SUMMARY OF THE CORPORATE RISK POLICIES
The 'General Risk Control and Management Policy' is further developed by specific corporate policies that are established for certain risks
Summary of the Corporate Risk Policies
24 February 2020
Corporate Credit Risk Policy
The Corporate Credit Risk Policy provides the framework for the monitoring and the management of credit risk from a global viewpoint covering the entire Group, credit risk being understood as all counterparty risks that, in the event of insolvency of such counterparty, might cause the Group to sustain an economic or financial loss.
The scope of the policy covers all activities that give rise to significant credit exposure within all of the financial relationships of the Group.
Exposure to credit risk occurs in various ways, depending on the type of relationship with the counterparty, which takes form in the costs of settlement, replacement or repayments. In particular, the Corporate Credit Risk Policy establishes the identification and segmentation into homogeneous groups of the principal types of relations that give rise to credit exposure within the Group, the implementation of mechanisms to identify common counterparties, the application of corporate guidelines for acceptance of counterparties, as well as the allocation of risk limits in the aggregate and by counterparty, in accordance with credit quality standards.
Additionally, the risk policies for each business establish specific credit risk limits and guidelines in line with the characteristics of the different types of businesses.
Corporate Market Risk Policy
The Corporate Market Risk Policy provides a common framework for the monitoring and management of market risk in the entire Group, market risk being understood as any potential loss of margin and/or value due to adverse changes in price-determining factors.
In particular, the Corporate Market Risk Policy sets out differentiated guidelines for the management of the market risk associated with the various activities connected to the energy value chain:
a) Activities associated with the core business for sale in the liberalised market (electricity production at the Company's own plants, including fuel supply and emission allowances, purchase of electricity and gas, forward, wholesale or retail sale of electricity and gas through the Company's own supply company, dedicated generation or cogeneration plants with or without a power purchase agreement (PPA), hedging transactions, etc.).
b) Regulated energy management and/or sale activities.
c) Other activities involving the "discretionary trading" of electricity, gas, emission allowances and other fuel and associated products, with respect to which a global "stop-loss" limit is established at the Group level.
Additionally, the risk policies for each business establish specific market risk limits and guidelines in line with the characteristics of the different types of businesses and the countries in which the Group has a presence.
Operational Risk in Market Transactions Policy
The Operational Risk in Market Transactions Policy covers the operational, regulatory and reputational risks deriving from all activities in the markets by the various energy and cash management trading desks of the Group as a result of potential improper procedures, technological errors, human failure, fraud and any other internal or external event.
It rests upon the following basic principles:
a) Strong risk culture.
b) Proper segregation of duties.
c) Formalisation of clear policies and procedures.
d) Secure and flexible information technology systems.
And establishes a number of specific guidelines, grouped into categories, which shall apply based on a principle of proportionality to the number and complexity of all transactions carried out by each of the affected trading desks.
The Insurance Policy provides the framework for the monitoring and management, through insurance, of the Company's global exposure to the impact of the operational risks associated with all the activities and businesses of the Group.
It includes the limits for the main insurance programmes, including:
a) Damage to conventional assets.
b) Damage to renewables.
c) Civil liability.
d) Environmental risks.
e) Nuclear risk.
f) Cyber risks.
The Investment Policy provides the framework for the analysis, monitoring and control of new investment or divestment projects of all businesses within the Group and of the risks associated therewith, including those arising from climate change.
In particular, the Investment Policy sets general limits in terms of profitability and risk for each project, as well as the manner in which it fits into the Group's strategy.
Additionally, the risk policies for each business establish specific limits and guidelines in line with the characteristics of the different types of investments.
Financing and Financial Risk Policy
The Financing and Financial Risk Policy establishes the framework for the monitoring and management of financial risks by the Finance and Treasury Division:
The Group must develop a strategy for the financing and management of financial risks that allows for the acquisition of the funds necessary to meet investment and operational needs under optimum cost and risk conditions:
a) Ensuring liquidity.
b) Setting the appropriate levels of risk to be assumed in order to optimise the cost/risk ratio within established limits.
c) Transferring the level of risk associated with financial variables that the Company does not wish to assume to external entities specialising in the management of such risks.
d) Maintaining solvency indicators that enable the Group to maintain its credit rating.
e) Complying with the requirements of local regulators and the tax provisions applicable in each country.
The Financing and Financial Risk Policy establishes the main principles of conduct applicable to all activities vis-à-vis financial risk and includes the risks that might affect the financing of the Group (including market, solvency, liquidity, credit, operational and reputational risk).
Additionally, the risk policies for each business provide for the obligation to transfer financial risks to the Finance and Treasury Division for the comprehensive management thereof.
Treasury Share Policy
The Treasury Share Policy provides that all transactions in own shares or in financial instruments and contracts of any kind with shares of the Company as the underlying asset, by the Company and/or by any of the companies of its Group, shall be conducted in compliance with applicable regulations and with the resolutions adopted in this regard at a General Shareholders' Meeting, and that they shall always pursue lawful aims, such as:
a) Providing investors with sufficient liquidity and depth in the trading of the Company's shares.
b) Stabilising the share price after a public offer for the sale or subscription of shares through the loan of own shares by the Company and the granting of an option to the underwriters to purchase or subscribe shares.
c) Implementing programmes for the purchase of treasury shares approved by the Board of Directors or by the shareholders at a General Shareholders' Meeting and, in particular, making available to the Company the shares required to comply with the share delivery commitments previously assumed thereby under issuances of securities or corporate transactions, as well as compensation schemes or loyalty plans for shareholders (e.g., payment of dividends in kind), directors, officers or employees.
d) Honouring other previously-assumed lawful commitments.
e) Any other purpose allowed under applicable legal provisions.
Moreover, the Treasury Share Policy provides the framework for the monitoring and management of the market, credit and reputational risks associated with treasury share transactions, including the purchase and sale of shares of the Company and trading in derivatives on treasury shares and hedging derivatives, and sets limits, inter alia, on the total volume of the position and the market risk in terms of value at risk.
Risk Policy for Equity Interests in Listed Companies
The Risk Policy for Equity Interests in Listed Companies provides the framework for the monitoring and management of risks affecting the various holdings in listed companies in the form of shares and derivatives:
a) In companies within the scope of consolidation (subsidiaries and affiliated companies).
b) That are financial in nature (financial assets at fair value according to the profit and loss account and financial assets available for sale).
The Procurement Policy provides the overall framework for the control and management of the market, credit, business, regulatory, operational (including cybersecurity and criminal) and reputational risks deriving from the purchase of materials and equipment and from contracting for works and services across the entire Group, with special emphasis being laid on adherence to the ethical commitments of the Group and of its suppliers.
The Procurement Policy rests upon the following basic principles:
— Promoting a strong risk culture and the development of a corporate culture based on ethics and honesty across the entire organisation, capable of supporting the professional and ethically responsible behaviour of all of the employees, through strict application of the Code of Ethics.
— Establishing, in a coordinated fashion, the standards and controls associated with the activities of purchasing and contracting for equipment, materials, works and services for the benefit of the companies making up the Group, ensuring full adherence to the corporate organisation deriving from the Group's governance model.
— Implementing the mechanisms required for purchasing decisions to in any event ensure the achievement of balance between technical competence, quality, price and supplier qualifications as a key condition for the contribution of value.
— Establishing supplier selection procedures that conform to standards of objectiveness, impartiality and equal opportunity, ensuring at all times the professionalism of employees as well as their loyalty to the Group and its shareholders regardless of their own or third-party interests.
— Promoting strict compliance by suppliers with contractual terms and conditions and with applicable law, placing special attention on respect for the environment and on the principles contained in the Policy on Respect for Human Rights, favourably assessing compliance with the provisions in the area of reconciliation and gender equality in the Equal Opportunity and Reconciliation Policy and requiring acceptance of the principles set out in the Code of Ethics specifically applicable to the suppliers of the Group.
— Furthering a supplier relationship policy based on the principles of corporate ethics and transparency, striving for continuous improvement and mutual benefit and promoting innovation and development activities.
— Fostering the motivation and active participation of employees, the training required for the performance of their tasks, and the continuous education thereof.
— Promote sustained, inclusive and sustainable economic growth, productive employment and decent work for all professionals forming part of the Group's value chain, in line with the provisions of goal eight of the Sustainable Development Goals (SDGs) approved by the United Nations.
The Procurement Policy establishes guidelines and detailed limits regarding levels at which authority may be delegated and purchasing procedures within the Group in accordance with the aforementioned principles, as well as regarding the organisation principles that must be observed to ensure full adherence to the corporate organisation deriving from the Group's Corporate Governance System.
Information Technology Policy
The Information Technology Policy also establishes an overall framework for the governance and management of the processes and actions relating to information technology (IT) within the Group. It contemplates the management of risks associated with the use, ownership, operation, participation, influence and adoption of specific information technology, as well as the processes for the management and control thereof.
The Information Technology Policy also defines an integrated management framework that allows for a global technological focus and is intended to ensure the appropriate management of information technology and of the risks associated therewith, promoting the creation of value through an effective and innovative use of information technology and the satisfaction of internal and external users with the level of commitment and services provided, maintaining a balance between the generation of profits, the optimization of risk levels and an efficient use of resources, based on standards of proportionality.
The policy also contains the guidelines of a information technology governance and management model that is common throughout the Group, based on the creation of a Global IT Governance Committee, which will supervise compliance of information technology within the Group, including the significant aspects of the audits and evaluations of compliance therewith and related action plans. It also contemplates the possibility of each IT organisation having its own IT Management Committee or equivalent function.
Cybersecurity Risk Policy
The Cybersecurity Risk Policy establishes a global framework for the control and management of the cybersecurity risks applicable to all the companies of the Group. In particular, it refers to the risks arising from threats and vulnerabilities affecting the Group's control, information technology and communications systems, as well as any other asset forming part of its cyber-infrastructure.
It also establishes the guidelines for a common cybersecurity management model for the entire Group, coordinated by a Cybersecurity Committee and based on the development of global rules and standards to be applied within all the businesses and corporate functions, thus encouraging a strong culture of cybersecurity.
The Cybersecurity Risk Policy is based upon the following basic principles:
— Raising awareness among all employees, contractors and collaborators regarding cybersecurity risks and ensuring that they have the knowledge, skills, experience and technological abilities needed to support the Group's cybersecurity goals.
— Ensuring that the Group's information technology and communications systems have an appropriate level of cybersecurity and cyber-resilience and applying the most advanced standards to those that support the operation of critical cyber-infrastructure.
— Fostering the existence of appropriate cybersecurity and cyber-resilience mechanisms for the systems and operations managed by third parties that provide services to the Company.
— Strengthening capacities for prevention, detection, reaction, analysis, recovery, response, investigation and coordination against terrorist activities and criminality in cyberspace.
— Providing procedures and tools that permit rapid adaptation to changing conditions in the technological environment and to new threats.
— Collaborating with the relevant governmental bodies and agencies in order to contribute to the improvement of cybersecurity in the international sphere.
- Promoting the principles established in the Policy.
- Protecting the information regarding the Group's critical cyberinfrastructure and cybersecurity systems.
- Implementing cybersecurity measures based on efficiency standards.
- Acting in accordance with applicable law and the Code of Ethics.
The Cybersecurity Risk Policy sets out the Company's commitment to clearly and transparently report on its risks and incidents in the area of cybersecurity, in accordance with the provisions of law.
Non-public Cybersecurity risks and incidents directly or indirectly relating to the Company or any other company of the Group and that could have an appreciable effect on the price of Company's shares or of any other security that the Compliance Unit defines as an affected security, might constitute inside information, as this term is defined in the Internal Regulations for Conduct in the Securities Markets, in which case the Company must report them to the market through the National Securities Market Commission upon the terms required by law.
Until said information is public, those persons who are aware of the existence of the risk or incident in question shall be deemed insiders, within the meaning of the provisions of the Internal Regulations for Conduct in the Securities Markets, may not engage in transactions regarding Affected Securities and will be subject to the duty of confidentiality, among other restrictions contemplated in said regulations.
Reputational Risk Framework Policy
The object of the Reputational Risk Framework Policy is to establish a benchmark framework for the monitoring and management of reputational risk to be implemented by all the Divisions of the Group on a coordinated basis with the Investor Relations and Communication Division.
The management of reputation seeks two complementary objectives, to bring out opportunities that trigger favourable behaviour towards the company, and to diminish reputational risk.
There is a direct relationship between this policy and the Stakeholder Relations Policy, the purpose of which is to identify the Company's Stakeholders, engage them and strengthen relations of trust with them, under the principles of transparency, active listening and equal treatment. The eight categories defined in said policy are workforce, shareholders and the financial community, regulatory entities, customers, suppliers, the media, society in general and the environment.
The Reputational Risk Framework Policy establishes various recommendations, including crisis management, and lists indicators for monitoring, like REPTRAK, as well as standards for measuring the reputation of the Company and its Group.
Occupational Safety and Health Risk Policy
The Occupational Safety and Health Risk Policy establishes a common framework for the control and monitoring of occupational safety and health risks based on established good practices and compliance with the legal and labour framework and international benchmark standards, particularly ISO standard 45001:2018 "Occupational health and safety management systems".
The Occupational Safety and Health Risk Policy assumes and promotes the following basic principles that must govern all of the Group's activities:
- Internalise that the health and safety of the employees of the Group are as important as the quality, productivity and profitability of the activities. The safety of employees must always prevail, and the required resources must be allocated for these purposes.
- Promote the training and awareness of all employees of the Group in the area of occupational health and safety, strengthening a culture of excellence.
- Encourage continued vigilance of the health of employees to ensure proper alignment between the employee and their position.
- Obtain and maintain occupational safety and health certifications in line with the strictest international standards, from the standpoint of ongoing improvement.
- Comply with the legal, labour and technological framework and the internal rules of each company of the Group in the area of occupational risk prevention.
- Implement proactive measures against potential breaches or inappropriate conduct both for employees of the Group and for third parties, and particularly promote the use of the Ethics Mailbox as provided by the Code of Ethics.
- Require that the safety rules established by the Group for contractors be observed and cause them to participate in the preventive culture that has been implemented, adopting the best international practices in this area.
- Clearly and transparently report risks and incidents.