Risk management

Guidelines of the Internal Control and Risk Management System

The Board of Directors has defined the guidelines of the Internal Control and Risk Management System (ICRMS), an integrated set of rules, procedures, and organizational structures aimed at identifying, assessing, and managing the risks to which the Group is exposed.
An effective ICRMS is essential for sound and proper business management, consistent with strategic objectives, and capable of supporting informed decision-making in the interest of all stakeholders. It contributes to the protection of corporate assets, operational efficiency, the reliability of financial and non-financial information, and compliance with applicable regulations, the Bylaws, and internal policies.

The ERM approach

CIR adopts an Enterprise Risk Management (ERM) model inspired by international best practices and based on the framework of the “Committee of Sponsoring Organizations of the Treadway Commission” (COSO report).
The objective of the ERM model is to:

  • identify in a structured manner the main risks that could hinder the achievement of strategic objectives;
  • assess their impact and probability of occurrence;
  • identify adequate measures for their prevention, mitigation, or management.

This analysis is carried out at least once a year, during the budget definition process, with an overall assessment of the risk portfolio, which is also useful for the strategic management of investments.

The participants in the Internal Control and Risk Management System

The ICRMS involves multiple corporate bodies and functions with differentiated but coordinated tasks:

  • Board of Directors: has ultimate responsibility for the ICRMS. It defines the guidelines, identifies the nature and level of risk compatible with strategic objectives, and annually assesses the effectiveness, efficiency, and adequacy of the system;
  • Director in charge of the ICRMS: ensures the implementation and effective functioning of the system. This role is normally held by the Chief Executive Officer;
  • Control, Risks and Sustainability Committee: carries out advisory, propositional, and monitoring functions in support of the Board regarding internal control and risks;
  • Head of Internal Audit: prepares the audit plan, verifies the adequacy of the ICRMS, and drafts periodic reports on significant aspects or issues identified;
  • Risk Manager: continuously analyzes and monitors the main corporate risks, manages process mapping, supports quantitative risk assessment, monitors mitigation plans, and periodically updates risk reporting;
  • Board of Statutory Auditors: oversees the effectiveness of the ICRMS, maintaining constant information exchange with the Control, Risks and Sustainability Committee;
  • Supervisory Body (OdV): monitors compliance with Model 231, reports to the Board of Directors, and cooperates with the control system actors;
  • Officer in charge of preparing the company’s accounting documents: supervises the internal control system in the administrative-accounting area, ensuring the reliability of financial information.

Risk Management in Subsidiaries

The Group’s main operating companies adopt an approach consistent with that of the parent company, integrating an ERM model into their respective control systems.

  • KOS considers risk management a distinguishing factor of quality, with direct relevance to patient safety and service reliability. Its ERM system, introduced in 2012, includes guidelines, annual audits, training, safety protocols, and two dedicated functions for Risk Management and Safety. The model is regularly updated to reflect the group’s organizational evolution.
  • Sogefi, which has also had an ERM model in place since 2012, established the role of Group Chief Risk Officer in 2019, independent from Internal Audit and tasked with overseeing the identification, assessment, and management of major strategic, operational, and compliance risks.

In both cases, risk identification is guided by the main medium-to-long-term strategic and financial drivers and supports the Board of Directors in understanding evolving scenarios and defining intervention priorities.