Parties involved

BOARD OF DIRECTORS
Several years ago, the Board of Directors, working with the support of the Control and Risk Committee, defined the guidelines of the Internal Control System. These guidelines were updated in 2013 and integrated with the risk management guidelines, which the Company has been following for some time, adopting conduct consistent with them.
Based on the abovementioned guidelines, the Board of Directors defines each year the type and level of risks compatible with the Company’s strategic objectives, as explained in the section of this Report entitled “Role of the Board of Directors.”
As required by the Code, the Board of Directors regularly reviews the main risks faced by the Company and, based on the findings presented in the report prepared by the Control and Risk Committee, assesses the adequacy, efficacy and effectiveness of the Internal Control and Risk Management System at least once a year.

On the other hand, the Board of Directors chose, as in the past, to leave to the Control and Risk Committee the assessment of the findings presented by the Independent Statutory Auditors in the management letter, when issued, and in the report on key issues uncovered in the course of the independent statutory audit, in the belief that the Committee provides a more suitable venue for studying and analyzing such issues.

DIRECTOR RESPONSIBLE FOR OVERSEEING THE FUNCTIONALITY OF THE INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM
As mentioned above, the Board of Directors entrusted to the Chief Executive Officer responsibility for overseeing the functionality of the Internal Control and Risk Management System. As part of this assignment, the Chief Executive Officer, with the support of the Chief Financial Officer and of the Risk Officer, mapped the key business risks that have been submitted from time to time to the Board of Directors, and implemented the guidelines of the Internal Control and Risk Management System taking care of its planning, accomplishment and management and overseeing the System’s suitability for handling changes in operating conditions and in the legislative and regulatory framework.

In 2016, the Chief Executive Officer did not submit specific requests to the Internal Auditing Department concerning the performance of audits of specific operational areas or specific processes, but reported to the Control and Risk Committee, through the Internal Auditing Department, with regard to the main critical issues uncovered in the course of his activities, seeking the Committee’s assessments in this regard.

CONTROL AND RISK COMMITTEE
Please see the previous section of this Report for information about the jurisdiction and activities of this Committee.

INTERNAL AUDITING DEPARTMENT
The Internal Auditing Department, established in May 2003, is responsible for performing internal audits, with the goal of assisting the Board of Directors, the Control and Risk Committee and the Company’s management in the pursuit of a correct implementation of the internal control and risk management system and thus facilitate the achievement of the Company’s objectives. In February 2004, acting upon a proposal by the Chief Executive Officer, the Board of Directors assigned to the manager of the Internal Auditing Department the task of assessing the adequacy and effectiveness of the overall Internal Control and Risk Management System.
Hierarchically, the Internal Auditing Department, which has not performed any operational function since March 2013, reports directly to the Board of Directors, which assigned to the General Counsel Department the task of providing operational coordination for the activities of the Department and its manager, serving as liaison between the abovementioned Department and the Board of Directors, the Board of Statutory Auditors and the Oversight Board. The Board of Directors then delegated to the Chief Executive Officer, in his capacity as the Director responsible for the Internal Control and Risk Management System, responsibility for ensuring that the Department is provided with the resources needed to discharge its duties and for defining the compensation of the Department’s manager, determined in a manner consistent with the Group’s management compensation policies, in accordance with general guidelines reviewed by the Compensation Committee.
The current manager, Paolo Colapenna, was appointed on July 29, 2013 upon a recommendation by the Chief Executive Officer, in his capacity as the Director responsible for the Internal Control and Risk Management System, with a favorable opinion provided by the Control and Risk Committee and the input of the Board of Statutory Auditors. For reasons explained in the 2012 Governance Report, the previous manager had been appointed by the Chairman of the Board of Directors and reported to him.

The Department operates on the basis of a Mandate approved by the Board of Directors. The Mandate was last updated at the end of 2013 to take into account the changes brought by the evolution of professional auditing standards, and its terminology was upgraded consistent with the Code. Under this Mandate, the Department is required to prepare a work plan, defined using risk-based methods to identify the engagements that should be performed, and specify the necessary resources, based on information derived from the following sources: Group’s strategic plan and budget; Risk Assessment - Enterprise Risk Management (ERM); 262 and 231 compliance; recommendations from management; suggestions by the Chief Executive Officer and the Chairman of the Control and Risk Committee; control self-assessment activities; assessments by the Internal Auditing Department; results of previous audits; Independent Auditors. The audit plan is then submitted to the Control and Risk Committee and, starting in 2014, approved by the Board of Directors. The Plan is updated at least once every six months. Activities include monitoring the actual implementation of the recommendations that resulted from audit engagements (follow-up).
A report is issued at the end of each audit engagement. Generally, the report is addressed to parties who have jurisdiction over and responsibility for the management of the audited processes and any other parties who may be able to properly follow up on the recommendations contained in the report and/or provide specific support in this area. An executive summary of each audit report is also sent to the Chief Executive Officer, the Chief Financial Officer, the manager of the Human Resources and Organization Department and the General Counsel. The distribution of reports that are highly confidential can be limited, based on the nature of the report. The Chief Executive Officer and the Control and Risk Committee must be promptly informed of any problems affecting the internal control and risk management system.

At least once every six months, the Internal Auditing Department reports to the Control and Risk Committee about the results of its audit engagements and supports the Committee in performing audits and assessments of the internal control and risk management system. Also once every six months, it reports to the Board of Statutory Auditors with regard to the work performed and its assessments of the internal control and risk management system.

The Internal Auditing Department operates in accordance with the international standards for the internal auditing profession, as set forth in the International Professional Practices Framework (IPPF) and, since 2009, its internal auditing activities have been certified in accordance with international Quality Assessment Review (QAR) methods; in 2014, this certification was renewed for another five years following a review by an external, independent certifier.

The manager of the Internal Auditing Department has direct access to all information useful for discharging the assigned tasks. Moreover, owing in part to the fact that he attends the meetings of the Control and Risk Committee and the Oversight Board, of which he is the Secretary, he receives and assesses any additional information and assists the Control and Risk Committee in assessing the internal control and risk management system.

OTHER PARTIES INVOLVED
The risk management process is coordinated by the Risk Officer, who reports to the Chief Financial Officer. The Risk Officer also provides management with support in defining the overall risk strategy and policies and in analyzing, identifying, evaluating and managing risk and defining and managing the corresponding control and reporting system.
The managers in charge of each Business Unit, department or division are responsible for designing and managing the internal control system for the operations under their jurisdiction and for monitoring that the system is operating effectively, in accordance with the framework defined by the Board of Directors and the instructions provided to implement those guidelines. As explained below, this activity has been integrated into the processes deployed to identify, monitor and manage risks. All employees, each within the scope of his or her responsibilities, must contribute to ensuring that the Internal Control and Risk Management System is operating effectively.

BOARD OF STATUTORY AUDITORS
Pursuant to law, the Board of Statutory Auditors monitors the effectiveness of the Company’s organization, of the system of internal control and of the administrative and accounting system, as stated in the report submitted by the Board of Statutory Auditors to the Shareholders’ Meeting, which should be consulted for additional details. A comment about the flow of information between the Board of Statutory Auditors and the other governance entities is provided in the sections of this Report entitled “Rules of Operation of the Board of Statutory Auditors” and “Control and Risk Committee.”