Compliance and integrity risks are connected with breaches of internal procedures, laws, and regulations applicable to company operations at national or international level.
With regard to internal risks, the objective of the ERM system is to manage them through specific prevention and control measures incorporated into company processes, designed to eliminate the risk, minimise its likelihood of occurrence, or contain its impact in the event of occurrence.
With regard to external risks, the objective of the ERM system is to monitor them and mitigate their impact in the event of any occurrence.
For each business area in which a risk has been identified, there is a ‘risk owner’ responsible for supervising the risk itself and the effectiveness of the control system, and for implementing or improving mitigation measures.
All risks and related mitigation actions are recorded in a Risks Register, which is updated regularly (in concert with risk owners) on the basis of an annual plan approved by the Board of Directors with the support of the Control, Risks, and Sustainability Committee.
The plan is periodically updated to include any new elements of risk and/or to reflect any increases in the likelihood of occurrences or in the extent of impacts.
In 2016, a detailed analysis was conducted of the risks associated with: operations (with a focus on the supply chain); the areas of retail, wholesale, logistics, IT, and product development; and the business support processes of the administration and control, treasury, and legal divisions.