Your browser version is not updated, please update it.

Poste Italiane crisis communication policy

The Poste Italiane Group (hereinafter the Group) is a complex business context, unique in its kind, represented by the high number and heterogeneity of the services offered, as well as by the vastness of its network, which is widespread throughout the country.
The business structure within which the Group operates is subject to continuous evolution and change due to various factors, including:
  • the diverse and not always predictable dynamics of the regulatory framework;
  • the complexity of relations with various stakeholders for an organisation that provides public utility services;
  • market trends and factors related to the stock market context;
  • the incessant pace of technological innovation supporting the various business sectors.
Within the Group, the following business areas are identified to which, in some cases, the Obliged Parties belong (Functions and Group Companies supervised by the relevant Supervisory Authorities of the sector to which they belong):
  • Financial Services;
  • Payments, Mobile and Digital;
  • Insurance Services;     
  • Mail, Parcels and Distribution.
 
The organisational operating model adopted by the Group provides for the unitary management of staff and support processes, designed to provide shared services for all business areas and guarantee quality, efficiency and synergies with a view to industrial integration. With particular reference to Obliged Parties, the entrusting and/or outsourcing of functions is regulated in accordance with the specific applicable regulations.
In this context, the Group intends to address the needs of crisis management and business continuity in line with the restrictions to be met, and on which to base an approach aimed at the development and evolution of services, as indicated below:
  • applicable laws and regulations;
  • requirements deriving from technological and/or industry standards as well as guidelines and best-practices;
  • business needs and commercial development.
One of the enabling elements to operate in a dynamic and interconnected context is the resilience of the organisation and the business, i.e. the ability to predict, prepare the response and adapt to sudden changes and crisis situations. As resilience is a relative and dynamic concept, it must be strengthened by integrating and coordinating the various operational aspects with the disciplines that the organisation applies in a context of continuous improvement.
Resilience is a strategic objective for the Group to pursue, to enable the Organisation to react promptly to incidents and crises that may threaten its existence or the achievement of its objectives.
The Group’s resilience, understood as a strategic objective, is defined and referred to in the document Group Crisis Management and Business Continuity Policy Errore. L'origine riferimento non è stata trovata. and is pursued with a model designed for the Group’s Crisis Management and Business Continuity.

Reference model for crisis management

Crisis management is the ability of a company to predict, prepare, respond and recover from crises. Therefore, it needs to be developed with awareness and supported through the development of a framework.
The Group has chosen to develop a crisis management framework consistent with the guideline BS 11200:2014 Crisis management. Guidance and good practice. By adopting this framework and through the implementation of predefined steps, the Group will be able to respond to crises in an effective and structured manner and prevent them wherever possible.
In particular, the framework is divided into the phases illustrated and described below and developed in detail in the Group Crisis Management Plan:


 
  • Forecasting and Evaluation: formalised and continuous processes are activated for analysis and monitoring of possible events that crises may produce before they occur (horizon scanning). The aim of this phase is to develop a scale of priorities to assess the most likely situations and the severity of the damage they could potentially cause.
 
  • Preparation: the crisis can develop independently of the effectiveness of the forecasting and evaluation phase; therefore, the Group must be able to manage it effectively. In the preparation phase, readiness to react must be ensured in order to deal with specific risks and to manage any non-modelled crises. In this regard, a response plan is developed and adopted through the preparation and definition of key elements such as:
    • a Group Crisis Management Plan, which aims to support activities of preparation, response and recovery from a crisis (or return to normal activity);
    • preparation of the Crisis Unit formed by the highest representatives of the Group to ensure the application of the Group Crisis Management Plan.
 
  • Response: the Crisis Unit uses the tools provided in the preparation phase, defines the strategic direction of the response to the crisis, takes decisions, continuously monitors and reviews the objectives and effectiveness of the response ensuring a timely recovery phase.
  • Recovery: once the crisis has been resolved, the Crisis Unit must manage the impacts and long-term effects that may result and decide how to return to normality or possibly adapt to new circumstances.
 
  • Revision and Improvement: the crisis management process must include reviewing and evaluating the crisis response, plans and procedures to identify areas for improvement to make the defined crisis management framework more effective and the Group more resilient and prepared for the future.

Roles and responsibilities for the crisis

The Group defines an organisational model for crisis management, to be activated only and exclusively in crisis situations, which allows modular and flexible management of serious emergencies through the activation of the management level most appropriate to the type of impact, with a view to responding optimally to crisis scenarios and ensuring the timeliness and effectiveness of the measures to be adopted.

It is be noted that the crisis management model can be activated for all events classified with the highest level of severity, regardless of the solutions provided. If the scenario to be managed coincides with one of the regulated scenarios, the procedures for business continuity are also activated. Otherwise, in view of the roles and responsibilities of the crisis management model described, the Group Crisis Management Manager and the Crisis Unit are responsible for identifying the best solutions to be put in place to limit the Group’s damage, particularly with regard to financial, legal, regulatory and image aspects, resulting from the event.

For events impacting on one or more of the Obliged Parties, it remains their responsibility, always in agreement with the Group Crisis Management Manager, to declare the possible state of crisis of their Company/Organisation and to comply with the notification obligations towards the relevant Authorities provided for by the regulations applicable to them.
They also participate in the Crisis Unit to identify the best solutions to be put in place to limit the damage to their Organisations. 

The organisational model for crisis management identifies the roles to be involved, progressively and according to the severity of the case, for the management of the crisis event, in order to ensure:
  • the extraordinary decision-making authority necessary for crisis management;
  • the ability to operate under intense operational stress;
  • the maintenance of exceptionally tight decision-making time frames;
  • an adequate level of internal and external communication within the group, including the Supervisory Authorities of the Obliged Parties.
To integrate the main roles of the Management Systems described in paragraph Errore. L’origine riferimento non è stata trovata., the further roles involved in crisis management are listed below, with a brief description:
  • Communication Plan Representative: responsible for communications outwards (mass media, institutions, large customers, etc.) and inwards (post offices, branches, employees, family members, etc.) of the Group, in case of crisis.
  • Log Keeper: carries out the essential activity of documenting all decisions taken, in consideration of the information available at the time and the actions taken for crisis management. The Log Keeper ensures the collection of evidence to be used for any legal action or investigation by offering a tool to support the Group Crisis Management Manager regarding the decisions taken.
  • Risk Manager of the Obliged Party: supports crisis management action as far as it is concerned, jointly with the Group Risk Manager.
  • Group Crisis and Business Continuity Management Team: implements and maintains the Group Crisis Management System.


The table below shows the roles and responsibilities in the crisis management system
 
ROLE RESPONSIBILITY
Board of Directors Approve the Group Crisis Management and Business Continuity Policy.
Approves the Group Crisis Management and Business Continuity Guidelines.
Approves the Group Incident Management Guidelines.
Approves the Group Crisis Management Plan and subsequent amendments following technological and organisational adjustments.
Appoints the Group Crisis Management Manager.
Board of Directors of the Obliged Party Examines and implements the documents relating to the Group’s crisis management for the area of responsibility. Approves strategic decisions regarding crisis management relating to the fulfilment of the regulatory requirements applicable to the relevant area.
Chief Executive Officer Preliminarily examines all documents addressed to the Board of Directors.
Promotes the development, periodic monitoring of the Group Crisis Management Plan and related updating following significant organisational, technological and infrastructural innovations, as well as in the case of gaps or deficiencies found or new critical issues that have arisen.
Approves the Annual Crisis Management Test Plan and examines the documented results in writing.
Chief Executive Officer / Manager of the Obliged Party Examines in advance all the documents to be submitted to its Board of Directors with reference to the area of responsibility.
Examines the Annual Crisis Management Test Plan with reference to the area of responsibility.
Examines the reports of the audit carried out by the Group Control Function, with reference to the area of responsibility.
Jointly with the Group Crisis Management Manager, declares the state of crisis for its area, should the event have an impact on it and proceeds with the required notifications to the relevant Authority.
Verifies the activation of the Crisis Management Communication Plan.
Group Crisis Management Manager Favours the adoption of the reference model for crisis management.
Formally declares the crisis and the return to normality, after consultation with the Crisis Unit.
Oversees the Crisis Unit that it convenes and supports in decision-making regarding the areas of responsibility assigned to it.
In light of the event, convenes specific Group company functions to provide strategic support on pertinent issues, involving any parties external to the Organisation that may be necessary in terms of responsibility and authority (Public Security Bodies, Prefecture, Judiciary, Civil Protection, Guarantor Authorities, etc.).
Activates the functions responsible for the management of appropriate emergency actions.
Ensures the timely availability of the necessary resources, including economic resources, for the resolution of the crisis.
Manages contacts with Organisations and Institutions.
Defines the communication strategy outwards (mass-media, institutions, large customers, etc.) and inwards (post offices, branches, employees, family members, etc.) in crisis situations and, together with the Communication Plan Representative, guarantees the execution of the Crisis Management Communication Plan.
Acts on the basis of the best information available, making use of the best expertise and, if necessary, in collaboration with the Group Business Continuity and Emergency Management Manager, activates the Group Business Continuity Plan1.
Ensures that the contracts of critical suppliers and outsourced service providers are adequate for crisis management objectives.
Constantly informs the Board of Directors and the Chief Executive Officer on the evolution of the event and the solutions adopted.
Verifies the Annual Crisis Management Test Plan and examines the results of the documented tests in writing.
Considers submitting the Group Crisis Management Plan for review by competent independent third parties.
Control Function Monitors the completeness, adequacy, functionality and reliability of the Group Crisis Management Plan. Adequately documents the verification activity carried out and the evidence that emerged.
Regularly verifies the Group Crisis Management Plan and the related updating process.
Reviews the verification programs, is present during tests and checks the results, proposing changes to the Group Crisis Management Plan on the basis of the deficiencies found.
Examines the contracts of critical suppliers and outsourced service providers to ensure that the level of protection is adequate for crisis management objectives.
Verifies ex post the appropriateness of the time taken to declare the state of crisis.
Group Risk Manager Collaborates with the competent company Risk Management functions and with the Risk Managers of the Obliged Parties for the requirements of sector regulations.
Supports the Group Crisis Management Manager, with a view to risk-based strategy, defining the levels of risk appetite at Group level for all areas, including those of reference of Obliged Parties, to be submitted to the Board of Directors of Poste Italiane. Monitors the consistency of residual risk with defined risk appetite levels.
Risk Manager of the Obliged Party Jointly with the Group Risk Manager, supports crisis management action to the extent of its responsibility.
Supports, to the extent of its responsibility, the Group Risk Manager in the definition of risk appetite levels, to be submitted to its Board of Directors.
Supports, to the extent of its responsibility, the Group Risk Manager in monitoring the consistency of the residual risk with the defined risk appetite levels.
Group Business Continuity and Emergency Management Manager Supports the Group Crisis Management Manager in implementing the measures defined by the Crisis Unit.
Crisis Unit Assesses the threats and opportunities in the medium and long term arising from the actions taken to manage the crisis.
Supports the Group Crisis Management Manager in assessing the crisis scenario for the purposes of formally declaring the state of crisis and returning to normality.
Supports the Group Crisis Management Manager in defining and implementing the actions to be taken in the event of a crisis, in determining priorities in the allocation of resources, in decisions to be taken that have strategic implications in the long term.
Supports the Communication Plan Representative in the implementation of the communication strategy outwards (mass-media, institutions, large customers, etc.) and inwards (post offices, branches, employees, family members, etc.).
Plans the activities necessary for the return to normality and promotes the sharing of experience to encourage continuous improvement for crisis management.
Assesses and monitors the crisis management process, ensuring that priorities are clearly understood and that performance and information flow are appropriate to the situation, ensuring that stakeholders receive information correctly and that their views, advice and assistance are sought in a timely manner.
Participates in the activities foreseen in the Annual Crisis Management Test Plan.
Incident Management Manager Provides operational support to the Crisis Unit by activating the response actions defined to manage a crisis event, referring to the Incident Management Unit.
Collects, normalizes and analyzes information from internal and external information sources (Social Media, Deep Web, newspapers, TV, radio, Threat Intelligence platforms, etc.) to identify potential crisis scenarios, referring to the Incident Management Unit.
Identifies, implements and monitors preventive and containment measures to counter, mitigate and/or transfer the critical issues associated with potential crisis scenarios, referring to the Incident Management Unit.
Participates in the activities foreseen in the Annual Crisis Management Test Plan, referring to the Incident Management Unit.
Group Crisis and Business Continuity Management Team Drafts and updates the Group Crisis Management and Business Continuity Guidelines.
Supports the Group Crisis Management Manager for crisis management.
Implements and maintains the Crisis Management and Business Continuity System as detailed in the annex Documentary Framework for Group Crisis Management and Business Continuity.
Drafts the Annual Crisis Management Test Plan, ensuring related conduct and final report.
Drafts the Group Crisis Management Plan.
Communication Plan Representative Supports the Group Crisis Management Manager in defining the communication strategy outwards (mass-media, institutions, large customers, etc.) and inwards (post offices, branches, employees, family members, etc.) in crisis situations and ensures execution thereof.
Activates the Crisis Management Communication Plan.
Log Keeper Keeps a record of key information, decisions taken and actions carried out in relation to crisis situations, in strict chronological order.
Keeps the record ensuring the confidentiality of the information contained in it.
 

1 During a crisis, parts of the Group Business Continuity Plan may be activated to partially resolve the crisis.