Internal controls and risk management
The doValue Group has adopted an internal control and risk management system aimed at constantly monitoring the main risks associated with its operations, in order to guarantee sound and prudent management consistent with the performance objectives and the safeguarding of the company’s assets, in line with the reference standards and best practices.
Primary responsibility for the completeness, adequacy, functionality and reliability of the processes lies with the governing bodies, and in particular with the Board of Directors and the Chief Executive Officer of doValue as director responsible for supervising the functioning of the internal control and risk management system, pursuant to the Code of Conduct of Borsa Italiana, and the Board of Statutory Auditors.
In line with reference best practices, the internal control system currently in place to monitor risks is organized in three levels:
- level one controls, embedded into day-to-day operations, where business and corporate units are responsible for identifying, measuring, monitoring and mitigating the risks arising from the company’s activities;
- level two controls, aimed at ensuring the correct implementation of the risk management process and the compliance of company operations with internal and external regulations, including those of self-regulation;
- level three controls, under the responsibility of an independent internal audit function, aimed at regularly evaluating the completeness, functionality, adequacy and reliability of the internal control system as well as identifying any necessary room for improvement.
As part of the Group's consolidation process, the overall structure of its internal control system was recently reviewed to ensure full effectiveness and alignment with the Group’s strategic objectives. This led to the establishment of the following Group functions, responsible for coordinating local control activities and for regularly reporting the outcomes to the Corporate Bodies:
- Group Internal Audit Officer, reporting directly to the Board of Directors of doValue, is responsible for coordinating the methodology for managing the entire audit cycle at the Group level and ensuring its adoption by the Local Internal Audit functions. It is also responsible for preparing integrated reports for the Parent Company’s Corporate Bodies;
- Group AML, hierarchically reporting to the General Counsel, is responsible for issuing Group guidelines and policies on the prevention of money laundering risk and supervising their adoption by the local Anti-money Laundering units;
- Compliance & Global DPO, hierarchically reporting to the Group General Counsel, is in charge of developing a Group-wide compliance framework and ensuring compliance with regulations falling under its direct responsibility (e.g., Market Abuse, Related Parties, Consob Regulations, Anti-corruption, Privacy). With regard to data protection-related matters, the Global DPO defines the Group’s organisational model and a common framework of controls, and coordinates data protection activities with local DPOs;
- Enterprise Risk Management, hierarchically reporting to the General Manager of Corporate Functions, is tasked with coordinating the management of the strategic, operational, legal, financial and reputational risks to which the Group is exposed, by means of suitable methodologies, procedures and instruments;
- Group Administration & Internal Control for Financial Report, hierarchically reporting to the Group Finance Functions, is responsible for supporting the Responsible Officer pursuant to L.262/2005 in validating the financial statements’ correctness and integrity for all Group legal entities included in the consolidation process.
Any material topics for the doValue Group and its Stakeholders are reported in the Non-Financial Consolidated Statement together with their associated risks, controls and management standards.
> Main risks linked to non-financial aspects
In addition to the risks associated with the main topics, the doValue Group has also assessed as material the reputational risk, which is inherent in its business operations and can originate transversally from the other risk types. In particular, reputational risk can be associated with a reduction in profits or capital as a result of a negative perception of the brand by customers, counterparties, shareholders, investors, or Supervisory Authorities.