Our environment is defined by an astonishing acceleration in technology, the speed of social, economic and political change and the need to create value.
To tackle the threats from this scenario, as well as to make the most of the opportunities that arise, Abengoa believes that risk management is an essential activity and function for making strategic decisions and that it is essential to have criteria and methodologies to ensure that the business grows safely.
Abengoa’s risk management structure is based on three fundamental pillars:
These elements make up an integrated system that allows risks and controls to be appropriately managed at every level of the organisation.
This is a dynamic system that is continuously modified in order to stay up to date with the reality of the business.
Our “Common Management Systems” represent a common culture for Abengoa’s distinct businesses. They identify the risks, establish the coverage and determine the control activities.
The Common Management Systems, which implement the necessary business and risk management in Abengoa, apply to every business group and activity area and involve the different levels of management. They include specific procedures that cover any action that may generate a risk to the organisation, both financial and non-financial.
Abengoa’s risk management process, with regard to the Common Management Systems, is a continuous cycle based on five key stages, as shown in the figure below:
Compliance with the conditions established in the Common Management Systems is mandatory for the whole organisation, and all members must be aware of them.
Any exceptions to this must be appropriately authorised through the corresponding authorisation forms. Furthermore, and as a way of emphasising the involvement of all managers in managing risk, each of the rules in the Common Management Systems must be verified and certified to comply with these procedures. The annual certification is issued and submitted to the Audit Committee in January of the following year.
Furthermore, these systems are subject to a continuous update process that allows best practices to be incorporated into each area.
In 2004 Abengoa began a process to adapt its internal control structure for financial information to the requirements of Section 404 of the Sarbanes-Oxley Act (SOX). This process continues to be implemented in new companies that are acquired.
The SOX Act was passed in the USA in 2002 in order to guarantee transparency in the management, accuracy and reliability of the financial information published by companies listed in the US market (“SEC registrants”). This law requires these companies to subject their internal control system to a formal audit by their financial statements auditor, which must also issue an independent opinion on the Company’s internal control system over financial reporting.
According to the instructions of the Securities and Exchange Commission (SEC), compliance with this law is mandatory for companies and groups listed in the North American market.
At Abengoa we see this legal requirement as an opportunity for improvement and, far from being satisfied with the conditions included in this law, we have tried to further develop our internal control structures, control procedures and the evaluation procedures applied as much as possible.
This initiative is a response to the rapid expansion of the Group over the last few years and its forecasts for future growth, in order to be able to continue to guarantee investors precise, timely and comprehensive financial reporting.
In order to comply with the requirements of Section 404 of SOX, Abengoa has redefined its internal control structure following a top-down approach that involves the initial identification of the important risk areas and the evaluation of the controls that the company has for them, beginning with those carried out at the highest level (corporate and supervision controls) and proceeding to evaluate the operational controls in each process.
Our internal control system contains more than 460 control activities, of which 214 are linked to IT systems.
Implementation of the SAP GRC Process Control module began in 2011, providing a technological solution that enables the internal control module to be automated. Compliance monitoring is also automated, making compliance easier and improving the security of the Company’s operations.
The benefits derived from implementing the GRC Process Control module lie in the automation of internal control and compliance monitoring, and integrating internal control into business processes.
The implementation of Abengoa’s Universal Risk Model, a methodology that quantifies the risks in the Risk Management System, was completed in 2011.
Abengoa’s Universal Risk Model classifies risks into four categories, 20 sub-categories and a total of 86 main risks to the business. Each of these risks is associated with a series of indicators that measures the probability and impact of each risk, and defines the degree of tolerance towards them, which enables them to be assessed and subsequently monitored.
The operational configuration of Abengoa’s Universal Risk Model is shown below. The periodic review and updating of the model is the shared responsibility of the Internal Audit Department, the managers of each area, the Corporate Risk Department and the risk departments of the different business groups:
The risks are classified into four types (low, tolerable, severe and critical) as a result of assigning the probability and impact indicators to each of the risks in the model.
Finally, the implementation of Archer eGRC was completed in 2011. This technology solution automates the process of identifying, evaluating, addressing, monitoring and reporting the risks contained in the Universal Risk Model in order to support all the activities and sectors in which Abengoa operates.