Risk management
We anticipate risks through a comprehensive, committed and independent risk control and management system
Risk management within the Iberdrola Group is based on anticipation, independence, alignment with business objectives and the involvement of senior management and the Board of Directors.
The Comprehensive Risk Control and Management System, a key element in the Iberdrola Group’s operation
In carrying out their activities, the Group’s companies are exposed to various risks that may hinder or prevent the achievement of their objectives and the successful execution of their strategies.
The Board of Directors of Iberdrola, S.A. (the “Company”), aware of the importance of this matter, is committed to developing measures so that, within the scope and limits of its powers, the Group’s significant risks are properly identified, measured, managed and controlled.
To this end, it approves the “General risk control and management foundations of the Iberdrola Group” (the “Foundations”), whose objective is to identify the main risks, define the structure of the “comprehensive risk control and management system” (the “System”), establish risk management mechanisms and their regular monitoring and, finally, oversee internal risk control and management systems.
The Foundations are developed and complemented by (i) guidelines and limits that may be established in relation to certain corporate or business risks (the “Guidelines”), which are also approved and reviewed by the Company’s Board of Directors, and (ii) the policies and rules that form part of the Governance and Sustainability System.
The System is designed in accordance with international best practices. Specifically, it is based on the control framework defined by COSO (Committee of Sponsoring Organizations of the Treadway Commission) and is structured in line with the Three Lines Model published by the Institute of Internal Auditors. The System integrates, under a common methodology and taxonomy, all mechanisms, specific actions and control frameworks developed in relation to risks.
Iberdrola's Comprehensive Risk Control and Management System Values
Risk management at the Iberdrola Group is based on the following values:
Elements of Iberdrola's Comprehensive Risk Control and Management System
The system has the following elements:
- Ongoing identification of significant risks.
- Analysis and assessment of these risks, both within each business or corporate area and considering their combined impact on the Group, promoting the use of common criteria for measurement, control and quantification.
- Development of due diligence, control and monitoring systems to ensure compliance with the Guidelines.
- Establishment of a framework of guidelines, limits and risk indicators, together with the corresponding mechanisms for their approval and implementation. These define and review the risk appetite in relation to specific risks affecting Group companies, are approved by the Company’s Board of Directors and, where appropriate, by other Group companies in accordance with the Foundations, and are reviewed at least annually.
- Continuous assessment of the suitability and efficiency of the System and of best practices for possible incorporation into the model.
- Implementation of information systems and internal control mechanisms to monitor and manage risks.
- Audit of the System.
Agents involved in the System
An appropriate allocation of functions and responsibilities has been established at Group level across operational, supervisory and governance levels for the different relevant risks and threats.
Company Board of Directors
Annually reviews and approves, through the Foundations and the Guidelines, the accepted risk appetite, both at Group level and at the level of each of the main businesses and corporate functions, in qualitative and quantitative terms and in accordance with the objectives set out in the multi-year plan and the corresponding annual budgets. It also regularly monitors risks.
The Company's Audit and Risk Supervision Committee (ARSC)
The Board of Directors is supported by this advisory body, which oversees and reports on the effectiveness of the System. It is supported by the Company’s Internal Audit and Risk Division and works in coordination with the audit and compliance committees of the subholding companies.
Subholdings and head of business companies
Subholding companies are responsible for adopting the Foundations and the Guidelines approved by the Company’s Board of Directors and for specifying their application, approving, where appropriate, specific risk guidelines and limits.
The governing bodies of the business head companies must approve the specific risk limits applicable to each of the guidelines and risk limits approved by the subholding companies and implement the necessary control systems to ensure compliance.
Internal Audit and Risk Division
It supports the ARSC (Audit and Risk Supervision Committee), to which it reports functionally, in carrying out its functions.
Responsibility for the design and implementation of the Foundations and for achieving their objectives lies with the Company’s Internal Audit and Risk Division, through the independent Risk Division, which establishes the necessary coordination mechanisms among the different participants in the System.
The Internal Audit Division, as the independent third line, is responsible for proactively ensuring the proper functioning of internal control, risk management and governance systems by systematically auditing the first- and second-line functions in the performance of their respective management and control responsibilities.
Risk Committee
A permanent internal cross-functional body, chaired by the head of Internal Audit and Risk, composed of representatives from the Company’s various corporate and business areas. It meets at least quarterly and coordinates with equivalent committees in the subholding companies, ensuring an effective flow of information and aligned implementation of the Guidelines.
Other agents involved in daily operations
Also involved are:
- Corporate and business areas, which are primarily responsible for identifying, managing and controlling the risks affecting their areas of responsibility (“risk owners”).
- Those responsible for defining, implementing, deploying and supervising the rules and policies of the Governance and Sustainability System, as well as the Guidelines, as they include control frameworks relating to certain cross-cutting risks for which basic principles of action have been established (“specialist areas”).
Main risk categories at Iberdrola Group
The internally defined risk categories are:
a) Governance and sustainability risks
b) Business and market risks
c) Credit and financial risks
d) Strategic, regulatory, tax and legal risks
e) Operational risks
f) Technological and comprehensive security risks
In addition to probability and impact, reputational variables are also assessed. The System also includes the identification of emerging risks.
The key pillars of the Comprehensive Risk Control and Management System
- Continuous identification of significant risks and threats
- Holistic taxonomy and common risk measurement, control and quantification standards
- Risk appetite defined by the Board of Directors
- Consideration of financial, reputational and sustainability impacts
- Separation of functions at operational and supervisory level among the various players
- Evaluation of effectiveness of information systems and internal control
- Risk Committee. Involvement of management in risk management
- Independence of Risk function
