Risk management
We anticipate risks through a comprehensive, committed and independent risk control and management system
Risk management within the Iberdrola Group is based on anticipation, independence, alignment with business objectives and the involvement of senior management and the Board of Directors.
The Comprehensive Risk Control and Management System, a key element in the Iberdrola Group’s operation
The companies of the Group are subject to various risks inherent to the nature of the activities they carry out, which may hinder or prevent them from achieving their objectives and successfully implementing their strategies.
The Board of Directors of Iberdrola, S.A. (the “Company”), aware of the importance of this matter, is committed to developing measures so that, in the exercise and subject to the limits of its powers, the significant risks to the activities and businesses of the Group’s companies are adequately identified, measured, managed and controlled.
To this end, it has approved the “General risk control and management foundations of the Iberdrola Group” (the “Foundations”), which are intended to identify the main risks, define the structure of the “comprehensive risk control and management system” (the “System”), establish risk management mechanisms and their regular monitoring and, finally, oversee internal risk control and management systems.
The Foundations are further developed and supplemented by (i) guidelines and limits that may be established in relation to certain corporate or business risks (the “Guidelines”), which are also approved and reviewed by the Company’s Board of Directors, and (ii) the policies and rules making up the Company’s Governance and Sustainability System.
The System is designed in accordance with best international practices in corporate risk control and management. Specifically, it is based on the methodological control framework defined by COSO (Committee of Sponsoring Organizations of the Treadway Commission) and is structured in accordance with the three-line model published by the Institute of Internal Auditors on 20 July 2020. Using a common methodology and taxonomy, the System integrates the range of mechanisms, specific actions and control frameworks developed in relation to risks.
Iberdrola's Comprehensive Risk Control and Management System Values
Risk management at the Iberdrola Group is based on the following values:
Elements of Iberdrola's Comprehensive Risk Control and Management System
The system has the following elements:
- The ongoing identification of significant risks and threats.
- The analysis and evaluation of such risks, both within each business or corporate area and taking into account their combined effect on the Group’s companies as a whole, for which purpose the use of common risk measurement, control and quantification standards will be promoted.
- The development of due diligence, control and monitoring systems for compliance with guidelines.
- The establishment of a structure of risk guidelines, limits and indicators, together with the corresponding mechanisms for their approval and implementation, which review and establish the risk appetite in relation to specific risks affecting Group companies, are approved by the Company’s Board of Directors and, where appropriate, by other Group companies in accordance with the Foundations, and are reviewed at least annually.
- The ongoing evaluation of the suitability and efficiency of applying the system and of best practices and recommendations for eventual inclusion thereof in the model.
- The implementation of internal control and information systems to control and manage risks.
- The audit of the Comprehensive Risk Control and Management System.
Participants involved in the System
There has been an appropriate allocation of Group-level operational duties and responsibilities and supervision of the various significant risks and threats.
Board of Directors of the Company
Annually reviewing and approving the accepted risk appetite through the foundations and guidelines, both at the Group level and at the level of each of the main businesses and corporate functions, both qualitatively and quantitatively. It also does so in accordance with the objectives set out in the multi-year investment plan and the corresponding annual budgets. It also regularly monitors risks.
The Company's Audit and Risk Supervision Committee (ARSC)
The Board of Directors is supported by this advisory body, which monitors and reports upon the effectiveness of the System with the support of the Company’s Internal Audit and Risk Division, and works in coordination with the audit and compliance committees of the subholding companies.
Country subholding companies and head companies
Country subholding companies are responsible for adopting the Foundations and the Guidelines approved by the Company’s Board of Directors and for specifying their application, approving, where appropriate, specific risk guidelines and limits.
The management decision-making bodies of the head companies must approve the specific risk limits applicable to each of the guidelines and risk limits approved by the subholding companies and implement the necessary control systems to ensure compliance.
Internal Audit and Risk Division
It supports the ARSC (Audit and Risk Supervision Committee), to which it reports functionally, in carrying out its functions.
Responsibility for the design and implementation of the Foundations and for achieving their objectives lies with the Company’s Internal Audit and Risk Division, via the independent function of the Risk Division, which establishes the necessary coordination mechanisms among the different participants in the System.
As an independent third line, the Internal Audit Division is responsible for proactively endeavouring to ensure the proper operation of internal control, risk management and governance systems by systematically auditing the first- and second-line functions in the performance of their respective management and control responsibilities.
Risk Committee
A permanent internal cross-functional body, chaired by the Chief Internal Audit and Risk Officer, composed of representatives from the Company’s various corporate and business areas. It meets at least quarterly and coordinates with equivalent committees in the subholding companies, ensuring an effective flow of information and aligned implementation of the Guidelines.
Participants in the day-to-day operation of the System
Also involved are:
- Corporate and business areas, which are primarily responsible for identifying, managing and controlling the risks affecting their areas of responsibility (“risk owners”).
- Those responsible for defining, implementing, deploying and supervising the rules and policies of the Governance and Sustainability System, as well as the Guidelines, as they include control frameworks relating to certain cross-cutting risks for which basic principles of action have been established (“specialist areas”).
Main risk categories at Iberdrola Group
The main categories of risks faced by the Iberdrola Group are defined below:
a) Governance and sustainability risks
b) Business and market risks
c) Credit and financial risks
d) Strategic, regulatory, tax and legal risks
e) Operational risks
f) Technological and comprehensive security risks
In addition to probability and impact, there is an assessment of reputational variables. The system also includes the identification of emerging risks.



The key pillars of the Comprehensive Risk Control and Management System
- Continuous identification of significant risks and threats
- Holistic taxonomy and common risk measurement, control and quantification standards
- Risk appetite defined by the Board of Directors
- Consideration of financial, reputational and sustainability impacts
- Separation of functions at operational and supervisory level among the various players
- Evaluation of effectiveness of information systems and internal control
- Risk Committee. Involvement of management in risk management
- Independence of Risk function