Corporate Risk Management, which includes a set of practices for the identification, measurement, processing and reporting of key risks, is an integral part of the management style required by the Group for its employees, in line with good international risk governance practices, in accordance with legal and regulatory requirements and meeting the expectations and demands of the Group's internal and external Stakeholders.
The deployment of an effective risk management policy seeks:
- To contribute to the constant creation of value for the company, by meeting the expectations of internal and external Stakeholders;
- To adopt a position of leadership in this area, in line with the vision, values and commitments expressed by the EDP Group;
- To ensure that internal and external requirements are met in the area of corporate governance, control and reporting.
To this end, the EDP Group seeks to maintain a risk management culture in all decision making and at all functional and management levels. The implementation of Corporate Risk Management is supported by a set of principles, structure and processes that enable:
- The identification, analysis and evaluation of risks and their processing, which may lead to the adoption of one or more of the following options: accepting the risk, increasing exposure in order to take advantage of an opportunity, avoiding the risk, reducing its probability or impact and/or sharing the risk (using hedging operations or through insurance, for example);
- Reporting, reviewing and continuous improvement in risk management;
- Including risk management responsibilities in overall management.
This policy establishes the risk management principles, structure, governance and responsibilities in the EDP Group.
EDP Group risk management policy principles
- Risk management is an integral part of standard business practice and is the responsibility of everyone, from the Executive Board to the individual employee. Everybody is responsible for understanding the risks in their area of operation and for managing them as an integral part of their delegated duties, skills and responsibilities;
- EDP manages its significant risks as a portfolio, optimising the risk/return ratio across all business areas, with a view to creating value and distinguishing the Group in the markets where it operates;
- EDP seeks to ensure that risk management constantly improves in order to reflect EDP's changing needs over time and to remain compliant with best international risk management practices;
- EDP promotes timely and systematic risk management that is fully integrated in its most important business and decision-making processes, particularly as an element of strategic development, investment decisions, the business plan and operations management, in order to ensure stability of results and to develop an optimised capacity to respond to changes in context and to opportunities. Risks are assessed, and measures for their management and control adopted, on the basis of the best information available at the time the decision is taken;
- EDP's risk management is transparent and involves all internal and external Stakeholders, to ensure input into decisions taken from all levels of responsibility in the organisation, ensuring compliance and building a climate of trust;
- Local and/or functional risk management policies and procedures will be consistent with this corporate policy. Furthermore, all local and/or functional policies and procedures shall facilitate the aggregation, consolidation and revision at corporate level of all significant risks;
- The executive management bodies of the EDP Group companies are responsible for establishing the risk tolerance applicable to their scale, business and functions, always in line with the risk profile defined for the Group by the Executive Board at strategic level, which expresses the appetite for risk, and at tactical level, by setting overall aggregate risk tolerance levels.
This policy was approved by the Executive Board of Directors (EBD) on January 31st 2023.
The EDP Group follows a risk governance model based on the concept of three internal lines of defence within the organisation, complemented by a fourth, external line of defence in the form of external audit and regulation/supervision.
Risk management is carried out both by the Risk Global Unit and by the risk areas of the different Business Units (led by the respective risk officers), which report functionally to the former, ensuring smooth coordination and communication regarding the main sources of exposure and the risk mitigation measures.
The EDP Group's risk taxonomy brings together, from an integrated perspective and in a common language, the various risk mappings that exist in the Group's various Business Units, and is structured around four broad families: strategic and ESG, business, financial and operational.
Strategic and ESG Risks
The EDP Group closely monitors and reports risks of a strategic and ESG nature, since it believes that, if they materialise, they could have a significant impact, mainly in the medium and long term. Strategic and ESG risks can be broken down into two distinct natures:
Business risks include all the risk factors intrinsically linked to the remuneration of the EDP Group's core business of generating, trading, distributing and supplying energy in the various geographies and markets where it operates. Business risks can be broken down into two distinct types:
- Energy markets
Financial risks include market risk factors complementary to those of the EDP Group's energy business (non-operational) in the various geographies and markets where it operates. Financial risks can be broken down into four different types:
- Financial markets
- Credit and counterparty
- Social liabilities
Operational risks aggregate the risk factors complementary to those of the EDP Group's energy and financial business in the various geographies and markets where it operates, associated with the planning, construction and operation of physical assets, execution of processes, legal systems and litigation and compliance. Operational risks can be broken down into four different types:
- Physical assets
- Execution of processes
- Legal & Compliance
Given the size of the EDP Group and its geographical diversity, it is important to define a cross-cutting and consistent process across the various Business Units, one which at the same time recognises the heterogeneity of the businesses and activities in which the Group operates. Accordingly, risk management in the EDP Group is structured around five main phases (identification, analysis, evaluation, treatment, and monitoring), complemented by a prior phase of establishing the context, and by adequate levels of communication between the various stakeholders: