The Internal Control and Risk Management System of Cementir Group is defined as the set of tools, organizational structures, procedures and corporate rules aimed at ensuring, through an adequate process of identification, evaluation, management and monitoring of the main risks, that the business is managed correctly and consistently with the set objectives in terms of:
- compliance with laws and regulations;
- safeguarding of company assets;
- effectiveness and efficiency of operating activities;
- accuracy and completeness of reporting.
The Internal Control and Risk Management System of Cementir Group is integrated in the organizational, administrative, accounting and governance structure of the Group and has been organized based on the principles envisaged by the Enterprise Risk Management – Integrated Framework, the international standard issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Report).
The Internal Control and Risk Management System of Cementir Group considers all the main risks that may threaten the achievement of the Group’s objectives. For this purpose, the following risks are identified and evaluated according to uniform criteria, based on the two variables of likelihood and impact: strategic risks (related to the company mission), compliance risks (related to compliance with laws and regulations), financial risks (related to the accuracy and completeness of the accounting and financial reporting), and operational risks (related to the effectiveness and efficiency of the operating activities).
The identification and evaluation process described above is reviewed at least annually, and specific disclosure is periodically provided to the Board of Directors and to the Audit Committee.
The Internal Control and Risk Management System of Cementir Group is integrated with the Group Sustainability Strategy. For this purpose, a dedicated section has been inserted, in which specific risks related to the achievement of the Sustainability Strategy’s objectives and targets are mapped and evaluated. These risks are highlighted and subject to separate disclosure to the Audit Committee.
The Internal Control and Risk Management System involves, at different levels, various corporate actors that interact with each other.
In particular, the Board of Directors has an oversight role, addressing and evaluating the Internal Control and Risk Management System, also by availing itself of the Audit Committee, which performs a preliminary analysis with reference to the related evaluations and decisions.
The Ethic Committee has the responsibility to ensure that the activities are conducted according to the ethical principles provided by the Code of Ethics. Moreover, it monitors the reports received concerning Code of Ethics violations, regarding which it receives periodic information from the Internal Audit Department, and it can request further analysis or specific checks, if necessary.
The Group Management has primary responsibility for the internal control and risk management activities, and the second-level control functions support the Management in the definition of adequate risk management systems and related controls according to their competencies (e.g. EHS, Anticorruption, Antitrust, Privacy, etc.).
Lastly, the Internal Audit Department has the responsibility for carrying out independent assurance activities on the Internal Control and Risk Management System, verifying its adequacy in relation to the Group size and operating activities and ensuring the definition and implementation of adequate mitigation actions by the Management.
Moreover, the Internal Audit Department manages the Code of Ethics violation reports (whistleblowing) received through the dedicated channels, regarding which it performs the necessary analysis and provides information to the Ethic Committee.