A. General aspects, management procedures and measurement methods of the operational risk

Operational risks are risks of loss due to poor functioning of processes, procedures and human resources, internal systems or external events. Losses from fraud, human error, business interruption, unavailability of systems, contract infringement and natural disasters all fall into this category. Management of operational risks requires the ability to identify the risks present in all the significant products, activities, processes and systems that can compromise the achievement of Banca IFIS Group’s goals. Included in operational risks are the risks of judicial or administrative sanctions, of significant financial losses or of reputational damage following violations of norms (laws and regulations, such as the laws on transparency in banks, anti-money laundering, privacy and administrative responsibility) or of corporate governance (for example, the Corporate Governance Code for listed companies).

Correct management of operational risks is tightly connected to the presence of organisational structures, operational procedures and suitable IT support. Also extremely important is the correct training of resources. Indeed, Banca IFIS is constantly committed to the training and professional growth of its human resources.

Management of operational risks is ensured within the Internal Auditing System described in the already-mentioned report on Corporate Governance and Shareholding Structure, drawn up as per paragraph 3 of article 123 bis of Legislative Decree no. 58 of 24 February 1998 (the Consolidated Law on Finance).

The management of operational risks for the subsidiary is, at present, guaranteed by the strong involvement of the parent company which makes decisions in terms of strategies and risk management for the subsidiary. Specifically, subsidiary’s organisational structures and operational processes are defined and approved by the parent company, while the parent company Internal Auditing Office is responsible for assessing levels of supervision over risks, both directly and through support from specialised local structures.

As far as business continuity is concerned, Banca IFIS Group has adopted, as from December 2006, a group business continuity plan, that is an ensemble of initiatives and counter-measures to be enforced in order to reduce business interruption to the acceptable limits set within business continuity strategies. Part of the business continuity plan involves disaster recovery in cases where corporate IT systems cease to work.

As per the Basel 2 Accord on the calculation of capital requirements for first pillar risks, the bank has chosen to avail itself of the Basic Indicator Approach.