Webuild Internal Control and Risk management system consists of policies, procedures and organizational structures aimed at identifying, measuring, managing and monitoring the main risks, in order to contribute to the sustainable success of the company.

The Board of Directors is responsible for the Internal Control and Risk Management System guidelines consistently with the strategies of the company and annually assess its adequacy and effectiveness.

The Internal Control and Risk Management System is based on standards that require business activities to be based on applicable internal and external rules, that they can be traced and documented, that the allocation and exercise of powers as part of a decision- making process be matched to the positions of responsibility and/or with the size and/or significance of the underlying transactions, that those parties that take or implement decisions, which record transactions and those that are required to perform the controls over such transactions provided for by law and procedures envisaged by the internal control and risk management system be different parties and that confidentiality and compliance with the privacy legislation be ensured.

The parties mainly involved in the Internal Control and Risk management system are:

• the Board of Directors
• the Chief Executive Officer
• the Control, Risk and Sustainability committee
• the Manager in charge of financial reporting
• the Board of Statutory Auditors
• the Independent Auditors
• the Internal Audit and Compliance Department (appointed with the Internal Audit and Compliance functions), each by carrying out their duties and roles.

The Integrity Board appointed pursuant to Article 6 of Legislative Decree 231/01 supports the Board of Directors within the scope of its competence. Other subjects involved in the Internal Control and Risk Management System are the Risk Management Dept., the General Managers and the Management.

Sources and principles of the Internal Control and Risk Management System

The sources and principles of the Company's Internal Control and Risk Management System are represented by:

• the Corporate Governance Code
• Webuild's Code of Ethics
• the Organization, Management and Control Model pursuant to Legislative Decree no. 231/01
• Guidelines for the design of administrative and accounting processes pursuant to law no. 262/2005 of the Webuild Group
• the Anti-Corruption Model
• the Business Plan
• additional internal regulations, i.e. the set of corporate documents defining roles and responsibilities within the organization, including the assignment of responsibilities for managing company risks, including, by way of example, but not limited to, Organizational Charts, Organizational Communications and Memos, Framework, Interfunctional and Operational Procedures; the system of delegations and powers of attorney, structured in such a way as to grant authorisation and signature powers consistent with the assigned organizational and management responsibilities; best practices.

The Chief Audit Executive is in charge of verifying that the Internal Control and Risk Management System is functional, adequate and consistent with the guidelines defined by the Board of Directors.