The internal control and risk management system of the Mondadori Group is defined as the set of procedures, organisational structures and related activities aimed at ensuring, through an adequate process of identification, measurement, risk management and monitoring, correct company management consistent with the established objectives.
The guidelines and orientation of the internal control and risk management system make reference to the principles envisaged in the Enterprise Risk Management (ERM) standard, an international standard developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Report).
In 2008, within the framework of the definition of the guidelines, the Mondadori Group implemented a process aimed at identifying, assessing and managing the main risks and uncertainties to which it is exposed in pursuing the company’s objectives. A Risk Management function was established for the purpose of developing an internal risk management model and monitoring the performance and periodic updating and monitoring of the same process.
Risk relevance, classified into categories and sub-categories, is determined on the basis of parameters of probability of occurrence and impact, not only economic, but also in terms of market share, competitive advantage and reputation. Through the process of self-assessment, company management identifies the risks attributable to its own competence and assesses the effects on the objectives that were previously defined by the business and staff general managers. The assessment is accomplished both inherently – that is, without any mitigation action – and residually, thus taking into account the actions implemented to reduce the probability of occurrence of the risk event and/or limit its damaging impact.
The outcomes, collected and processed by Risk Management, are subject to targeted disclosure to the Control and Risks Committee, the Board of Statutory Auditors and the Board of Directors. The risk scenario is revised and updated annually. The actual identification and efficiency of the mitigating actions indicated by management during the process of assessment are subject to auditing by the Internal Audit function. In addition, in order to align the residual risk within a certain risk range considered acceptable (Risk Appetite), the Risk Management function plans and implements risk response actions in collaboration with the company heads involved, by mapping the additional designed mitigating actions.
Director in charge of the system of internal control and risk management
The Board of Directors has appointed the Chief Executive Officer as the Director in charge of the system of internal control and risk management. His task is to identify, also through coordination of the Internal Audit function, the main company risks and to manage the internal control and risk management system, taking into account the characteristics of the activities carried out by the Group, and reporting any critical issues identified to the Control and Risks Committee or the Board.
Head of Internal Audit
The role of Head of Internal Audit has been assigned to Paolo De Benedetti, with the task of verifying the effectiveness and adequacy of the system of internal control and risk management – on an ongoing basis and as required by international standards – through an audit plan, which is to be approved by the Board of Directors, and which is to be based on a well-defined process of risk analysis and prioritisation.
The Head of Internal Audit has direct access to all information needed to perform his/her duties, which envisage:
- preparation of regular and sufficiently detailed reports on the work being carried out in performance of the function, the ways in which risk management is being conducted, and on compliance with the plans that have been implemented to control risks. These periodic reports include an assessment regarding the adequacy of the system of internal control and risk management;
- timely preparation of reports on particularly significant events;
- submission of the aforementioned reports to the chairmen of the Board of Statutory Auditors, the Control and Risks Committee and the Board of Directors, as well as to the Director of the system of internal control and risk management;
- use of the audit plan to verify the reliability of the Company’s information systems, including its accounting IT systems.