Risk management
Risk control and management model
Naturgy’s Risk Control and Management Model determines the risk assessment methodologies, and it models, controls, manages and establishes the Group’s risk reporting, ensuring that a risk profile and target risk limits are maintained so that the level of exposure in the course of its activities is consistent with its annual and strategic objectives.
The model is implemented on the basis of the principles of integration, segregation, homogeneity, coherence and transparency in corporate governance and is structured in four pillars:
- Risk governance: defines governance for each type of risk, establishing the necessary regulations and assigning responsibilities.
- Risk Assessment: establishes the risk assessment methodologies, harmonising common procedures for the identification, assessment and treatment of the information associated with each risk, to ensure uniformity and coherence both when quantifying them individually and when subsequently aggregating them, with the aim of achieving a homogeneous, integrated vision.
  The metrics used to assess risk depend on the nature of the risk, mainly:
  - Quantitative/Stochastic: probabilistic scenario simulation with random components makes it possible to assess deviations within different confidence intervals.
  - Deterministic/Scenarios: expected impact of an event based on its probability.
  - Stress Test: assessment of extreme scenarios.
  - Heatmaps: qualitative analysis of the risk on a factor basis.
- Risk Appetite: establishes the risk tolerance by setting limits for the main risk categories, as a function of the Group’s targets.
- Risk Reporting: establishes regular, systematic risk reporting at different management levels, expressed in the Corporate Risk Map, recurring risk reports and/or ad hoc reports.
The Corporate Risk Map identifies and quantifies the risks that might affect Naturgy’s performance, providing a comprehensive, consistent and integrated overview of these risks.
Risk categories
Naturgy defines five types of risk in its Corporate Risk Map: Economic, Financial, Operational, Reputational/Compliance and Strategic.
Types of economic and financial risk
For economic and financial risk types, a risk assessment is performed using quantitative/stochastic modelling or deterministic/scenario methodology; in the latter case, the expected impact of the event is assessed based on its probability.
Categories of economic risk
Risks arising from the volatility of external factors, changes in supply and demand, changes in regulatory frameworks, as well as legal risks, with an impact on the Group’s results:
- Commodity risk: uncertainty caused by variability in the prices of the energy and other commodities that Naturgy uses.
- Margin/price risk (other than commodity risk): uncertainty associated with the performance of key variables as a result of changes in competitive pressure, unmet margin assumptions and/or contract revisions.
- Exchange rate risk: the uncertainty associated with changes during the year in the exchange rates of the currencies in which Naturgy’s businesses are denominated.
- Volume risks: uncertainty associated with variations in volumes produced, procured, distributed and/or supplied due to the characteristics of the markets and the demand in which Naturgy’s businesses operate, weather and climate factors and/or the macroeconomic environment.
Given their nature and how they are managed, these four risks are grouped broadly under the heading of Market Risk.
- Regulatory risk: uncertainty associated with reviews of the remuneration frameworks and/or parameters for the regulated businesses or changes to the regulatory framework in which Naturgy’s businesses operate.
- Legal risk: uncertainty associated with the potential outcome of litigation, arbitration or legal claims against Naturgy.
Financial risk categories
Risks arising from changes in tax frameworks, asset financing structures and funding needs and delinquency, with an impact on the Group’s cash flow and/or statement of financial position.
- Tax risk: uncertainty associated with the proper application of tax regulations, the complexity of their interpretation and possible amendments, with a potential economic impact on the Group’s consolidated annual accounts.
- Credit risk: uncertainty associated with the deterioration of credit quality or default by Naturgy’s various customer segments and/or trade and financial counterparties.
- Interest rate risk: uncertainty associated with interest rate changes impacting the Group’s financial expenses, arising from the need for funding in the currencies in which Naturgy’s debt is denominated.
- Rating risk: uncertainty associated with the review of the Group’s rating in relation to the established target.
- Liquidity risk: uncertainty associated with a potential increase in funding requirements and the Group’s ability to meet its financial obligations.
Types of Operational, Reputational/Compliance and Strategic risk
Operational, reputational/compliance and strategic risk types are generally assessed using quantitative/stochastic modelling or a deterministic/scenario methodology, heat maps, internal/external rating assessments and/or stress tests.
Operational risk categories
Risks arising from failures in processes, systems, people, physical assets and/or external factors that could negatively impact business continuity and sustainability and/or result in financial losses, legal penalties or impairment of health and safety.
- Operational risk: uncertainty associated with chance events, process failures or accidents affecting people, financial losses and/or damage or unavailability of the Group’s operating assets.
- Nature-related risks: uncertainty associated with the adverse effects that ecosystem degradation, species loss or disruption of ecosystem services may have on Naturgy’s operations, supply chain and financial value, due to the organisation’s dependencies and impacts on natural resources.
- Climate change risk: uncertainty associated with physical impacts, whether due to extreme natural events or gradual, long-term climate change and impacts resulting from transition policies that bring about changes in regulations, the market or technology.
- Security risk: uncertainty associated with the occurrence of personal injury or property damage caused intentionally by a third party.
- Third-party risk: uncertainty associated with relationships with third parties whose behaviour/performance may result in loss, damage, operational disruption, regulatory non-compliance and/or possible loss of control, quality or service of outsourced processes, including the impact on business continuity due to disruptions at suppliers, contractors, business partners, vendors and any other external entity with which the organisation has a contractual or collaborative relationship.
- Fraud risk: uncertainty associated with the occurrence of any unlawful action carried out intentionally by an employee or third party to obtain a direct or indirect personal benefit through the misuse of Naturgy’s resources or assets.
- Cybersecurity risk: uncertainty associated with the occurrence of malicious attacks or accidental events with an operational impact such as to affect data, computer networks or technology.
- Data protection risk: uncertainty associated with breach of data protection obligations that may result in administrative penalties or civil judgements.
- Health and safety risk: uncertainty associated with injuries and deterioration in the health of Naturgy professionals and those of partner companies related to its activity.
Reputational/compliance risk categories
Risks arising from breach of current laws, applicable regulations, both internal and external, and Naturgy’s ethical standards, as well as inadequate performance in connection with ESG, customer satisfaction and talent management, which may result in financial losses, penalties, litigation or harm to the Group’s reputation.
- Compliance risk: uncertainty associated with breach of current legislation, as well as any policies and other internal regulations applicable to the Group’s activities that may result in penalties, financial losses and/or reputational damage.
- Reputational and ESG risk: uncertainty associated with changes in stakeholders’ perceptions of Naturgy’s reputation and its ability to develop sustainable businesses, from an environmental, social and governance (ESG) perspective.
- Customer satisfaction risk: uncertainty associated with the impairment of customer satisfaction due to shortcomings in the execution of processes that impact their life cycle.
- Risk to persons: uncertainty associated with changes in political and economic contexts, modifications to labour regulations, or those arising from the management of the processes that make up Naturgy’s value proposition and professional experience.
Strategic risk categories
Risks associated with Naturgy’s long-term business portfolio arising from strategic planning (such as long-term exposure to commodities, capital allocation by geography, the risk profile of the businesses, the commercial strategy and the development of new initiatives), changes in the competitive environment, business sustainability (including climate change and other nature-related risks) and innovation initiatives, which affect the company’s ability to achieve its long-term objectives. In general, the impacts of strategic risks will be factored into projections, within the appropriate time horizon, of economic, financial, operational and reputational/compliance risks.
Main risks: management, measurement and trends
| Risk type | Description | Management approach | Metric | Trend | |
|---|---|---|---|---|---|
| Commodity risk | | | | | |
| Commodity prices: Gas | Volatility in the international markets that determine the gas price. | Management of the procurement and sale portfolio, complemented with financial hedges. | Stochastic | ⇆ | Gas index volatility. Decoupling of commodity price performance. |
| Commodity prices: Electricity | Volatility in electricity markets. | Optimisation of the generating fleet and supply structure, complemented with financial hedges. | Stochastic | ↑ | Penetration by renewables with zero marginal cost and intermittent production. Decoupling of commodity price performance. |
| Exchange rate | Currency volatility in the countries where Naturgy operates. | Geographic diversification. Hedging via local-currency funding, derivatives and pricing. | Stochastic | ↑ | Uncertainty about growth and inflation prospects in Latin America, especially in Argentina, Brazil and Mexico, to a lesser extent. |
| Regulatory | Exposure to reviews of criteria and returns recognised for regulated activities and/or new regulatory measures. | Step up communications with regulators. Adjust efficiency and capital expenditure to recognised rates. | Scenarios | ↑ | Pressure from regulators, as a function of the situation of the country/industry. |
| Volume: Gas | Mismatch between gas supply and demand. | Optimisation of contracts and assets worldwide. | Deterministic/Stochastic | ⇆ | Aggregate demand pressure. Risk of curtailment or interruption of supply. |
| Volume: Electricity | Reduction of the available thermal gap. Uncertainty as to renewable production volume due to resource variability. | Optimisation of Naturgy's electricity balance. | Stochastic | ⇆ | Aggregate demand pressure. Predictability of renewable output. |
| Margin/price | Risk created by changes in competitive pressure or margin optimisation scenarios. | Portfolio management by adjusting contract terms. | Scenarios | ↑ | Reviews of long-term gas contracts. Competitive pressure in the renewal of supply contracts. |
| Legal | Uncertainty as to the eventual outcome of litigation, arbitration or legal claims. | Analysis and mitigation of legal risk affecting the company's operations and corporate governance. Engagement of top-level law firms. Recognition of provisions in accordance with accounting standards. | Scenarios | ⇆ | The business units are affected by different laws in each country. |
| Operational risk | Accidents, damage and non-availability of Naturgy assets. With regard to environmental incidents, this includes the possibility that natural phenomena or human action may result in regulatory environmental limits being exceeded, leading to harm to third parties, ecosystems or biodiversity. | Continuous improvement plans. Optimisation of total cost of risk and of hedges. Emergency plans at facilities with risk of environmental accident. Specific insurance policies. Comprehensive environmental management through an Integrated Management System, which is certified and audited annually by TÜV (environmental). | Stochastic | ⇆ | Soft insurance market in the short term, with improvements in coverage and lower premiums, due to a decrease in natural disaster claims over the last 48 months. |
| Credit | Uncertainty associated with the probability of non-payment of financial obligations and/or deterioration of the credit quality of end customers and counterparties. | Analysis of customer solvency to define specific contractual conditions. Debt collection process. Arrangement of insurance. | Stochastic | ⇆ | Stability of expected and unexpected losses. |
| Interest rate | Volatility in interest rates applicable to Naturgy's financing. | Diversification of funding sources. Debt management. Financial hedges. | Stochastic | ⇆ | Uncertainty about the interest rate scenario. |
| Tax | Ambiguity or subjectivity in the interpretation of current tax regulations, or due to amendments or the enactment of new regulations. | Queries to independent expert bodies. Engagement of top-level advisory firms. Adoption of the Code of Best Tax Practices. Recognition of provisions in accordance with accounting standards. | Scenarios | ↑ | Increasing complexity of the applicable tax items and wide differences between regulations in different territories. All of this affects the different business and corporate units. |
| Liquidity and rating risk | Financial risks associated with maintaining the Group's rating, derived from liquidity conditions or other causes. | Establishment of measures to ensure liquidity and the target rating. | Scenarios | ⇆ | Ratification of the target of an investment grade rating. |
| Security | Residual risk associated with personal injury or material damage to critical facilities caused intentionally by a third party. | Corporate positioning through the Security Policy, defining a specific protection model for Critical Infrastructures (CI). Engagement with the businesses, Centro Nacional para la Protección de Infraestructuras Críticas (CNPIC), Instituto Nacional de Ciberseguridad (INCIBE-CERT) and other bodies. | Heatmap/Scenarios | ⇆ | Certification audits of critical undertakings by the regulator (future CNPREC), in which technology will be of great importance. |
| Third parties | Uncertainty associated with relationships with third parties whose behaviour/performance may result in loss, damage, operational disruption, regulatory breach and/or possible loss of control. | Supplier risk management. Due diligence procedures for analysing counterparty risk. Systematic adoption of the Supplier Code of Ethics. Annual Internal Audit Plan to detect weaknesses and implement improvement actions under the supervision of the Audit and Control Committee. | Heatmap/Scenarios | ↑ | Assessment, monitoring and oversight of suppliers on the basis of the risks in the energy sector, specific supply risks and risks in the country where the supply is made. |
| Fraud | Risk derived from any intentional breach of the law by an employee or a third party to benefit themselves or the company, directly or indirectly, through the improper use of Naturgy resources or assets. | Control mechanisms through the system of Internal Control over Financial Reporting (ICFR), the crime prevention model and the Global Financial Information and Sustainability Policy. Ongoing audits. | Scenarios | ↑ | Improvement in fraud identification ratios using AI tools and developments, helping to contain fraud. |
| Cybersecurity | Malicious attacks or accidental events that affect data, computer networks or technology. | Implementation of security measures; analysis of events and application of remedies; training. Strengthening awareness plans, technology plans and measures to protect infrastructure and operating assets in order to mitigate the likelihood of risks and associated impacts materialising. | Scenarios/Heatmaps | ↑ | Increase in threats driven by AI, cybercriminals and the geopolitical context. |
| Data protection | Uncertainty associated with breaches of data protection obligations that may result in an administrative sanction or civil judgement. | Action Plan for each business area to mitigate the risk associated with each obligation based on priority and criticality. The company works in line with the requirements of the General Data Protection Regulation (GDPR) and Spain's Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). Internal audit plan in connection with regular compliance reviews. | Heatmap/Scenarios | ↑ | Regulatory uncertainty and tightening requirements. |
| Related to nature | Adverse effects that ecosystem degradation, species loss or disruption of ecosystem services may have on Naturgy's operations, supply chain and financial value, due to the organisation's dependencies and impacts on natural resources. | Emergency plans at facilities with risk of environmental accident. Specific insurance policies. End-to-end environmental management. Naturgy has adopted the recommendations of the Task Force on Nature-related Financial Disclosures (TNFD) for analysing the risks and opportunities related to biodiversity. | Scenarios/Heatmaps | ⇆ | Significant regulatory and/or legislative changes depending on location. |
| Health and safety | Risk of injury and health impairment for professionals of Naturgy or partner companies in connection with the business. | Health and safety management system. Safety plan aimed at controlling the six most critical risk factors in terms of accident frequency and severity: confined spaces, work at heights, electrical risk, tree felling and pruning, load handling and road safety. | Heatmap/Scenarios | ⇆ | Stable at low risk values. |
| Reputational and ESG | Impairment of stakeholders' perception of Naturgy due to environmental, social and governance issues. | Identification and tracking of potential reputational events. Transparency. Control mechanism through the system of Internal Control over Sustainability Reporting (ICSR). | Scenarios/Heatmaps | ⇆ | Stabilisation of the RepRisk index scores. |
| Compliance risk | | | | | |
| Reputational and crime risk | Administrative and criminal penalties. Impairment of Naturgy's reputation. | Crime prevention policy, Code of Ethics and Anti-corruption Policy. Whistleblower channel. Training. | Heatmap/Scenarios | ⇆ | Criminal offences, penalties, financial losses and loss of reputation, contracts and customers. |
| Counterparty risk | Administrative and criminal penalties. Reputational damage, with an impact on contractual relationships. | Counterparty Due Diligence Procedure. Training |
| Climate change | Uncertainty arising from the energy transition (regulation, markets and/or technologies) and the physical impacts of climate change. | Corporate positioning through the Global Sustainability Policy, the Sustainability Plan and the Climate Transition Plan, which reinforce governance on climate issues and establish energy transition objectives aligned with the Strategic Plan. | Climate scenario analysis and qualitative assessment | ↑ | Future technology uncertainty. Higher requirements for financial and sustainability reporting to be consistent with the company's objectives. |
Metrics used:
- Stochastic: production of trend lines for the main magnitudes, taking the maximum deviation from the benchmark scenario to be the risk, within a pre-set confidence interval. Those magnitudes are generally EBITDA and free cash flow after non-controlling interests.
- Scenarios: analysis of the impact, with respect to the benchmark scenario, of a limited number of possible incidents.
- Heatmap: the main risk factors for each risk category are assessed to quantify the impact and probability of occurrence of each one.
- Non-financial stress factors.
- Application of international risk assessment frameworks: Task Force on Climate-Related Financial Disclosures (TCFD), as regards climate change, and Task Force on Nature-related Financial Disclosures (TNFD), as regards biodiversity.