The guidelines for the Internal Control and Risk Management System
The Board of Directors has defined the guidelines for the Internal Control and Risk Management System (ICRMS), a structured set of rules, procedures and organizational structures for identifying and managing risks.
An adequate Internal Control and Risk Management System helps ensure that the company is run soundly, correctly and consistently with its stated goals. It supports informed decision-making in the interest of all stakeholders. It contributes to safeguarding company assets, the efficiency and effectiveness of company processes, the reliability of the information provided to company bodies and the market, and compliance with laws and regulations, the bylaws and internal procedures.
The ERM approach
Our company manages risks through an ERM (Enterprise Risk Management) approach, developed in line with best international practice and inspired by the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO report).
The aim of the ERM approach is the informed analysis and evaluation of the risk factors that could compromise the achievement of strategic goals, while at the same time identifying the tools for preventing, managing and mitigating the most significant risks.
At least once a year, during the drafting of the budget, we carry out a global risk assessment, quantifying the risks and evaluating their possible impact both on the achievement of results and on the management of our portfolio of shareholdings.
The participants in the Internal Control and Risk Management System
The Internal Control and Risk Management System involves various company bodies and functions:
- the Board of Directors has final responsibility for the Internal Control and Risk Management System. In particular, it defines and updates the guidelines, in line with the strategic objectives and the company’s risk profile
- the director responsible for the Internal Control and Risk Management System ensures the functioning and adequacy of the System. Usually, this is the Chief Executive Officer
- the Control, Risks and Sustainability Committee has advisory, proposal and monitoring functions with respect to the System
- the manager responsible for the internal audit function prepares an audit plan and submits it to the Control, Risks and Sustainability Committee so that it may propose its adoption to the Board of Directors; verifies the operation and suitability of the Internal Control and Risk Management System through the audit plan; and promptly prepares reports on particularly significant events
- the Risk Manager carries out ongoing analysis and monitoring of key risks. In particular, he or she maps company processes, documents the principles and measures of risk management, methodically facilitates the measurement of risks in terms of probability and impact and evaluates their effects, analyzes risk mitigation factors, and monitors action plans for better risk management
- the Board of Statutory Auditors monitors the Internal Control and Risk Management System, exchanging information in a timely manner with the Control, Risks and Sustainability Committee
- the Supervisory Body carries out the tasks provided for in the Organizational Model, exchanges information with the Control, Risks and Sustainability Committee and the Board of Statutory Auditors, and periodically reports to the Board of Directors
- the manager responsible for drafting the company’s accounting documents oversees the system of internal administrative and accounting controls
Risk management in the subsidiaries
For KOS, the prevention and management of risk is not only a legal obligation but also an indicator of quality, a guarantee for patients and staff, and in the company’s own interest.
Since 2012, KOS has had an Enterprise Risk Management model that includes guidelines, annual audits, company training, constant monitoring of processes, and protocols for safety and risk assessment.
The group has established two dedicated corporate functions, one for risk management and one for safety. KOS’s ERM model is periodically updated to reflect the group’s growth and internal organizational changes.
Sogefi has had its own Enterprise Risk Management model since 2012. In line with best practice, since January 2019 Sogefi has had a separate Group Chief Risk Officer function.
Risk identification focuses on the key medium- and long-term strategic and economic drivers. Evaluating these allows the Board of Directors to better understand the scenarios that could compromise the achievement of targets, and to decide which actions to take, and with what priority, to prevent, mitigate or manage the main exposures.