Risk management

Risk management model

Naturgy’s risk management model seeks to ensure that the company’s performance is predictable within an acceptable bounded range. The model quantifies the variability of performance and ensures that it is in line with strategically defined target levels in all aspects that are of importance to its stakeholders.

Core goals of the risk measurement and management model include ensuring that material risk factors are correctly identified, assessed and managed. The final objective is to ensure that the level of risk exposure assumed by Naturgy in the course of its business is consistent with the company’s defined overall risk profile and the attainment of annual and strategic objectives.

The Integrated Risk Management and Control System is structured as follows:

Risk Governance & Management: risk governance and management mechanism for all risk classes and all businesses, with Management Committee involvement.
Risk Assessment: methodology, procedure and process for identifying, assessing and measuring risks.
Risk Appetite: definition of risk tolerance by setting limits for the main risk categories, by risk type and by business, as a function of the targets.
Risk Reporting: regular systematic reporting and monitoring of risk at the various levels of management: Business Units, Corporate Units Audit and Control Committee and Board of Directors.

Risk categories

Naturgy defines five risk types in its Corporate Risk Map: Economic, Financial, Operational, Reputational/Sustainability, and Strategic.

Types of economic and financial risk

Economic and financial risks are assessed by quantitative modelling.

Categories of economic risk

Risk factors with an impact on business results, caused by the volatility of exogenous factors, amendments to regulatory frameworks, or changes in demand with an impact on short-term results.

Commodity risk, the uncertainty caused by variability in the prices of the energy and other commodities that the company uses.
Exchange rate risk, the uncertainty associated with changes during the year in the exchange rates of the currencies in which Naturgy’s businesses are denominated.
Regulatory risk, the risk associated with reviews of the remuneration frameworks for the regulated businesses and/or updates to the specific remuneration parameters and/or amendments to the regulatory framework under which Naturgy businesses operate.
Volume risk, risk associated with the variation of volumes produced, distributed and/or supplied due to variations in temperature, changes in customer behaviour as a result of climate change, and the macroeconomic or competitive environment with respect to the base scenario considered in the projections.
Margin/price risk, understood as the price risk not contemplated under commodity risk created by changes in competitive pressure or unachieved margin assumptions.
Legal risk, related to the eventual outcome of litigation, arbitration or legal claims against Naturgy in the year of analysis.

Financial risk categories

Risk factors with an impact on the company’s cash flow and balance sheet caused by the volatility of financial variables, potential impact of counterparties, amendments to tax frameworks, and provisioning.

Credit risk, unexpected loss due to uncertainty associated with the probability of non-payment of monetary obligations and/or deterioration of the credit quality of the end customers and counterparties with which Naturgy operates.
Interest rate risk, variability of the company’s financial expenses caused by changes in interest rates and in refinancing needs in the currencies in which Naturgy’s debt is denominated.
Tax risk, associated with the proper application of tax regulations, the complexity of their interpretation, and possible amendments, with a potential economic impact on the company’s accounts.
Liquidity risk, risk associated with a potential increase in the financing needs required to maintain the company’s target rating.
Rating risk, risk of a downgrade of the company’s credit rating, considering that the company targets an anchor BBB rating.
Provisioning and warranty risk, risk of maintaining an excessive volume of provisions on the balance sheet, resulting in the risk that they may materialize and their effect on cash outflows.

Types of operational, reputational/sustainability and strategic risk

Operational, reputational/sustainability and strategic risk are generally assessed using heat maps.

Operational risk categories

Risk factors derived from operating the company’s human and material assets.

Operational risk, associated with events of force majeure or accidents affecting persons, and with accidents, damage or non-availability of the company’s operating assets, after coverage by Naturgy’s insurance programme.
Security risk, understood as the residual risk associated with personal injury or material damage to critical facilities caused intentionally by a third party.
Business continuity and crisis management risk, the risk of a service-level breach as a result of inadequacy or failure of processes, systems or performance by in-house or third-party staff.
Fraud risk, derived from any intentional breach of the law by an employee or a third party to benefit themselves or the company, directly or indirectly, through the improper use of Naturgy resources or assets.
Cybersecurity risk, arising from malicious attacks or accidental events with an operational impact that affect data, computer networks or technology.
Data protection risk, the risk associated with breach of data protection obligations that may result in an administrative sanction or civil judgement.
Environmental and biodiversity risk, associated with the possibility that natural phenomena or human action may result in regulatory environmental limits being exceeded or in harm to third parties, ecosystems or biodiversity.
Health and safety risk, understood as the risk of injury and health impairment for professionals of Naturgy or partner companies in connection with the business.

Reputational/Sustainability risk categories

Risk factors associated with behaviours that constitute a departure from good practices in the area of reputation, ESG commitment, compliance, people and climate change.

Reputational and ESG risk, uncertainty in the evolution of stakeholders’ perception of the company’s reputation and its capacity to engage in business sustainably from an environmental, social and governance point of view.
Compliance risk, risk of Naturgy suffering penalties, financial loss or loss of reputation as a result of non-compliance with legal obligations, as well as regulations, policies and other internal regulations applicable to its activities.
Customer satisfaction risk, risk of not offering the customer a distinctive value proposition that places the company in a privileged position to define new relationship models and address the digital transformation.
Climate change risk, arising from the energy transition (changes to regulations, markets or technologies) and the physical impacts of climate change (acute and chronic).

Strategic risk categories

Risk factors associated with the company’s business portfolio: Long-term commodity exposure, capital employed by geography (soft vs. hard currencies), business risk profile (exposure to regulated vs. merchant businesses).

Main risks: management, measurement and trends

Risk type	Description	Management approach	Metric	Trend
Commodity risk
Commodity prices: Gas	Volatility in the international markets that determine the gas price.	Physical and financial hedges. Management of the procurement and sale portfolio.	Stochastic	Mismatch between the indices for long-term contracts and European hub prices.
Commodity prices: Electricity	Volatility in electricity markets.	Physical and financial hedges. Optimisation of the generation fleet and supply structure..	Stochastic	Penetration by renewables with zero marginal cost and intermittent production.

Risk type	Description	Management approach	Metric	Trend
Exchange rate	Volatility in international currency markets.	Geographic diversification. Hedging via local-currency funding and derivatives.	Stochastic	Uncertainty about growth and inflation prospects in Latin America, particularly Argentina.

Risk type	Description	Management approach	Metric	Trend
Regulatory	Exposure to reviews of criteria and returns recognised for regulated activities and/or regulatory measures to mitigate emerging macroeconomic situations.	Step up communication with regulators. Adjust efficiency and capital expenditure to recognised rates.	Scenarios	Pressure from regulators, as a function of the situation of the country/industry.

Risk type	Description	Management approach	Metric	Trend
Volume: Gas	Mismatch between gas supply and demand.	Optimisation of contracts and assets worldwide.	Deterministic/ Stochastic	Aggregate demand pressure. Risk of curtailment or interruption of supply.
Volume: Electricity	Reduction of the available thermal gap. Uncertainty as to renewable production volume due to resource variability.	Optimisation of the supply-generation balance.	Stochastic	Aggregate demand pressure.

Risk type	Description	Management approach	Metric	Trend
Margin/price	Risk created by changes in competitive pressure or margin optimisation scenarios.	Portfolio management by adapting long-term purchase and sale formulas.	Scenarios	Reviews of long-term gas contracts

Risk type	Description	Management approach	Metric	Trend
Legal	Uncertainty as to the eventual outcome of litigation, arbitration or legal claims.	Analysis and mitigation of legal risk affecting the company's operations and corporate governance. Engagement of top-level law firms. Recognition of provisions on a prudential basis.	Scenarios	The business units are affected by different laws in each country.

Risk type	Description	Management approach	Metric	Trend
Insurable risks	Accidents, damage or non-availability of Naturgy assets.	Continuous improvement plans. Optimisation of the total cost of risk and hedges.	Stochastic	Growing tension in the insurance market as a function of geography and technology due to the rising frequency and severity of both extreme weather events and cybersecurity claims.

Risk type	Description	Management approach	Metric	Trend
Credit	Uncertainty associated with the probability of non-payment of monetary obligations and/or deterioration of the credit quality of end customers and counterparties.	Analysis of customer solvency in order to define specific contractual conditions. Debt collection process.	Stochastic	Increase in expected and unexpected losses due to the probability of default, given the inflation situation and the global energy crisis.

Risk type	Description	Management approach	Metric	Trend
Interest rates and credit spreads.	Interest rate volatility on borrowings, both existing debt and refinancing.	Financial hedges. Diversification of funding sources.	Stochastic	Uncertainty about interest rate scenarios.

Risk type	Description	Management approach	Metric	Trend
Tax	Ambiguity or subjectivity in the interpretation of current tax regulations, or material amendments to same. Approval of unexpected fiscal measures.	Queries to independent expert bodies. Engagement of top-level advisory firms. Adoption of the Code of Good Tax Practices. Recognition of provisions on a prudential basis.	Scenarios	Different business units are affected by different taxes.

Risk type	Description	Management approach	Metric	Trend
Liquidity, rating and provision risks	Financial risks associated with maintaining the company's rating, derived from liquidity conditions or other causes. Risks associated with excessive use of funds due to maintaining provisions.	Establishment of a target rating and ensuring sufficient liquidity to maintain it in the event of a potential adverse scenario.	Scenarios	Ratification of the target of an investment grade rating in the Business Plan 2021-2025

Risk type	Description	Management approach	Metric	Trend
Security	Residual risk associated with personal injury or material damage to critical facilities caused intentionally by a third party.	Corporate positioning through the Security Policy, defining a specific protection model for Critical Infrastructures (CI). Engagement with the businesses, Centro Nacional para la Protección de Infraestructuras Críticas (CNPIC), Instituto Nacional de Ciberseguridad (INCIBE-CERT) and other bodies.	Heatmap/Scenarios	Certification audits by the regulator (CNPIC) of critical operators, in which technology is of great importance.

Risk type	Description	Management approach	Metric	Trend
Business continuity and crisis management risk	Risk of failing to maintain service levels as a result of a shortcoming or failure in processes, systems or staff performance.	Annual internal audit plan Weakness detection. Implementation of improvement actions. Audit and Control Committee.	Heatmap/Scenarios	Increase in the percentage of material recommendations that are implemented.

Risk type	Description	Management approach	Metric	Trend
Fraud	Risk derived from any intentional breach of the law by an employee or a third party to benefit themselves or the company, directly or indirectly, through the improper use of Naturgy resources or assets.	Control mechanisms through the Global Policy of the Internal Control System over Financial Reporting. Arrangement of hedges in the insurance market	Scenarios	Maintain low levels of fraud at Naturgy

Risk type	Description	Management approach	Metric	Trend
Cybersecurity	Malicious attacks or accidental events that affect data, computer networks or technology.	Implementation of security measures; Event analysis and remediation measures; Training.	Scenarios/Heatmaps	The cybernetic situation is becoming more demanding. Threat protection plan to mitigate the likelihood of these risks and their associated impact.

Risk type	Description	Management approach	Metric	Trend
Data protection	Uncertainty associated with breaches of data protection obligations that may result in an administrative sanction or civil judgement.	Action Plan by business area to mitigate the risk associated with each obligation based on priority and criticality. The company operates in line with the requirements of the General Data Protection Regulation (GDPR). Internal audit plan in connection with regular compliance reviews.	Heatmap/Scenarios	Uncertainty and tightening regulatory requirements.

Risk type	Description	Management approach	Metric	Trend
Environment	Possibility that natural phenomena or human action may result in binding regulatory environmental limits being exceeded, resulting in damage to ecosystems or biodiversity.	Emergency plans at facilities with risk of environmental accident. Specific insurance policies. End-to-end environmental management.	Scenarios/Heatmaps	Implementation of an Integrated Management System certified and audited each year by AENOR.

Risk type	Description	Management approach	Metric	Trend
Health and safety	Risk of injury and health impairment for professionals of Naturgy or partner companies in connection with the business.	Health and safety management system. Safety plan aimed at controlling the six most critical risk factors in terms of accident frequency and severity: confined spaces, work at heights, electrical risk, tree felling and pruning, load handling, and road safety.	Heatmap/Scenarios	Accident rates at partner firms.

Risk type	Description	Management approach	Metric	Trend
Reputational and ESG	Impairment of stakeholders' perception of Naturgy due to environmental, social and governance issues.	Identification and tracking of potential reputation events. Transparency. Control mechanism through the system of Internal Control over Non-Financial Reporting.	Scenarios/Heatmaps	Stabilisation of the RepRisk index scores.

Risk type	Description	Management approach	Metric	Trend
Compliance risk
Reputational and crime risk	Administrative and criminal penalties. Impairment of Naturgy's reputation.	Crime prevention policy, Code of Ethics and Anticorruption Policy. Whistleblower channel. Training.	Heatmap/Scenarios	Criminal offences, penalties, financial losses, and loss of reputation, contracts and customers.
Counterparty risk	Administrative and criminal penalties. Harm arising from breach of contract.	Counterparty Due Diligence Procedure. Training

Risk type	Description	Management approach	Metric	Trend
Climate change	Uncertainty arising from the energy transition (regulation, markets and/or technologies) and the physical impacts of climate change.	Corporate positioning via the Global Environmental Policy and Environment Plan, which strengthen governance in climate issues and energy transition targets.	Stochastic/ Scenarios/ Heatmaps	Future technology uncertainty. Increased requirements in connection with the coherence of financial reporting with the company's objectives in connection with mitigating climate change risk.

Metrics used:

Stochastic: production of trend lines for the main magnitudes, taking the maximum deviation from the benchmark scenario to be the risk, within a pre-set confidence interval. Those magnitudes are generally EBITDA, earnings after taxes, cash flow and value.
Scenarios: analysis of the impact, with respect to the benchmark scenario, of a limited number of possible incidents.
Heatmap: the main risk factors for each risk category are assessed to quantify the impact and probability of the identified risks.
Non-financial stress tests:
Application of international risk assessment frameworks: Task Force on Climate-Related Financial Disclosures (TCFD), for climate change, and Task Force on Nature-related Financial Disclosures (TNFD), for biodiversity.