Risk management and compliance


MAG’s administrative and control system is based on periodic and systematic flows of information between the various bodies.

These flows are managed using reporting systems aligned to group principles and standards, based on high-tech, integrated ERP data input systems and individual accounting systems for each of the consolidated investees.

In accordance with the respective deadlines and methods established in the by-laws, corporate governance model and other internal documents, such as procedures and instructions, each body reports to its superior body on the activities it has performed in the reporting period and those that it has planned for the subsequent period, along with any observations and recommended steps.

In this area, MAG has voluntarily and step by step implemented tools, systems and procedures as part of an integrated compliance model that meets the principles of Legislative decree no. 262/2005.

This process has led to:

  • the appointment of a manager in charge of financial reporting (see THE MANAGER IN CHARGE OF FINANCIAL REPORTING) and the completion of the related manual which has been approved by the shareholders;
  • the start of an analysis of the parent’s organisation and mapping of risks as per Law no. 262/2005, focusing on administrative/accounting risks.

When the analysis is complete, the implementation process will involve a gap analysis to determine the steps needed to improve the risks of the existing controls.

Changes to the by-laws and integrations to the governance model may be necessary in the future in order to achieve an integrated compliance model.



The group is exposed to a variety of risks due to the nature and type of its business activities and the context in which it operates.

The general context of 2020 highlighted the “pandemic risk”, long identified as a potentially major risk to business, though widely regarded largely as a theoretical risk.

In addition to that described in the notes to the consolidated financial statements with respect to the technical and strategic management of financial risks (see Errore. L’origine riferimento non è stata trovata. Errore. L’origine riferimento non è stata trovata.), the group companies’ risk management policies are based on containing and monitoring the main risk factors.

Over the past few years, the group has progressively embraced risk assessment and risk management concepts to create and gradually implement a structured risk identification, measurement and management process.

MAG’s organisational, management and control model provides for the role of a chief risk officer (CRO), whose responsibilities are allocated to a deputy chairman in charge of the internal control and risk management system, who was appointed and the related powers conferred thereon by the resolution adopted by the new board of directors in the meeting held on 29 December 2018.

Foremost, the assessment of risks to which the group is effectively exposed has led to their identification and mapping by nature and type, as illustrated in a chart further on.

Albeit limited in what it can do in respect of certain external systemic factors, the situation experienced during the year led the group to consider issues of a more general nature, with the aim of including any kind of mitigation actions that it can put in place.

The following table, taken from the World Economic Forum’s 2020 Global Risks Report, shows the evolving landscape of the top 5 global risks in terms of impact on society and the economy:

As it was prepared just before the outbreak of the pandemic, it is no coincidence that, although included in the table, pandemic risk had slid down in the scale of probability, although still deemed high impact.

The global risks interconnections map2 highlights the environmental issue, to which the roots of the outbreak of the pandemic can also be traced, in terms of the extent and methods of natural resources exploitation.

Against the backdrop of these analyses there is, as mentioned several times in this report, a new balance of political powers and strategies following the disruption caused by the health emergency to the economic, demographic and social dynamics.

Risks of economic instability and to social cohesion overlaid a framework already significantly affected by climate issues. Health systems across the globe were placed under pressure, highlighting inequalities in the allocation of resources.

There was a dual reaction to these types of risks by the group.

In purely operating terms, MAG rolled out comprehensive safety protocols to ensure the highest level of protection of the people operating in its facilities. It also introduced regulations allowing the immediate commencement of agile or work-from-home arrangements, for all office staff, limiting and alternating on-site presence based on the alert levels issued by government and local authorities.

More broadly, MAG adopted a suite of measures to assist employees in managing the demands of family, introducing flexible working hours and alternation between on-site and agile working, so that they could manage the distance learning of children or family members.

In the early stage of the outbreak, which was particularly bad in Italy, where the parent and most of the group employees are located, MAG sourced protective equipment for all employees, including from abroad.

MAG requires its personnel to undergo regular mandatory and optional clinical tests with a view to general prevention in addition to occupational disease prevention.

Prevention is an important part of protecting the health of the individual and easing the burden on national health systems.

The survey carried out by the Institute for Health Metrics and Evaluation3 shows that the diseases responsible for over 60% of the causes of death may be correlated with working activity, even just in terms of aggravating or attenuating the risk.

MAG’s CRO’s follows an ongoing work plan involving a complex risk assessment process, which entails the assessment of risks with the involvement of top managers and company bodies in their respective areas of expertise.

This process has led to, inter alia, the preparation of a risk management operating manual in accordance with UNI ISO 31000 standards, containing the guidelines for risk identification, probability and impact assessment, corrective measures to eliminate risks and risk mitigation, transfer and retention, in accordance with UNI ISO 31000 and CEI EN 31010 standards.

As part of this process, the group identifies the respective risk owners (RO) to whom it individually presents the risk management plan, along with the above-mentioned operating manual and the potential risks that fall into their areas of expertise, introducing a procedure in which risk reporting forms are filled out and the risk register is updated.

The CRO monitors that the procedure is followed through routine follow-ups and by specifically monitoring planned and agreed risk mitigation activities.


Below is a summary of the group’s main risks, which were identified during the risk assessment processes, along with the measures or policies that the group pursues to monitor risk factors and mitigate them:

RiskRisk management actions
The global health crisis and the state of the national health systems could negatively affect business continuity on several levels, in relation to which the group identified lines of action: emergencies within the company and/or the families of its employees,threat to the physical and mental wellbeing of employees and contractors,supply chain interruptions,interruption to customer operations;damage to reputation or communication problems with the local social context;insufficient resources, including financial, to respond to the need to take action and the containment and prevention measures.   Some of these issues also come up in other risk areas; they are specified here in relation to the specific actions taken in response to the pandemic risk.   Similarly, the measures rolled out to reduce these risks may also be included under other actions the group normally implements; in that case, they represent the risk management actions separate from the health issue.The group responded decisively to the health emergency with a series of immediate actions to reduce the following types of risks: Organisational. Establishment of internal groups for the management of the emergency, comprised of managers (generally HR, quality assurance and top management) granted the power to make immediate decisions. Procedural. Drawing up of “emergency plans” containing clear rules and protocols to be applied in the case of potential emergency situations. Roll-out offlexible and/or agile working (working-from-home) agreementsto enable the necessary alternation of on-site work and working from home. Improvement of IT and digital infrastructures to ensure adequate off-site access to company intranets. Preparation of a plan for the management of personal data,of employees and all contractors (partners and external personnel), compliant with privacy regulations, for contact tracing purposes. Communication. Clear and timely communication with employees, suppliers and customers providing the necessary information and to ensure business continuity. Health. Introduction of measures for hygiene and health conditions in the workplace and of personnel. The latter involve specific health assessments in addition to and as part of testing campaigns for employees and contractors. Compliance. Cooperation with both suppliers (supply chain) and customers to prevent disruption to product/services procurement and supply. Procurement plans were drawn up for the supply chain to stave off the risk of shortages in materials and parts needed in production. These plans include an assessment of alternative sources in markets or areas less heavily impacted by the health crisis. Financial. Accrual in the company budgets of adequate resources for the prevention and containment measures.
The general economic situation has influenced the budgets of the public administrations and the relevant sector in general, which could reduce the group’s profitability and its ability to generate cash.The group has taken measures to boost production efficiency and fulfil contracts on schedule, while at the same time containing overheads and maintaining adequate investment levels. It carefully vets investments through the scrupulous evaluation of potential returns and whether they are strategic, in order to hone its competitive edge over time.
The technological innovation and complexity of MAG’s business areas require the group to constantly enhance its technical and specialist expertise.The group has action plans for the recruitment, retention and motivation of personnel, further training and succession planning for key roles.
For certain business lines dedicated to institutional customers (the ASE SBU), the group relies on the spending of national governments and public institutions, which could be further cut as a result of the financial crisis.The group continues to take direct steps to increase the expertise of internal personnel dedicated to these types of activities, which require high levels of specialisation and specific certification, so as to expand the range of aircraft and activities they cover. This increase in its potential offer enables the group to participate in a larger number of public tenders.
The group is highly dependent on sales to companies that belong to a single group (concentration).For some time, the group has been taking steps to achieve a greater medium-term customer and market diversification. These plans are part of a significant and targeted investment policy, which focuses in particular on the development of new products. This policy has enabled it to acquire important new contracts in recent years.
The group’s contracts are mainly of a long-term nature with established prices, which affect profit margins in the long term.  The group has a structured, agreed and formalised process for quoting product and contract costs. Its internal control system provides for a review of estimated contract costs on a systematic basis. These procedures entail the monitoring of significant risks, which are identified from when the bid is made, throughout the project, including through the constant comparison of the actual progress of the project and its stage of completion in the accounting records. These analyses involve top management, the program managers and the technical, engineering, manufacturing, production and administration departments.  The results are weighted in the calculation of the necessary costs to project completion at least once a year.
As part of its continuing operations, the group is exposed to “Product” liability risks with its customers or related third parties. It is also exposed to possible charges related to “Product” risks. The more significant obligations include ensuring suitable after-sales support, including through dedicated logistical-industrial structures.The group’s organisational structure is divided into business units, in order to better focus on customers, establishing, in subsequent stages, a project management function within the business units. In this context, a dedicated product support structure may be established in the form of a specific business unit. The group negotiates and agrees product third-party liability insurance policies on the market for individual projects/products to cover any damage. It also regularly adjusts its provisions for product warranties to take into account charges arising from any product failures. The group conducts a risk assessment each year to identify maximum insured amounts and terms that best meet its risk levels. The agreed policies also sufficiently meet the coverage levels required by customers for contracts in place. The provision for warranties is adequate to cover possible charges related to “Product” risks.
Given the rigidity of its industry, the group faces the risk of having single source strategic suppliers, whose performance can affect the continuity of projects (business interruption risk).The group reduces this risk through processes that, with increasing structuring, ensure: – careful selection and monitoring of the supply chain to achieve high levels of integration; – availability of double source strategic sub-supplies, where possible.
The group’s debt could affect its operating strategies.The group monitors developments in its financial debt on a daily basis, in both Italy and for its foreign operations. Its financial strategy consists of maintaining a balance between the sources and application of funds, particularly with respect to the weight of consolidated debt against investments carried out. In 2019/20, the group maintained its debt at levels comparable with the previous year, despite substantial investments being made to develop and produce new products. The group also constantly monitors the interest rates of its loans. The internal control system provides for short-term and medium-term financial planning activities, which include the use of planning and simulation tools (DocFinance) integrated with the management information system (Infor LN). Based on expected cash generation, credit lines in place and the positive outcome of all financial transactions to date, the group believes that it will have the necessary resources to meet all its obligations.
The group generates part of its revenue in currencies other than those in which it incurs its costs. Accordingly, it is exposed to currency risk. Part of the consolidated assets are in US and Canadian dollars.The group continuously applies a currency risk hedging policy by aligning revenue in non-Euro currencies to purchases on markets outside the Eurozone. The group seeks ways to balance cash holdings and cash requirements in the various foreign currencies among the companies operating in the different regions, always in compliance with fair value rules. In the short-term, volatility on currency markets could lead to exchange rate differences. The group plans to agree short-term hedges as the volumes of flows in non-Euro currencies rise.
The group operates on complex markets, in which the settlement of potential disputes could be complicated and protracted. Furthermore, the group is exposed to environmental risks due to its various industrial plant.The group regularly monitors pending and potential disputes, taking the necessary corrective action and adjusting its provision for risks on a periodic basis. With respect to environmental risks, the group has a prevention and ongoing monitoring programme in place, as well as insurance coverage in one specific case, in order to mitigate the consequences of a polluting event.
The group operates on particularly complex and highly-regulated markets, which require compliance with specific regulations (e.g., export control).Through specific external structures, the group monitors the constant updates to relevant regulations, subjecting the launch of business projects to checks of compliance with restrictions and the obtaining of the necessary authorisations.
A significant portion of consolidated assets is intangible, particularly development costs for new products.The group constantly monitors the progress of projects, taking necessary corrective measures whenever there are unfavourable trends. These updates influence estimated flows used for impairment testing of amounts recognised in the consolidated financial statements.
The group’s success also depends on the ability of its executive directors and other members of management to effectively manage it and its individual business segments.The group’s human resource management policies facilitate the identification of objectives, the medium-term enhancement of skills and the maintenance of the corporate climate. Through appropriate structures (the appointment and remuneration committee), the group implements a management by objectives strategy to complement its key management personnel incentive policies.
The notes to the consolidated and separate financial statements provide disclosures about disputes and contingent liabilities.The assessment of contingent liabilities of a legal and tax nature, which requires the use of estimates and assumptions, shows the costs that the directors, based on the opinion of the group’s consultants, reasonably estimate the group will incur.  
The group’s industrial plant and processes could expose it to environmental risks and to risks to the health and safety of its workforce.The group performs environmental monitoring and assessment activities for its facilities and has specific insurance coverage to mitigate the consequences of unforeseeable events. Among other things, process innovation enables the pursuit of low-environmental impact technological solutions. To protect the health and safety of workers, accident frequency and severity trends are constantly monitored and improvement goals set. The effectiveness of the safety measures adopted is assessed over time. A zero-tolerance approach is taken to compliance with regulations governing workers’ health and safety. Specific training and action plans are supported by a detailed system of responsibilities and powers for each identified risk, in order to ensure compliance with group guidelines. Moreover, the number of group facilities that have a certified management system is increasing. The group agrees specific insurance coverage to mitigate the potential consequences of weather events and natural disasters.
The group has complex information infrastructures  which, if breached, could damage the group, its customers and suppliers.  The group’s approach to cyber security management comprises dedicated safeguards, the training of all staff, as well as specific processes, procedures and technologies to predict, prevent, identify, manage and respond to potential threats.   MAG is ISO 27001-certified and is unceasingly committed to management and improvement activities in order to retain it.


The group is pursuing a plan to gradually integrate corporate governance and legal compliance tools.


The group has gradually adopted an internal control system, which has now reached varying degrees of implementation and is most structured for the accounting control system and administrative/accounting procedures, in order to ensure that financial information is complete and correct (see Errore. L’origine riferimento non è stata trovata. and, in this section, INFORMATION FLOWS AND LEGISLATIVE DECREE NO. 262/2005).

Strengthening the internal control system is a key objective in the scope of internal control tools and the modules comprising the overall system (segment and consolidated reporting, management control and the information system) and in view of increasingly integrating the risk management system.


The first step in this direction has been to develop the organisational and management model recommended by Legislative decree no. 231/2001, which the group first adopted on 11 December 2007.

The aim of the model is to prevent specific types of crimes from being committed by employees and/or contractors in the group’s interests or to its benefit.

Overseen by the Supervisory Body, the model and controls performed by the company functions involved have been subsequently adjusted to meet organisational changes within the group and developments in the applicable legislation.

The following table indicates the main updates recently made to the model:

26 February 2013Implementation of organisational changes during the year
26 February 2013Introduction of the special section concerning environmental crimes
17 July 2013Integration of information flows from the recipients of the model towards the Supervisory Body
17 July 2013Informing and training employees about the existence and updating of the model

During the year, systematic checks were performed to verify that the model is effective, with the Supervisory Body conducting controls and through interviews with personnel involved in sensitive activities.

  1. WEF Global Risk Report 2020 

  2. WEF, The Global Risk Report 2020, op. cit. National university of Singapore, Oxford Martin School, University of Oxford, Wharton Risk Management and Decision Processes Center, University of Pennsylvania. 

  3. IHME, “Global Burden of Disease Study 2017”. http://www.healthdata.org/policy-report/findings-global-burden-disease-study-2017