Corporate Risk Management, which includes a set of practices for the identification, measurement, processing and reporting of key risks, is an integral part of the management style required by the Group for its employees, in line with good international risk governance practices, in accordance with legal and regulatory requirements and meeting the expectations and demands of the Group's internal and external Stakeholders.

The deployment of an effective risk management policy seeks:

  • To contribute to the constant creation of value for the company, by meeting the expectations of internal and external Stakeholders;
  • To adopt a position of leadership in this area in line with the vision, values and commitments expressed by the EDP Group;
  • To ensure that internal and external requirements are met in the area of corporate governance, control and reporting.

To this end, the EDP Group seeks to maintain a risk management culture in all decision making and at all functional and management levels. The implementation of Corporate Risk Management is supported by a set of principles, structure and processes that enable:

  • The identification, analysis and evaluation of risks and their processing, which may lead to the adoption of one or more of the following options: accepting the risk, increasing exposure in order to take advantage of an opportunity, avoiding the risk, reducing its probability or impact and/or sharing the risk (using hedging operations or through insurance, for example);
  • Reporting, reviewing and continuous improvement in risk management;
  • Including risk management responsibilities in overall management. 

This policy establishes the risk management principles, structure, governance and responsibilities in the EDP Group. 

EDP Group risk management policy principles 

  • Risk management is an integral part of standard business practice and is the responsibility of everyone, from the Executive Board to the individual employee. Everybody is responsible for understanding the risks in their area of operation and for managing them as an integral part of their delegated duties, skills and responsibilities; 
  • EDP manages its significant risks as a portfolio, through optimization of the risk/return ratio cutting across all business areas, in light of the value creation and distinction of the Group in its markets of operation; 
  • EDP seeks to ensure that risk management constantly improves in order to reflect EDP's changing needs over time and to remain compliant with best international risk management practices; 
  • EDP promotes timely and systematic risk management that is fully integrated in its most important business and decision-making processes, particularly as an element of strategic development, investment decisions, the business plan and operations management, in order to ensure stability of results and to develop optimised capabilities for responding to changes in context and to opportunities. Assessment of risks and the adoption of measures for their management and control are based on the best information available at the time of the decision-making process;
  • EDP's risk management is transparent and involves all internal and external Stakeholders, to ensure input into decisions taken from all levels of responsibility in the organisation, ensuring compliance and building a climate of trust; 
  • Local and/or functional risk management policies and procedures will be consistent with this corporate policy. Furthermore, all local and/or functional policies and procedures shall facilitate the aggregation, consolidation and revision at corporate level of all significant risks; 
  • The executive management bodies of the EDP Group companies are responsible for establishing the risk tolerance applicable to their scale, business and functions, always in line with the risk profile defined for the Group by the Executive Board at strategic level, which expresses the appetite for risk, and at tactical level, by setting overall aggregate risk tolerance levels. 

This policy was approved by the Executive Board of Directors (EBD) on January 31st 2023.

The EDP Group follows a risk governance model based on the concept of three internal lines of defence within the organisation, complemented by a fourth external line of defence, in the form of external audit and regulation/supervision.

Lines of defence (figure):

  • 1st Line: Business. Responsibility for risk.
    Mission: Daily running of the business, including proactive management of risks, aligned with established risk policies.
    Rationale: Whoever benefits the most from a risk should be responsible for taking it.
    Involved areas (not exhaustive): employees, suppliers and other internal and external entities; risk-owners.
  • 2nd Line: Risk. Support for the analysis and monitoring of risk.
    Mission: Support in the identification, analysis, evaluation and monitoring of risk (to support the business).
    Rationale: Given the (natural) incentive for the business to take risk, it is beneficial to have an independent function specialised in risk.
    Involved areas (not exhaustive): Risk Management (Risk Global Unit; local risk management structures, i.e. risk officers and platform coordinators); Compliance & Internal Control Global Unit.
  • 3rd Line: Audit. Independent supervision.
    Mission: Performance and coordination of auditing exercises, seeking the improvement of risk management, control and corporate governance processes.
    Rationale: It is beneficial to have an independent entity responsible for the verification and evaluation of risk management and control processes.
    Involved areas (not exhaustive): Internal Audit Global Unit.
  • 4th Line: External supervision.
    Mission: External audit; regulation / supervision.

Governance bodies shown in the figure: Operative Committees; Risk Committee; EBoD; GSB via FMC/AUDC.

Risk management is embodied both by the Risk Global Unit and by the risk areas of the different Business Units (led by the respective risk officers), which report functionally to the former, ensuring fluid articulation and communication regarding the main sources of exposure and risk mitigation measures.

Organisation chart (figure): Executive Board of Directors; Risk Global Unit; Risk Committee; Business Units (BUs)/Platforms; Board of Directors or other defined governance entities; BU/Platform's Risk Committee; Risk Officer. Legend: reporting lines are shown as hierarchical or functional.

The EDP Group's risk taxonomy aggregates, from an integrated perspective and in a common language, the various risk mappings existing at the level of the Group's various Business Units and is structured around four large families: strategic and ESG, business, financial and operational.

  • 1. Strategic & ESG: Strategic; ESG
  • 2. Business: Energy markets; Regulation
  • 3. Financial: Financial markets; Credit; Liquidity / Solvability; Social liabilities
  • 4. Operational: Physical assets; Execution of Processes; Systems; Legal & Compliance

Strategic and ESG Risks

The EDP Group closely monitors and reports risks of a strategic and ESG nature, since it believes that, if they materialise, they could have a significant impact, mainly in the medium and long term. Strategic and ESG risks can be broken down into two distinct types:

  • Strategic 
  • ESG 

Business Risks 

Business risks include all the risk factors intrinsically linked to the remuneration of the EDP Group's core business of generating, trading, distributing and supplying energy in the various geographies and markets where it operates. Business risks can be broken down into two distinct types: 

  • Energy markets 
  • Regulation 

Financial Risks 

Financial risks include market risk factors complementary to those of the EDP Group's energy business (non-operational) in the various geographies and markets where it operates. Financial risks can be broken down into four different types: 

  • Financial markets 
  • Credit and counterparty 
  • Liquidity/solvability 
  • Social liabilities 

Operational Risks 

Operational risks aggregate the risk factors complementary to those of the EDP Group's energy and financial business in the various geographies and markets where it operates, associated with the planning, construction and operation of physical assets, the execution of processes, systems, and legal matters, litigation and compliance. Operational risks can be broken down into four different types:

  • Physical assets 
  • Systems 
  • Execution of processes 
  • Legal & Compliance

Given the size of the EDP Group and its geographical diversity, it is important to define a cross-cutting and consistent process at the level of the various Business Units, one which at the same time recognises the heterogeneity of the businesses and activities in which the Group operates. Accordingly, risk management in the EDP Group is structured around five main phases (identification, analysis, evaluation, treatment and monitoring), complemented by a prior phase of establishing the context and by adequate levels of communication between the various stakeholders:

Figure: the risk management process.
Fundamental phases: 2 Identification; 3 Analysis; 4 Assessment; 5 Treatment; 6 Monitoring.
Preliminary/continuous phases: 1 Establishing the context; 7 Communication.