INTERNAL CONTROL AND RISK MANAGEMENT SYSTEM

The Internal Control and Risk Management System (“SCIGR”) consists of a set of tools, organizational structures and company procedures designed to contribute, through a process of identification, management and monitoring of the main risks within the Company, to the sound and proper management of the business in line with the objectives set by the Board of Directors.

Fincantieri has adopted a risk management model that defines the general principles it intends to pursue in order to implement the SCIGR guidelines, which define the methods by which the main risks will be identified, measured, managed and monitored.

Risk management, in order to ensure better control and improve the effectiveness of the SCIGR, involves:

  • defining the structure and scope of responsibilities of roles within the SCIGR, ensuring a review and integration of segregation of duties;
  • strengthening and centralising the project risk management system;
  • a committee dedicated to coordinating and supporting the functions involved in the SCIGR.

The SCIGR is integrated into the more general organisational and corporate governance structures adopted by the Company and takes into account the reference models, the recommendations of the Corporate Governance Code and existing best practices in this area at national and international level.

In order to implement its strategic guidelines, Fincantieri has adopted an integrated risk management model ERM-PRM (Enterprise Risk Management – Project Risk Management), in line with the principles contained in the Corporate Governance Code for listed companies, which provides for the identification, assessment and management of risk events through a continuous, recurring and widespread process throughout the organisation, minimising impacts and enhancing opportunities for growth and development.

The integrated ERM-PRM risk management model aims to identify the interconnections between all corporate risks, both “Enterprise” and “Project”, providing a more comprehensive and holistic view of risk management, improving the organisation's resilience and enabling it to adequately address future challenges. The purpose of the model is to identify and manage key risk events using a business-oriented approach, focused on the integration of planning, strategic management and the operational level of the company.

The integration of project risks and enterprise risk management (ERM) is facilitated by the use of specific key risk indicators (KRIs). This allows projects to be monitored at Group level, aligning specific project objectives with Fincantieri's more general and broader objectives.

The main features of the integrated ERM-PRM risk management model include:

  • the definition of a Macro Risk Rating model developed within the PRM framework to support Bid/No Bid decisions and provide a priority level for monitoring Risks/Opportunities during the Proposal and Execution phases;
  • the development of the Project Advanced Risk Measurement, a key approach of the PRM assessment model, which allows the monitoring over time of the Net Project Risk profile and the overall portfolio risk profile (at segment/business area and Group level).
  • the definition of the ERM risk catalogue, structured on several levels and containing specific risk events closely related to the various segments and business areas in which the Group operates;
  • a risk management model structure with clear identification of risk owners;
  • the use of trend indicators (KRIs), which can have a direct impact on the occurrence of risks;
  • the adoption of a quantitative assessment system with reference to risks with a predominantly economic-financial and GHG impact;
  • the implementation of quantitative probabilistic approaches, which can be used to accurately define the potential impact of events on the main key indicators of the business plan, as well as on the budgets defined for each of the organisations within the Group;

At the same time, SCIGR enables the identification, measurement, management and monitoring of key risks, as well as ensuring the reliability, accuracy, credibility and timeliness of financial reporting.

Fincantieri is indeed aware that an effective SCIGR contributes to the management of the business in line with the corporate objectives defined by the Board of Directors, supporting informed decision-making. In particular, the SCIGR helps ensure the safeguarding of corporate assets, the efficiency and effectiveness of business processes, the reliability of financial information and compliance with laws and regulations, as well as with the Articles of Association and company procedures.

This system, defined according to leading international practices, is structured on the following three levels of control:

Code of conduct
General section of the Model 231
1° Level
The operational functions identify and assess risks and implement specific mitigation actions for their management.
2° Level
The functions responsible for risk control define methodologies and tools for risk management and carry out monitoring activities.
3° Level
The Internal Auditing function provides independent assessments of the entire System.
ACTORS IN THE CONTROL PROCESS
Boards of Directors
+
Based on the information received from the delegated bodies, which are responsible for ensuring that the organizational, administrative and accounting structure is appropriate to the nature and size of the company, the Board of Directors sets the guidelines for the Internal Control System and appoints the Head of the Internal Auditing function.
Chairman
+

On May 14, 2025, the Board of Directors granted the Chairman powers regarding the internal control and risk management system.

Internal Control and Risk Management Committee.

Board of Statutory Auditors.

Internal Control and Risk Management Committee
+

The Internal Control and Risk Management Committee has investigative, advisory, and propositional functions with respect to assessments and decisions regarding the Company’s Internal Control and Risk Management System. In particular, its role is to assist the Board of Directors in defining the guidelines of the Internal Control System, in identifying a person responsible for supervising its functioning, and in evaluating the adequacy, effectiveness, and actual operation of the Internal Control System.

The Internal Control and Risk Management Committee periodically reports to the Board of Directors on the results of its activities and its assessments regarding the adequacy of the Internal Control System, also formulating any proposals as appropriate.

Board of Statutory Auditors
+
The Board of Statutory Auditors oversees compliance with the law and the By-Laws, adherence to proper management principles, and, in particular, the adequacy of the organizational, administrative, and accounting structure adopted by the Company and its actual functioning.
Internal Audit Function and Head of Internal Audit
+

The Internal Audit Function operates within the scope of Fincantieri, its subsidiaries pursuant to Article 93 of the TUF, and joint ventures/holdings jointly owned with other partners in accordance with the specific provisions set out in the agreements between the parties.

The Internal Audit Function plays a primary role in the process of verifying and assessing the Internal Control and Risk Management System, with the main tasks of:

• verifying its operation and adequacy, both on an ongoing basis and in relation to specific needs, through an Audit Plan approved by the Board of Directors;

• providing support to the company’s top management and management in matters relating to the Internal Control and Risk Management System (SCIGR), in order to promote the efficiency, effectiveness and integration of controls within business processes.

Risk Officer
+
The Function is responsible for ensuring the establishment of a risk management system, overseeing enterprise and project risks at Group level in coordination with the subsidiaries and individual divisions, and providing support to the Chairman for the supervision and coordination of the Internal Control and Risk Management System (SCIGR), with particular reference to Enterprise Risk Management. The Risk Officer supports the management of specific project risks and is responsible for implementing the integrated ERM-PRM model.
Head of the Anti-Corruption and 231 Model Function
+
The Group Compliance, Anti-Corruption and 231 Model Function is responsible for ensuring compliance with and improvement of the Anti-Corruption Management System (UNI ISO 37001 standard), addressing the need to update the Organization, Management and Control Model of the Company and its subsidiaries, and supporting the Supervisory Bodies in the activities required by the regulatory provisions of Legislative Decree 231/2001.
Manager in charge of preparing the company’s accounting documents
+

The role of manager in charge of preparing the company’s accounting documents (the “Manager in Charge”) has been assigned to Felice Bonavolontà, Head of the Group Accounting and Administration Function, by the Board of Directors at its meeting held on 29 May 2025, following the opinion of the Board of Statutory Auditors, until the expiry of the current Board of Directors’ term.

In compliance with the provisions of Article 154-bis of the TUF and Article 26 of the Articles of Association, the Manager in Charge is an expert in administration, finance, control and sustainability, and possesses the integrity requirements prescribed by current regulations for Directors. The Manager in Charge establishes appropriate administrative and accounting procedures for the preparation of the separate and consolidated financial statements, for the process of preparing the sustainability statement, as well as for any other financial communication.

The acts and communications of the Company disseminated to the market and relating to accounting information, including interim reports, must be accompanied by a written statement from the Manager in Charge, certifying their correspondence to the documentary evidence, books and accounting records.

In particular, the Manager in Charge, together with the Chief Executive Officer, certifies by means of a specific report on the separate financial statements, the consolidated financial statements, and the condensed half-yearly financial statements:

• the adequacy and effective application of the administrative and accounting procedures and of the process for preparing the sustainability statement during the period to which the documents refer;

• that the documents are prepared in accordance with the applicable international accounting standards recognized in the European Community pursuant to Regulation (EC) No. 1606/2002 of the European Parliament and of the Council of 19 July 2002;

• the correspondence of the documents to the results of the books and accounting records;

• the suitability of the documents to provide a true and fair view of the financial position, results of operations, and cash flows of the Company and of the group of companies included in the consolidation;

• for the separate and consolidated financial statements, that the management report includes a reliable analysis of the performance and results of operations, as well as of the situation of the Company and of the group of companies included in the consolidation, together with a description of the main risks and uncertainties to which they are exposed;

• for the condensed half-yearly financial statements, that the interim management report contains a reliable analysis of the information referred to in Article 154-ter, paragraph 4 of the TUF.

Pursuant to Article 154-bis, paragraph 5-ter of the TUF, the Manager in Charge, together with the Chief Executive Officer, also certifies that the sustainability statement included in the management report has been prepared in accordance with the reporting standards applied pursuant to Directive 2310/34/EU of the European Parliament and of the Council of 26 July 2013, and the Legislative Decree adopted in implementation of Article 13 of Law No. 15 of 21 February 2024, and with the specifications adopted pursuant to Article 8, paragraph 4, of Regulation (EU) 2020/852 of the European Parliament and of the Council of 18 June 2020.

In order to facilitate information flows, the Manager in Charge is entitled to attend meetings of the Board of Directors with reference to matters relating to accounting.

The Manager in Charge prepares periodic reports regarding the planning of activities to be carried out and the results of the controls performed, which are made available to the Board of Directors.

The Board of Directors verifies, pursuant to Article 154-bis of the TUF, that the Manager in Charge has adequate powers and resources for the performance of the tasks assigned to him.

Supervisory Body
+

In accordance with the provisions of the Organization, Management and Control Model pursuant to Legislative Decree 231/2001, the Supervisory Body (OdV) of Fincantieri is appointed by the Board of Directors and remains in office for three financial years, and in any case until the appointment of the new Supervisory Body.

The Supervisory Body is established as a collegial body capable of ensuring an adequate level of independence, professionalism, and continuity of action. Specifically, it is composed of:

• two members (including the Chairman) selected from outside the company structure, chosen from individuals with proven experience, independence and professionalism;

• one internal member, also to ensure coordination among the various parties involved in the Internal Control and Risk Management System (SCIGR).

The Supervisory Body in office for the three-year period 2024–2026 was appointed by the Board of Directors on 16 April 2024 and is composed as follows:

• External members: Attilio Befara (serving as Chair) and Iole Savini

• Internal member: Davide Carlino (Head of Internal Audit).

Other functions overseeing legal and compliance risk
+

Within the Legal, Corporate Affairs and Compliance Department, headed by the Company’s General Counsel, in addition to the Group Compliance, Anti-Corruption and 231 Model Function, there are two other functions responsible for overseeing legal and compliance risk. These functions are impartial and independent, as they do not report, either hierarchically or functionally, to the business functions involved.

• Corporate Affairs Function: This function is responsible for ensuring compliance with the requirements set out by law, regulatory provisions, the Articles of Association, the Corporate Governance Code, and internal regulations, mainly in relation to:

• corporate bodies

management and disclosure to the market of corporate information and internal dealing regulations

transactions with related parties

• Data Protection Officer: Through the DPO, the Legal, Corporate Affairs and Compliance Department coordinates activities for the protection of individuals with regard to the processing of personal data, as well as the free movement of such data.

External Auditors
+
The statutory audit is entrusted, in accordance with the law, to an external auditors registered in the Register of Statutory Auditors and Auditing Firms pursuant to Article 6 of Legislative Decree No. 39 of January 27, 2010. The appointment of the auditing firm is the responsibility of the Shareholders' Meeting, upon a reasoned proposal by the Board of Statutory Auditors.