Internal control and risks

The internal control system is the set of rules, procedures and company units aimed at making company processes effective and efficient, guaranteeing the reliability and integrity of accounting and management information, and ensuring regulatory compliance and risk management.

Based on the internal control and risk management system, the company units work according to an organisational model consisting of three lines: Internal audit, Risk management and Compliance, Risk owners.



The objective of our internal audit unit is to verify and ensure the adequacy of our internal control system, in terms of effectiveness and efficiency. This control is deployed across the group companies both directly by the unit and by coordinating with the control units of the subsidiaries. Centralising audit activities enables us to strengthen the parent company's role of coordination within the internal control system and to improve the efficiency of control structure.

The unit is responsible for assessing the completeness, adequacy, functioning and reliability of the individual components of the internal control system. The unit has direct access to all the information needed, and has suitable means available to perform all its duties. The head of group audit takes part in meetings of the control and risks committee to support the committee in its supervisory work.

Head of Audit Unit: Giorgio Paleari (reporting to the board of directors).



The Compliance and AML unit manages the regulatory and reputational risks of the group, and, in particular, it checks whether the internal procedures are in line with the objective of preventing breaches of laws and regulations applicable to both bank and group. It monitors non-compliance risk associated with the provision of investment services and activities and ancillary services regulated by the MiFID directive, ensuring the group is kept up-to-date on changes to the domestic and European regulatory framework.

The head of the unit takes part in risks committee meetings, providing support to the committee for its supervisory work.
Head of the Compliance and AML Unit: Massimiliano Carnevali (reporting to the chief executive officer).

The Compliance and AML unit also contains the Group Anti-money-laundering unit which, as required by the instructions issued by the Bank of Italy on 10 March 2011, is responsible for ongoing monitoring of the company’s procedures to prevent and tackle breaches of regulations on money-laundering and terrorist financing. The Unit monitors these risks with regards to the bank and the Group, through a centralized model for Italian Companies and a decentralized model for foreign Companies, subject to a functional coordination. The Head of the Unit, Andrea Verger, has been appointed Group Head of Anti-Money-Laundering and Group Head of suspicious activities reporting.


The Risk Management unit is responsible for identifying and implementing an effective risk management process and for ensuring its deployment throughout the group. To this end, it controls the functioning of the risk management systems of the bank and the group, and develops appropriate methods for measuring the overall set of current and future risks. The unit ensures ongoing control of the aggregate exposure – at group and individual unit level – to credit, financial, operational and other relevant risks, within the limits set by the internal and supervisory regulations.

The chief risk officer is the person responsible for identifying and implementing an efficient risk management process, by developing risk management policies, which includes setting and quantifying risk appetite and risk limits at both the individual operating unit and group level.

The head of the unit takes part in control and risks committee meetings, providing support to the committee for its supervisory work.

Head of the risk management unit (chief risk officer): Pierpaolo Montana, reporting to the chief executive officer.



The risk owners are responsible for ensuring the correct management of the risks associated with the activities they perform and for putting adequate control measures in place.

Last update: 18/10/2018