Summary of the Corporate Risk Policies
The 'General Risk Control and Management Policy' is further developed by specific corporate policies that are established for certain risks
21 February 2023
Corporate Credit Risk Policy
The Corporate Credit Risk Policy provides the framework for the monitoring and the management of credit risk from a global viewpoint covering the companies of the Group, credit risk being understood as all counterparty risks that, in the event of default by such counterparty, might cause certain companies of the Group to sustain an economic or financial loss.
The policy focuses on identified segments within the financial relationships of the Group’s companies that create credit exposure and must be monitored.
Exposure to credit risk occurs in various ways, depending on the type of relationship with the counterparty, which takes the form of settlements, replacement costs and pending write-offs. In particular, the Corporate Credit Risk Policy establishes the identification and segmentation into homogeneous groups of the principal types of relations that give rise to credit exposure within the Group, the implementation of mechanisms to identify common counterparties, the application of corporate guidelines for acceptance of counterparties, as well as the establishment of risk limits in the aggregate and by counterparty, in accordance with credit quality standards.
Additionally, the risk policies for each business establish specific credit risk limits and guidelines in line with the characteristics thereof.
Corporate Market Risk Policy
The Corporate Market Risk Policy provides a global framework for the monitoring and management of market risk within the boundary of the Group, market risk being understood as any potential loss of margin or value due to adverse changes in price-determining factors.
In particular, the Corporate Market Risk Policy sets out differentiated guidelines for the management of the market risk associated with the various activities connected to the energy value chain:
a) Energy management and sales activities associated with the core business for sale in the liberalised market (electricity production at the Company's own plants, including the supply of fuel and emission allowances, electricity and gas supply, forward, wholesale or retail sale of electricity and natural gas through the Company's own supply company, dedicated generation or cogeneration plants with or without a power purchase agreement and related hedging transactions).
b) Regulated energy management or sale activities.
c) "Discretionary trading" of electricity, natural gas, emission allowances and other fuel and associated products, with respect to which a global "stop-loss" limit is established at the Group level.
Additionally, the risk policies for each business establish specific market risk limits and guidelines adjusted to the characteristics thereof and to the countries and territories in which the Group’s companies are present.
Operational Risk in Market Transactions Policy
The Operational Risk in Market Transactions Policy establishes a global framework for the control and management of operational, regulatory and reputational risks that may arise in the day-to-day management of trading desks within the markets in which the companies of the Group operate.
It is based on the implementation of a sound internal control framework with the following key elements: (i) a strong risk culture; (ii) proper segregation of duties; (iii) formalisation of clear policies and processes; and (iv) secure and flexible reporting systems.
It also establishes a number of specific guidelines, grouped into categories, which will apply to the various activities performed by each of the affected trading desks.
Insurance Policy
The Insurance Policy provides the framework for the monitoring and management, through insurance, of the Company’s global exposure to the impact of the operational risks associated with all the activities and businesses managed by the Company and the other companies making up the Group.
It includes the limits for the main insurance programmes, including:
a) Damage to conventional assets.
b) Damage to renewables.
c) Civil liability.
d) Environmental risks (EIL).
e) Nuclear risk.
f) Cyber risks.
g) Liability of directors and members of the management team.
The policy states that the optimal scope and levels of risk retention should be based on the objective of optimising the total cost of the risk.
There is provision for the monitoring of the following, among others: (i) maximum annual loss, understood as “cost of premiums plus the maximum probable cost of the risk retained in insured events”, (ii) risk to be assumed by the captive reinsurance company belonging to the Group, (iii) the main limits of the indemnities; and (iv) main deductibles assumed.
Investment Policy
The Investment Policy provides a common framework for the analysis and monitoring of new investment or divestment projects of the businesses carried out by the companies making up the Group and of the risks associated therewith.
In particular, the Investment Policy sets general limits in terms of profitability and risk for each project, as well as the manner in which it fits into the overall Group-level strategy, the impact on results, and the years for recovery of the investment.
The Investment Policy also provides for monitoring the expected annual volume of investments and governs the issuance of guarantees to third parties.
Financing and Financial Risk Policy
The Financing and Financial Risk Policy establishes the framework for the monitoring and management of financial risks within the boundary of the Group.
It provides that a Group-level strategy must be developed for the financing and management of financial risks that allows for the acquisition of the funds necessary to meet investment and operational needs under optimum cost and risk conditions:
a) ensuring liquidity.
b) setting the appropriate levels of risk to be assumed in order to optimise the cost/risk ratio within established limits.
c) transferring the level of risk associated with financial variables that the Company does not wish to assume to external entities specialising in the management of such risks.
d) maintaining solvency indicators that enable the Group’s companies to maintain their credit rating in accordance with pre-established objectives.
e) complying with the requirements of local regulators and the tax provisions applicable in each country or territory.
The Financing and Financial Risk Policy sets out the basic principles and guidelines applicable to all activities in respect of financial risk, as well as specific limits for the control of certain identified financial risks, namely currency risk, interest rate risk, liquidity risk and solvency risk, among others.
In particular, and in relation to the performance of the function of managing financial risk, it is established that the Finance and Treasury Division (or the division assuming the duties thereof) will be responsible for coordinating and controlling the financial operations of the companies of the Group.
Treasury Share Policy
The Treasury Share Policy provides the framework for the control and management of transactions in shares issued by the Company or financial instruments and contracts of any kind with shares of the Company as the underlying asset, by the Company and/or by any of the companies of its Group, and the risk associated therewith, with the expectation that said transactions shall be conducted in compliance with applicable regulations and with the resolutions adopted in this regard at a General Shareholders' Meeting, and that they shall always pursue lawful aims, such as:
a) providing investors with sufficient liquidity and depth in the trading of the Company's shares.
b) stabilising the share price after a public offer for the sale or subscription of shares through the loan of own shares by the Company and the granting of an option to the underwriters to purchase or subscribe shares.
c) implementing programmes for the purchase of treasury shares approved by the Board of Directors or by the shareholders at a General Shareholders' Meeting and, in particular, making available to the Company the shares required to comply with the share delivery commitments previously assumed thereby under issuances of securities or corporate transactions, as well as compensation schemes or loyalty plans for shareholders (e.g., payment of dividends in kind), directors, officers or the other professionals of the Group’s companies.
d) honouring other previously-assumed lawful commitments.
e) any other purpose allowed under applicable legal provisions.
The Treasury Share Policy also sets out a number of guidelines and limits to appropriately mitigate and limit treasury share risk.
Risk Policy for Equity Interests in Listed Companies
The Risk Policy for Equity Interests in Listed Companies provides the framework for the monitoring and management of risks affecting the various holdings in listed companies in the form of shares and derivatives:
a) in companies within the scope of consolidation (subsidiaries and affiliated companies).
b) in financial investments (financial assets at fair value through profit or loss and available-for-sale financial assets).
Purchasing Policy
The Purchasing Policy provides the overall framework for the control and management of the risks deriving from the purchase of materials and equipment and from contracting for works and services within the framework of the Group, with special emphasis being laid on adherence to ethical commitments at the Group level and of the suppliers of the companies making up the Group.
The policy rests on the following basic principles:
— promoting a strong risk culture and the development of a corporate culture based on ethics and honesty across the entire organisation, capable of supporting the professional and ethically responsible behaviour of the entire workforce, through strict application of the Code of Ethics.
— establishing, in a coordinated fashion, the standards and controls associated with purchasing activities for the benefit of the companies making up the Group, ensuring full adherence to the corporate organisation deriving from the Governance and Sustainability System.
— implementing the mechanisms required for purchasing decisions to ensure, in any event, the achievement of a balance among technical competence, quality and price, as well as the rating and quality of the supplier, as a key condition for the contribution of value.
— establishing supplier selection procedures that conform to standards of objectiveness, impartiality and equal opportunity, ensuring at all times the professionalism of their workforce as well as loyalty to the Group’s companies and their shareholders regardless of their own or third-party interests.
— promoting strict compliance by suppliers with contractual terms and conditions and with applicable law, placing special attention on respect for the environment and on the principles contained in the Policy on Respect for Human Rights, favourably assessing compliance with the provisions in the area of reconciliation and gender equality in the Equality, Diversity and Inclusion Policy and requiring acceptance of the principles of conduct set out in the Code of Ethics specifically applicable to the suppliers of the Group’s companies.
— furthering a supplier relationship policy based on the principles of corporate ethics and transparency, striving for continuous improvement and mutual benefit and promoting innovation and development activities.
— fostering the motivation and active participation of professionals, as well as the training required for the performance of their tasks and the continuous education thereof.
— promoting sustained, inclusive and sustainable economic growth, productive employment and decent work for all professionals forming part of the value chain of the Group’s companies, in line with the provisions of goal eight of the Sustainable Development Goals (SDGs) approved by the United Nations (UN).
The Purchasing Policy establishes guidelines and limits regarding levels at which authority may be delegated and purchasing procedures within the Group’s companies in accordance with the aforementioned principles, as well as regarding the organisation principles that must be observed to ensure full adherence to the corporate organisation deriving from the Governance and Sustainability System.
Information Technology Policy
The Information Technology Policy establishes an overall framework for the governance and management of the processes and actions relating to information technology (IT) within the companies of the Group. It contemplates the management of risks associated with the use, ownership, operation, participation, influence and adoption of specific information technology, or the processes for the management and control thereof.
The Information Technology Policy also defines an integrated management framework that allows for a global technological focus and is intended to ensure the appropriate management of information technology and of the risks associated therewith, promoting the creation of value through an effective and innovative use of information technology and the satisfaction of internal and external users with the level of commitment and services provided, maintaining a balance between the generation of profits, the optimisation of risk levels and an efficient use of resources, based on standards of proportionality.
The policy also contains the guidelines of an information technology governance model that is common to the Group’s companies, based on the creation of a Global IT Governance Committee, which will supervise compliance of information technology within the Group’s companies, including the significant aspects of the audits and evaluations of compliance therewith and related action plans.
Cybersecurity Risk Policy
The Cybersecurity Risk Policy establishes a global framework for the control and management of the cybersecurity risks applicable to all the companies of the Group. In particular, it refers to the risks arising from threats and vulnerabilities affecting the control systems or information technology and communications systems of the Group’s companies, as well as any other asset forming part of their cyber-infrastructure.
It also establishes the guidelines for a common cybersecurity management model for all of the Group’s companies, coordinated by a Cybersecurity Committee and based on the development of global rules and procedures to be applied within all the businesses and corporate functions, thus encouraging a strong culture of cybersecurity.
The Cybersecurity Risk Policy rests upon the following basic principles:
— raising awareness among all professionals, third-party suppliers, and partners regarding cybersecurity risks and ensuring that they have the knowledge, skills, experience and abilities needed to support the cybersecurity goals established within the boundary of the Group.
— ensuring that the cyber assets of the Group’s companies have an appropriate level of cybersecurity and cyber-resilience and applying the most advanced standards to those that support the operation of critical cyber-infrastructure.
— fostering the existence of appropriate cybersecurity and cyber-resilience mechanisms for the systems and operations managed by third parties that provide services to the Group’s companies.
— strengthening capacities for prevention, detection, reaction, analysis, recovery, response, investigation and coordination against terrorist activities and criminality in cyberspace.
— providing procedures and tools that permit rapid adaptation to changing conditions in the technological environment and to new cyberspace threats.
— collaborating with government bodies and agencies in order to contribute to the improvement of cybersecurity in the international sphere.
— promoting the cybersecurity principles established in the Corporate Security Policy.
— protecting information regarding the critical cyber-infrastructure and cybersecurity systems of the Group’s companies.
— implementing efficiency-based cybersecurity measures that contribute to the functionality of the systems and the continuity of key services.
— acting in accordance with applicable law, the Code of Ethics and the Company's other internal rules.
The Cybersecurity Risk Policy sets out the commitment of the Group’s companies to clearly and transparently report on their risks and incidents in the area of cybersecurity, in accordance with the provisions of law. The Company must inform the market through the National Securities Market Commission on the terms required by law regarding non-public cybersecurity risks and incidents directly or indirectly relating to the Company or any other company of the Group and that, if made public, may have a material impact on the price of the Company’s shares or of any other security that the Compliance Unit defines as an affected security or related derivative instruments and that may constitute inside information, as these terms are defined in the Internal Regulations for Conduct in the Securities Markets.
Until said information is public, those persons who are aware of the existence of the risk or incident in question shall be deemed insiders, within the meaning of the provisions of the Internal Regulations for Conduct in the Securities Markets, may not engage in transactions regarding affected securities and will be subject to the duty of confidentiality, among other restrictions contemplated in said regulations.
Reputational Risk Framework Policy
The object of the Reputational Risk Framework Policy is to establish a benchmark framework for the monitoring and management of reputational risk to be implemented by all of the divisions of the companies making up the Group on a coordinated basis with the ESG Division (or such division as assumes the duties thereof).
The management of corporate reputation seeks two complementary objectives: to bring out opportunities that trigger favourable behaviour towards the Company and the other companies of the Group, and to minimise and mitigate the reputational risk in the activities they perform.
There is a direct relationship between this policy and the Stakeholder Engagement Policy, the purposes of which include identifying the Company’s Stakeholders, engaging them and strengthening relations of trust with them.
The Reputational Risk Framework Policy establishes various recommendations, including crisis management, and lists indicators for monitoring, like RepTrak, as well as standards for measuring the reputation of the Company and its subsidiaries.
Occupational Safety and Health Policy
The Company's Board of Directors, recognising the importance of occupational safety and health risks, undertakes to carry out the actions required to provide safe and healthy conditions for the prevention of work-related injuries and health impairments that are suited to the purpose, size and context of each organisation and to the specific nature of the risks for employees of both the Company and the other companies within the Group, as well as in their spheres of influence, thereby contributing to the achievement of goals three and eight of the Sustainable Development Goals (SDGs) approved by the United Nations (UN).
2. Main Principles of Conduct
To achieve this goal, the companies of the Group adhere to and promote the following main principles, among others, that must inform all of their activities:
a) Quality, productivity and the profitability of their activities are as important as the safety and physical, mental and emotional health of the people participating in the value chain, including their psychological and social well-being, all of which are permanent and fundamental Group-level objectives.
b) The safety of such people must always prevail. The prevention of work-related injuries and health impairments can be achieved by allocating resources and training to this end.
c) The integration of occupational safety and health in all business processes is a basic principle of effectiveness and efficiency and of collective responsibility.
d) The understanding of health as a state of complete physical, mental and emotional well-being, promoting actions that create environments and living conditions that nurture and allow people to adopt and maintain healthy habits.
3. Occupational safety and health commitments
The purpose and basic principles regarding occupational safety and health at the Group level translate into the following commitments assumed by senior management and promoted at all organisational levels:
a) Meeting or exceeding legal and other requirements in the area of occupational risk prevention.
b) The elimination of threats and reduction of risks to occupational safety and health.
c) The integration of occupational safety and health standards in all decisions, business processes and work methods, such that the members of the management team, managers, technicians and employees take full ownership of their responsibilities.
d) The continuous improvement of the occupational safety and health management systems.
e) The consultation and participation of all employees on workplace safety and health.
4. Instruments for the adoption and promotion of occupational safety and health commitments
Group-level occupational safety and health commitments are encouraged through:
a) An organisational structure with clearly defined responsibilities, which is decentralised and based on the principle of subsidiarity.
b) Occupational Safety and Health Policy.
c) The acquisition and maintenance of occupational safety and health certifications in line with the strictest international standards.
d) The efficient provision of appropriate technical, financial and human resources.
e) The periodic preparation of specific strategic plans that determine strategic priorities and key matters relating to prevention.
f) The establishment of specific, indicative, stimulating and verifiable objectives regarding occupational safety and health.
g) The exchange of best practices in the area of occupational safety and health among all of the organisations of the Group.
h) Ongoing preparation, training and information for officers, intermediate managers and employees in order to promote safe behaviour and raise awareness of the impact of their work on the safety of persons, processes and facilities.
i) Effective coordination and collaboration with suppliers and providers in order for occupational safety and health to be present in all services and work performed at the facilities of the Group’s companies.
j) The establishment of links of cooperation with the various competent government agencies in occupational safety and health matters in order to become a positive benchmark in this area wherever the Group’s companies engage in their activities.
k) Participation in international initiatives, ratings and indices relating to safety and health.
All of the foregoing such that the various levels of the organisation are aware of the importance of occupational safety and health in the planning and subsequent implementation of all activities, and that all employees contribute with their daily work to the achievement of the goals set in this field.