Risk Management Policy

Our aim is to provide greater certainty and confidence in the achievement of Company objectives to shareholders, customers, employees, and other stakeholders, through the anticipation, management, and control, as far as practicable, of the risks to which the Group is exposed, with an overall vision.

Our commitments

  • Implement, under the supervision of the Audit and Control Committee of the Board of Directors, an Integrated Risk Management System in line with international reference standards and guided by the following principles:
    • Leadership of Management, who will provide the necessary resources and ensure that the organization works in accordance with these principles.
    • Integration in management processes, especially those related to strategy and planning.
    • Differentiated responsibility for the units and bodies involved, based on the “three lines” model¹.
    • Comprehensive and harmonized management, so that all risks are managed through a common process for identification, evaluation, and treatment, as defined in the ISO 31000 standard, in order to maintain them at levels tolerated by the Company.
    • Continuous improvement through periodic reviews of the management framework.
  • Maintain a risk profile in line with the business model of a global and integrated energy company, present throughout the value chain and that carries out its operations in a diversified fashion. This commitment combines both quantitative and qualitative elements and is based on the following criteria and principles, inherent to its strategy, culture, and values:
    • Actively managing most strategic, operational, financial and non-financial risks inherent to our activity, maintaining them within the tolerance thresholds and objectives defined. These include those related to the socio-political environment, macroeconomics and competitive scenario, regulation, partners, reputation and public image, business and asset portfolio, technology, corporate governance, people and organization, information systems, suppliers and contractors, operational excellence, projects, liquidity, market, equity, rating, and counterparty.
    • Repsol declares its rejection of risks related to health, safety, environment, security, ethics and conduct, compliance (including tax compliance), minimizing by all means available the probability of their occurrence and/or associated impact, including reputation.
  • Define the applicable risk management strategy in each organizational area, which, depending on its type and exposure, may consist of accepting the risk, interrupting the activity that generates the exposure, mitigating the risk through the preventive or contingent measures applicable according to its nature, or transferring the exposure to third parties, in accordance with the internal regulations that the Company has developed for this purpose.
  • Reasonably ensure compliance with the objectives of each organizational area, including operational, financial, and non-financial objectives, communication of financial and non-financial information, and regulatory compliance, through information and internal control systems based on the principles of the COSO² reference framework.
  • Inform transparently about the risk control systems, the main risks faced by the Group or that could affect the achievement of its business targets, as well as the tolerance levels.
  • Retain high-probability, low-impact risks and transfer low-probability, high-impact risks to third parties through the adoption of a framework for retention and transfer that shall be implemented by means of insurance contracts or other coverage measures.

1 Three Line Model of IIA (Institute of Internal Auditors), 2020.

2 COSO Internal Control – Integrated Framework, 2013.