Enterprise risk management

Nexi Group’s Enterprise Risk Management (ERM) framework, in line with the Top Management’s new vision and consistent with the recommendations of the Corporate Governance Code of listed companies, focuses on the management of major risks for the creation and protection of value, by integrating risk management culture and practices in the processes that define performance strategies and management.

Find out more on the main risks to which Nexi Group is exposed and how they are managed. 

Mission and reference principles

Identifying a risk does not necessarily mean declaring that it will certainly materialise, but being aware that a specific risk could occur. The mission of the ERM model is thus to promote informed decision-making, based not only on expected results but also on the underlying risk profile, with the guarantee of proper management in line with the corporate risk appetite.

The principles underpinning Nexi’s ERM model are the following:

  • Comprehensive vision: by analysing all types of risk the Group is or might be exposed to under ordinary or stress situations.
  • Value-driven approach: focus on the most significant risk events that may impact the Group’s value drivers, the achievement of strategic goals and/or the business’ sustainability in the medium-long run.
  • Top-down approach: the Top Management, with the support of the Risk Management Function, identifies, prioritises, and manages the main corporate risks.
  • Actionability: focus resources on the management and mitigation of risks for which Nexi has intervention levers.
  • Collaboration: all organisational units of the Group are called to actively contribute, according to their areas of expertise and activities, to the identification, assessment and management of risks, based on the risk appetite defined by the Holding Company’s Board of Directors.
  • Transparency: in relation to the Group's risk profile and risk management strategies towards the Board of Directors, and adequate disclosure to shareholders and all other relevant stakeholders.

Risk appetite

Consistent with the Group’s mission and values defined by the Code of Ethics, and in line with the company risk appetite, Nexi is risk averse towards events that could:

  • Lead to non-compliance with regulations, Supervisory Authority provisions and/or other rules applicable to the Group;
  • Lead to an interruption in the supply of services to Clients;
  • Compromise the protection of the data processed in Group operations.

Overview

In line with the recommendations of the Corporate Governance Code of Italian listed companies, Nexi's ERM Governance model requires broad involvement at all organisational levels. More concretely, and based on the strategic directions defined by the competent corporate bodies, Nexi's ERM Governance model enables the proper and complete identification and oversight of the Group's risk profile, leveraging the role assumed by the three lines of defence:

  • First level of control – Identify, assess, and manage risks (Risk Owners)
    Business structures are primarily responsible for the internal control and risk management system. In their day-to-day operations, these structures are called upon to identify, measure or evaluate, monitor, mitigate and report the risks deriving from ordinary activities, in accordance with the risk management process and applicable internal procedures.
  • Second level of control – Oversight, control and compliance (Risk Management and Compliance)
    Control functions responsible for providing oversight and monitoring of risks, and of compliance with rules and regulations, through frameworks, tools, processes and control activities, enabling a group-wide risk management system.
  • Third level of control – Independent assurance (Internal Audit)
    Controls aimed at identifying violations of procedures and regulations. Group Internal Audit also provides a periodic assessment of the completeness, functionality and adequacy of the internal control and risk management system.

Board of directors

Consistent with its role of direction and coordination, the board of directors is responsible for the strategic direction and the supervision of the risk management system. In detail:

· It defines the nature and level of risk according to the strategic goals, including in its evaluations all the risks that could be relevant with respect to the business sustainability in the medium-long term;

· It defines the guidelines for the risk management governance and system, in order to assure that relevant risks are correctly identified and properly measured, managed and monitored;

· It periodically evaluates the adequacy and the effectiveness of the risk management system in relation to the assumed risk profile.

Risk, control and sustainability committee

The committee supports the board of directors in the evaluations and decisions related to the risk management system. In detail:

· It supports, through the execution of adequate preliminary activities, the board of directors in the review and approval of risk management activities (including the activities related to the biannual and annual financial reports with regard to the impairment test and assessment criteria);

· It reports to the whole board of directors on the activities carried out and on the adequacy of the risk management system.

Strategic committee (stratco)

The committee supports, through the execution of adequate preliminary activities, the board of directors in the evaluations and decisions related to strategic risks linked for example to the strategic plan, business line plans, relevant strategic projects, financing strategies.

Remuneration committee

The committee periodically evaluates the adequacy, application and coherence of the directors' and managers' remuneration policy with the company's strategic responsibilities.

Chief Executive Officer

The chief executive officer is responsible for the design and implementation of the risk management system, based on the guidelines defined by the board of directors. In detail:

· Is accountable towards the board of directors for the correct identification and representation of the main risks the company is exposed to, and proposes the overall risk profile to the board for approval;

· Implements risk management strategies defined by the board of directors;

· Handles the design and the implementation of the risk governance model and verifies its adequacy and efficacy;

· Ensures an appropriate risk management organizational structure.

The chief executive officer can be supported by specific managerial committees in order to:

· Examine the results of the risk analysis;

· Discuss the major risks the company is exposed to;

· Identify and monitor the implementation of risk management strategies;

· Periodically monitor the overall risk exposure at local level; and

· Spread the risk culture within the company.

Risk management

The role of the risk management function is to facilitate, coordinate and monitor the implementation of the ERM model, ensuring compliance with the regulations and risk management requirements in force. In particular:

· It ensures the definition, evolution and update of the methodology supporting risk management processes, setting standards and procedures for risk analysis, assessment, management and monitoring, as well as providing methodological support to the functions involved;

· It coordinates the analysis and management of all relevant risks, aggregating and consolidating the outcomes for risk reporting purposes;

· It monitors the exposure to main risks;

· It periodically oversees / monitors the implementation and efficacy of strategies and mitigation plans;

· It receives proper reporting / information flows related to risk events.

Internal audit

In the context of its assurance responsibility, it supports the board of directors in defining the internal control and risk management system guidelines, in compliance with corporate strategies, and assesses their adequacy and effectiveness on an annual basis.

Risk owners

Risk owners are primarily responsible for the identification, evaluation and management of risks within their area of responsibility. They:

· Identify risk events and evaluate their significance;

· Suggest, implement and monitor the deployment of risk-mitigation action plans;

· Promptly report relevant evolutions of risk exposures to the risk management function.

Main phases and activities

Nexi's ERM process is conducted twice a year and includes four steps: identification, evaluation, response and monitoring.

  1. Risk identification
    Focus on all risk categories, which are strategic, operational, compliance, financial and ESG.
  2. Risk evaluation
    Assessing risks according to their impact and probability, as well as the maturity of the risk management system, which leads to a tier 1 and tier 2 prioritisation.
  3. Risk response
    Define a risk strategy and, where needed, an action plan to mitigate the risk.
  4. Risk monitoring
    Provide periodic updates on action plans, which are reported to the Control, Risk and Sustainability Committee.

As a reference / guidance, the risk methodology and processes are inspired by the ISO 31000:2018 standard’s approach to risk management.

The ERM process undergoes regular internal audits, with the most recent one conducted in 2022.