Risk management and compliance

INFORMATION FLOWS PURSUANT TO LEGISLATIVE DECREE NO. 262/2005

MAG’s administrative and control system is based on periodic and systematic flows of information between the various bodies.

These flows are managed using reporting systems aligned to group principles and standards, based on high-tech, integrated ERP data input systems and individual accounting systems for each of the consolidated investees.

In accordance with the respective deadlines and methods established in the by-laws, corporate governance model and other internal documents, such as procedures and instructions, each body reports to its superior body on the activities it has performed in the reporting period and those that it has planned for the subsequent period, along with any observations and recommended steps.

In this area, MAG has voluntarily and step by step implemented tools, systems and procedures as part of an integrated compliance model that meets the principles of Legislative decree no. 262/2005.

This process has led to:

  • the appointment of a manager in charge of financial reporting (see THE MANAGER IN CHARGE OF FINANCIAL REPORTING) and the completion of the related manual which has been approved by the shareholders;
  • the start of an analysis of the parent’s organisation and mapping of risks as per Law no. 262/2005, focusing on administrative/accounting risks.

When the analysis is complete, the implementation process will involve a gap analysis to determine the steps needed to improve the risks of the existing controls.

Changes to the by-laws and integrations to the governance model may be necessary in the future in order to achieve an integrated compliance model.

RISK ASSESSMENT

The group is exposed to a variety of risks due to the nature and type of its business activities and the context in which it operates.

In addition to that described in the notes to the consolidated financial statements with respect to the technical and strategic management of financial risks, the group companies’ risk management policies are based on containing and monitoring the main risk factors.

Over the past few years, the group has progressively embraced risk assessment and risk management concepts to create and gradually implement a structured risk identification, measurement and management process.

MAG’s organisational, management and control model provides for the role of a chief risk officer (CRO), whose responsibilities are allocated to a deputy chairman in charge of the internal control and risk management system. The deputy chairman was appointed, and the related powers were conferred, by the resolution adopted by the new board of directors in the meeting held on 29 December 2018.

The CRO’s work plan involves a complex risk assessment process, which entails the assessment of risks with the involvement of top managers and company bodies in their respective areas of expertise.

This process has led to, inter alia, the preparation of a risk management operating manual in accordance with UNI ISO 31000 standards, containing the guidelines for risk identification, probability and impact assessment, corrective measures to eliminate risks and risk mitigation, transfer and retention, in accordance with UNI ISO 31000 and CEI EN 31010 standards.

Foremost, the assessment of risks to which the group is effectively exposed has led to their identification and mapping by nature and type, as illustrated in a chart further on.

Accordingly, the group has identified the respective risk owners (RO) to whom it has individually presented the risk management plan, along with the operating manual and it has identified the potential risks that fall into their areas of expertise, introducing a procedure in which risk reporting forms are filled out and the risk register is updated.

The CRO monitors that the procedure is followed through routine follow-ups and by specifically monitoring planned and agreed risk mitigation activities.

RISK MAP

Below is a summary of the group’s main risks, which were identified during the risk assessment processes, along with the measures or policies that the group pursues to monitor risk factors and mitigate them:

Risk: The general economic situation has influenced the budgets of the public administrations and the relevant sector in general, which could reduce the group’s profitability and its ability to generate cash.
Risk management actions: The group has taken measures to boost production efficiency and fulfil contracts on schedule, while at the same time containing overheads and maintaining adequate investment levels. It carefully vets investments through the scrupulous evaluation of potential returns and whether they are strategic, in order to hone its competitive edge over time.

Risk: The technological innovation and complexity of MAG’s business areas require the group to constantly enhance its technical and specialist expertise.
Risk management actions: The group has action plans for the recruitment, retention and motivation of personnel, further training and succession planning for key roles.

Risk: For certain business lines dedicated to institutional customers (the ASE SBU), the group relies on the spending of national governments and public institutions, which could be further cut as a result of the financial crisis.
Risk management actions: The group continues to take direct steps to increase the expertise of internal personnel dedicated to these types of activities, which require high levels of specialisation and specific certification, so as to expand the range of aircraft and activities they cover. This increase in its potential offer enables the group to participate in a larger number of public tenders.

Risk: The group is highly dependent on sales to companies that belong to the same group (concentration).
Risk management actions: For some time, the group has been taking steps to achieve a greater medium-term customer and market diversification. These plans are part of a significant and targeted investment policy, which focuses in particular on the development of new products. This policy has enabled it to acquire important new contracts in recent years.

Risk: The group’s contracts are mainly of a long-term nature with established prices, which affect profit margins in the long term.
Risk management actions: The group has a structured, agreed and formalised process for quoting product and contract costs. Its internal control system provides for a review of estimated contract costs on a systematic basis. These procedures entail the monitoring of significant risks, which are identified from when the bid is made, throughout the project, including through the constant comparison of the actual progress of the project and its stage of completion in the accounting records. These analyses involve top management, the program managers and the technical, engineering, manufacturing, production and administration departments. The results are weighted in the calculation of the necessary costs to project completion at least once a year.

Risk: As part of its continuing operations, the group is exposed to “Product” liability risks with its customers or related third parties. It is also exposed to possible charges related to “Product” risks. The more significant obligations include ensuring suitable after-sales support, including through dedicated logistical-industrial structures.
Risk management actions: The group’s organisational structure is divided into business units, in order to better focus on customers, establishing, in subsequent stages, a project management function within the business units. In this context, a dedicated product support structure may be established in the form of a specific business unit. The group negotiates and agrees product third-party liability insurance policies on the market for individual projects/products to cover any damage. It also regularly adjusts its provisions for product warranties to take into account charges arising from any product failures. The group conducts a risk assessment each year to identify maximum insured amounts and terms that best meet its risk levels. The agreed policies also sufficiently meet the coverage levels required by customers for contracts in place. The provision for warranties is adequate to cover possible charges related to “Product” risks.

Risk: Given the rigidity of its industry, the group faces the risk of having single source strategic suppliers, whose performance can affect the continuity of projects (business interruption risk).
Risk management actions: The group reduces this risk through processes that, with increasing structuring, ensure:
  – careful selection and monitoring of the supply chain to achieve high levels of integration;
  – availability of double source strategic sub-supplies, where possible.

Risk: The group’s debt could affect its operating strategies.
Risk management actions: The group monitors developments in its financial debt on a daily basis, in both Italy and for its foreign operations. Its financial strategy consists of maintaining a balance between the sources and application of funds, particularly with respect to the weight of consolidated debt against investments carried out. In 2018/19, the group maintained its debt at lower levels than in the previous year, despite substantial investments to develop and produce new products. The group also constantly monitors the interest rates of its loans. The internal control system provides for short-term and medium-term financial planning activities, which include the use of planning and simulation tools (DocFinance) integrated with the management information system (Infor LN). Based on expected cash generation, credit lines in place and the positive outcome of all financial transactions to date, the group believes that it will have the necessary resources to meet all its obligations.

Risk: The group generates part of its revenue in currencies other than those in which it incurs its costs. Accordingly, it is exposed to currency risk. Part of the consolidated assets are in US and Canadian dollars.
Risk management actions: The group continuously applies a currency risk hedging policy by aligning revenue in non-Euro currencies to purchases on markets outside the Eurozone. The group seeks ways to balance cash holdings and cash requirements in the various foreign currencies among the companies operating in the different regions, always in compliance with fair value rules. In the short-term, volatility on currency markets could lead to exchange rate differences. The group plans to agree short-term hedges as the volumes of flows in non-Euro currencies rise.

Risk: The group operates on complex markets, in which the settlement of potential disputes could be complicated and protracted. Furthermore, the group is exposed to environmental risks due to its various industrial plant.
Risk management actions: The group regularly monitors pending and potential disputes, taking the necessary corrective action and adjusting its provision for risks on a periodic basis. With respect to environmental risks, the group has a prevention and ongoing monitoring programme in place, as well as insurance coverage in one specific case, in order to mitigate the consequences of a polluting event.

Risk: The group operates on particularly complex and highly-regulated markets, which require compliance with specific regulations (e.g., export control).
Risk management actions: Through specific external structures, the group monitors the constant updates to relevant regulations, subjecting the launch of business projects to checks of compliance with restrictions and the obtaining of the necessary authorisations.

Risk: A significant portion of consolidated assets is intangible, particularly development costs for new products.
Risk management actions: The group constantly monitors the progress of projects, taking necessary corrective measures whenever there are unfavourable trends. These updates influence estimated flows used for impairment testing of amounts recognised in the consolidated financial statements.

Risk: The group’s success also depends on the ability of its executive directors and other members of management to effectively manage it and its individual business segments.
Risk management actions: The group’s human resource management policies facilitate the identification of objectives, the medium-term enhancement of skills and the maintenance of the corporate climate. Through appropriate structures (the appointment and remuneration committee), the group implements a management by objectives strategy to complement its key management personnel incentive policies.

Risk: The notes to the consolidated and separate financial statements provide disclosures about disputes and contingent liabilities.
Risk management actions: The assessment of contingent liabilities of a legal and tax nature, which requires the use of estimates and assumptions, shows the costs that the directors, based on the opinion of the group’s consultants, reasonably estimate the group will incur.

Risk: The group’s industrial plant and processes could expose it to environmental risks and to risks to the health and safety of its workforce.
Risk management actions: The group performs environmental monitoring and assessment activities for its facilities and has specific insurance coverage to mitigate the consequences of unforeseeable events. Among other things, process innovation enables the pursuit of low-environmental impact technological solutions. To protect the health and safety of workers, accident frequency and severity trends are constantly monitored and improvement goals set. The effectiveness of the safety measures adopted is assessed over time. A zero-tolerance approach is taken to compliance with regulations governing workers’ health and safety. Specific training and action plans are supported by a detailed system of responsibilities and powers for each identified risk, in order to ensure compliance with group guidelines. Moreover, the number of group facilities that have a certified management system is increasing. The group agrees specific insurance coverage to mitigate the potential consequences of weather events and natural disasters.

Risk: The group has complex information infrastructures which, if breached, could damage the group, its customers and suppliers.
Risk management actions: The group’s approach to cyber security management comprises dedicated safeguards, the training of all staff, as well as specific processes, procedures and technologies to predict, prevent, identify, manage and respond to potential threats. MAG is ISO 27001-certified and is unceasingly committed to management and improvement activities in order to retain it.

LEGAL COMPLIANCE

The group is pursuing a plan to gradually integrate corporate governance and legal compliance tools.

INTERNAL CONTROL SYSTEMS

The group has gradually adopted an internal control system, which has now reached varying degrees of implementation and is most highly structured for the accounting control system and administrative/accounting procedures, in order to ensure that financial information is complete and correct (see, in this section, INFORMATION FLOWS AND LEGISLATIVE DECREE NO. 262/2005).

Strengthening the internal control system is a key objective in the scope of internal control tools and the modules comprising the overall system (segment and consolidated reporting, management control and the information system) and in view of increasingly integrating the risk management system.

ORGANISATIONAL MODEL PURSUANT TO LEGISLATIVE DECREE NO. 231/2001

The first step in this direction has been to develop the organisational and management model recommended by Legislative decree no. 231/2001, which the group first adopted on 11 December 2007.

The aim of the model is to prevent specific types of crimes from being committed by employees and/or contractors in the group’s interests or to its benefit.

Overseen by the Supervisory Body, the model and controls performed by the company functions involved have been subsequently adjusted to meet organisational changes within the group and developments in the applicable legislation.

The following table indicates the main updates recently made to the model:

Update              Content
26 February 2013    Implementation of organisational changes during the year
26 February 2013    Introduction of the special section concerning environmental crimes
17 July 2013        Integration of information flows from those subject to the model towards the Supervisory Body
17 July 2013        Informing and training employees about the existence and updating of the model

During the year, systematic checks were performed to verify that the model is effective, through controls conducted by the Supervisory Body and interviews with personnel involved in sensitive activities.