Risk management

Prudent risk management is one of our distinguishing features. We have adopted a series of rules, procedures and organisational structures involving our management and control bodies and our various operating units.

We have always stood out for an approach to risk management based on the principles of prudence and selectivity, in addition to a high level of capitalisation (higher than the regulatory requirements and one of the highest among Italian banks).

Risk management is the unit responsible for identifying and implementing an efficient risk management process and for its deployment within the group. It controls the functioning of the risk management systems of the bank and the group, and develops appropriate methods for measuring the overall set of current and future risks.

Its task is to provide ongoing control of aggregate exposure – at group and individual unit level – to credit, financial, operational and other relevant risks, within the limits set by the internal and supervisory regulations. A full list of the risks is available in the IR section.

The head of the unit is the chief risk officer who reports directly to the chief executive officer. He also attends the meetings of the control and risks committee, which he supports in its supervisory work. The risk management unit reports to the control and risks committee and the board of directors twice a year on the work carried out.

The chief risk officer establishes and quantifies the risk appetite, in addition to the risk policies and limits at operating unit and group level.



To manage the degree of uncertainty inherent in banking and financial activities, we have created a series of rules, procedures and organisational structures with the aim of:

1. safeguarding the bank's capital strength, with direct benefits for shareholders, customers and employees;
2. supporting the formulation and implementation of business strategies;
3. favouring the sustainable and lasting growth of the bank and returns for shareholders;
4. establishing effective and reliable company processes and procedures.

The head of the unit is the chief risk officer.



Risk management involves the management and control bodies, and the various operating units of the parent company and the subsidiaries, through various roles and responsibilities.

There are four other company units primarily involved in the management and control of risk:

  1. group audit
  2. compliance
  3. asset liability management (ALM) and liquidity
  4. risk management


Management and control bodies involved in risk management

  • Board of directors: Performs a strategic supervision role, approving the guidelines and strategic approaches for the risk appetite framework (RAF), financial and business plans, budgets, and the policy for risk management and internal control. Every year the board of directors assesses the adequacy of the bank's organisational, management and accounting structure, particularly with regard to the internal control system and the management of conflicts of interest.
  • Executive committee: Responsible for the day-to-day management of the bank and the coordination and management of the group companies, except for the tasks reserved to the board of directors.
  • Control and risks committee: Assists the board of directors by providing advice and information on the internal control system, risk management and the financial reporting structure.
  • Statutory audit committee: Monitors the risk management and control system as identified by the RAF and the internal control system, assessing the effectiveness of all the structures and units involved and ensuring their coordination.

The following committees have specific powers in the processes of taking, managing, measuring and controlling risks in the risk management system:

  • Group risks committee: tasked with addressing credit, issuer, operational and conduct risks, and with powers of approval for market risks;
  • Lending and underwriting: for credit, issuer and conduct risk;
  • Group ALM and operating ALM: monitors group ALM risk-taking and risk management policy (treasury and funding) and approves the methods for measuring exposure to liquidity and interest rate risk and the internal fund transfer rate;
  • Investments: gives its view on investments covered by article 18 of the company’s articles of association and other banking book equity interests or holdings (except investments in the banking group companies and Banca Esperia);
  • New operations: performs advance assessment of new activities and entry to new sectors and products, and related pricing models;
  • Operational risks: manages operational risks in terms of risk profile monitoring and identifying mitigation actions.

Other company units involved in risk management

The other main company units involved in the management and control of risk are:

1. Group audit

Carries out audits for the entire group, in accordance with the provisions of the “Supervisory Instructions for Banks”, the “Supervisory Instructions for Financial Intermediaries” and the “Bank of Italy-Consob Combined Regulations”. Specifically, the unit is responsible for:

  • defining the audits to be carried out, in accordance with the audit methodology adopted, and preparing three-year and annual audit plans;
  • checking, among other things:
    • the correct performance of the company’s various activities and the status of the related risk at the central headquarters and the branch offices;
    • the monitoring of regulatory compliance at all company levels;
    • compliance, in the various sectors of operation, with the limits set by the delegation mechanisms, and full and correct use of the information available in the various activities;
    • the effectiveness of the powers of the units responsible for controlling risks for providing prior opinions on the most significant transactions and their consistency with the RAF;
    • the adequacy and correct functioning of the processes and methods for valuing company operations;
    • the adequacy, overall reliability and security of the information system;
    • the follow-up for the removal of irregularities found in operations and in the functioning of controls;
  • checking that the conduct of individual Group companies is consistent with the guidelines issued by the parent company;
  • carrying out audits in respect of specific irregularities, if requested by the governing bodies and/or top management;
  • regularly informing management about the audit activities performed and their results, through specific reports;
  • preparing periodic summary reports for the governing bodies, describing the main results from the audits carried out, the suggestions made and any corrective measures taken.



2. Compliance

Responsible for checking and managing compliance and reputational risk in accordance with the applicable regulations. It is tasked with the following duties in particular:

  • checking and ensuring that the activities of the bank and the group comply with legal and regulatory requirements, particularly with regard to regulations on banking, the provision of investment services, and market abuse, and taking care of operational relations with the relevant authorities;
  • implementing the measures and instruments needed to ensure effective control of risks associated with managing conflicts of interest;
  • performing operational duties, proposing organisational and procedural changes to ensure suitable control of non-compliance risk and preparing information flows to the governing bodies and the units involved;
  • providing assistance to the units of the bank and group companies on operational matters, including through explanatory memos or reports on relevant regulatory aspects, and ensuring a continuous and up-to-date flow of information on developments in Italian and international regulations;
  • reporting duties, preparing regular reports for the governing bodies on the activities carried out and in all instances of failure to comply with regulations, in addition to identifying new compliance risks and possible corrective actions.

The Compliance unit also contains the Anti-money-laundering unit which, as required by the instructions issued by the Bank of Italy on 10 March 2011, is responsible for ongoing monitoring of the company’s procedures to prevent and tackle breaches of regulations on money-laundering and terrorist financing.


3. Asset liability management (ALM) and liquidity

Responsible for monitoring future changes in net interest income and the group’s liquidity situation through reporting to the ALM committee. It is tasked with the following duties in particular:

  • monitoring the ALM position at group level;
  • estimating net interest income and the sensitivity indicators for the banking (and non-banking) book;
  • monitoring compliance with the liquidity policy and the contingency funding plan (in conjunction with the Risk Management unit);
  • measuring the liquidity indicators and monitoring compliance with their limits, through specific reporting flows.


4. Risk management

Responsible for monitoring the functioning of the bank's risk system, by developing appropriate methods for measuring the overall set of current and future risks, in accordance with regulatory provisions and the management decisions taken by the bank, as well as monitoring those risks and verifying compliance with the limits set for the various business lines.

The risk management process

The risk management process overseen by the chief risk officer is described below. Group risk management provides operational guidance for the activities and projects of the group and the parent company, and also coordinates relations with the supervisors.

Risk Management

Group Chief Risk Officer

Group Risk Management

  • Credit Risk Management: Credit risk analysis and assigning internal ratings to counterparties
  • Market & Liquidity Risk Management: Monitoring market, counterparty, liquidity and interest-rate risk of the banking book
  • Operational Risk Management: Developing and maintaining the measurement system and managing operational risk
  • Enterprise Risk Management: Coordinating risk management policies at group level, integrated monitoring of group risk and the risk appetite framework, reporting on the Risk Appetite Framework, Internal Capital Adequacy Assessment Process (ICAAP), and internal validation of risk management models
  • Risk Analytics (Quantitative risk methodologies): Developing methods for quantitative analysis and credit and market risk management
  • Risk Management London: responsible for risk management in the London branch in coordination with the other risk management units


Last update: 10/02/2017