​​​​​​​​​The Risk Management Process of the Montepaschi Group

The Montepaschi Group attaches the utmost importance to the process of identifying, monitoring, measuring and controlling risk. The risk management process within the Group has been further strengthened over the last few years. This was primarily made possible by the gradual extension of the advanced management and reporting models to the various entities of the Montepaschi Group.

The fundamental principles of the Montepaschi Group's risk management process are based on a clear-cut distinction of the roles and responsibilities of the different functions at first, second and third-levels of control.

The Board of Directors of the Parent company is responsible for:

  • defining and approving strategic guidelines and risk management policies;
  • at least once a year, quantitatively expressing the Group's overall risk appetite in terms of Economic capital.

The Board of Statutory Auditors and the Control and Risk Committee are responsible for:

  1. evaluating the level of efficiency and adequacy of the Internal Control Systems with particular regard to risk control.

    The CEO/General Management is responsible for ensuring compliance with risk policies and procedures. The Director in charge of the internal control and risk management system, appointed in compliance with the Corporate Governance Code for listed companies, is responsible for creating and maintaining an effective system of internal control and risk management.

Specific management committees responsible for risk issues are also in place in order to promote efficiency and flexibility in the decision-making process and facilitate interactions between the various corporate departments involved.

The Risk Committee of the Parent Company:

  • establishes risk management policies;
  • ensures overall compliance with the limits defined for the various operating levels;
  • defines capital allocation proposals to be submitted to the Board of Directors;
  • assesses risk profile and, therefore, capital consumption (Regulatory and Economic) at both Group level and individual Group company level and analyses the risk-return performance indicators.

The Finance and Liquidity Committee of the Parent company has the task of:

  • setting the principles and providing strategic guidance for Proprietary Finance;
  • deliberating and submitting proposals concerning the interest rate and liquidity risk exposure of the banking book and defines capital management actions required.

The Credit, Credit Policies and Credit Assessment Committee of the Parent Company:

  • formulates credit process guidelines and expresses an opinion, at least once a year, on credit policies by verifying their commercial sustainability and consistency with risk appetite levels;
  • at least once a year, approves company policies pertaining to credit assessment, including for the purpose of subsequent reporting in the financial statements.
  • Within the Internal Control System, third-level controls are carried out by the Internal Audit Area, second-level controls by the Risk Management Division and first-level controls by the Business Control Units.

The Internal Audit Area performs an independent and objective "assurance" and advising activity, aimed both at monitoring operations compliance and risk trends (including through on-site audits) as well as assessing the overall functioning of the internal control system as part of a wider objective to improve the effectiveness and efficiency of the organisation.

The Risk Division, which reports directly to the CEO, includes a Risk Management department, a Compliance department, an Anti-money laundering department and an internal approval department. The Division, therefore, has the task of:

  • guaranteeing the overall functioning of the risk management system and overseeing the assessment of capital adequacy and measurement of risk appetite together with the CFO Division;
  • defining strategic policies for the loan portfolio, performing the compliance and anti-money laundering duties envisaged by governing regulations and ensuring  the necessary reporting flows to the Group's Top Management and Governance bodies.

Within the Risk Division, the:

Risk Management Area:

- defines integrated analysis methodologies needed to measure overall risks so as to guarantee they are accurately assessed and constantly monitored;

- quantifies Economic Capital consumption as well as the minimum amount of capital to be held to cover all existing risks;

- ensures compliance with the operational limits set by the Board of Directors on the basis of internally-developed models;

- oversees criteria for verification of MiFID compliance for investment products and services offered to customers as well as those for risk and performance measurement and monitoring of products and portfolios held by customers.

Validation, Monitoring and Risk Reporting Area:

- verifies the reliability of results obtained from the risk measurement systems as well as their constant alignment with regulatory requirements;

- validates the models, including the ones not used for regulatory purposes;

- prepares the Pillar 3 Disclosure Report as well as Group Risk Disclosures for the governing bodies.


Outer Business Control Units (BCUs), which are internal to the Group subsidiaries or the main business areas of the Parent company, carry out conformity checks on transactions and are the first level of organisational supervision of operations within the more general system of internal controls.

In accordance with the principles contained in the New Accord on Capital Adequacy (Basel 2) in relation to First Pillar risks, in the first half of 2008, the Montepaschi Group completed its work on the internal models for credit and operational risks.

Pursuant to circular letter 263/2006 of the bank of Italy, on 12 June 2008 the Montepaschi Group was officially authorised under regulation no. 647555 to use the advanced models for the measurement and management of credit risk (AIRB -Advanced Internal Rating Based) and operational risk (AMA – Advanced Measurement Approach) as of the first consolidated report at 30-06-2008.

These models were subsequently developed and their scope of application extended to Group entities not originally included in the initial scope of validation.