Internal control and risk management system

The Guidelines of the Internal Control and Risk Management System (“SCIGR”), describe the internal control system adopted by ENAV covering all the activities of the Company.

In particular, ENAV's SCIGR is comprised of the overall array of instruments, organisational structures, corporate regulations and rules that ensure identification, measurement, management and monitoring of the main risks and implementation of the controls for achievement of the corporate objectives of:

Internal control and risk managemente system

The SCIGR, which takes into account the recommendations of the Corporate Governance Code and references national and international best practices, is divided into three separate levels of internal control:

“first level” or “line controls” (risk ownership)

The set of control activities that the individual group areas, management and corporate structures perform on their own processes in order to ensure that transactions are performed correctly. These control activities are carried out under the main responsibility of the management and they are considered an integral part of every corporate process. The corporate structures are therefore the main entities that are responsible for the internal control and risk management process. In the course of its regular operations, these structures are required to identify, measure, evaluate, manage, monitor and report the risks arising from ordinary business operations in accordance with the mandatory standards, regulations and internal procedures applicable.

“second level” controls
Assigned to the structures specifically in charge of carrying out this work, (such as Risk Management, Planning and Control, Safety, Security, Quality, Management Systems and HSE) which are autonomous as well hierarchically and functionally distinct from the “first level” corporate structures, with specific duties and responsibilities of control over different areas/types of risks.

“third level” controls

Carried out by the Internal Audit department, which provides independent and objec¬tive assurance on the adequacy and the actual operation of the first and second level controls, and, more generally, on the SCIGR. This level of control, therefore, has the task of verifying the structure and operation of the SCIGR overall, including through monitoring the line controls and the second level controls, both for ENAV and the Group.

The following chart summarises the players of the SCIGR of ENAV, with evidence of the architecture based on the three levels of control.

 SCIGR Organization

The Executive Director in charge of the SCIGR supervises the functionality of the Internal Control and Risk Management System, to which the tasks referred to in the application criterion 7.C.4 of the Self-Governance Code are given. These include:

(i) identifying the main risks while taking into account the characteristics of the business areas in which the Company and the Group operate, submitting said risks to the Board of Directors for periodic review;

(ii) executing the guidelines of the SCIGR, handling the planning thereof, realisation and management and verifying constant adequacy and efficacy;

(iii) adapting this system to the operating conditions and legislative and regulatory environment;

(iv) after consulting with the Chairman of the Board of Directors, submitting to the Board of Directors the proposals regarding the appointment, revocation and remuneration of the head of the Internal Audit Department, ensuring that the latter has the appropriate staff available for the discharge of his or her responsibilities;

(v) together with the Chairman of the Board of Directors, examining the work schedule prepared by the head of the Internal Audit Department, submitting his/her own evaluations in this regard to the Board of Directors which is called upon to approve this schedule;

(vi) is entitled to request the Internal Audit Department to carry out checks on specific operational areas, as well as checks on compliance with internal rules and procedures in the performance of business operations, at the same time informing the Chairman of the Board of Directors, the Chairman of the Risk and Related Parties Control Committee and the Board of Statutory Auditors of such requests; -

(vii) promptly report to the Board of Directors on problems or critical situations that may have emerged in the performance of his/her duties, or that were otherwise brought to his/her knowledge, so that the Board may take the necessary measures.