The guidelines of the internal control and risk management system (“ICRMS”) describe the internal control system adopted by ENAV to cover all of the Company’s activities.
ENAV’s ICRMS is composed of a set of rules, procedures and organisational units designed to enable the identification, measurement, management and monitoring of the main risks to which the Group is exposed and implementation of controls to ensure achievement of the corporate objectives of:
- preserving corporate assets;
- implementing effective and efficient corporate processes;
- ensuring the reliability of financial reporting;
- complying with the law, regulations, the Articles of Association and internal Company rules.
The ICRMS, which reflects the recommendations of the Corporate Governance Code and takes account of national and international best practice, is divided into three separate levels of internal control.
“First level controls” or “line controls” (risk ownership)
The set of control activities that the individual organisational units perform for their own processes in order to ensure that operations are conducted correctly. These control activities are carried out under the primary responsibility of management and they are considered an integral part of every corporate process. The corporate units are therefore the primary entities responsible for the internal control and risk management process. In the course of their regular operations, these units are required to identify, measure, evaluate, manage, monitor and report the risks arising from ordinary business operations in accordance with applicable law, regulations and internal procedures.
“Second level” controls
These are entrusted to units specifically responsible for these duties (such as Integrated Compliance and Risk Management, the Financial Reporting Officer, Planning and Control, Safety, Security) which are hierarchically and functionally independent of the “first level” corporate units, with specific control duties and responsibilities for different areas/types of risk. They monitor the corporate risks pertaining to their specific areas, propose guidelines for the associated control systems, verify their adequacy in order to ensure the efficiency and effectiveness of risk control and management operations and support the integration of the risks related to their specific areas of responsibility.
“Third level” controls
These are performed by the Internal Audit Department, which provides independent and objective assurance on the adequacy and actual operation of the “first and second level” controls and the ICRMS in general. This level of control is therefore responsible for verifying the structure and operation of the overall ICRMS, including through monitoring the line controls and “second level” controls, for ENAV and the Group as a whole.
The following chart summarises the players of the SCIGR of ENAV, with evidence of the architecture based on the three levels of control.
The three levels of control
The director in charge of the SCIGR is responsible for supervising the operation of the internal control and risk management system, with the duties referred to in Application Criterion 7.C.4 of the Corporate Governance Code (the “Director in Charge”):
(i) identifying the main corporate risks, taking account of the characteristics of the business areas in which the Company and the Group operate, bringing those risks to the attention of the Board of Directors for periodic review;
(ii) executing the guidelines of the ICRMS, handling the planning, implementation and management thereof and verifying its ongoing adequacy and effectiveness;
(iii) adapting the system to developments in operating conditions and the legislative and regulatory environment;
(iv) in consultation with the Chairman of the Board of Directors, submits to the Board of Directors proposals regarding the appointment, termination and remuneration of the Internal Audit Officer, ensuring that the latter has appropriate resources for the discharge of his/her responsibilities;
(v) in consultation with the Chairman of the Board of Directors, examines the plan of activities prepared by the Internal Audit Officer, submitting an assessment in this regard to the Board of Directors, which is called upon to approve this plan;
(vi) may ask the Internal Audit Department to perform checks of specific operational areas, as well as checks of compliance with internal rules and procedures in the performance of business operations, informing the Chairman of the Board of Directors, the Chairman of the Control, Risks and Related Parties Committee and the Chairman Board of Auditors;
(vii) promptly reporting to the Board of Directors on any problems or critical issues that have emerged in the performance of his/her duties, or that were otherwise brought to his/her attention, so that the Board of Directors may take the necessary measures.