Compliance and internal reporting and whistleblower protection system policy

Compliance and internal reporting and whistleblower protection system policy

20 June 2023

The Board of Directors of IBERDROLA, S.A. (the “Company”) has the power to design, assess and continuously revise the Governance and Sustainability System, and specifically to approve and update the corporate policies, which contain the guidelines governing the conduct of the Company and of the companies belonging to the group of which the Company is the controlling entity, within the meaning established by law (the “Group”). 

The Company has a solid and innovative track record in compliance, which it has developed on the basis of regulatory requirements and best practices, positioning it as a leader in this field. In 2002 it already had a Code of Ethics to guide the conduct of its directors, professionals and suppliers as well as those of the other companies of the Group, and in 2010 it approved a Crime Prevention Policy which, together with the Anti-Corruption and Anti-Fraud Policy that came into force in 2016, demonstrate the development of a business culture based on ethics and on honesty, as well as the responsibility and the commitment of the Company and of the other companies of the Group to actively respond to the challenge of the fight against corruption and fraud in all their areas of activity.

The Company has also established an effective, autonomous, independent and robust Compliance System of its own to prevent, manage and mitigate the risk of improper conduct and acts that are illegal or contrary to law and the Governance and Sustainability System that can be performed within the organisation, and to ensure that the conduct of the organisation is in accordance with ethical principles, the law and internal rules. Based on the experience it has accumulated and in line with the evolution of its Governance and Sustainability System towards an increasing decentralisation of duties and responsibilities among the various companies of the Group, the Company intends to continue to make progress and to maintain its commitment to leadership at the forefront of a compliance culture.

Along these lines, in fulfilling said responsibilities and within the framework of the law, the By-Laws and the guidelines for conduct that take shape in the Purpose and Values of the Iberdrola Group, and consistently with its culture of prevention of improper conduct and acts that are illegal or contrary to law and to the Governance and Sustainability System, as well as its firm commitment to ethics and compliance, the Board of Directors hereby approves this Compliance and Internal Reporting and Whistleblower Protection System Policy (the “Policy”). 

This Policy integrates, further develops, recasts and, in turn, reinforces the content of the Crime Prevention Policy, which is no longer in effect, and also includes the latest regulatory requirements in the field of compliance, as well as the latest trends and the highest international standards in that field. 

In the area of corruption and fraud, the principles contained in this Policy take specific shape in the Anti-Corruption and Anti-Fraud Policy.

1. Purpose

The purpose of this Policy is to establish the principles governing the commitment of the Company and of the other companies of the Group to prevent, detect and respond to any conduct that is improper or involves any act that is illegal or contrary to law or to the Governance and Sustainability System, as well as to demonstrate the willingness of the Company and of the other companies making up the Group to combat said conduct in all of their activities, both as an expression of their culture of compliance and their own social commitment to the public interest and to avoid any potential damage to their image and reputational value and, ultimately, the value of the Company’s shares and brand. 

Thus, on the one hand, this Policy makes explicit the firm commitment of the Company and of the other companies of the Group to its purpose and values, to ethical principles and to ongoing monitoring and penalisation of improper conduct or acts that are illegal or contrary to law or to the Governance and Sustainability System, which entails the maintenance of effective mechanisms for communication, sensitisation and awareness-raising among all professionals, and the development of a business culture of ethics and honesty, thereby contributing to the achievement of the Sustainable Development Goals (SDGs) approved by the United Nations (UN).

On the other hand, the Policy conveys to the shareholders, to the members of the management bodies and to the professionals of the Company and of the other companies of the Group, as well as to third parties engaging in relationships with them, a strong message of opposition to the commission of any impropriety or act that is illegal or contrary to law or to the Governance and Sustainability System. 

This Policy also includes the fundamental principles governing the internal reporting systems available to the companies of the Group so that the shareholders, the members of their management bodies, their professionals, their suppliers, as well as other third parties provided for in applicable legal provisions may report potentially improper conduct or acts that are potentially illegal or contrary to law or to the Governance and Sustainability System (particularly including any conduct that might constitute a crime, a serious or very serious administrative offence, or a breach of European Union law) provided for in Section 6 of this Policy, all without prejudice to the modifications or adaptations that may be necessary to comply with the rules that apply at each of the Group’s companies.

2. Scope of Application

This Policy applies at the Company and at all companies making up the Group, as well as at all investees not belonging to the Group over which the Company has effective control, within the lawfully established limits.

Without prejudice to the provisions of the preceding paragraph, the listed country subholding companies and their subsidiaries, pursuant to their own special framework of strengthened autonomy, may approve their corresponding compliance policy applicable to each of said companies and to their subsidiaries in order to comply with the requirements deriving from their status as a listed company. In any event, such policy must be in accord with the principles set forth in this Policy and in the other environmental, social, and corporate governance and regulatory compliance policies of the Governance and Sustainability System and must be communicated to the Company’s Compliance Unit through the channels implemented for these purposes. 

Members of the management bodies and professionals of the Company and of the other companies of the Group who are also subject to other policies, rules or principles, whether applicable to a particular industry or deriving from the laws of the territories or countries in which said companies do business, shall also be bound thereby, and the corresponding measures of coordination shall be established in order for said policies, rules or principles to be consistent with the provisions of this Policy.

Furthermore, all persons acting as representatives of the Company and of the other companies of the Group at companies and entities not belonging thereto shall comply with the provisions of this Policy and shall promote, to the extent possible, the enforcement of the principles hereof at said companies and entities.

This Policy shall also apply, to the extent relevant, to joint ventures, temporary joint ventures (uniones temporales de empresas) and other equivalent associations if the Company or another company of the Group assumes the management thereof, and in other cases, to the extent possible, with a view to promoting the application of the principles hereof.

3. Main Principles of Conduct

The main principles of conduct of the Company and of the other companies of the Group on which this Policy is based are described below:

a) On the one hand, foster a preventive culture based on the principle of “zero tolerance” towards improper conduct and acts that are illegal or contrary to law or to the Governance and Sustainability System, and on the other, the application of ethical principles and principles of responsible behaviour that should govern the conduct of all members of the management bodies, as well as of the professionals of the Company and of the other companies of the Group, regardless of their level, geographic location or functional subordination, and that of the suppliers of all of them.

This “zero tolerance” principle is absolute in nature and takes precedence over the possibility of obtaining any type of benefit (financial or otherwise) for the Company or for the other companies of the Group or their directors or professionals, when based on a business or transaction that is improper, illegal or contrary to law or to the Governance and Sustainability System, and particularly the ethical principles set out in the Code of Ethics.

b) Development by the Group’s companies of their own effective, autonomous, independent and robust compliance systems (in accordance with the best and most advanced international practices in this area), applicable to all activities that they carry out and based on strong ethical principles and legality, such that they contribute to the full realisation of the Purpose and Values of the Iberdrola Group and the corporate interest.

c) Within the framework of the drive for its preventive culture, foster processes of self-control in the conduct and decision-making of the members of the management body and of the professionals, such that their actions are based on four basic premises: (i) that they are ethically acceptable; (ii) that they are legally valid and comply with the provisions of applicable law and internal rules, including the Governance and Sustainability System, and particularly with the Code of Ethics; (iii) that they are performed within the framework of the corporate interest of the Company and of the other companies of the Group; as well as (iv) that they are prepared to assume responsibility therefor.

d) Identify and assess the risks associated with improper conduct and acts that are illegal or contrary to law or to the Governance and Sustainability System in the activities of the Company and of the other companies of the Group. 

e) Establish the appropriate controls and preventive measures (including, without limitation, through the internal rules and procedures approved for this purpose) for the identification, control, mitigation and prevention of improper conduct and acts that are illegal or contrary to law or to the Governance and Sustainability System, as well as identified risks, in line with the provisions of the General Risk Control and Management Policy and the Sustainable Development Policy.

f) Take appropriate measures to ensure that relations between the professionals of the Company and of the other companies of the Group with any other company and the members thereof are governed by the principles of transparency and honesty, as well as by respect for free competition. 

g) Promote relations of the Company and of the other companies of the Group with their Stakeholders being based on ethics and integrity.

h) Ensure that the relationship of the Company and of the other companies of the Group with their suppliers is based on legality, business ethics, efficiency, transparency and honesty and that they comply with the policies, rules and procedures established within the Group’s boundary, particularly with respect to the prevention of corruption, in any of its manifestations, adopting the appropriate due diligence measures to promote principled, sustainable and responsible business behaviour throughout the supply chains.

i) Implement appropriate training programmes and communication plans for professionals of the Company and of the other companies of the Group, as well as for third parties with whom relations are customarily maintained, regarding the duties imposed by the law applicable to any of their areas of activity or established in the Governance and Sustainability System or other internal rules and regarding the consequences of the violation thereof, with a frequency sufficient to ensure that their knowledge of the issues covered by this Policy is kept up to date. 

In particular, specific training programmes shall be carried out to provide information on the internal reporting system and the operation thereof, as well as on the procedure established to manage grievances and reports received through this system and measures of protection and support for whistleblowers.

j) Penalise, in accordance with the provisions of applicable law at any given time: (i) conduct that contributes to preventing or hindering the discovery of improprieties or acts that are illegal or contrary to law or to the Governance and Sustainability System; (ii) breach of the specific duty to report through internal reporting channels (as this term is defined in Section 6.1 of this Policy) potential improprieties or breaches of which they are aware; and (iii) the taking of any type of retaliatory measures against the whistleblower (or persons related thereto) who reports the aforementioned conduct. 

k) Seek a fair, non-discriminatory and proportional application of penalties as provided by applicable law from time to time.

l) Provide all assistance and cooperation that may be requested by internal or judicial and administrative bodies and domestic or international institutions and entities, including competition authorities, to investigate acts that are allegedly improper, illegal or contrary to law or the Governance and Sustainability System that may have been committed by the members of the management bodies or the professionals of the Company or of the other companies of the Group and that relate to or affect the scope of their activities.

The monitoring of and compliance with the principles contained in this Policy contribute to achieving the full realisation of the Purpose and Values of the Iberdrola Group and of the corporate interest, in accordance with applicable legal provisions, and particularly with the Governance and Sustainability System, consistently with the principles and guidelines for conduct aimed at ensuring the ethical and responsible behaviour of the directors, professionals and suppliers of the Company and of the other companies of the Group.

4. Compliance Systems

The Company has a Compliance System, which includes all the rules, formal procedures and substantive activities that are intended to ensure that the Company acts in accordance with ethical principles, the law, and internal rules, particularly the Governance and Sustainability System, to contribute to the full realisation of the Purpose and Values of the Iberdrola Group and the corporate interest, and to prevent, manage and mitigate the risk of regulatory and ethical breaches that may be committed by the directors, professionals or suppliers thereof within the organisation. 

The Company’s Compliance Unit proactively and autonomously oversees the implementation and effectiveness of its Compliance System, without prejudice to the responsibilities corresponding to other bodies and divisions of the Company. 

For their part, the country subholding companies and the head of business companies have their own compliance systems, the application and effectiveness of which must be proactively and autonomously monitored by their respective compliance units, without prejudice to the appropriate coordination carried out at all levels of the Group.

The aforementioned compliance systems are under continuous review to incorporate the most advanced international practices and trends in this field and the regulatory requirements at any given time, and they ensure the dissemination, implementation and monitoring of the principles of conduct set out in this Policy.

For such purposes, the Company’s Compliance Unit and the compliance units of the country subholding companies and of the head of business companies, which are configured in accordance with the highest standards of independence and transparency and each of which has at least one member not related to any of the companies of the Group, enjoy the necessary autonomy and capacity for initiative and control and have the appropriate material and human resources for the performance of their duties. 

The foregoing is without prejudice to the bodies dedicated to the prevention of specific risks and to the control of activities that it may be necessary or advisable to create at certain companies of the Group in order to comply with the industry-specific or national laws of the territories or countries in which they carry out their activities, with which relations shall be established by the corresponding compliance units for coordination purposes as appropriate pursuant to applicable law.

The fundamental elements of the Company’s Compliance System are, on the one hand, its crime prevention programme and, on the other hand, the Company’s internal reporting system, which is comprised of, among other things, various channels suitable for reporting potentially improper conduct or acts that are potentially illegal or contrary to law or to the Governance and Sustainability System on the terms indicated in Section 6 of this Policy (the “Internal Reporting System”).

The Company and the other companies of the Group regularly submit their respective compliance systems to an audit by an independent expert. 

5. Crime Prevention Programmes 

As regards the basic principle relating to the identification and evaluation of the risks relating to improper conduct and acts that are illegal or contrary to law or to the Governance and Sustainability System, the Company has implemented through the Compliance Unit and other competent bodies a specific and effective programme for the prevention of crimes (understood as a group of measures intended to prevent and mitigate the risk of commission of potential crimes and to detect and react to the commission thereof). 

Likewise, the other companies of the Group implement programmes to prevent the commission of similar crimes through their respective compliance units (or compliance bodies or functions), which have full responsibility and autonomy for the management thereof.

The purpose of such programmes is: (i) to strengthen the existing commitment of the Company and of the other companies of the Group to combat the commission of crimes, particularly all forms of corruption and fraud; and (ii) to assure third parties and judicial and administrative authorities that the Company and the other companies of the Group effectively comply with the duties of supervision, monitoring and control of their activities by establishing appropriate measures to prevent crimes −or to significantly reduce the risk of the commission thereof− and that, therefore, said companies exercise due control over the members of their management bodies, their professionals, and other subordinates, based on their governance model, as is legally required thereof, including the monitoring of possible situations of crime risk that may arise within the scope of their activities, even in those cases in which such situations cannot be attributed to a specific individual.

The Company’s Compliance Unit is responsible for endeavouring to ensure the implementation, development, updating and fulfilment of the crime prevention programme of the Company and of those other companies of the Group that are not country subholding companies, head of business companies, or companies in which they have a stake, as well as forcoordinating the implementation, development and fulfilment of similar programmes at the other companies of the Group, without prejudice to the powers and responsibilities assigned to other bodies and divisions of the Company and, if applicable, to the administrative and management bodies of the country subholding and head of business companies and to the compliance units of these companies.

Furthermore, at least once per year, the Company’s Compliance Unit shall evaluate compliance with and the effectiveness of its crime prevention programme and shall assess whether regular modification and update thereof is appropriate, provided that the circumstances so require.

This same evaluation shall be performed by the compliance units of the country subholding companies and of the head of business companies in relation to the crime prevention programmes of their respective companies.

6. The Company’s Internal Reporting System 

The Company declares that it intends to create an environment of transparency and to foster respect for the law and the rules of conduct established in the Code of Ethics by its directors, its professionals and its suppliers, and, to such end, has implemented an Internal Reporting System in accordance with applicable legal provisions to encourage the reporting of potentially improper conduct or acts that are potentially illegal or contrary to law or to the Governance and Sustainability System (including, in particular, any conduct that could constitute a crime, a serious or very serious administrative offence, or a breach of European Union law), with an impact on the Company, its contractual relationship with its suppliers, or the interests and image of the Company(the “Conduct”).

The Internal Reporting System is designed and managed in a secure manner to ensure: (i) the confidentiality of the identity of the whistleblower and of any third party mentioned in the grievance or report, and of the actions taken in the management and processing thereof, as well as the protection of personal data, preventing access to the content of the investigation by unauthorised personnel; and (ii) that the grievances or reports submitted can be dealt with effectively within the Company.

6.1 Internal Reporting Channels

The Company has established for the members of its management body, its professionals, its suppliers, as well as for other third parties provided for in applicable legal provisions, the duty to report through the Internal Reporting System any Conduct of which they are aware.

To this end, the Company has activated internal reporting channels (the “Internal Reporting Channels”), which allow shareholders, directors, professionals, suppliers and other third parties determined by law to report any Conduct, whether in writing, through the corresponding form available on the Company’s corporate website, or by any other means established by the Company, all without prejudice to their being able to address their grievances or reports to the Independent Whistleblower Protection Authority (Autoridad Independiente de Protección del Informante) (A.A.I.) or to any other competent institution, body or entity.

The Internal Reporting System includes all the Internal Reporting Channels activated by the Company for the communication of grievances or reports relating to Conduct by shareholders, directors, professionals, suppliers and other third parties as determined by law.

The Internal Reporting Channels enable the prevention and detection of Conduct, constituting the preferred channel for reporting such Conduct and for the processing of grievances or reports received in relation thereto. 

Communications through the Internal Reporting Channels may be made anonymously, must meet standards of truthfulness and proportionality, may not be used for purposes other than to seek regulatory compliance, and must be submitted in writing or verbally and shall be processed in accordance with the procedure established by the Board of Directors in the Regulations of the Compliance Unit.

6.2 Whistleblower Protection and Safeguards 

As provided by legal provisions, the Company and the other companies of the Group undertake not to take (and to ensure that their professionals do not take) any form of direct or indirect retaliation, including threats of or attempted retaliation, against any person who has reported any Conduct, through the Internal Reporting Channels or by any other means, unless the grievance or report is false or the person has acted in bad faith.

Furthermore, as provided by legal provisions, the Company and the other companies of the Group undertake not to take (and to ensure that their professionals do not take) any form of direct or indirect retaliation, including threats of or attempted retaliation, against: (i) any individual who, within the organisation in which the whistleblower works, assists him/her in the process, or is related to him/her, as a representative of the employees, co-worker or relative; and (ii) any legal person, for whom the whistleblower works or with whom he/she has another type of relationship in an employment context or in which he/she has a significant shareholding.

For these purposes, the following actions, among others, against the person who has communicated the grievance or report are considered to be retaliation:

(a) the following measures, provided that they were not carried out in the regular exercise of managerial authority under applicable law, due to proven circumstances unrelated to the submission of the grievance or report: (i) suspension of the employment contract, dismissal or termination of employment or statutory relationship; (ii) imposition of any disciplinary measure; (iii) demotion or denial of promotion and any other material change in working conditions; and (iv) failure to convert a temporary employment contract into a permanent one, if the person providing the report had legitimate expectations to that effect; 

(b) harm, including reputational damage, or financial loss, coercion, intimidation, harassment or ostracism;

(c) negative evaluation or references with regard to work or professional performance; 

(d) blacklisting or dissemination of information in a particular industry that makes it difficult or impossible for the person to gain access to employment or the hiring of works or services; 

(e) denial or revocation of a licence or permit; 

(f) denial of training; 

(g) any form of discrimination or unfavourable or unfair treatment; and

(h) any other action arising from the above.

6.3 Management of the Internal Reporting System 

The Company’s Compliance Unit is the body responsible for managing the Company’s Internal Reporting System, and for processing and managing the investigation files opened on the basis of grievances or reports received through the Internal Reporting Channels, in accordance with the information management procedure established by the Board of Directors in the Regulations of the Compliance Unit, and delegates the aforementioned management and processing powers to the director of Compliance, with due notice to the Independent Whistleblower Protection Authority (A.A.I.). 

On this basis, the Company's Compliance Unit investigates any grievance or reporting of a fact that could allegedly constitute Conduct (even if anonymous and regardless of the financial significance thereof) as soon as possible, guaranteeing the rights of the whistleblower, as well as the rights to privacy, respectability, defence and the presumption of innocence of the persons investigated or affected, in accordance with the internal procedure established by the Board of Directors for this purpose and regulated in the Regulations of the Compliance Unit.

The procedure for management of the grievances or reports sent through the Internal Reporting Channels provides for the immediate forwarding of information to the Public Prosecutor’s Office (Ministerio Fiscal) when the facts might indicate a criminal offence, and such grievances or reports shall be forwarded to the European Public Prosecutor’s Office if the information affects the financial interests of the European Union.

The Audit and Risk Supervision Committee shall also have direct access to grievances or reports that could have a material impact on the Company’s financial statements or internal control. For these purposes, the Company’s Compliance Unit shall inform the aforementioned committee of the existence of said grievances or reports and shall provide it with any documentation it may request in relation to the processing of the investigation files.

After any appropriate evaluation, the Company’s Board of Directors may entrust the management of the Internal Reporting Channels to a third party that offers appropriate assurances of independence, confidentiality, personal data protection and secrecy of grievances or reports, subject to a prior report from the Sustainable Development Committee.

7. Internal Reporting Systems at other Companies of the Group

The country subholding companies, head of business companies and other companies of the Group have their own internal reporting systems, including appropriate reporting channels, managed by their respective compliance bodies in accordance with the principles set forth in this Policy.

8. Implementation of the Policy 

The Company’s Compliance Unit proactively endeavours to ensure the application and effectiveness of this Policy and disseminates the content hereof among the people to whom it is addressed, all without prejudice to the responsibilities assigned to other bodies and divisions of the Company and, if appropriate, the administrative and management bodies of the country subholding companies and head of business companies and the respective compliance units of these companies. 

The country subholding companies and head of business companies may adopt policies, rules and principles that adapt and develop the provisions of this Policy in accordance with the particular nature of each territory, country or business, reporting them to the Company’s Compliance Unit through the channels established for these purposes.

9. Revision of the Policy

The Sustainable Development Committee shall regularly review the contents of the Policy, ensuring that it reflects the recommendations and best international practices from time to time in effect, and shall propose to the Company’s Board of Directors those amendments and updates that contribute to the development and ongoing improvement thereof, taking into account any suggestions or proposals made by the compliance units and the professionals of the Company and of the other companies of the Group.

This Policy was approved by the Board of Directors on 20 June 2023.