In a group the size of Abengoa, with more than 620 companies operating in 70 countries worldwide and boasting over 24,000 employees, a common business management system is an absolute necessity as it enables us to work effectively on a coordinated and consistent basis.
Abengoa manages its risks through the following model, which seeks to pinpoint potential risks within a business:
Our Risk Management model is composed of two fundamental elements:
Both elements combine to form an integrated system that enables the company to manage risks and controls suitably throughout all levels of the organization.
It is essentially a living system that requires constant updates to keep it in line with the business reality.
Business Risks
The procedures aimed at eliminating business risks are channeled through the so-called Common Management Systems (CMS).
The CMS serve to identify not only the risks included in the current model, but also the monitoring activities used to mitigate them. They therefore put the internal rules for action into practice and represent a shared culture in the management of Abengoa’s businesses.
There are currently eleven internal rules, which in turn consist of 28 subsections that define exactly how each of the potential risks included in Abengoa’s risk model should be managed.
The CMS incorporate a host of specific procedures covering any action that could lead to a risk for the company, whether economic or non-economic.
The Common Management Systems are available to all employees electronically, regardless of territory or job category.
For this purpose, they contain, among other things, a raft of authorization forms, which must be completed and filed to obtain official approval for any actions that may affect the company’s finances, or acts associated with any other kind of indirect risk (image, investor relations, press releases, information systems, access to applications, etc.). All forms that are submitted follow a cascading approval system as they flow through the company’s approval bodies, business groups and corporate departments, with ultimate approval resting with the Chairman’s Office.
Similarly, the CMS contain specific appendices to provide further clarification on how to proceed in specific cases. They tackle a wide range of aspects, from models for analyzing and evaluating investments to rules governing corporate identity.
The Systems extend to the entire organization on three levels:
Meeting the provisions of the Common Management Systems is compulsory throughout the entire organization and, therefore, such provisions must be known to all the members thereof. Any possible exemptions from the duty to comply with the Systems must be communicated to the party concerned and duly authorized through the corresponding authorization forms.
The Common Management Systems are subject to an ongoing updating process, which allows best practices to be incorporated into each of their fields of action. To enhance awareness, successive updates are immediately notified throughout the company via electronic channels.
The CMS mitigate the risks associated with company business (business risks) throughout all possible levels.
Abengoa has appointed heads for each of the rules that make up the CMS, who ensure at all times that the procedures encompassing all the actions to be carried out in their respective areas are fully implemented, the aim being to hedge against any aspects that could give rise to an economic or non-economic risk for Abengoa. These heads are the people in charge of updating the CMS on a permanent basis and making them available to the entire company.
Furthermore, those responsible for each of the rules that make up the Common Management Systems must verify and certify compliance with said rules. Official certification for each year is issued and presented to the Audit Committee in January of the following year.
In 2004, Abengoa began the process of adapting its structure of internal control over financial information to the requirements set forth in Section 404 of the SOX Act. This process of alignment was completed in 2007, although it continues to be implemented in new company acquisitions as they occur every year.
The SOX Act was passed in the United States in 2002 in order to ensure transparency in management and the accuracy and reliability of the financial information published by companies listed on the U.S. stock market (SEC registrants). This law makes it mandatory for these companies to submit their internal control system to a formal audit by their financial auditor, which must also issue an independent opinion on the control system in place.
According to the instructions of the Securities and Exchange Commission (SEC), SOX Act compliance is mandatory for companies and groups that are listed on the U.S. stock markets. Even though only one of its Business Units - Information Technologies (Telvent) - is subject to SOX compliance, Abengoa considers it necessary to comply with these requirements not only in the case of this Nasdaq-listed subsidiary, but for all Group companies, as these requirements complement the risk control model employed by the company.
At Abengoa, we have always viewed this legal requirement as an opportunity for improvement. Far from limiting ourselves to the bare minimum required by law, we have striven to optimize our internal control structures, control procedures and the assessment procedures applied.
The initiative arose in response to the group’s rapid growth over the last few years, coupled with our anticipated future growth. The purpose is to be able to continue assuring investors that our financial reports are accurate, timely and complete.
With the aim of complying with the requirements under Section 404 of the SOX Act, Abengoa’s internal control structure has been redefined using a “top-down” approach based on risk analysis.
This risk analysis encompasses a preliminary identification of significant risk areas and an assessment of the company’s controls over them, starting with top-level executives - corporate and supervisory controls - and subsequently moving down to the operational controls in place in each process.
Our focus is as follows:
Our work encompasses the following aspects:
In this regard, the company has defined 53 Management Processes, which are pooled together in Corporate Cycles and Cycles Common to Business Groups.
These processes identify and perform a host of control activities (manual, automatic, configurable and inherent) that ensure the integrity of the financial information prepared by the company.
These controls have likewise been set up in the areas of System Changes, Transactions and Security and in Separation of Duties, which complement the Information Security Management System by providing applications with a high level of security.
These processes and their 450-plus associated control activities, which have been tagged as relevant, are subject to both internal and external audits.
Abengoa believes that an appropriate internal control system must ensure that all relevant financial information is reliable and known to the management. We therefore believe that the model developed in line with the SOX requirements complements and forms part of our Common Management Systems, the main purpose of which is to control and mitigate business risks.
Our chosen conceptual reference framework is the COSO model, because it is most similar to the approach required under SOX. This model has also been presented to the Audit Committee. Under this model, internal control is defined as the process carried out in order to provide a reasonable degree of security in relation to the attainment of objectives, such as compliance with laws and regulations, reliability of financial information and operational effectiveness and efficiency.
Abengoa’s oversight and control of the risk management model is structured around the Joint Audit Services. These bring together the audit teams of the companies, Business Units and corporate services, which coordinate their actions and are ultimately accountable to the Audit Committee of the Board of Directors.
Among its strategic objectives, we would highlight the following:
In order to fulfill these strategic objectives, the Joint Audit Services have the following specific objectives:
Following the doctrine of The Institute of Internal Auditors and its Spanish branch, the Instituto de Auditores Internos, the ultimate aim of this structure is to provide the management of Abengoa and of each of its Business Units with an extra “control” flow of information, running parallel to the normal hierarchical flow, but with permanent horizontal information channels in place between each of the hierarchical levels of the companies and business units and the pertinent Internal Audit services, all applying clear and transparent criteria and safeguarding the confidential information involved.
This structure is illustrated in the following diagram: