Corporate Risk Management, which includes a set of practices for the identification, measurement, processing and reporting of key risks, is an integral part of the management style required by the Group for its employees, in line with good international risk governance practices, in accordance with legal and regulatory requirements and meeting the expectations and demands of the Group's internal and external Stakeholders.

The deployment of an effective risk management policy seeks: 

  • To contribute to the constant creation of value for the company, by meeting the expectations of internal and external Stakeholders.
  • To adopt a position of leadership in this area in line with the vision, values and commitments expressed by the EDP Group;
  • To ensure that internal and external requirements are met in the area of corporate governance, control and reporting.

To this end, the EDP Group seeks to maintain a risk management culture in all decision making and at all functional and management levels. The implementation of Corporate Risk Management is supported by a set of principles, structure and processes that enable:

  • The identification, analysis and evaluation of risks and their processing, which may lead to the adoption of one or more of the following options: accepting the risk, increasing exposure in order to take advantage of an opportunity, avoiding the risk, reducing its probability or impact and/or sharing the risk (using hedging operations or through insurance, for example);
  • Reporting, reviewing and continuous improvement in risk management;
  • Including risk management responsibilities in overall management. 

This policy establishes the risk management principles, structure, governance and responsibilities in the EDP Group. 

EDP Group risk management policy principles 

  • Risk management is an integral part of standard business practice and is the responsibility of everyone, from the Executive Board to the individual employee. Everybody is responsible for understanding the risks in their area of operation and for managing them as an integral part of their delegated duties, skills and responsibilities; 
  • EDP manages its significant risks as a portfolio, through optimization of the risk/return ratio cutting across all business areas, in light of the value creation and distinction of the Group in its markets of operation; 
  • EDP seeks to ensure that risk management constantly improves in order to reflect EDP's changing needs over time and to remain compliant with best international risk management practices; 
  • EDP promotes timely and systematic risk management that is fully integrated in its most important business and decision-making processes, particularly as an element of strategic development, investment decisions, the business plan and operations management, in order to ensure stability of results and the development of optimized response capabilities and changes in context and opportunity. Assessment of risks and the adoption of measures for their management and control are based on the availability of better information on the date of the decision-making process; 
  • EDP's risk management is transparent and involves all internal and external Stakeholders, to ensure input into decisions taken from all levels of responsibility in the organisation, ensuring compliance and building a climate of trust; 
  • Local and/or functional risk management policies and procedures will be consistent with this corporate policy. Furthermore, all local and/or functional policies and procedures shall facilitate the aggregation, consolidation and revision at corporate level of all significant risks; 
  • The executive management bodies of the EDP Group companies are responsible for establishing the risk tolerance applicable to their scale, business and functions, always in line with the risk profile defined for the Group by the Executive Board at strategic level, which expresses the appetite for risk, and at tactical level, by setting overall aggregate risk tolerance levels. 

This policy was approved by the Executive Board of Directors (EBD) on January 31st 2023.

The EDP Group follows a risk governance model based on the concept of 3 internal lines of defence to the organization, complemented by a fourth external line of defence, in the figure of external audit and regulation/supervision.

1st Line: BusinessResponsibility for risk
2nd Line: RiskSupport the analysis and monitoring of risk
3rd Line: AuditIndependent Supersivion
4th Line>External Supervision
Daily running business, including proactive management of risks, aligned with established risk policies
Support in the identification, analysis, evaluation and monitoring of risk (to support business)
Performance and coordination of auditing exercises, seeking the improvement of processes of risk management, control and corporate governance
External Audit
Regulation / Supervision
Who benefits the most from risk should be the responsible for taking it
Given the (natural) incentive for business to take risk, it is beneficial to have an independent function specialized in risk
It is beneficial to have and independent entity responsible for the verification and evaluation of processes of risk management and control
Involved areas (not exhaustive)
Employees, suppliers and other internal and external entities
Risk Management
Risk Global Unit
Local risk management structures (risk officers and platform coordinators)
Compliance & Internal Control Global Unit
Internal Audit Global Unit
Operative Commitees
Risk Commitee

Risk management is embodied both by the Risk Global Unit and by the risk areas of the different Business Units (led by the respective risk officers), which report functionally to the former, ensuring fluid articulation and communication regarding the main sources of exposure and risk mitigation measures.

Executive Board of Directors

Risk Global Unit

Risk Committee

Business Units (BUs)/Platforms

Board of Directors or other defined governance entities

BU/Platform’s Risk Committee

Risk Officer

Download the PDF below for a detailed description of EDP Group’s competent bodies, as well as their respective responsibilities.

The EDP Group's risk taxonomy aggregates, from an integrated perspective and in a common language, the various risk mappings existing at the level of the Group's various Business Units and is structured around four large families: strategic and ESG, business, financial and operational.

  • 1.

    Strategic & ESG



  • 2.


    Energy markets


  • 3.


    Financial markets


    Liquidity / Solvability

    Social liabilites

  • 4.


    Physical assets

    Execution of Processes


    Legal & Compliance

Strategic and ESG Risks

The EDP Group closely monitors and reports risks of a strategic and ESG nature, since it believes that, if they materialise, they could have a significant impact, mainly in the medium and long term. Strategic and ESG risks can be broken down into two distinct natures: 

  • Strategic 
  • ESG 

Business Risks 

Business risks include all the risk factors intrinsically linked to the remuneration of the EDP Group's core business of generating, trading, distributing and supplying energy in the various geographies and markets where it operates. Business risks can be broken down into two distinct types: 

  • Energy markets 
  • Regulation 

Financial Risks 

Financial risks include market risk factors complementary to those of the EDP Group's energy business (non-operational) in the various geographies and markets where it operates. Financial risks can be broken down into four different types: 

  • Financial markets 
  • Credit and counterparty 
  • Liquidity/solvability 
  • Social liabilities 

Operational Risks 

Operational risks aggregate the risk factors complementary to those of the EDP Group's energy and financial business in the various geographies and markets where it operates, associated with the planning, construction and operation of physical assets, execution of processes, legal systems and litigation and compliance. Operational risks can be broken down into four different types: 

  • Physical assets 
  • Systems 
  • Execution of processes 
  • Legal & Compliance

Given the size of the EDP Group and its geographical diversity, it is important to define a transversal and consistent process at the level of the various Business Units, which at the same time recognises the heterogeneity of the businesses and activities in which the Group operates. In this way, risk management in the EDP Group is structured around five main phases (identification, analysis, evaluation, treatment, and monitoring), complemented by a prior phase of establishing the context, and by adequate levels of communication between the various stakeholders:

Fundamental phasesPreliminary/continuos phases

1Establishing the context