Corporate governance

Risk policy

The Red Eléctrica Group has a risk policy that sets out the directives and guidelines for ensuring that material risks, which could affect the objectives and activities of the Group, are systematically identified, analysed and controlled with uniform criteria and within the established risk limits.

To this end, it has a risk management system covering both the risks of internal processes and those related to the environment in which the Company's activities are carried out. The system complies with the ISO 31000 Standard on the principles and guidelines regarding risk management. Additionally, Red Eléctrica has two specific systems, one for internal control over financial reporting (based on the US Sarbanes-Oxley Act) and another for internal control over operational activities (based on the SSAE 16 standard). These systems are subject to periodic internal and external audits.

The most relevant risks to which the Red Eléctrica Group is subject and that are integrated into the risk management system are:

  1. Regulatory: because the main activities of the Group are subject to regulation.
  2. Operational: derived fundamentally from the activities the Group has been assigned within the electricity system, including those related to cybersecurity. The critical nature of the functions carried out by the Company means that this type of risk could have widespread social and economic importance.

In addition to the specific risks indicated above, the Red Eléctrica Group faces other risks that are common to the development of economic and business activities, and which include:

  1. Market risks
  2. Business risks outside of the electricity system
  3. Counterparty risks

Risk map

Risk map 2016. Distribution of risks: 82% operational, 1% business, 3% market, 4% counterparty and 10% regulatory.

Comprehensive Risk Management Policy

The Board of Directors is responsible for approving the comprehensive risk management policy, for having full knowledge of the internal control, prevention and information systems, and for the regular monitoring of these systems. Twice a year, the Board reviews the risk control system and material risks, independently of the information that it regularly receives from the Audit Committee as part of the Committee's continual monitoring.