Operational Resiliency Policy

Iberdrola guarantees a consistent, planned and coordinated response to disruptive circumstances or crises that might affect the business of the Group.

20 February 2024

The Board of Directors of IBERDROLA, S.A. (the “Company”) has the power to design, assess and continuously revise the Governance and Sustainability System, and specifically to approve and update the corporate policies, which contain the guidelines governing the conduct of the Company and of the companies belonging to the group of which the Company is the controlling entity, within the meaning established by law (the “Group”).

In fulfilling these responsibilities, in order to lay down the general principles that are to govern all aspects of operational resiliency and in compliance with the provisions of the Purpose and Values of the Iberdrola Group, the Board of Directors hereby approves this Operational Resiliency Policy (the “Policy”).

1. Purpose

The purpose of this Policy is to establish the main principles of conduct as regards operational resiliency, that is, to provide a consistent, planned and coordinated response to internal or external disruptive circumstances or events or crises, of any nature, that might unexpectedly involve a significant degradation or disruption in the normal operations of the Group’s companies, in order to maintain its critical business operations and processes and key structures at previously established levels, and, if applicable, to re-establish operational capacity with the minimum impact and within the shortest possible period.

The Policy also includes the main principles that the operational resiliency model of the Company and the other companies of the Group (the “Operational Resiliency Model” or the “Model”) must follow, and it confirms, as a provider of essential services, its firm commitment to excellence as regards the continuity of the business and activities, ensuring at all times that its operational resiliency activities are fully in accordance with the law and with the Governance and Sustainability System.

2. Scope of Application

This Policy applies at the Company and at all companies of the Group, as well as at all investees not belonging to the Group over which the Company has effective control, within the lawfully established limits.

Without prejudice to the provisions of the preceding paragraph, listed country subholding companies and their subsidiaries, based on their own special framework of strengthened autonomy, may establish an equivalent policy, which must be in accord with the principles set forth in this Policy and in the other environmental, social and corporate governance and regulatory compliance policies of the Governance and Sustainability System.

At those companies in which the Company has an interest and to which this Policy does not apply, the Company will promote, through its representatives on the boards of directors of such companies, the alignment of their own policies with those of the Company.

This Policy shall also apply, to the extent relevant, to the joint ventures, temporary joint ventures (uniones temporales de empresas) and other equivalent associations, if the Company assumes the management thereof.

3. Main Principles of Conduct

To achieve the goals specified in Section 1 above, the following main principles of conduct that must inform all of the operational resiliency activities of the Group’s companies are adopted and promoted:

a) Define the continuity strategies and plans that are necessary to minimise the impact of disruptive events or crises that might affect business continuity, to be regularly tested to improve and validate their capacities and response, endeavouring to ensure continuity of operational capacity and strengthening the resilience of the Group.

b) Establish a comprehensive management process to lead, direct and control the activities of the Group’s companies in response to disruptive events or crises.

c) In relation to the external and internal context of each of the Group’s companies, including the political environment, assess the social, economic, legal and cultural aspects, the technological and competitive context, internal capacities, resources and decision-making processes to address disruptive events or crises.

d) Promote the continuous improvement of processes by measuring, evaluating and reporting on the performance and effectiveness of the results of the operational resiliency plans of the Group’s companies.

e) Allocate appropriate resources for the performance of the duties and responsibilities established in the Model and in the operational resiliency plans.

f) Develop, provide and continuously improve the education and training of the staff assigned to the duties defined in the Operational Resilience Model.

g) Promote an inclusive culture of operational resiliency and awareness within the Group, through an updated and continuous training programme.

h) Via the Operational Resilience Model, implement a formal, documented and measurable management system that defines the framework of activities for the operational resiliency plans of the Group’s companies, endeavouring to ensure continuous improvement in order to achieve its goals.

i) Strengthen the relationship with the competent authorities based on respect for the law, fidelity, reciprocal trust, professionalism, cooperation and good faith, without prejudice to the legitimate disputes that, observing the aforementioned principles and in the defence of the corporate interest, may arise with such authorities.

The companies of the Group shall designate a spokesperson to manage relationships with the competent authorities for these purposes.

4. The Operational Resilience Model

The Corporate Security Division (or such division as assumes the duties thereof at any time) shall establish and regularly review an Operational Resiliency Model in which the methodologies, procedures and tools necessary to deploy the appropriate operational resiliency capacities shall be defined.

The Operational Resilience Model allows the Company and the companies of the Group to, among other things, support the strategic goals of the Iberdrola Group, protect their reputation, credibility and brand image, reduce the costs of disruptive shutdowns, protect life, property and the environment, improve their capacity to remain effective during disruptions, and maintain proactive and efficient control of risks. All of the foregoing shall be performed while ensuring compliance with their responsibilities as the provider of an essential service: electricity supply.

The Model, which shall be prepared in accordance with the main principles of conduct established in this Policy, must:

  • Include a description of the organisational structure, procedures and plans related to operational resiliency and to the management of disruptive events or crises and recovery thereafter, as well as the allocation of resources and the clear attribution of duties and responsibilities to specific persons in this area.
  • Define the range of measures and procedures necessary to increase the resilience of companies, their scope and priorities.
  • Evaluate the risks to which the Group is exposed by using methodologies based on market standards and good practices, analysing potential impacts on business operation, and determining on that basis the critical processes and activities for continuity of the activities of the Group’s companies, identifying priorities and establishing target recovery times in each case.
  • Describe the processes that must be used to identify the interested parties that are significant for the operational resiliency plans, their needs and expectations, to determine their requirements.
  • Establish monitoring and control methods, compliance metrics and analysis of evaluation results for the subsequent application of the most suitable corrective measures, all while maintaining appropriate coordination with the relevant risk and internal assurance divisions.
  • Establish rules for the creation of resilience offices at the Company and at the country subholding companies, respectively, as a mechanism for coordinating and supervising the implementation of the defined resilience plans and, in the case of the Company, the effective implementation of the Operational Resilience Model. 

5. Implementation

Based on the Operational Resiliency Model, both the Company and the country subholding companies within the scope of their territories and/or businesses shall prepare their respective operational resiliency plans, which shall include details of the tasks to be carried out in each financial year within the respective company and its subsidiaries, in order to effectively deploy, implement and execute the Operational Resiliency Model, applying it in each area for the defined scope in each case.

For this purpose, the Corporate Security Division at the Company and the corresponding divisions at the country subholding companies (or such divisions as assume the duties thereof at any time), through their respective resilience offices, shall coordinate the preparation of said operational resiliency plans with their corresponding corporate and business divisions in each area.

6. Monitoring and Control

The companies of the Group shall adopt the mechanisms necessary to ensure compliance with applicable law in terms of operational resiliency, as well as the Operational Resiliency Model and the resilience plans that are developed and specified, as part of proper business management.

In this regard, the Company’s Corporate Security Division and the corporate security divisions of the country subholding companies (or such divisions as assume the duties thereof at any time), with the support of their respective operational resiliency office, shall monitor the definition, review and implementation of their respective resilience plans, as well as of the operational resiliency risk practices and management, in their respective territories and for the specific businesses.

Additionally, the Company’s Corporate Security Division (or such division as assumes the duties thereof at any time), with the support of the Company’s operational resiliency office, shall monitor the status of the Operational Resiliency Model and its global level of implementation.

This Policy was initially approved by the Board of Directors on 20 February 2024.