Roles and responsibilities:
Role of corporate bodies
The fundamental role in risk management and control is played by the Board of Directors of the parent company, which determines the strategic guidelines and the risk objectives and limits, approves, reviews and revises risk management policies, and assesses the efficiency and adequacy of the internal control system. For investigative and consultative activities relating to internal control and the monitoring of the management of business risks, the Board of Directors uses the services of the Risks Committee within the board and the Steering Committee. Together with the Chief Executive Officer, the Board is in charge of implementing the strategic guidelines, the Risk Appetite Framework and the risk management policies.
The Board of Statutory Auditors, a body with a control function, oversees the adequacy of the risk management and control system as well as internal audit, compliance with the laws and regulations governing banking activity and the functionality and adequacy of the internal control system as a whole. To perform its duties, the board receives appropriate information flows from the other corporate bodies and control functions and is identified by the Group as the control body pursuant to Legislative Decree no. 231/01, and accordingly is in charge of ensuring that the Organisation, Management and Control Model is working and being complied with.
Role of business functions
The CRO is in charge of control activities as the risk management function, identifying the risks to which the Group is exposed and ensuring, with the support of the technical functions concerned, that these risks are constantly covered, both through periodic monitoring and control by way of specific indicators and through governance, planning any mitigation measures for significant risks. The governance and risk management structure is regulated by the Risk Appetite Framework.
The Compliance & AML Department is in charge of managing the risk of non-compliance with laws and regulations as well as overseeing money-laundering and terrorist financing risk, internally combining the two responsibilities identified in the relevant laws and regulations. The Department is also responsible for Group control of matters on personal data protection in support of the Data Protection Officer, identified pursuant to article 37 of Regulation (EU) 2016/679 as the Head of the Compliance & AML Department and appointed in accordance with the Data Protection Authority’s Designation Scheme.
Lastly, the Internal Audit Department is responsible for overseeing control activities as the Internal Audit function. More specifically, it monitors the regular course of operations and the evolution of risks, and assesses the completeness, accuracy, functionality and reliability of the components of the internal control system and the information system, the risk management process and the Risk Appetite Framework, in this way contributing to improving the efficacy and efficiency of the organisation, the control processes and the risk management policies and processes.