Abengoa manages its risks through a model aimed at identifying the potential risks of a business. This model considers 4 important areas that are subdivided into 20 categories of risks, which contemplate more than 90 potential risks of a business.
Our model contemplates the following areas and categories of risks:
Risk Management at Abengoa is based on two significant bases:
a) the Common Management Systems, which serve to mitigate business risks
b) internal control procedures designed following the SOX (Sarbanes-Oxley Act) to mitigate risks linked with the reliability of financial information.
Both elements make up an integrated system that permits an appropriate management of the risks and controls at all levels of the organization.
This is a live system that undergoes continuous modifications to remain in line with the reality of business.
There are also internal auditing services in charge of ensuring the compliance with and the good functioning of both systems.
I) Business risks
Procedures geared towards eliminating business risks are instrumented through what is referred to as “Common Management Systems” (CMS).
The Common Management Systems of Abengoa develop the internal rules governing Abengoa and its chosen approach to assessing and controlling risk. They represent a common culture in the business management of Abengoa, in that they permit the sharing of accumulated knowledge and they set the criteria and patterns of action.
The CMSs serve to identify both the risks embedded in the current model and the control activities that mitigate them, and they mitigate the risks inherent to the activity of the Company (business risks) at all possible levels.
There are 11 internal policies with 28 subsections that define how to manage each of the potential risks included in the Abengoa risks model.
The CMSs include some specific procedures that cover any action that may entail a risk for the organization, whether economic or not. In addition, they are available for all employees in IT media regardless of the geographical location and post of the employees.
For that reason, they contain, amongst other aspects, a series of authorization forms that must be filled in to obtain approval for any action that may have a financial repercussion on the Company, as well as for actions associated with other kinds of indirect risks (image, relationship with investors, press releases, information systems, access to applications, etc.). All completed forms follow a cascading system of approvals, passing through the company’s organs of approval, business units and corporate departments, and are finally approved by the Chairperson.
The CMSs also include specific annexes aimed at helping to clarify the way to act in specific cases. They include aspects as varied as models of investment analysis and evaluation, up to corporate identity rules.
The following are also achieved through Common Management Systems:
The Systems cover the whole organization at three levels:
Compliance with what is set forth in the Common Management Systems is compulsory for the whole organization, which is why all its members are bound to know them. Any exceptions to said compliance with said systems must be made known to the person in charge and must be conveniently authorized through the relevant authorization forms.
In addition, they are constantly updated, which permits the incorporation of good practices into each of the fields of action. To facilitate their dissemination, successive updates are immediately communicated to the organization through IT media.
At all times there are people in charge of each of the regulations contained in the CMSs, who ensure the implementation of procedures that consider all the relevant actions in their area, to mitigate anything that could result in a financial or non-financial risk for Abengoa. They are the ones in charge of permanently updating the CMSs and placing them at the disposal of the whole organization.
In addition, those in charge of each of the policies of the Common Management Systems must verify and certify compliance with said procedures. Each year’s certification is issued and submitted to the Audit Committee in January the following year.
II) Risks in relation to the reliability of financial information
In 2004 Abengoa started a process of adjusting its internal control structure on financial information to fit the requirements set forth by Section 404 of the SOX Act. Said adjustment process ended in 2007, although it is still being implemented in the new company acquisitions which occur each year.
The SOX Act was enacted in the United States in 2002 for the purpose of guaranteeing the transparency in management and the veracity and reliability of the financial information published by companies trading on the US market (SEC registrants). This Act requires that companies subject their internal control systems to formal auditing by the auditor of their financial statements who, in addition, would have to issue an independent opinion on them.
Following the instructions of the Securities and Exchange Commission (SEC), compliance with said Act is compulsory for companies and groups listed on North American markets. Thus, and although only one of the Business Units – Information Technologies (Telvent) – is obliged to comply with the SOX Act, Abengoa deems it necessary to comply with these requirements in both the subsidiary listed on NASDAQ as well as in the rest of the companies, because the risks control model used by the company is completed with it.
Abengoa considers this legal requirement an opportunity for improvement and, far from simply conforming to the precepts set forth in the law, it has sought to develop its internal control structures and the control and assessment procedures applied to the maximum level.
The initiative is a response to the rapid expansion the group has undergone over the past years, and to the expectations of future growth, and for the purpose of being able to continue ensuring investors the preparation of accurate, timely and complete financial reports.
Also for the purpose of complying with the requirements in section 404 of the SOX act, Abengoa redefined its internal control structure following a Top-Down approach based on risk analysis.
Said risk analysis entails the initial identification of significant risk areas and the assessment of the controls that the company has over them, starting from those executed at the highest level – corporate controls and supervision – and then down to the operational controls present in each process.
In this sense we defined 53 Management Processes (POC) grouped in Corporate Cycles and Business Units Common Cycles.
These processes have identified and put in place a series of activities of control (manual, automatic, configurable and inherent) that guarantee the integrity of the financial information prepared by the company.
Likewise, these controls are also present in the areas of Change, Operation and Security of the Systems, as well as in the Separation of Functions, that complement the Information Safety and Security Management System, providing a high level of security in the applications.
These processes and their over 550 activities of control catalogued as relevant are subjected to verification by internal and external auditors.
III) Other existing tools
The company has a Corporate Social Responsibility master plan that involves all the areas and is implemented in the five business units, adapting the CSR strategy to the social reality of the various communities in which Abengoa is present. Corporate Social Responsibility, understood as the integration of the expectations of interest groups into the Company’s strategy, the respect for the Law and the consistency with international standards of action, is one of the pillars of the Abengoa culture. The company informs its interest groups on the performance in the various CSR matters through a report following the GRI standard for preparing sustainability reports. This report will be externally verified as part of the company’s commitment to transparency and rigour.
In 2002 Abengoa signed the United Nations World Pact, an international initiative aimed at achieving the voluntary commitment of entities regarding social responsibility, by way of implementing ten principles based on human, labour and environmental rights and on the fight against corruption. Also, in 2008, the company signed the Caring for Climate initiative, also from the United Nations. Consequently, Abengoa put in motion a system of reporting on greenhouse gas (GHG) emissions which would permit it to register its greenhouse gas emissions, know the traceability of all its supplies and certify its products and services.
In 2009, we developed a system of environmental sustainability indicators that would contribute to improving the management of the company’s business, thus permitting us to measure and compare the sustainability of its activities, and to establish improvement objectives for the future. The combination of both initiatives places Abengoa at the helm of world leadership in sustainability management.
IV) Criminal Liability Risks
Following the enactment of Organic Law 5/2010, Abengoa is developing a system of risk management, internal control and regulatory compliance that will allow it to minimize the possible criminal risks, implementing measures aimed at showing that its personnel and executives are subject to control and due diligence. Said procedure will ensure the prevention and/or detection and investigation of crimes committed.
No
If so, indicate the circumstances that led to them and whether the established control system worked.
If so, provide details of its functions.
Name of the committee or body
Audit Committee.
Description of functions
To inform the Board of any change in accountancy criteria and risks either on or off the balance sheet.
1. See fourth annex at the end of this document.
2. Summary.
Since 2007, Abengoa has voluntarily submitted its Internal Control Systems to external evaluation, with the issuance of an audit opinion under PCAOB standards and a compliance audit under section 404 of the Sarbanes-Oxley Act (SOX).
This fact implies that Abengoa has been complying strictly with the reference indicators included in the National Stock Market Commission’s “Systems of Internal Control over Financial Reporting” document for four financial years.
I) Internal Audit service
The Audit Committee’s functions include the “supervision of the internal audit service” and “obtaining information on the financial reporting process and internal control systems and on the risks for the company”.
I. i) The Internal Audit service in Abengoa
The Internal Audit service originated as an independent global function, reporting to the Audit Committee of the Board of Directors, with the principal objective of supervising Abengoa’s internal control and significant risk management systems.
II) External Audit
The auditor of the individual and consolidated annual financial statements of Abengoa, S.A. is PricewaterhouseCoopers, which is also the Group’s main auditor.
The Audit Committee proposed the appointment of this firm to the Board of Directors, in order for the latter to subsequently submit it to the General Meeting of Shareholders, due to said firm’s extensive knowledge of the Group and its history, which were valued very favorably by both the Committee itself and Management.
Notwithstanding, a significant part of the Group, basically the Information Technologies Business Group (Telvent), is audited by Deloitte.
In addition, other firms collaborate in performing the audit, especially in small companies, both in Spain and abroad, although their scope is not significant in the Group overall.
The Audit Committee’s functions include ensuring the independence of the external auditor, proposing the appointment or renewal thereof to the Board of Directors and approving its fees.
Thus, in the year 2007, the company submitted the Corporate Social Responsibility Report to verification for the first time. In the year 2008, it was the Report on Greenhouse Gas Emissions and, in 2009 the Corporate Governance Report was verified externally.
Thus, in the year 2010, 6 reports were issued by the external auditors and form an integral part of the Annual Report:
III) Internal Control
The Audit Committee’s main objectives concerning internal control over the preparation of the financial reporting are:
Abengoa and its different Business Groups employ a mechanism for complaints to the Audit Committee, which was formally put in place in the year 2007 under the requirements of the Sarbanes-Oxley Act.
Abengoa has two complaint channels:
IV) Risk Management
Abengoa is aware of the importance of managing its risks in order to carry out appropriate strategic planning and attain the defined business objectives. To do this, it applies a philosophy formed by a set of shared beliefs and attitudes, which define how risk is considered, starting with the development and implementation of the strategy and ending with the day-to-day activities.
The risk management philosophy is set out and applied through Abengoa’s Risk Management System, which is completed with the Universal Risk Model.
Abengoa defines risk as any potential event that may prevent the company from reaching its business objectives. Abengoa considers that a risk arises as a loss of opportunities and/or strengths or the materialization of a threat and/or strengthening of a weakness.
IV. i) The Universal Risk Model
Abengoa’s Universal Risk Model is made up of four categories, twenty subcategories and a total of 94 principal risks for the business. Each one of these risks has an associated series of indicators that allow its probability and impact to be measured and the degree of tolerance of the risk to be defined.
For each risk, at least one probability indicator and an impact indicator have been established. These may be quantitative and/or semi-quantitative indicators, while, at the same time, they allow tolerance levels to be fixed for subsequent evaluation and monitoring.