SUMMARY OF THE CORPORATE RISK POLICIES

The 'General Risk Control and Management Policy' is further developed by specific corporate policies that are established for certain risks.

28 April 2020

Corporate Credit Risk Policy

The Corporate Credit Risk Policy provides the framework for the monitoring and the management of credit risk from a global viewpoint covering the entire Group, credit risk being understood as all counterparty risks that, in the event of insolvency of such counterparty, might cause the Group to sustain an economic or financial loss.

The scope of the policy covers all activities that give rise to significant credit exposure within all of the financial relationships of the Group.

Exposure to credit risk occurs in various ways, depending on the type of relationship with the counterparty, which takes form in the costs of settlement, replacement or repayments. In particular, the Corporate Credit Risk Policy establishes the identification and segmentation into homogeneous groups of the principal types of relations that give rise to credit exposure within the Group, the implementation of mechanisms to identify common counterparties, the application of corporate guidelines for acceptance of counterparties, as well as the allocation of risk limits in the aggregate and by counterparty, in accordance with credit quality standards.

Additionally, the risk policies for each business establish specific credit risk limits and guidelines in line with the characteristics of the different types of businesses.

Corporate Market Risk Policy

The Corporate Market Risk Policy provides a common framework for the monitoring and management of market risk in the entire Group, market risk being understood as any potential loss of margin and/or value due to adverse changes in price-determining factors.

In particular, the Corporate Market Risk Policy sets out differentiated guidelines for the management of the market risk associated with the various activities connected to the energy value chain:

a) Activities associated with the core business for sale in the liberalised market (electricity production at the Company's own plants, including fuel supply and emission allowances, purchase of electricity and gas, forward, wholesale or retail sale of electricity and gas through the Company's own supply company, dedicated generation or cogeneration plants with or without a power purchase agreement (PPA), hedging transactions, etc.).

b) Regulated energy management and/or sale activities.

c) Other activities involving the "discretionary trading" of electricity, gas, emission allowances and other fuel and associated products, with respect to which a global "stop-loss" limit is established at the Group level.

Additionally, the risk policies for each business establish specific market risk limits and guidelines in line with the characteristics of the different types of businesses and the countries in which the Group has a presence.

Operational Risk in Market Transactions Policy

The Operational Risk in Market Transactions Policy covers the operational, regulatory and reputational risks deriving from all activities in the markets by the various energy and cash management trading desks of the Group as a result of potential improper procedures, technological errors, human failure, fraud and any other internal or external event.

It rests upon the following basic principles:

a) Strong risk culture.

b) Proper segregation of duties.

c) Formalisation of clear policies and procedures.

d) Secure and flexible information technology systems.

It also establishes a number of specific guidelines, grouped into categories, which shall apply based on a principle of proportionality to the number and complexity of all transactions carried out by each of the affected trading desks.

Insurance Policy

The Insurance Policy provides the framework for the monitoring and management, through insurance, of the Company's global exposure to the impact of the operational risks associated with all the activities and businesses of the Group.

It includes the limits for the main insurance programmes, including:

a) Damage to conventional assets.

b) Damage to renewables.

c) Civil liability.

d) Environmental risks.

e) Nuclear risk.

f) Cyber risks.

Investment Policy

The Investment Policy provides the framework for the analysis, monitoring and control of new investment or divestment projects of all businesses within the Group and of the risks associated therewith, including those arising from climate change.

In particular, the Investment Policy sets general limits in terms of profitability and risk for each project, as well as the manner in which it fits into the Group's strategy.

Additionally, the risk policies for each business establish specific limits and guidelines in line with the characteristics of the different types of investments.

Financing and Financial Risk Policy

The Financing and Financial Risk Policy establishes the framework for the monitoring and management of financial risks by the Finance and Treasury Division.

The Group must develop a strategy for the financing and management of financial risks that allows for the acquisition of the funds necessary to meet investment and operational needs under optimum cost and risk conditions:

a) Ensuring liquidity.

b) Setting the appropriate levels of risk to be assumed in order to optimise the cost/risk ratio within established limits.

c) Transferring the level of risk associated with financial variables that the Company does not wish to assume to external entities specialising in the management of such risks.

d) Maintaining solvency indicators that enable the Group to maintain its credit rating.

e) Complying with the requirements of local regulators and the tax provisions applicable in each country.

The Financing and Financial Risk Policy establishes the main principles of conduct applicable to all activities vis-à-vis financial risk and includes the risks that might affect the financing of the Group (including market, solvency, liquidity, credit, operational and reputational risk).

Additionally, the risk policies for each business provide for the obligation to transfer financial risks to the Finance and Treasury Division for the comprehensive management thereof.

Treasury Share Policy

The Treasury Share Policy provides that all transactions in own shares or in financial instruments and contracts of any kind with shares of the Company as the underlying asset, by the Company and/or by any of the companies of its Group, shall be conducted in compliance with applicable regulations and with the resolutions adopted in this regard at a General Shareholders' Meeting, and that they shall always pursue lawful aims, such as:

a) Providing investors with sufficient liquidity and depth in the trading of the Company's shares.

b) Stabilising the share price after a public offer for the sale or subscription of shares through the loan of own shares by the Company and the granting of an option to the underwriters to purchase or subscribe shares.

c) Implementing programmes for the purchase of treasury shares approved by the Board of Directors or by the shareholders at a General Shareholders' Meeting and, in particular, making available to the Company the shares required to comply with the share delivery commitments previously assumed thereby under issuances of securities or corporate transactions, as well as compensation schemes or loyalty plans for shareholders (e.g., payment of dividends in kind), directors, officers or the other professionals of the group.

d) Honouring other previously-assumed lawful commitments.

e) Any other purpose allowed under applicable legal provisions.

Moreover, the Treasury Share Policy provides the framework for the monitoring and management of the market, credit and reputational risks associated with treasury share transactions, including the purchase and sale of shares of the Company and trading in derivatives on treasury shares and hedging derivatives, and sets limits, inter alia, on the total volume of the position and the market risk in terms of value at risk.

Risk Policy for Equity Interests in Listed Companies

The Risk Policy for Equity Interests in Listed Companies provides the framework for the monitoring and management of risks affecting the various holdings in listed companies in the form of shares and derivatives:

a) In companies within the scope of consolidation (subsidiaries and affiliated companies).

b) That are financial in nature (financial assets at fair value according to the profit and loss account and financial assets available for sale).

Purchasing Policy

The Purchasing Policy provides the overall framework for the control and management of the market, credit, business, regulatory, operational (including cybersecurity and criminal) and reputational risks deriving from the purchase of materials and equipment and from contracting for works and services across the entire Group, with special emphasis being laid on adherence to the ethical commitments of the Group and of its suppliers.

The Purchasing Policy rests upon the following basic principles:

— Promoting a strong risk culture and the development of a corporate culture based on ethics and honesty across the entire organisation, capable of supporting the professional and ethically responsible behaviour of the entire workforce, through strict application of the Code of Ethics.

— Establishing, in a coordinated fashion, the standards and controls associated with the activities of purchasing and contracting for equipment, materials, works and services for the benefit of the companies making up the Group, ensuring full adherence to the corporate organisation deriving from the Group's governance model.

— Implementing the mechanisms required for purchasing decisions to in any event ensure the achievement of balance between technical competence, quality, price and supplier qualifications as a key condition for the contribution of value.

— Establishing supplier selection procedures that conform to standards of objectiveness, impartiality and equal opportunity, ensuring at all times the professionalism of its personnel as well as loyalty to the Group and its shareholders regardless of their own or third-party interests.

— Promoting strict compliance by suppliers with contractual terms and conditions and with applicable law, placing special attention on respect for the environment and on the principles contained in the Policy on Respect for Human Rights, favourably assessing compliance with the provisions in the area of reconciliation and gender equality in the Equal Opportunity and Reconciliation Policy and requiring acceptance of the principles set out in the Code of Ethics specifically applicable to the suppliers of the Group.

— Furthering a supplier relationship policy based on the principles of corporate ethics and transparency, striving for continuous improvement and mutual benefit and promoting innovation and development activities.

— Fostering the motivation and active participation of the workforce, the training required for the performance of their tasks, and the continuous education thereof.

— Promoting sustained, inclusive and sustainable economic growth, productive employment and decent work for all professionals forming part of the Group's value chain, in line with the provisions of goal eight of the Sustainable Development Goals (SDGs) approved by the United Nations.

The Purchasing Policy establishes guidelines and detailed limits regarding levels at which authority may be delegated and purchasing procedures within the Group in accordance with the aforementioned principles, as well as regarding the organisation principles that must be observed to ensure full adherence to the corporate organisation deriving from the Group's Corporate Governance System.

Information Technology Policy

The Information Technology Policy establishes an overall framework for the governance and management of the processes and actions relating to information technology (IT) within the Group. It contemplates the management of risks associated with the use, ownership, operation, participation, influence and adoption of specific information technology, as well as the processes for the management and control thereof.

The Information Technology Policy also defines an integrated management framework that allows for a global technological focus and is intended to ensure the appropriate management of information technology and of the risks associated therewith, promoting the creation of value through an effective and innovative use of information technology and the satisfaction of internal and external users with the level of commitment and services provided, maintaining a balance between the generation of profits, the optimization of risk levels and an efficient use of resources, based on standards of proportionality.

The policy also contains the guidelines of an information technology governance and management model that is common throughout the Group, based on the creation of a Global IT Governance Committee, which will supervise compliance of information technology within the Group, including the significant aspects of the audits and evaluations of compliance therewith and related action plans. It also contemplates the possibility of each IT organisation having its own IT Management Committee or equivalent function.

Cybersecurity Risk Policy

The Cybersecurity Risk Policy establishes a global framework for the control and management of the cybersecurity risks applicable to all the companies of the Group. In particular, it refers to the risks arising from threats and vulnerabilities affecting the Group's control, information technology and communications systems, as well as any other asset forming part of its cyber-infrastructure.

It also establishes the guidelines for a common cybersecurity management model for the entire Group, coordinated by a Cybersecurity Committee and based on the development of global rules and standards to be applied within all the businesses and corporate functions, thus encouraging a strong culture of cybersecurity.

The Cybersecurity Risk Policy is based upon the following basic principles:

— Raising awareness among Iberdrola's entire workforce, suppliers and collaborators regarding cybersecurity risks and ensuring that they have the knowledge, skills, experience and technological abilities needed to support the Group's cybersecurity goals.

— Ensuring that the Group's information technology and communications systems have an appropriate level of cybersecurity and cyber-resilience and applying the most advanced standards to those that support the operation of critical cyber-infrastructure.

— Fostering the existence of appropriate cybersecurity and cyber-resilience mechanisms for the systems and operations managed by third parties that provide services to the Company.

— Strengthening capacities for prevention, detection, reaction, analysis, recovery, response, investigation and coordination against terrorist activities and criminality in cyberspace.

— Providing procedures and tools that permit rapid adaptation to changing conditions in the technological environment and to new threats.

— Collaborating with regulatory bodies in order to contribute to the improvement of cybersecurity in the international sphere.

— Promoting the principles established in the Policy.

— Protecting the information regarding the Group's critical cyberinfrastructure and cybersecurity systems.

— Implementing cybersecurity measures based on efficiency standards.

— Acting in accordance with applicable law and the Code of Ethics.

The Cybersecurity Risk Policy sets out the Company's commitment to clearly and transparently report on its risks and incidents in the area of cybersecurity, in accordance with the provisions of law. 

Non-public cybersecurity risks and incidents directly or indirectly relating to the Company or any other company of the Group and that could have an appreciable effect on the price of the Company's shares or of any other security that the Compliance Unit defines as an affected security, might constitute inside information, as this term is defined in the Internal Regulations for Conduct in the Securities Markets, in which case the Company must report them to the market through the National Securities Market Commission upon the terms required by law.

Until said information is public, those persons who are aware of the existence of the risk or incident in question shall be deemed insiders, within the meaning of the provisions of the Internal Regulations for Conduct in the Securities Markets, may not engage in transactions regarding Affected Securities and will be subject to the duty of confidentiality, among other restrictions contemplated in said regulations.

Reputational Risk Framework Policy

The object of the Reputational Risk Framework Policy is to establish a benchmark framework for the monitoring and management of reputational risk to be implemented by all the Divisions of the Group on a coordinated basis with the Investor Relations and Communication Division.

The management of reputation seeks two complementary objectives: to bring out opportunities that trigger favourable behaviour towards the company, and to diminish reputational risk.

There is a direct relationship between this Policy and the Stakeholder Engagement Policy, the purpose of which is to identify the Company's Stakeholders, engage them and strengthen relations of trust with them, under the principles of transparency, active listening and equal treatment. The eight categories defined in said Policy are workforce, shareholders and the financial community, regulatory entities, customers, suppliers, the media, society in general and the environment.

The Reputational Risk Framework Policy establishes various recommendations, including crisis management, and lists indicators for monitoring, like REPTRAK, as well as standards for measuring the reputation of the Company and its Group.

Occupational Safety and Health Risk Policy

Within the framework of the General Risk Control and Management Policy and the Human Resources Framework Policy, the Company's Board of Directors (a body that is vested with the power to approve and update the corporate policies, including those relating to corporate governance and regulatory compliance, risks and sustainable development), in the interest thereof and that of the companies within the Group, aware of the fundamental importance of all aspects relating to the safety and health of the group's professionals, and consistent with the values of the Company, approved an Occupational Safety and Health Risk Policy.

As to the purpose of this Policy, the Company's Board of Directors, recognising the importance of facing workplace safety and health risks, commits to taking the actions required to provide safe and healthy conditions for the prevention of work-related injuries and health impairments that are suited to the purpose, size and context of each organisation and to the specific nature of the risks for the workforce of both the Company and the other companies within the Group, as well as in its spheres of influence, thereby contributing to the achievement of goals three and eight of the Sustainable Development Goals (SDGs) approved by the United Nations.

To achieve this goal, the Group accepts and promotes the following main principles that must inform all of its activities:

a) Quality, productivity and the profitability of its activities are as important as the health and safety of the people participating in the value chain. All of the foregoing are permanent and basic objectives of the Group.

b) The safety of such people must always prevail. The prevention of work-related injuries and health impairments can be achieved by allocating resources and training to this end.

c) The integration of occupational safety and health in all business processes is a basic principle of effectiveness and efficiency and of collective responsibility.

The purpose and basic principles of the Group regarding work-place safety and health translate into the following commitments assumed by senior management and promoted at all organisational levels:

a) Meeting or exceeding legal and other requirements in the area of occupational risk prevention.

b) The elimination of threats and reduction of risks to workplace safety and health.

c) The integration of workplace safety and health standards in all decisions, business processes and work methods, such that officers, managers, technicians and other professionals fully assume their responsibilities.

d) The continuous improvement of the workplace safety and health management systems.

e) The consultation and participation of all professionals in workplace safety and health.

The environmental commitments of the Group in the area of workplace safety and health are assumed and encouraged through the following instruments:

a) An organizational structure with clearly defined responsibilities, which is decentralised and based on the principle of subsidiarity.

b) The Occupational Safety and Health Risk Policy.

c) The development and implementation of a system of global workplace safety and health standards that determines minimum levels in this area and ensures the harmonisation of the standards applied at all companies of the Group.

d) The acquisition and maintenance of occupational safety and health certifications in line with the strictest international standards.

e) The efficient provision of appropriate technical, financial and human resources.

f) The periodic preparation of specific strategic plans that determine strategic priorities and key matters relating to prevention.

g) The establishment of specific, indicative, stimulating and verifiable objectives regarding workplace safety and health.

h) The exchange of best practices in the area of workplace safety and health among all of the organisations of the Group.

i) Ongoing preparation, training and information for officers, intermediate managers and other professionals in order to promote safe behaviour and raise awareness of the impact of their work on the safety of persons, processes and facilities.

j) Effective coordination and collaboration with suppliers and providers in order for workplace safety and health to be present in all services and work performed at the facilities of the Group.

k) The establishment of close links of cooperation with the various competent government agencies in workplace safety and health matters in order to become a positive benchmark in the area in which the Group engages in its activities.

l) Participation in international initiatives, ratings and indices relating to workplace safety and health.

All of the foregoing such that the various levels of the organisation are aware of the importance of workplace safety and health in the planning and subsequent implementation of all the actions of the Company, and that the entire workforce contribute with their daily work to the achievement of the goals set in this field.