GENERAL RISK CONTROL AND MANAGEMENT POLICY
Iberdrola manages any threat that may prevent it from reaching its objectives and successfully carrying out its strategies
23 February 2021
The Board of Directors of IBERDROLA, S.A. (the "Company") has the power to design, assess and continuously revise the Governance and Sustainability System, and specifically to approve and update the corporate policies, which contain the guidelines governing the conduct of the Company, of its shareholders and of the companies belonging to the group of which the Company is the controlling entity, within the meaning established by law (the "Group").
Among the risk policies, the General Risk Control and Management Policy (the "Policy") identifies the principal risks of the Group and organises appropriate internal control and information systems, as well as the regular monitoring of such systems.
The object of the Policy is to establish the basic principles and general framework for the control and management of all kinds of risks facing the Company and the Group, and which must be applied in accordance with the provisions of the Purpose and Values of the Iberdrola group.
The Policy is further developed and supplemented through specific policies that may be established for certain risks, corporate functions or businesses of the Group.
The country subholding companies must adopt said risk policies of the Group and define the application thereof, approving guidelines on specific risk limits based on the nature and particularities of the businesses in each country.
The management decision-making bodies of the head of business companies of each country must approve the specific risk limits applicable to each of them and implement the control systems necessary to ensure compliance therewith.
The Policy applies to all companies that make up the Group, including the companies that are not part of the Group in which the Company has an interest and over which it has effective control, within the limits established by the laws applicable to the regulated activities carried out by the Group in the various countries in which it operates.
Excluded from the scope of this policy are listed country subholding companies and the subsidiaries thereof which, pursuant to their own special framework of strengthened autonomy, have their own risk policies approved by their competent bodies. In any event, said risk policies must be in accord with the principles set forth in this Policy and in the other risk policies of the Company.
At those companies in which the Company has an interest but which do not form part of the Group, the Company shall promote principles, guidelines and risk limits established in this Policy and in the supplementary risk policies and shall maintain appropriate channels of information to ensure a due understanding of the risks.
3. Risk Factors — Definitions
From a general viewpoint, a risk is considered to be any threat that an event, action or omission may prevent the Group from reaching its objectives and successfully carrying out its strategies.
The risk factors to which the Group is subject generally are listed below:
a) Corporate Governance Risks: the Company accepts the need to achieve the fulfilment of the corporate interest and the sustained maximisation of the economic value of the Company and its long-term success, in accordance with the Group's corporate interest, culture and corporate vision, taking into account the legitimate public and private interests that converge in the conduct of all business activities, and particularly among those of the various Stakeholders, those of the communities and regions in which the Company operates and those of its professionals.
b) Market Risks: understood as the exposure of the Group's results and net worth to changes in prices and other market variables, such as exchange rates, interest rates, electricity prices, commodity prices (gas and other fuels), CO2 emission rights and other renewable support mechanisms, as well as financial assets.
c) Credit Risks: defined as the possibility that a counterparty breaches its contractual obligations, thus causing an economic or financial loss to the Group, including the risks of payment and costs of replacement. Counterparties may include end customers, counterparties in financial markets or energy markets, partners, suppliers, contractors, financial institutions and insurance companies.
d) Business Risks: defined as the uncertainty regarding the performance of key variables inherent in the various activities of the Group through its businesses, such as the characteristics of demand, weather conditions and the strategies of different players.
e) Regulatory and Political Risks: are those arising from regulatory changes made by the various regulators, such as changes in compensation of regulated activities or in the required conditions of supply, or in environmental or tax regulations, including risks relating to political changes that might affect legal security and the legal framework applicable to the businesses of the Group in each jurisdiction, nationalisation or expropriation of assets, the cancellation of operating licenses and the termination of government contracts.
f) Operational, Technological, Environmental, Social and Legal Risks: those relating to direct or indirect economic losses caused by external events or inadequate internal processes, including those arising from:
— technological failures, human error and technological obsolescence;
— cybersecurity and information technology systems;
— climate change and pandemics;
— fraud and corruption; and
— litigation, arbitration and taxation issues.
g) Reputational Risks: potential negative impact on the value of the Group resulting from conduct on the part of the Company that is below the expectations created among the various Stakeholders, as defined in the Stakeholder Engagement Policy, including behaviour or conduct relating to corruption.
Given the multidimensional nature of the risks, the taxonomy includes additional classification variables for improved monitoring, control and reporting of these risks through the monitoring tools. These additional categories include:
— classification of risks into structural, "hot topics" and emerging, the latter of which are understood as possible new threats with an uncertain impact and undefined growth probability, but which could eventually become material for the Group.
— the inclusion of secondary risk factors, including financial, environmental, sustainability, governance (environmental, social and governance, or "ESG"), fraud or corruption, tax, health, cybersecurity or third party risk factors.
4. Basic Principles
The Group is subject to various risks inherent in the different countries, industries and markets in which it does business and in the activities it carries out, which may prevent it from achieving its objectives and successfully implementing its strategies.
Aware of the significance of this issue, the Board of Directors of the Company undertakes to develop all of its capabilities in order for the significant risks to all the activities and businesses of the Group to be adequately identified, measured, managed and controlled, and to establish through the Policy the mechanisms and basic principles for appropriate management of the risk/opportunity ratio, at a risk level that makes it possible to:
a) attain the strategic objectives formulated by the Group with controlled volatility;
b) provide the maximum level of assurance to the shareholders;
c) protect the interests of shareholders, customers and other Stakeholders;
d) contribute to meeting the Sustainable Development Goals (SDGs) approved by the United Nations, with a special focus on goals seven and thirteen;
e) protect the results and reputation of the Group;
f) ensure corporate stability and financial strength in a sustained fashion over time; and
g) raise awareness of the risk culture among the Group's professionals through communication and training programmes.
In pursuing this commitment as expressed through the basic principles, the Board of Directors and its Executive Committee rely on the support of the Audit and Risk Supervision Committee, which, as a consultative body, monitors and reports upon the appropriateness of the system for internal control and management of significant risks, with the support of the Internal Audit Area and of the Risk Management and Internal Assurance Division of the Group, which reports functionally to the committee, and in coordination with the audit and compliance committees existing at other country subholding companies of the Group.
All actions aimed at controlling and mitigating risks shall conform to the following basic principles:
a) Integrate the risk/opportunity vision into the Company's management, through a definition of the strategy and the risk appetite and the incorporation of this variable into strategic and operating decisions.
b) Segregate functions, at the operating level, between risk-taking areas and areas responsible for the analysis, control and monitoring of such risks, ensuring an appropriate level of independence.
c) Guarantee the proper use of risk-hedging instruments and the maintenance of records thereof as required by applicable law.
d) Inform regulatory agencies and the principal external players, in a transparent fashion, regarding the risks facing the Group and the operation of the systems developed to monitor such risks, maintaining suitable channels that favour communication.
e) Ensure appropriate compliance with the corporate governance rules established by the Company through its Governance and Sustainability System and the update and continuous improvement of such system within the framework of the best international practices as to transparency and good governance, and implement the monitoring and measurement thereof.
f) Act at all times in compliance with the values and standards of conduct reflected in the Code of Ethics, under the principle of "zero tolerance" for the commission of unlawful acts and situations of fraud set forth in the Crime Prevention Policy and in the Anti-Corruption and Anti-Fraud Policy and the good practices principles reflected in the Corporate Tax Policy.
5. Comprehensive Risk Control and Management System
The Policy and the basic principles underpinning it are implemented by means of a comprehensive risk control and management system, supported by a Risk Committee of the Group and based upon a proper definition and allocation of duties and responsibilities at different levels (operational and control) and upon supporting procedures, methodologies and tools, suitable for the various stages and activities within the system, including:
a) The establishment of a structure of risk policies, guidelines, limits and indicators, as well as of the corresponding mechanisms for the approval and implementation thereof, which review and dictate the risk appetite to be assumed each year in both qualitative and quantitative terms, in accordance with the objectives set out in the multi-year plan and the annual budget.
b) The ongoing identification of significant risks and threats, taking into account their possible impact on key management objectives and the accounts (including contingent liabilities and other off-balance sheet risks).
c) The analysis of such risks, both at each corporate business or function and taking into account their combined effect on the Group as a whole.
d) The measurement and control of risks following homogeneous procedures and standards common to the entire Group.
e) The analysis of risks associated with new investments, as an essential element in risk/return-based decision-making, including physical and transition risks related to climate change.
f) The maintenance of a system for monitoring and control of compliance with policies, guidelines and limits, by means of appropriate procedures and systems, including the contingency plans needed to mitigate the impact of the materialisation of risks.
g) The ongoing evaluation of the suitability and efficiency of applying the system and the best practices and recommendations in the area of risks for eventual inclusion thereof in the model.
h) The audit of the comprehensive risk control and management system by the Internal Audit Area.
6. Risk Policies and Limits
The Policy is further developed and supplemented by the following policies, which are also subject to approval by the Company's Board of Directors:
Corporate Risk Policies:
- Corporate Credit Risk Policy.
- Corporate Market Risk Policy.
- Operational Risk in Market Transactions Policy.
- Insurance Policy.
- Investment Policy.
- Financing and Financial Risk Policy.
- Treasury Share Policy.
- Risk Policy for Equity Interests in Listed Companies.
- Procurement Policy.
- Information Technologies Policy.
- Cybersecurity Risk Policy.
- Reputational Risk Framework Policy.
- Occupational Safety and Health Risk Policy.
Specific Risk Policies for the Various Group Businesses:
- Risk Policy for the Networks Businesses of the Iberdrola Group.
- Risk Policy for the Renewable Energy Businesses of the Iberdrola Group.
- Risk Policy for the Liberalised Businesses of the Iberdrola Group.
- Risk Policy for the Real Estate Business.
This Policy was initially approved by the Board of Directors on 18 December 2007 and was last amended on 23 February 2021.