General Risk Control and Management Policy

Iberdrola manages any threat that may prevent it from reaching its objectives and successfully carrying out its strategies

General risk control and management policy

Corporate Governance.

General Risk Control and Management Policy


20 February 2024

The Board of Directors of IBERDROLA, S.A. (the "Company") has the power to design, assess and continuously revise the Governance and Sustainability System, and specifically to approve and update the corporate policies, which contain the guidelines governing the conduct of the Company, of its shareholders and of the companies belonging to the group of which the Company is the controlling entity, within the meaning established by law (the "Group").

Among the risk policies, the General Risk Control and Management Policy (the "Policy"), identifies the principal risks of the Group’s companies and organises appropriate internal control and information systems, as well as the regular monitoring of such systems.

1. Object

The object of the Policy is to establish the basic principles and general framework for the control and management of all kinds of risks facing the Company and the other companies of the Group, and which must be applied in accordance with the provisions of the Purpose and Values of the Iberdrola Group.

The Policy is further developed and supplemented through specific policies that may be established for certain risks, corporate functions or businesses within the boundary of the Group.

The country subholding companies must adopt said risk policies of the Company and define the application thereof, approving guidelines on specific risk limits based on the nature and particularities of the businesses in the various countries and territories.

The management decision-making bodies of the head of business companies must approve the specific risk limits applicable to each of them and implement the control systems necessary to ensure compliance therewith.

2. Scope

The Policy applies to all companies that make up the Group, as well as to the companies that are not part of the Group in which the Company has an interest and over which it has effective control, within the limits established by the laws applicable to the regulated activities carried out by the Group’s companies in the various countries in which they operate.

Excluded from the scope of this policy are listed country subholding companies and the subsidiaries thereof which, pursuant to their own special framework of strengthened autonomy, have their own risk policies approved by their competent bodies. In any event, said risk policies must be in accord with the principles set forth in this Policy and in the other risk policies of the Company.

At those companies in which the Company has an interest but which do not form part of the Group, the Company shall promote risk principles, guidelines and limits consistent with those established in this Policy and in the supplementary risk policies and shall maintain appropriate channels of information to ensure a proper understanding of the risks.

3. Risk Factors — Definitions

From a general viewpoint, a risk is considered to be any threat that an event, action or omission may prevent the Group’s companies from reaching their objectives and successfully carrying out their strategies.

The risk factors to which the Group’s companies are subject generally are listed below:

a) Corporate Governance Risks: arising from a possible breach of: (i) applicable law, (ii) the provisions of the Governance and Sustainability System, (iii) the recommendations of the Good Governance Code of Listed Companies of the National Securities Market Commission (“CNMV”) and its practical guides, and (iv) international standards in this area.

Potential consequences include: (i) the challenge of corporate resolutions; (ii) proposed supplements to the call to the General Shareholders’ Meeting as an expression of dissent by some shareholders regarding the management of the Board of Directors; (iii) requests received from the CNMV, or any sanction thereby; and (iv) divestment from or lack of interest in investing in shares of the Company.

b) Market Risks: understood as the exposure of the results and assets of the Group’s companies to changes in prices and other market variables, including:

 - Financial: exchange rate, interest rate, solvency, liquidity, inflation and the value of financial assets and liabilities.

 - Energy and other raw materials: electricity, gas and other fuel prices, CO2 emission rights or other support mechanisms for renewables, as well as those related to other raw materials (including steel, aluminium, copper and polysilicon, amongst others).

c) Credit Risks: defined as the possibility that a counterparty breaches its contractual obligations, thus causing an economic or financial loss to the Group’s companies, including the risks of payment and costs of replacement. Counterparties may include end customers, counterparties in financial markets or energy markets, partners, suppliers, contractors, financial institutions and insurance companies.

d) Business Risks: defined as the uncertainty regarding the performance of key variables inherent in the various activities of the Group’s companies through their businesses, such as the characteristics of demand, weather conditions and the strategies of different players.

e) Regulatory and Political Risks: are those arising from regulatory changes made by the various regulators, such as changes in compensation of regulated activities or in the required conditions of supply, or in environmental or tax regulations, including risks relating to political changes that might affect legal security and the legal framework applicable to the businesses of the Group’s companies in each jurisdiction, nationalisation or expropriation of assets, the cancellation of operating licences and the termination of government contracts.

f) Operational, Technological, Environmental, Social and Legal Risks: those relating to direct or indirect economic losses caused by external events or inadequate internal processes, including those arising from:

— technological failures, human error and technological obsolescence;

— operation and construction of facilities;

— sabotage and/or terrorism;

— those associated with market operations;

— security of facilities, physical assets and information technology systems, including cyber-security; 

— trustworthiness of financial and non-financial information;

— climate change, extreme natural phenomena and pandemics; 

— nature risks: environmental management and biodiversity;

— communities affected by the facilities;

— procurement and the supply chain, from both the industrial and social standpoint;

— the safety and health of people;

— diversity and Inclusion;

— regulatory compliance;

— fraud and corruption; and

— litigation, arbitration and taxation issues. 

g) Reputational Risks: potential negative impact on the value of the Group’s companies resulting from conduct on the part of the company that is below the expectations created among the various Stakeholders, as defined in the Stakeholder Engagement Policy, including behaviour or conduct relating to corruption.

Given the multidimensional nature of the risks, the taxonomy includes additional classification variables for improved monitoring, control and reporting of these risks. These additional categories include:

— classification of risks into structural, "hot topics" and emerging, the latter of which are understood as possible new threats with an uncertain impact and undefined growth probability, but which could eventually become material for the Group’s companies.

— the inclusion of secondary risk factors, including financial, environmental, social, governance (“ESG”), fraud or corruption, tax, health, cybersecurity or third party risk factors. 

4. Basic Principles

The Group’s companies are subject to various risks inherent in the different countries, territories, industries and markets in which they do business and in the activities they carry out, which may prevent them from achieving their objectives and successfully implementing their strategies.

Aware of the significance of this issue, the Board of Directors of the Company undertakes to develop all of its capabilities in order for the significant risks to all the activities and businesses of the Group’s companies to be adequately identified, measured, managed and controlled, and to establish through the Policy the mechanisms and basic principles for appropriate management of the risk/opportunity ratio, at a risk level that makes it possible to:

a) attain Group-level strategic objectives with controlled volatility;

b) provide the maximum level of assurance to the shareholders;

c) protect the interests of shareholders, customers and other Stakeholders of the Group’s companies;

d) contribute to the achievement of the Sustainable Development Goals (SDGs) approved by the United Nations (UN), with a special focus on goals seven and thirteen;

e) protect Group-level results and reputation; 

f) ensure corporate stability and financial strength in a sustained fashion over time; and

g) raise awareness of the risk culture among the professionals of the Group’s companies through communication and training programmes.

In pursuing this commitment as expressed through the basic principles, the Board of Directors and its Executive Committee rely on the support of the Audit and Risk Supervision Committee, which, as a consultative body, monitors and reports upon the appropriateness of the system for internal control and management of significant risks, with the support of the Internal Audit and Risk Division of the Company (or with that of such divisions as assume the duties thereof at any time), which reports functionally to the committee, and in coordination with the audit and compliance committees existing at the country subholding companies.

All actions aimed at controlling and mitigating risks shall conform to the following basic principles:

a) Integrate the risk/opportunity vision into the Company's management, through a definition of the strategy and the risk appetite and the incorporation of this variable into strategic and operating decisions.

b) Segregate, functions, at the operating level, between risk-taking areas and areas responsible for the analysis, control and monitoring of such risks, ensuring an appropriate level of independence.

c) Guarantee the proper use of risk-hedging instruments and the maintenance of records thereof as required by applicable law.

d) Inform regulatory agencies and the principal external players, in a transparent fashion, regarding the risks facing the Group’s companies and the operation of the systems developed to monitor such risks, maintaining suitable channels that favour communication.

e) Ensure appropriate compliance with the corporate governance rules established by the Company through its Governance and Sustainability System and the update and continuous improvement of such system within the framework of the best international practices as to transparency and good governance, and implement the monitoring and measurement thereof.

f) Act at all times in compliance with the values and standards of conduct reflected in the Code of Ethics, under the principle of “zero tolerance” towards improper conduct and acts that are illegal or contrary to law or the Governance and Sustainability System set forth in the Compliance and Internal Reporting and Whistleblower Protection System Policy and in the Anti-Corruption and Anti-Fraud Policy and the good practices and principles reflected in the Corporate Tax Policy.

5. Comprehensive Risk Control and Management System

The Policy and the basic principles underpinning it are implemented by means of a comprehensive risk control and management system, supported by the Company’s Risk Committee and based upon a proper definition and allocation of operational and supervisory duties and responsibilities and upon supporting procedures, methodologies and tools, suitable for the various stages and activities within the system, including:

a) The establishment of a structure of risk policies, guidelines, limits and indicators, as well as of the corresponding mechanisms for the approval and implementation thereof, which review and dictate the risk appetite to be assumed each year in both qualitative and quantitative terms, in accordance with the objectives set out in the multi-year plan and the annual budget.

b) The ongoing identification of significant risks and threats, taking into account their possible impact on key management objectives and the accounts (including contingent liabilities and other off-balance sheet risks).

c) The analysis of such risks, both at each corporate business or function and taking into account their combined effect on the Group’s companies as a whole.

d) The measurement and control of risks following homogeneous procedures and standards common to all of the Group’s companies. 

e) The analysis of risks associated with new investments, as an essential element in risk/return-based decision-making, including physical and transition risks related to climate change.

f) The maintenance of a system for monitoring and control of compliance with policies, guidelines and limits, by means of appropriate procedures and systems, including the contingency plans needed to mitigate the impact of the materialisation of risks.

g) The ongoing evaluation of the suitability and efficiency of applying the system and the best practices and recommendations in the area of risks for eventual inclusion thereof in the model.

h) The audit of the comprehensive risk control and management system by the Internal Audit Division.

6. Risk Policies and Limits

The Policy is further developed and supplemented by the following policies, which are also subject to approval by the Company's Board of Directors:

Corporate risk policies:

  • Corporate Credit Risk Policy.
  • Corporate Market Risk Policy.
  • Operational Risk in Market Transactions Policy.
  • Insurance Policy.
  • Investment Policy.
  • Financing and Financial Risk Policy.
  • Treasury Share Policy.
  • Risk Policy for Equity Interests in Listed Companies.
  • Purchasing Policy.
  • Information Technology Policy.
  • Cybersecurity Risk Policy.
  • Reputational Risk Framework Policy.
  • Occupational Safety and Health Policy.

Specific risk policies for the various businesses of the Group’s companies:

  • Risk Policy for the Networks Businesses of the Iberdrola Group.
  • Risk Policy for the Electricity Production and Customers Businesses of the Iberdrola Group.
  • Risk Policy for the Real Estate Business.

This Policy was initially approved by the Board of Directors on 18 December 2007 and was last amended on 20 February 2024.
External link, opens in new window.