The Internal Control and Risk Management of the ERG Group

The "Guidelines for the Internal Control and Risk Management System", adopted on 11 March 2014 by the Board of Directors of ERG, were subsequently updated to take into account organisational changes and changes resulting from the Company's adherence to the Corporate Governance Code. The version currently in force was approved on 13 July 2016 and takes into account, inter alia, the reorganisation of the Internal Control and Risk Management System which provided for the establishment of a Risk Management function at Group level.

General Guidelines 

The Internal Control and Risk Management System of the ERG Group (hereinafter also "ICRM System") is the combination of measures, organisational structures, regulations and rules whose purpose is to allow the company to be managed on a sound and proper basis, consistent with the company targets defined by the Board of Directors, by means of an appropriate process of identification, measurement, management and monitoring of the main risks, and the creation of adequate information flows.

It complies with the principles contained in the current edition of the Corporate Governance Code for listed companies promoted by Borsa Italiana S.p.A. (hereinafter the "Corporate Governance Code") and, more generally, with current national and international best practices.

It is defined on the basis of leading national and international practices, and in particular "CoSO Internal Control - Integrated Framework 2013", which identifies a direct relationship between company targets (efficiency and effectiveness of operations, reporting and compliance), the components of the ICRM System and the organisational structure adopted by the Group.

This System, which is an integral part of the company's business, involves, and therefore applies to, the entire organisational structure of the ERG Group: from the Board of Directors of ERG and its subsidiaries, to Group Management and the company staff.

The ICRM System Guidelines, approved by the Board of Directors of ERG, lay down the general principles by which the Group's main risks are managed, in line with the strategic objectives identified, and the coordination arrangements between the parties involved in order to maximise the effectiveness and efficiency of the ICRM System.

Below is a summary of those involved in the ICRM System and their respective responsibilities.
  • First level: entrusted to individual operating lines, it encompasses the checks carried out by those involved in certain activities and those with supervisory responsibilities; it also makes it possible to ensure operational activities are carried out correctly;
     
  • Second level: entrusted to structures other than the operating lines, it is involved with defining risk measurement methods and with identifying, assessing and checking risks (Risk Management); it also makes it possible to verify compliance with regulatory obligations (Compliance);
     
  • Third level: entrusted to Internal Audit, it serves to assess the functionality of the overall internal control and risk management system and to detect irregularities and violations of procedures and rules.

Structure and operation of the Internal Control and Risk Management System of the ERG Group

The Group is aware that an effective Internal Control and Risk Management System allows the company to be managed on a sound and proper basis, consistent with the company targets defined by the Board of Directors, by promoting well-informed decisions and contributing to wealth preservation, the efficiency and effectiveness of processes, the reliability of financial reporting, and compliance with standards, the Articles of Association and internal procedures.

To promote and maintain an adequate ICRM System, the ERG Group uses organisational, informational and regulatory instruments, which allow the identification, measurement, management and monitoring of the main risks.

This system is integrated in the organisational, administrative and accounting structure and, more generally, in the corporate governance structure. It is based on the recommendations of the Corporate Governance Code, which the Group has adopted, taking as references national and international models and best practices, aimed at consolidating overall effectiveness and efficiency.
  • The System of Rules and Procedures
    The definition of the Internal Control and Risk Management System structure and its governing rules takes place through the definition of appropriate internal business standards (Policies, Guidelines, Procedures and Operating Notes) which regulate the processes and activities carried out by ERG and its subsidiaries.

    The beneficiaries of each standard are defined below:
    • Policies: these are intended for all stakeholders and, based on the values expressed in the Code of Ethics, define the fundamental management principles involved in the performance of corporate activities;
    • Guidelines: these are intended mainly for those who must set up operations and manage them, and define the principles for the execution of such activities;
    • Procedures: these are intended for the parties involved in the operating processes regulated by them;
    • Operating Notes: these are intended for the parties who, at operational level, carry out the activity or stages of activity regulated by the document.

    Moreover, a specific procedure was formalised in the Group with the goal of defining a method for the uniform, integrated, effective and efficient management of the corporate rules and for regulating the activities performed by the involved parties, in terms of:
    • responsibilities of the parties involved in the process;
    • (electronic and hardcopy) communication flows among the various parties involved in the process;
    • control activities connected with the operations reported in the process.
  • The System for Assigning Powers
    A correct and effective Corporate Governance system requires a formal assignment of powers consistent with the company's own organisational system.

    A correct assignment of powers entails assessing whether the validity requirements exist, determining its limits and identifying matters that can be delegated.
    The system adopted in the Group provides for:
    • the assignment of powers by the Board of Directors to the Group's various Companies, through Board resolutions, to the Chief Executive Officers for the ordinary management of the Companies;
    • the assignment, normally to first-level executives reporting to Chief Executive Officers, of powers of signature, representation and external negotiation;
    • the assignment of special powers for the performance of specific, well-defined actions, upon completion of which the validity of the power is voided;
    • the assignment to the heads of organisational positions of internal powers related to actions that have no external enforceability.

    The system of delegated powers and mandates in place within the Group is structured so as to achieve consistency between the organisational structures, pursuant to the powers granted, and the company's regulatory system (Policies, Guidelines, Procedures, Operating Notes and Job Descriptions), in compliance with the Segregation of Duties ("SoD").

Guidelines of the Internal Control and Risk Management System
Approved by the Board of Directors of ERG S.p.A. on 3 August 2018