Risk Management

To operationalize the risk governance model in EDP Group, all employees should be involved, from the General Supervisory Board and the Executive Board of Directors to the individual employee, within the scope of their responsibilities.

EDP Group is exposed to a set of risks inherent to its size and to the diversity of businesses and geographies in which it is present. The company therefore recognizes risk as an inevitable and integral component of its activity, both as a threat and as an opportunity.

Nevertheless, maintaining a low risk profile has been, in recent years, one of the strategic pillars of EDP Group.

Risk governance model

EDP Group follows a risk governance model based on the concept of 3 lines of defence internal to the organization, complemented by an external fourth line of defence: external audit and regulation/supervision.

For every line of defence there are clearly defined responsible bodies and forums for debate and decision, formally established to materialize each line of defence at corporate and Business Unit levels, avoiding duplication of effort and/or gaps and promoting cooperation and collaboration between different areas.
 

| | 1st line: business (Responsibility for risk) | 2nd line: risk (Support the analysis and monitoring of risks) | 3rd line: audit (Independent supervision) |
| --- | --- | --- | --- |
| Mission | Day-to-day running of the business, including proactive management of risks, aligned with established risk policies | Support in the identification, analysis, evaluation and monitoring of risk (to support business) | Performance and coordination of auditing exercises, seeking the improvement of processes of risk management, control and corporate governance |
| Areas involved* | Business Units; corporate departments (with decision-making responsibility) | Risk management (corporate and Business Units); planning and control; compliance; sustainability | Internal audit (corporate and Business Units) |
| Rationale | Whoever benefits the most from risk should be responsible for taking it | Given the (natural) incentive for business to take risk, it is beneficial to have an independent function specialized in risk | It is beneficial to have an independent entity responsible for the verification and evaluation of processes of risk management and control |

* Not exhaustive

In addition, Risk Committees are held at corporate level and in key Business Units, gathering top management and relevant specialists for analysis, debate and advice on key risk exposures for the Group, respective limits and other mitigation actions. 

Types of risk in EDP Group

The taxonomy of risks for the EDP Group brings together, in an integrated approach and a common language, the various risks mapped across the Group's Business Units, structured around four major families: strategic, business, financial and operational.
 

[Figure: group risk]

Strategic risks typically embody disruptive events, with medium- to long-term time horizons for materialization. Nonetheless, EDP Group closely monitors and reports these risks, as they may have a significant impact if they materialize.

Business risks aggregate all factors intrinsically related to the remuneration of the activities of energy production, transmission, distribution and commercialization in the several geographies where EDP operates. This category of risks may be broken down into two types: energy market risks (e.g., electricity and other commodity prices, renewable generation volumes and demand), and regulatory risks, related to the legislative and regulatory changes that EDP Group complies with in the several geographies and markets where it operates.

Financial risks aggregate market risk factors complementary to energy business factors in the several geographies and markets where EDP Group operates, and other risks of a financial nature. They may be divided into four categories: financial variable risks (e.g., fluctuations in interest rates, exchange rates, inflation), credit and counterparty risks, liquidity/solvency risks, and risks related to social responsibilities.

Operational risks include risk factors, of internal or external origin, related to the operational activity of EDP Group in the several geographies and markets where it operates. This type of risk may be broken down into risks associated with the planning, construction and operation of physical infrastructures, process execution, human resources, systems, and legal, compliance and ethical risks.

For more information, please consult the risk management sections of the EDP Annual Report.

 

Process of risk management

Given the size of EDP Group and its geographical diversity, it is important to define a common process for all Business Units that recognizes and manages the heterogeneity of businesses and activities in which the Group operates. Accordingly, risk management in the EDP Group can be divided into five major integrated and structured phases (identification, analysis, evaluation, treatment and monitoring), complemented by a prior phase that establishes the context, and by adequate levels of communication between all stakeholders:
 

[Figure: risk management]