Risk management
We anticipate with a comprehensive, committed and independent risk management and control system
Risk management at the Iberdrola Group is based on anticipation, independence, commitment to the objectives of our businesses and the involvement of senior management and the Board of Directors.

The Comprehensive Risk Control and Management System, a key element in the Iberdrola Group’s operation
Iberdrola's comprehensive risk control and management system (the ‘System’) is designed in accordance with international best practices. It is based on the control methodology framework defined by COSO (the Treadway Commission’s Committee of Sponsoring Organisations) and is structured around the three-line model.
The Board of Directors of Iberdrola, S.A. (the ‘Company’) establishes the basic principles for proper management of the risk–opportunity binomial. These are defined through Iberdrola Group's General Risk Control and Management Foundations (the ‘Foundations’), which seek to identify the main risks, establish management mechanisms, and set the general framework for the periodic monitoring of risks and the supervision of internal control systems.
The foundations are further developed and supplemented by guidelines and limits that may be established in relation to certain corporate or business risks (the ‘Guidelines’), which are also subject to approval and review by the Board of Directors of the company.
Iberdrola's Comprehensive Risk Control and Management System Values
Risk management at the Iberdrola Group is based on the following values:




Elements of Iberdrola's Comprehensive Risk Control and Management System
The system has the following elements:
- Ongoing identification of significant risks.
- Assignment of duties and responsibilities between the risk-taking areas and those responsible for their monitoring and control.
- The analysis and assessment of these risks, in each of the businesses or corporate areas, and taking into account their integrated effect on the group, for which the use of common criteria for measurement, control and quantification will be encouraged.
- The development of due diligence, control and monitoring systems for compliance with the guidelines.
- Continuous evaluation of the system’s suitability and efficiency and of best practices for their eventual incorporation into the model.
- Independent system auditing.
- Raising awareness about the risk culture among the group's professionals through communication and training programmes.
- Analysing the risks associated with new investments, including physical and transition risks associated with climate change.
- Transparent reporting of risks and the operation of the systems developed to control them to regulators and the main external agents.
Stakeholders involved in Iberdrola's Comprehensive Risk Management and Control System
Company Board of Directors
Each year it reviews and approves, through the foundations and guidelines, the accepted risk appetite, both at the group level and at the level of each of the main businesses and corporate functions, in qualitative and quantitative terms. It does so in accordance with the objectives set out in the multi-year plan and the corresponding annual budgets. It also regularly monitors risks.
The Company's Audit and Risk Supervision Committee (ARSC)
The Board of Directors and its Executive Committee are assisted by this consultative body, which supervises and reports on the adequacy of the risk management and control system. It is supported by the company's Internal Audit and Risk Division and works in coordination with the audit and compliance committees at the country subholdings.
Subholdings and head of business companies
The country subholdings are responsible for adopting both the foundations and the guidelines, and for specifying how they are applied. In doing so, they may adopt specific guidelines and risk limits where appropriate, taking into account the needs, characteristics and specificities of the businesses and of the different countries or territories. Listed country subholdings have a special framework of enhanced autonomy.
The head of business companies must approve the specific risk limits and implement the necessary control systems to ensure compliance.
Internal Audit and Risk Division
It supports the ARSC (Audit and Risk Supervision Committee), to which it reports functionally, in carrying out its functions. The Risk Division, which reports to the Internal Audit and Risk Division, is an independent function and is responsible for leading the system’s design and implementation.
The Risk Division is global in nature, with a corporate team (with a cross-cutting vision) and teams at each of the country subholdings (Iberdrola España, Avangrid, Scottish Power, Iberdrola México, Neoenergia, and Iberdrola Internacional).
The Risk Division monitors periodically, at least quarterly, the relevant risks and the group’s various exposures, as well as compliance with the limits and KPIs, all through a platform called I-Risk, launched at the end of 2019.
Risk Committee
This is an internal and permanent cross-cutting body comprising representatives of the company’s various corporate and business areas.
It is complemented by the credit risk and market risk committees, which meet monthly.
Other agents involved in daily operations
The following also participate in the system’s daily operations:
- The corporate and business areas, which are primarily responsible for the identification, management and control of the risks that affect their sphere of competence (‘risk owners’).
- Those responsible for defining, implementing, deploying and supervising the rules and policies of the Governance and Sustainability System, as well as the guidelines, which contain control frameworks relating to certain cross-cutting risks for which basic principles of action have been approved (‘specialist areas’). The main ones are the Control Division, the Corporate Sustainability Division and the Compliance Unit. In addition, there are other organisations that perform important expert functions related to internal control and supervision, including the Environment, People and Organisation, Corporate Security, Procurement and Insurance and Legal and Tax departments.
Main risk categories at Iberdrola Group
The types of risks to which the companies of the group are generally subject, depending on the nature of their activities and the markets in which they operate, are:
a) Governance and sustainability risks
b) Business and market risks
c) Credit and financial risks
d) Strategic, regulatory, tax and legal risks
e) Operational risks
f) Technological and comprehensive security risks
The potential reputational impact of these risks will be taken into account. Given the multidimensional nature of the risks, the taxonomy includes additional classification variables for better monitoring, control and reporting. These include the category of emerging risks, which refers to possible new threats with uncertain impact and undefined probability that are growing and could become significant for the companies of the group.

