Internal controls and risk management
The doValue Group has adopted an internal control and risk management system aimed at constantly monitoring the main risks associated with its operations, in order to guarantee sound and prudent management consistent, with the performance objectives and safeguarding the company’s assets, in line with the reference standards and best practices.
The primary responsibility of completeness, adequacy, functionality and reliability of the processes lies with the governing bodies, and in particular with the Board of Directors and the Chief Executive Officer of doValue as director responsible for supervising the functioning of the internal control and risk management system, pursuant to the Code of Conduct of Borsa Italiana, and the Board of Statutory Auditors.
In line with reference best practices, the internal control system today in place to monitor risks, is organized in three levels:
- level one controls - embedded into day-to-day operations where business and corporate units are responsible for identifying, measuring, monitoring and mitigating the risks arising from the company’s activities;
- level two controls aimed at ensuring the correct implementation of the risk management process and the compliance of company operations with internal and external regulations, including those of self-regulation;
- level three controls, under the responsibility of an independent internal audit function, aimed at regularly evaluating the completeness, functionality, adequacy and reliability of the internal control system as well as identifying any necessary room for improvement.
As part of the international growth process of the Group, over the last two years the overall structure of the Group’s internal control system has been reviewed to maintain its full effectiveness and alignment with the Group’s strategic objectives. This led to the setup of the following Group functions responsible for the coordination of local control activities and regularly reporting to the Corporate Bodies on the outcome of their work:
- Group Control Office, hierarchically reporting to the doValue Board of Directors, is in charge of ensuring a constant and independent evaluation of the overall internal control and risk management systems as well as the adoption of homogeneous methods and operating models by the Group’s Internal Audit and Anti-money Laundering units;
- Group Internal Audit, hierarchically reporting to the Chief Group Control Officer, is responsible for defining a common methodology for the end-to end management of the audit cycle (i.e. planning, execution and reporting of audit activities) and ensuring its adoption by the local Internal Audit functions;
- Group AML, hierarchically reporting to the Chief Group Control Officer, is responsible for issuing Group guidelines and policies on the prevention of money laundering risk and supervising their adoption by the local Anti-money Laundering units;
- Compliance & Global DPO, hierarchically reporting to the Group General Counsel, is in charge of developing a Group-wide compliance framework and ensuring compliance with regulations falling under its direct responsibility (e.g., Market Abuse, Related Parties, Consob Regulations, Anti-corruption, Privacy). With regards to data protection related matters, the Global DPO defines the Group’s organisational model and a common framework of controls and coordinates with local DPOs data protection activities;
- Enterprise Risk Management, hierarchically reporting to the General Manager of Corporate Functions, has the task to coordinate the management of strategic, operational, legal, financial and reputational risks which the Group is exposed to by means of suitable methodologies, procedures and instruments;
- Group Administration & Internal Control for Financial Report, hierarchically reporting to the Group Finance Functions, is responsible to support the Responsible Officer ex. L.262/2005 in validating the financial statements’ correctness and integrity for all Group legal entities included in the consolidation process.
Any material topics for the doValue Group and its Stakeholders are reported in the Non-Financial Consolidated Statement together with their associated risks, controls and management standards.
In addition to the risks associated with the main topics, the doValue Group has assessed as material also the reputational risk which is inherent to its business operations and can transversely originated by the other risk types. In particular, the reputational risk can be associated with the profits or capital reduction as a result of a negative perception of the brand by customers, counterparties, shareholders, investors, or Supervisory Authorities.