GENERAL RISK CONTROL AND MANAGEMENT POLICY
Iberdrola manages any threat that may prevent it from reaching its objectives and successfully carrying out its strategies
24 February 2020
The Board of Directors of IBERDROLA, S.A. (the “Company”) has the responsibility to approve and update the corporate policies, which include those relating to corporate governance and regulatory compliance, risks and sustainable development.
Among the risk policies, the General Risk Control and Management Policy (the “Policy”) identifies the principal risks facing the Company and the other companies included within the group of which the Company is the controlling entity, within the meaning established by law (the “Group”), and organises appropriate internal control and information systems, as well as the regular monitoring of such systems.
The object of the Policy is to establish the basic principles and general framework for the control and management of all kinds of risks facing the Company and the Group, and which must be applied in accordance with the provisions of the Purpose and Values of the Iberdrola group.
The Policy is further developed and supplemented by the specific risk policies that may be established for certain risks, corporate functions or businesses of the Group.
The country subholding companies adopt the risk policies of the Group and define the application thereof, approving guidelines on specific risk limits based on the nature and particularities of the businesses in each country.
The management decision-making bodies of the head of business companies of each country must approve the specific risk limits applicable to each of them and implement the control systems necessary to ensure compliance therewith.
The Policy applies to all companies that make up the Group, including the companies that are not part of the Group in which the Company has an interest and over which it has effective control, within the limits established by the laws applicable to the regulated activities carried out by the Group in the various countries in which it operates.
Excluded from the scope of this policy are listed country subholding companies and the subsidiaries thereof which, pursuant to their own special framework of strengthened autonomy, have their own risk policies approved by their competent bodies. In any event, said risk policies of these companies must be in accord with the principles set forth in this Policy and in the other risk policies of the Company.
At those companies in which the Company has an interest but which do not form part of the Group, the Company shall promote principles, guidelines and risk limits established in this Policy and in the supplementary risk policies and shall maintain appropriate channels of information to ensure a due understanding of the risks.
3. Risk Factors - Definitions
From a general viewpoint, a risk is considered to be any threat that an event, action or omission may prevent the Group from reaching its objectives and successfully carrying out its strategies.
The risk factors to which the Group is subject generally are listed below:
a) Corporate Governance Risks: the Company accepts the need to achieve the fulfilment of the corporate interest and the sustained maximisation of the economic value of the Company and its long-term success, in accordance with the Group's corporate interest, culture and corporate vision, taking into account the legitimate public and private interests that converge in the conduct of all business activities, particularly those of the various stakeholders and communities and regions in which the Company and its employees act.
b) Market Risks: understood as the exposure of the Group's results and net worth to changes in prices and other market variables, such as exchange rates, interest rates, electricity prices, commodity prices (gas and other fuels), CO2 emission rights, other renewable support mechanisms, as well as financial assets.
c) Credit Risks: defined as the possibility that a counterparty fails to perform its contractual obligations, thus causing an economic or financial loss to the Group, including the risks of payment and costs of replacement. Counterparties can be end customers, counterparties in financial or energy markets, partners, suppliers or contractors.
d) Business Risks: defined as the uncertainty regarding the performance of key variables inherent in the various activities of the Group through its businesses, such as the characteristics of demand, weather conditions and the strategies of different players.
e) Regulatory and Political Risks: are those arising from regulatory changes made by the various regulators, such as changes in compensation of regulated activities or in the required conditions of supply, or in environmental or tax regulations, including risks relating to political changes that might affect legal security and the legal framework applicable to the businesses of the Group in each jurisdiction, nationalisation or expropriation of assets, the cancellation of operating licenses and the termination of government contracts.
f) Operational, Technological, Environmental and Social Risks: are those related to direct or indirect economic losses resulting from external events, inadequate internal procedures, technical failures, human error and/or fraud, including those associated with climate change, information technologies, cybersecurity and the risk of technological obsolescence.
g) Reputational Risks: potential negative impact on the value of the Company resulting from conduct on the part of the Company that is below the expectations created among various stakeholders, as defined in the Stakeholder Relations Policy.
4. Basic Principles
The Group is subject to various risks inherent in the different countries, industries and markets in which it does business and in the activities it carries out, which may prevent it from achieving its objectives and successfully implementing its strategies.
Aware of the significance of this issue, the Board of Directors of the Company undertakes to develop all of its capabilities in order for the significant risks to all the activities and businesses of the Group to be adequately identified, measured, managed and controlled, and to establish through the Policy the mechanisms and basic principles for appropriate management of the risk/opportunity ratio, at a risk level that makes it possible to:
a) attain the strategic objectives formulated by the Group with controlled volatility;
b) provide the maximum level of assurance to the shareholders;
c) defend the interests of customers, shareholders, other groups interested in the progress of the Company, and society in general;
d) contribute to meeting the Sustainable Development Goals (SDGs) approved by the United Nations, with a special focus on goals seven and thirteen;
e) protect the results and reputation of the Group; and
f) ensure corporate stability and financial strength in a sustained fashion over time.
In the implementation of the aforementioned commitment through the basic principles, the Board of Directors and its Executive Committee have the cooperation of the Audit and Risk Supervision Committee, which, as a consultative body, monitors and reports upon the appropriateness of the system for assessment, control and management of significant risks, acting in coordination with the audit and compliance committees existing at other country subholding companies of the Group.
All actions aimed at controlling and mitigating risks shall conform to the following basic principles:
a) Integrate the risk/opportunity vision into the Company's management, through a definition of the strategy and the risk appetite and the incorporation of this variable into strategic and operating decisions.
b) Segregate functions, at the operating level, between risk-taking areas and areas responsible for the analysis, control and monitoring of such risks, ensuring an appropriate level of independence.
c) Guarantee the proper use of risk-hedging instruments and the maintenance of records thereof as required by applicable law.
d) Inform regulatory agencies and the principal external players, in a transparent fashion, regarding the risks facing the Group and the operation of the systems developed to monitor such risks, maintaining suitable channels that favour communication.
e) Ensure appropriate compliance with the corporate governance rules established by the Company through its Corporate Governance System and the update and continuous improvement of such system within the framework of the best international practices as to transparency and good governance, and implement the monitoring and measurement thereof.
f) Act at all times in compliance with the values and standards of conduct reflected in the Code of Ethics, under the principle of "zero tolerance" for the commission of unlawful acts and situations of fraud set forth in the Crime Prevention Policy and in the Anti-Corruption and Anti-Fraud Policy and the good practices principles reflected in the Corporate Tax Policy.
5. Comprehensive Risk Control and Management System
The Policy and the basic principles underpinning it are implemented by means of a comprehensive risk control and management system, supported by a Risk Committee of the Group and based upon a proper definition and allocation of duties and responsibilities at the operating level and upon supporting procedures, methodologies and tools, suitable for the various stages and activities within the system, including:
a) The establishment of a structure of risk policies, guidelines, limits and indicators, as well as of the corresponding mechanisms for the approval and implementation thereof.
b) The ongoing identification of significant risks and threats, taking into account their possible impact on key management objectives and the accounts (including contingent liabilities and other off-balance sheet risks).
c) The analysis of such risks, both at each corporate business or function and taking into account their combined effect on the Group as a whole.
d) The measurement and control of risks following homogeneous procedures and standards common to the entire Group.
e) The analysis of risks associated with new facilities, as an essential element in risk/return-based decision-making, including physical and transition risks related to climate change.
f) The maintenance of a system for monitoring and control of compliance with policies, guidelines and limits, by means of appropriate procedures and systems, including the contingency plans needed to mitigate the impact of the materialisation of risks.
g) The periodic monitoring and control of profit and loss account risks that might have a significant impact in order to control the volatility of the annual income of the Group.
h) The ongoing evaluation of the suitability and efficiency of applying the system and the best practices and recommendations in the area of risks for eventual inclusion thereof in the model.
i) The audit of the comprehensive risk control and management system by the Internal Audit Division.
6. Risk Policies and Limits
The Policy is further developed and supplemented by the following policies, which are also subject to approval by the Company's Board of Directors:
Corporate Risk Policies:
- Corporate Credit Risk Policy.
- Corporate Market Risk Policy.
- Operational Risk in Market Transactions Policy.
- Insurance Policy.
- Investment Policy.
- Financing and Financial Risk Policy.
- Treasury Share Policy.
- Risk Policy for Equity Interests in Listed Companies.
- Procurement Policy.
- Information Technologies Policy.
- Cybersecurity Risk Policy.
- Reputational Risk Framework Policy.
- Occupational Safety and Health Risk Policy.
Specific Risk Policies for the Various Group Businesses:
- Risk Policy for the Networks Businesses of the Iberdrola Group.
- Risk Policy for the Renewable Energy Businesses of the Iberdrola Group.
- Risk Policy for the Liberalised Businesses of the Iberdrola Group.
- Risk Policy for the Real Estate Business.
This Policy was initially approved by the Board of Directors on 18 December 2007 and was last amended on 24 February 2020.