81
a particular situation or event will occur within a twelve-
month period, using a scale that goes from remote to high,
where the prospect of risk must also reflect whether, in
the course of time, the likelihood is increasing, constant or
decreasing;
• Level of Risk Management is assessed with reference to the
maturity and efficiency of the risk management systems
and processes adopted, using a scale that goes from
adequate to inadequate.
RISK ASSESSMENT CRITERIA
The process of identifying, analysing, measuring and
evaluating risks results in the production of an analysis of
key risks, that are quantified, categorised and listed in order
of priority. This analysis is used by the Board of Directors to
assess the consistency of the nature and level of key risks
with the Group’s strategic objectives and risk appetite, and
to define, with Senior Management, the risks for which
risk management or risk mitigation strategies should be
developed, implemented and monitored and how existing
strategies should be enhanced.
The type of instrument to develop and/or implement for risk
management will depend on the nature of the specific risk
situation or event identified, categorised as follows:
• Risks depending on External Factors or beyond the Group’s
influence, namely those risks whose occurrence cannot be
prevented by the Group but whose impact can be mitigated
by adopting countermeasures such as, for example,
continuous monitoring activities, stress testing of the
business plan, insurance coverage, disaster recovery plans,
alternative strategies;
• Accepted Risks, i.e. those risks that are strategically
acceptable in view of the potential related benefits and can
be managed using a system that reduces the probability of
an event’s occurrence and the negative impact if the event
does occur; such a system includes, for example, scenario
analysis, adoption of specific risk management policies like
hedging or other forms of risk transfer, monitoring of key
risk indicators;
• Preventable Risks, i.e. risks inherent in the business that
can be controlled using a system of internal rules designed
to dictate the adoption of conduct likely to prevent such
risks and to prevent mistakes; such a system includes, for
example, the entire internal control system and its main
elements, namely internal processes and procedures,
reporting activities, ongoing monitoring and audit
activities.
Assessment Criteria
LIKELIHOOD
IMPACT
• Impact
• Likelihood
• Level of Risk Management
Remote
Negligible
Low
Moderate
Medium
High
High
Critical
Level of Risk Management
Risk INADEQUATELY covered and/or managed
Risk covered and/or managed but with ROOM
FOR IMPROVEMENT
Risk ADEQUATELY covered and/or managed
