SUMMARY OF THE CORPORATE RISK POLICIES
The 'General Risk Control and Management Policy' is further developed by specific corporate policies that are established for certain risks
23 February 2021
Corporate Credit Risk Policy
The Corporate Credit Risk Policy provides the framework for the monitoring and the management of credit risk from a global viewpoint covering the entire Group, credit risk being understood as all counterparty risks that, in the event of default by such counterparty, might cause the Group to sustain an economic or financial loss.
The policy focuses on identified segments within the Group's financial relationships that create credit exposure and must be monitored.
Exposure to credit risk occurs in various ways, depending on the type of relationship with the counterparty, which takes the form of settlements, replacement costs and pending write-offs. In particular, the Corporate Credit Risk Policy establishes the identification and segmentation into homogeneous groups of the principal types of relations that give rise to credit exposure within the Group, the implementation of mechanisms to identify common counterparties, the application of corporate guidelines for acceptance of counterparties, as well as the allocation of risk limits in the aggregate and by counterparty, in accordance with credit quality standards.
Additionally, the risk policies for each business establish specific credit risk limits and guidelines in line with the characteristics of the different types of businesses.
Corporate Market Risk Policy
The Corporate Market Risk Policy provides a global framework for the monitoring and management of market risk throughout the Group, market risk being understood as any potential loss of margin and/or value due to adverse changes in price-determining factors.
In particular, the Corporate Market Risk Policy sets out differentiated guidelines for the management of the market risk associated with the various activities connected to the energy value chain:
a) Energy management and sales activities associated with the core business for sale in the liberalised market (electricity production at the Company's own plants, including the supply of fuel and emission allowances, electricity and gas supply, forward, wholesale or retail sale of electricity and natural gas through the Company's own supply company, dedicated generation or cogeneration plants with or without a power purchase agreement, hedging transactions).
b) Regulated energy management and/or sale activities.
c) "Discretionary trading" of electricity, natural gas, emission allowances and other fuel and associated products, with respect to which a global "stop-loss" limit is established at the Group level.
Additionally, the risk policies for each business establish specific market risk limits and guidelines in line with the characteristics of the different types of businesses and the countries in which the Group has a presence.
Operational Risk in Market Transactions Policy
The Operational Risk in Market Transactions Policy establishes a global framework for the control and management of operational, regulatory and reputational risks that may arise in the day-to-day management of trading desks within the markets in which the Group operates.
It is based on the implementation of a sound internal control framework based on the following key elements: (i) a strong risk culture; (ii) proper segregation of duties; (iii) formalisation of clear policies and processes; and (iv) secure and flexible reporting systems.
It also establishes a number of specific guidelines, grouped into categories, which will apply to the various activities performed by each of the affected trading desks.
Insurance Policy
The Insurance Policy provides the framework for the monitoring and management, through insurance, of the Company's global exposure to the impact of the operational risks associated with all the activities and businesses of the Group.
It includes the limits for the main insurance programmes, including:
a) Damage to conventional assets.
b) Damage to renewables.
c) Civil liability.
d) Damage to the environment.
e) Nuclear risk.
f) Cyber risks.
The policy states that the optimal scope and levels of risk retention should be based on the objective of optimising the total cost of the risk.
The following are monitored: (i) maximum annual loss, understood as "cost of premiums plus the maximum probable cost of the risk retained in insured events", (ii) risk to be assumed by the Group's captive reinsurance company, (iii) the main limits of the indemnities; and (iv) main deductibles assumed.
Investment Policy
The Investment Policy provides a common framework for the analysis, monitoring and control of new investment or divestment projects of all businesses within the Group and of the risks associated therewith.
In particular, the Investment Policy sets general limits in terms of profitability and risk for each project, as well as the manner in which it fits into the Group's strategy, the impact on results, and the years for recovery of the investment.
The Investment Policy also provides for monitoring the expected annual volume of investments and governs the issuance of guarantees to third parties.
Financing and Financial Risk Policy
The Financing and Financial Risk Policy establishes the framework for the monitoring and management of the Group's financial risks.
The Group must develop a strategy for the financing and management of financial risks that allows for the acquisition of the funds necessary to meet investment and operational needs under optimum cost and risk conditions:
a) Ensuring liquidity.
b) Setting the appropriate levels of risk to be assumed in order to optimise the cost/risk ratio within established limits.
c) Transferring the level of risk associated with financial variables that the Company does not wish to assume to external entities specialising in the management of such risks.
d) Maintaining solvency indicators that enable the Group to maintain its credit rating in accordance with pre-established objectives.
e) Complying with the requirements of local regulators and the tax provisions applicable in each country.
The Financing and Financial Risk Policy sets out the basic principles and guidelines applicable to all activities in respect of financial risk, as well as specific limits for the control of certain identified financial risks, namely currency risk, interest rate risk, liquidity risk and solvency risk.
In particular, and in relation to the performance of the function of managing financial risk, it is established that the Finance and Treasury Division will be responsible for coordinating and controlling the financial operations of the companies of the Group.
Treasury Share Policy
The Treasury Share Policy provides the framework for the control and management of transactions in shares issued by the Company or financial instruments and contracts of any kind with shares of the Company as the underlying asset, by the Company and/or by any of the companies of its Group, and the risk associated therewith, with the expectation that said transactions shall be conducted in compliance with applicable regulations and with the resolutions adopted in this regard at a General Shareholders' Meeting, and that they shall always pursue lawful aims, such as:
a) Providing investors with sufficient liquidity and depth in the trading of the Company's shares.
b) Stabilising the share price after a public offer for the sale or subscription of shares through the loan of own shares by the Company and the granting of an option to the underwriters to purchase or subscribe shares.
c) Implementing programmes for the purchase of treasury shares approved by the Board of Directors or by the shareholders at a General Shareholders' Meeting and, in particular, making available to the Company the shares required to comply with the share delivery commitments previously assumed thereby under issuances of securities or corporate transactions, as well as compensation schemes or loyalty plans for shareholders (e.g., payment of dividends in kind), directors, officers or the other professionals of the Group.
d) Honouring other previously-assumed lawful commitments.
e) Any other purpose allowed under applicable legal provisions.
The Treasury Share Policy also sets out a number of guidelines and limits to appropriately mitigate and limit treasury share risk.
Risk Policy for Equity Interests in Listed Companies
The Risk Policy for Equity Interests in Listed Companies provides the framework for the monitoring and management of risks affecting the various holdings in listed companies in the form of shares and derivatives:
a) in companies within the scope of consolidation (subsidiaries and affiliated companies).
b) in financial investments (financial assets at fair value through profit or loss and available-for-sale financial assets).
Purchasing Policy
The Purchasing Policy provides the overall framework for the control and management of the risks deriving from the purchase of materials and equipment and from contracting for works and services across the entire Group, with special emphasis being laid on adherence to the ethical commitments of the Group and of its suppliers.
The policy rests on the following basic principles:
— Promoting a strong risk culture and the development of a corporate culture based on ethics and honesty across the entire organisation, capable of supporting the professional and ethically responsible behaviour of the entire workforce, through strict application of the Code of Ethics.
— Establishing, in a coordinated fashion, the standards and controls associated with purchasing activities for the benefit of the companies making up the Group, ensuring full adherence to the corporate organisation deriving from the Governance and Sustainability System.
— Implementing the mechanisms required for purchasing decisions to in any event ensure the achievement of balance among technical competence, quality, price and the rating and quality of the supplier as a key condition for the contribution of value.
— Establishing supplier selection procedures that conform to standards of objectiveness, impartiality and equal opportunity, ensuring at all times the professionalism of its personnel as well as loyalty to the Group and its shareholders regardless of their own or third-party interests.
— Promoting strict compliance by suppliers with contractual terms and conditions and with applicable law, placing special attention on respect for the environment and on the principles contained in the Policy on Respect for Human Rights, favourably assessing compliance with the provisions in the area of reconciliation and gender equality in the Equal Opportunity and Reconciliation Policy and requiring acceptance of the principles set out in the Code of Ethics specifically applicable to the suppliers of the Group.
— Furthering a supplier relationship policy based on legality, efficiency and the principles of corporate ethics and transparency, striving for continuous improvement and mutual benefit and promoting innovation and development activities.
— Fostering the motivation and active participation of the workforce, as well as the training required for the performance of their tasks and the continuous education thereof.
— Promoting sustained, inclusive and sustainable economic growth, productive employment and decent work for all professionals forming part of the Group's value chain, in line with the provisions of goal eight of the Sustainable Development Goals (SDGs) approved by the United Nations.
The Purchasing Policy establishes guidelines and limits regarding levels at which authority may be delegated and purchasing procedures within the Group in accordance with the aforementioned principles, as well as regarding the organisation principles that must be observed to ensure full adherence to the corporate organisation deriving from the Governance and Sustainability System.
Information Technology Policy
The Information Technology Policy establishes an overall framework for the governance and management of the processes and actions relating to information technology (IT) within the Group. It contemplates the management of risks associated with the use, ownership, operation, participation, influence and adoption of specific information technology, as well as the processes for the management and control thereof.
The Information Technology Policy also defines an integrated management framework that allows for a global technological focus and is intended to ensure the appropriate management of information technology and of the risks associated therewith, promoting the creation of value through an effective and innovative use of information technology and the satisfaction of internal and external users with the level of commitment and services provided, maintaining a balance between the generation of profits, the optimisation of risk levels and an efficient use of resources, based on standards of proportionality.
The policy also contains the guidelines of an information technology governance model that is common throughout the Group, based on the creation of a Global IT Governance Committee, which will supervise compliance of information technology within the Group, including the significant aspects of the audits and evaluations of compliance therewith and related action plans.
Cybersecurity Risk Policy
The Cybersecurity Risk Policy establishes a global framework for the control and management of the cybersecurity risks applicable to all the companies of the Group. In particular, it refers to the risks arising from threats and vulnerabilities affecting the Group's control systems or information technology and communications systems, as well as any other asset forming part of its cyber-infrastructure.
It also establishes the guidelines for a common cybersecurity management model for the entire Group, coordinated by a Cybersecurity Committee and based on the development of global rules and standards to be applied within all the businesses and corporate functions, thus encouraging a strong culture of cybersecurity.
The Cybersecurity Risk Policy rests upon the following basic principles:
— Raising awareness among the entire workforce, suppliers and partners regarding cybersecurity risks and ensuring that they have the knowledge, skills, experience and technological abilities needed to support the Group's cybersecurity goals.
— Ensuring that the Group's information technology and communications systems have an appropriate level of cybersecurity and cyber-resilience and applying the most advanced standards to those that support the operation of critical cyber-infrastructure.
— Fostering the existence of appropriate cybersecurity and cyber-resilience mechanisms for the systems and operations managed by third parties that provide services to the Company.
— Strengthening capacities for prevention, detection, reaction, analysis, recovery, response, investigation and coordination against terrorist activities and criminality in cyberspace.
— Providing procedures and tools that permit rapid adaptation to changing conditions in the technological environment and to new threats.
— Collaborating with regulatory bodies in order to contribute to the improvement of cybersecurity in the international sphere.
— Promoting the cybersecurity principles established in the Corporate Security Policy.
— Protecting the information regarding the Group's critical cyber-infrastructure and cybersecurity systems.
— Implementing efficiency-based cybersecurity measures that contribute to the functionality of key systems and services.
— Acting in accordance with applicable law, the Code of Ethics and the Company's other internal rules.
The Cybersecurity Risk Policy sets out the Company's commitment to clearly and transparently report on its risks and incidents in the area of cybersecurity, in accordance with the provisions of law. The Company must inform the market through the National Securities Market Commission on the terms required by law regarding non-public cybersecurity risks and incidents directly or indirectly relating to the Company or any other company of the Group and that, if made public, may have a material impact on the price of the Company's shares or of any other security that the Compliance Unit defines as an affected security or related derivative instruments and that may constitute inside information, as this term is defined in the Internal Regulations for Conduct in the Securities Markets.
Until said information is public, those persons who are aware of the existence of the risk or incident in question shall be deemed insiders, within the meaning of the provisions of the Internal Regulations for Conduct in the Securities Markets, may not engage in transactions regarding affected securities and will be subject to the duty of confidentiality, among other restrictions contemplated in said regulations.
Reputational Risk Framework Policy
The object of the Reputational Risk Framework Policy is to establish a benchmark framework for the monitoring and management of reputational risk to be implemented by all the Divisions of the Group on a coordinated basis with the Investor Relations and External Communication Division.
The management of reputation seeks two complementary objectives: to bring out opportunities that trigger favourable behaviour towards the company and to diminish reputational risk.
There is a direct relationship between this policy and the Stakeholder Engagement Policy, the purpose of which is to identify the Company's Stakeholders, engage them and strengthen relations of trust with them.
The Reputational Risk Framework Policy establishes various recommendations, including crisis management, and lists indicators for monitoring, like REPTRAK, as well as standards for measuring the reputation of the Company and its Group.
Occupational Safety and Health Risk Policy
The Board of Directors of IBERDROLA, S.A. (the "Company") has the power to approve and update the corporate policies, which cover the following risks, among others.
The Board of Directors, aware of the fundamental importance of all aspects relating to the safety and health of the group's employees, and consistent with the values of the Company, hereby approves an Occupational Safety and Health Risk Policy, within the framework of the General Risk Control and Management Policy and the Human Resources Framework Policy approved by the Company's Board of Directors in the interest thereof and that of the companies belonging to the group of which the Company is the controlling entity, within the meaning established by law (the "Group").
The Company's Board of Directors, recognising the importance of occupational safety and health risks, undertakes to carry out the actions required to provide safe and healthy conditions for the prevention of work-related injuries and health impairments that are suited to the purpose, size and context of each organisation and to the specific nature of the risks for employees of both the Company and the other companies within the Group, as well as in its spheres of influence, thereby contributing to the achievement of goals three and eight of the Sustainable Development Goals (SDGs) approved by the United Nations.
2. Main Principles of Conduct
To achieve this goal, the Group adheres to and promotes the following main principles, among others, that must inform all of its activities:
a) Quality, productivity and the profitability of its activities are as important as the safety and health of the people participating in the value chain. All of the foregoing are permanent and basic objectives of the Group.
b) The safety of such people must always prevail. The prevention of work-related injuries and health impairments can be achieved by allocating resources and training to this end.
c) The integration of occupational safety and health in all business processes is a basic principle of effectiveness and efficiency and of collective responsibility.
3. Occupational safety and health commitments
The purpose and basic principles of the Group regarding occupational safety and health translate into the following commitments assumed by senior management and promoted at all organisational levels:
a) Meeting or exceeding legal and other requirements in the area of occupational risk prevention.
b) The elimination of threats and reduction of risks to occupational safety and health.
c) The integration of occupational safety and health standards in all decisions, business processes and work methods, such that the members of the management team, managers, technicians and employees take full ownership of their responsibilities.
d) The continuous improvement of the occupational safety and health management systems.
e) The consultation and participation of all employees on workplace safety and health.
4. Instruments for the adoption and promotion of occupational safety and health commitments
The occupational safety and health commitments of the Group are encouraged through:
a) An organisational structure with clearly defined responsibilities, which is decentralised and based on the principle of subsidiarity.
b) The Occupational Safety and Health Risk Policy.
c) The development and implementation of a system of global occupational safety and health standards that determines minimum levels in this area and ensures the harmonisation of the standards applied at all companies of the Group.
d) The acquisition and maintenance of occupational safety and health certifications in line with the strictest international standards.
e) The efficient provision of appropriate technical, financial and human resources.
f) The periodic preparation of specific strategic plans that determine strategic priorities and key matters relating to prevention.
g) The establishment of specific, indicative, stimulating and verifiable objectives regarding occupational safety and health.
h) The exchange of best practices in the area of occupational safety and health among all of the organisations of the Group.
i) Ongoing preparation, training and information for officers, intermediate managers and employees in order to promote safe behaviour and raise awareness of the impact of their work on the safety of persons, processes and facilities.
j) Effective coordination and collaboration with suppliers and providers in order for occupational safety and health to be present in all services and work performed at the facilities of the Group.
k) The establishment of links of cooperation with the various competent government agencies in occupational safety and health matters in order to become a positive benchmark in this area wherever the Group engages in its activities.
l) Participation in international initiatives, ratings and indices relating to occupational safety and health.
All of the foregoing such that the various levels of the organisation are aware of the importance of occupational safety and health in the planning and subsequent implementation of all activities, and that all employees contribute with their daily work to the achievement of the goals set in this field.