Risks

Ferrovial, in fulfilling its business objectives, is exposed to a variety of risk factors arising from the nature of the sectors in which it operates, the countries in which its activities are located, and the different regulatory frameworks to which it is subject.

Policy

The company has a Risk Control and Management Policy, approved by the Board of Directors, which establishes the general framework of action for the control and management of risks of different nature that the management team may encounter in the achievement of business objectives, as well as the level of acceptable risk and of tolerance per risk factor. Acceptable risk and tolerance levels are specified in certain risk appetite metrics approved by the Board.

The Policy is communicated throughout the organization for implementation and employees receive specific training on internal risk management and control systems related to their activities. 

Supervision

The Board of Directors monitors the functioning of the internal risk management and control systems and carries out systematic evaluation of their design and effectiveness at least once a year.

The process of monitoring the company’s risk management and control systems and the policies that develop them is based on the three lines of defense model.

On the other hand, under the principle of continuous improvement, the risk management process is periodically subject to external review in order to detect weaknesses and opportunities for improvement.

Board of Directors

Ferrovial’s Board of Directors analyzes the risks associated with the strategy and activities of the Company and its businesses, in accordance with the Risk Control and Management Policy and the established risk appetite metrics.

The Non-Executive Directors oversee the policies, management and general affairs of the Company and its business, including relations with shareholders, with an emphasis on the effectiveness of the Company’s internal risk management and control systems.

The Board of Directors has the necessary skills to effectively perform its risk oversight function.

Audit and Control Committee

The members of the Audit and Control Committee, and especially its chairman, are appointed on the basis of their knowledge and experience in accounting, auditing and risk management, both financial and non-financial.

The Audit and Control Committee advises the Board in its decision-making, among other matters, on the supervision of the integrity and quality of the Company’s financial and sustainability reporting and on the effectiveness of the Company’s internal risk management and control systems.

The Audit and Control Committee also supervises and evaluates the control and management systems for financial and non-financial risks relating to the Company and the Ferrovial Group, including operational, technological, legal, social, environmental, political, reputational and corruption-related risks.

Internal Audit

The Internal Audit function, acting as a third line of defense, supervises the company’s risk management system through internal audits of the company’s various risk management processes (financial, operational, compliance, etc.), issuing recommendations to correct any weaknesses detected. 

Risks

The independent risk function of the business lines, acting in the second line of defense, is responsible for managing and supervising the risk assessment and identification process, known as Ferrovial Risk Management, and for reporting periodically to the Audit and Control Committee and, where appropriate, to the Board of Directors on the risks that threaten the achievement of business objectives and compliance with the risk appetite metrics established by the Board.

On the other hand, as part of the second line of defense, the company’s corporate departments in their area of responsibility supervise compliance with the risk management systems and policies in force that apply to them. 

Business Managers

Business managers, acting as the first line of defense, analyze and supervise the management of risks associated with the achievement of the business objectives of their area of activity, in accordance with the specific risk management systems and policies applicable to them. 

Ferrovial Risk Management

The company has a risk identification and assessment process, called Ferrovial Risk Management (FRM), promoted by the Management Committee and implemented in all the company’s business areas, under the regular supervision of the Audit and Control Committee of the Board of Directors. The process is carried out twice a year.

Through the application of common metrics, the process allows risk events to be identified in advance and assessed in terms of their likelihood of occurrence and their potential impact on business objectives, including corporate reputation. In this way, the highest rated risks are prioritized in order to take the most appropiate mitigation measures according to the nature of the risk, as well as to take advantage of the opportunities that may arise from proper risk management.

For each risk event identified, two assessments are carried out: an inherent assessment  prior to the specific control measures implemented to mitigate the risk, and a residual assessment, after specific mitigation measures have been implemented.

In a process of continuous improvement, during the last financial year Ferrovial has carried out a review of the risk management process by means of an internal audit and an external consultancy exercise in order to detect weaknesses and improve the performance of the process in accordance with comparable international best practices.