business model focused on the purchase of receivables at lower values than the nominal value, there is a potential interest rate risk connected also to the uncertainty over collection times. At 31 December 2021, the total bond portfolio consisted mainly of government bonds, for a percentage of approximately 87%; the overall average modified duration is approximately 2.5 years. The Central Capital Markets Directorate is the corporate function responsible for managing interest rate risk. In line with the established appetite for risk, it defines the actions necessary to pursue the risk. The Risk Management function is responsible for proposing the risk appetite, identifying the most appropriate risk indicators and monitoring the performance of assets and liabilities in relation to the set limits. Each year, the Top Management proposes to the Bank’s Board of Directors its lending and funding policies and its interest rate risk management policies. It also suggests any appropriate action to ensure that it carries out its activities in accordance with the risk policies approved by the Bank. The Risk Management department periodically reports to the Bank’s Board of Directors on the interest rate risk position as part of the specific monthly reports prepared by the Risk Management department for top management. For further information, please refer to the 2021 Reports and consolidated financial statements.

Currency risk

The exchange rate risk is the risk of incurring losses due to adverse changes in the prices of foreign currencies on the positions held, regardless of the allocation portfolio (trading portfolio for supervisory purposes and trading portfolio). In relation to exchange rate risk, currency transactions mainly consist of:
  • Transactions entered into with customers normally related to typical factoring and lending activity, originating from both Business Units in Italy and from foreign subsidiaries (in Poland and Romania) for which the exchange risk is mitigated from the outset by resorting to funding with the same original currency;
  • Transactions that are part of the typical Treasury activity for the management of mismatching between use by customers and the related currency procurement carried out on the market.
For further information, please refer to the 2021 Reports and consolidated financial statements.

Liquidity risk

The liquidity risk refers to the possibility that the Group fails to service its debt obligations due to the inability to raise funds or sell enough assets on the market to address liquidity needs. The liquidity risk also refers to the inability to secure new adequate financial resources, in terms of amount and cost, to meet its operating needs and opportunities, hence forcing the Group to either slow down or stop its operations or incur excessive funding costs in order to service its obligations, significantly affecting its profitability. In 2021, in line with the strategy defined in the funding plan, the Group increased the stock of securitised deposits placed directly with institutional investors and used indirectly as collateral for medium term structured repo transactions with institutional investors. The other main forms of funding (from customers, Eurosystem, bond issuances) have remained essentially stable. At 31 December 2021 the main funding sources were the Bank’s equity, online retail funding (consisting of on-demand and term deposits), medium/long-term bonds issued as part of the EMTN programme, funding from the Eurosystem (TLTRO), medium/long-term securitisation transactions, and the Abaco channel with the Bank of Italy. The Group is constantly engaged in the harmonious development of its financial resources, both in terms of size, of structural balance between assets and liabilities in terms of duration, and costs, in order to have available liquidity reserves adequate for the current and future business volumes.
The corporate functions of the Parent Company responsible for ensuring the correct application of the liquidity policy refer to the Capital Markets Head Office, in relation to the direct and centralised management of liquidity, and the Risk Management function, which contributes to the definition of the policies, processes and instruments for the identification, assessment, monitoring, mitigation and reporting of the Group with regard to liquidity risk. Risk Management also checks to see whether business departments observe the limits imposed and proposes risk mitigation initiatives to the Board of Directors and the Chief Executive Officer. The Risk Management function is also responsible for proposing the risk appetite, selecting the most appropriate risk indicators and monitoring them with reference to pre-set limits, as well as supporting Top Management; and the Top Management, which every year, aided by Capital Markets Head Office, shall make proposals to the Bank’s Board of Directors regarding policies on funding and the management of liquidity risk, as well as suggest appropriate actions during the year in order to ensure that operations are conducted consistently with the risk policies approved by the Bank. For further information, please refer to the 2021 Reports and consolidated financial statements.

Impacts resulting from the Covid-19 pandemic

In the period of greatest turbulence of the markets as a result of the pandemic, the available and readily usable liquidity reserves remained largely sufficient with respect to the Group’s bonds, constantly recording, for the LCR and NSFR regulatory indicators, values significantly higher than the required thresholds. Also in terms of the survival period, which considers the occurrence of a severe combined stress scenario, values were found in line with the established risk appetite.
With regard to the evolution of funding volumes attributable to the effects of the pandemic during 2021, available liquidity remained at levels significantly above regulatory and internal limits and up from the average level in 2020. In line with the aforementioned strategy in terms of management and risk appetite, despite the exceptional nature of the pandemic event, no violations of the risk thresholds assigned internally were detected during 2021. For further information, please refer to the 2021 Reports and consolidated financial statements.

Operational risks

The operational risk is defined as the risk of suffering losses resulting from inadequate or dysfunctional processes and IT systems, human error, or external events. This definition does not include strategic risk and reputational risk, but it does include legal risk (i.e. the risk of losses deriving from failure to comply with laws or regulations, contractual or extra-contractual liability, or other disputes), IT risk, risk of non-compliance, fraud risk, risk of money laundering and terrorist financing, and the risk of financial misstatement. The Operational Risk Management structure, which is part of the Risk Management department, monitors the Operational risks at the level of the Parent Company and main subsidiaries. The main sources of operational risk are operational errors, the inefficiency or inadequacy of operational processes and of related controls/safeguards, internal and external fraud, lack of internal regulation compliance with external regulations, the outsourcing of company functions, quality level of physical and logical security, inadequacy or unavailability of hardware and software systems, increasing use of automation, insufficient number of personnel compared to the size of operations and lastly inadequacy of personnel management and training policies.
The Banca Ifis Group has for some time now defined – in line with the appropriate regulatory requirements and best practices in the sector – the overall framework for the management of operational risk, represented by a set of rules, procedures, resources (human, technological and organisational) and control activities aimed at identifying, assessing, monitoring, preventing or mitigating and communicating to the appropriate hierarchical levels all the operational risks assumed or that can be assumed in the various organisational units. The key processes for correct management of operational risk are represented by the collection of operational loss data (Loss Data Collection – LDC) and the prospective self-assessment of the exposure to operational risk (Risk Self Assessment – RSA) and the self-assessment of the degree of exposure to model risk, i.e. the risk of incurring financial losses or incorrect strategic decisions deriving from improper or incorrect use of the results and reports produced by the models used (Model Risk Self Assessment). The Loss Data Collection process has now been consolidated, also thanks to Risk Management’s constant efforts to disseminate a culture of pro-actively managing operational risks among the various structures, and therefore to raise awareness about the Loss Data Collection process. It should be noted that during the first half of 2021 the periodic Risk Self Assessment campaign, launched in the last quarter of 2020, was completed. The main operational issues were then identified and specific mitigation measures were defined and launched aimed at further strengthening the safeguards against operational risks. 
In the same period, the Model Risk Self Assessment campaign was also completed, conducted considering the organizational units as Model Owners present at the Parent Company and at the Subsidiary Ifis Npl Investing, as the responsibility for the development and maintenance of the models is attributed to the Parent Company’s Risk Management. Following the campaign, the models most exposed to risk were identified and reported to the Validation department for the definition of appropriate mitigation actions. The Group’s operational risk management framework also foresees the definition of a set of risk indicators that can promptly identify the presence of vulnerabilities in the exposure of the Bank and its subsidiaries to operational risks. These indicators are continuously monitored and disclosed in periodic reports that are shared with the competent structures and bodies: events such as the breach of certain thresholds or the emergence of anomalies trigger specific escalation processes aimed at defining and implementing appropriate mitigation actions. Considering the development of the business and the internal and external operating context in which the Group operates, the indicators are subject to a periodical update/review. The Group operational and reputational risk management policy, which covers all the Key Risk indicators, was adjusted and reviewed in the last quarter of 2021 and approved and published in January 2022. Moreover, in order to prevent and manage operational risk, the Parent’s Risk Management, working together with other business functions, assesses the outsourcing of operational functions as well as the risks associated with the introduction and specific testing of new products and services. Finally, it helps monitor IT risk as well as the effectiveness of the measures intended to protect ICT resources. For further information, please refer to the 2021 Reports and consolidated financial statements. 

Impacts resulting from the Covid-19 pandemic

With reference to the impacts deriving from the Covid-19 emergency, the operational and reputation risk management strategies underwent changes in 2020 both as a result of specific requests by the regulator, and to recalibrate the internal control system in order to make the monitoring activities more responsive to the changed methods of carrying out some business activities following the restrictions imposed. Following the easing of the restrictive measures and the subsequent resumption of business activities as normal, the strategies for managing operational and reputational risks were also gradually readjusted. In particular, the methods of carrying out Risk Management activities with regard to monitoring and reporting in the various areas (e.g. disputes, NPL loans, etc.), as well as the Key Risk Indicators restructured with a view to bringing the controls more in line with the various operating conditions and business needs, were restored to regular levels and did not undergo any further significant changes as a result during 2021. For further information, please refer to the 2021 Reports and consolidated financial statements.