Risk Control Systems

D - Sistema de Control de Riesgos


D.1 General description of the risk policy of the company and/or its group, detailing and evaluating the risks covered by the system, together with an explanation of why these systems are adequate for each type of risk.


Abengoa manages its risks through a model aimed at identifying the potential risks of a business. This model considers 4 important areas that are subdivided into 20 categories of risks, which contemplate more than 90 potential risks of a business.


Our model contemplates the following areas and categories of risks:

  • Strategic risks: Corporate governance, strategic and R+D+i projects, mergers, acquisitions and divestments, planning and assignment of resources, market dynamics, communication and relation with investors
  • Operational risks: Human resources, information technologies, physical assets, sales, supply chain, threats or catastrophes.
  • Financial risks: Cash flow and credit, markets, taxation, capital structure, accounting and reporting.
  • Legal risks:Regulations, laws and codes of ethics and of conduct.


Risk Management at Abengoa is based on two significant bases:

a) the Common Management Systems, which serve to mitigate business risks

b) internal control procedures designed following the SOX (Sarbanes-Oxley Act) to mitigate risks linked with the reliability of financial information.

Both elements make up an integrated system that permits an appropriate management of the risks and controls at all levels of the organization.

This is a live system that undergoes continuous modifications to remain in line with the reality of business.

There are also internal auditing services in charge of ensuring the compliance with and the good functioning of both systems.

I) Business risks


Procedures geared towards eliminating business risks are instrumented through what is referred to as “Common Management Systems” (CMS).

The Common Management Systems of Abengoa develop the internal rules governing Abengoa and its chosen approach to assessing and controlling risk. They represent a common culture in the business management of Abengoa, in that they permit the sharing of accumulated knowledge and they set the criteria and patterns of action.

The CMSs serve to identify both the risks embedded in the current model as well as the activities of control that mitigate them and they mitigate the risks inherent to the activity of the Company (business risks), at all possible levels.

There are 11 internal policies with 28 subsections that define how to manage each of the potential risks included in the Abengoa risks model.

The CMSs include some specific procedures that cover any action that may entail a risk for the organization, whether economic or not. In addition, they are available for all employees in IT media regardless of the geographical location and post of the employees.

For that reason, they contain, amongst other aspects, a series of authorization forms that must be filled in order to be granted approval for any action that may bear a financial repercussion on the Company, as well as in actions associated with other kinds of indirect risks (image, relationship with investors, press releases, information systems, access to applications, etc). All the forms filled in follow a cascading system of approvals passing through the company’s organs of approval, business units, corporate departments, and are finally approved by the Chairperson.


The CMSs also include specific annexes aimed at helping to clarify the way to act in specific cases. They include aspects as varied as models of investment analysis and evaluation, up to corporate identity rules.

The following are also achieved through Common Management Systems:

  • Optimization of daily management, applying procedures geared towards financial efficiency, reduction of expenses, homogenization and compatibility of information and management systems.
  • Promoting the synergy and creation of value of the various Business Units of Abengoa.
  • Reinforcing the corporate identity, respecting the values shared by all the companies of Abengoa.
  • Achieving growth through strategic development, searching for innovation and new opportunities on short- and long-term bases.

The Systems cover the whole organization at three levels:

  • All Business Units and Areas of Activity.
  • All levels of responsibility.
  • All types of operations.

Compliance with what is set forth in the Common Management Systems is compulsory for the whole organization, which is why all its members are bound to know them. Any exceptions to said compliance with said systems must be made known to the person in charge and must be conveniently authorized through the relevant authorization forms.

Besides, they are constantly undergoing updates that permit the incorporation of good practices to each of the fields of action. To facilitate their spreading, successive updates are immediately communicated to the organization through IT media.

At all times there are people in charge for each of the regulations entailed in the CMSs who assure the implementation of the procedures that consider all the relevant actions in their area, to mitigate anything that could derive in a financial or non-financial risk for Abengoa. It is them who are in charge of permanently updating the CMSs and placing them at the disposal of the whole organization.

In addition, those in charge of each of the policies of the Common Management Systems must verify and certify compliance with said procedures. Each year’s certification is issued and submitted to the Audit Committee in January the following year.


II) Risks in relation to the reliability of financial information


In 2004 Abengoa started a process of adjusting its internal control structure on financial information to fit the requirements set forth by Section 404 of the SOX Act. Said adjustment process ended in 2007, although it is still being implemented in the new company acquisitions which occur each year.

The SOX Act was enacted in the United States in 2002 for the purpose of guaranteeing the transparency in management and the veracity and reliability of the financial information published by companies trading on the US market (SEC registrants). This Act requires that companies subject their internal control systems to formal auditing by the auditor of their financial statements who, in addition, would have to issue an independent opinion on them.


Following the instructions of the Securities and Exchange Commission (SEC), compliance with said Act is compulsory for companies and groups listed on North American markets. Thus, and although only one of the Business Units – Information Technologies (Telvent) – is obliged to comply with the SOX Act, Abengoa deems it necessary to comply with these requirements in both the subsidiary listed on NASDAQ as well as in the rest of the companies, because the risks control model used by the company is completed with it.

Abengoa considers this legal requirement as an opportunity for improvement and, far from simply conforming to the precepts set forth in the law, it has tried to develop its internal control structures, the control and assessment procedures applied up to the maximum level.

The initiative is a response to the rapid expansion the group has undergone over the past years, and to the expectations of future growth, and for the purpose of being able to continue ensuring investors the preparation of accurate, timely and complete financial reports.

Also for the purpose of complying with the requirements in section 404 of the SOX act, Abengoa redefined its internal control structure following a Top-Down approach based on risk analysis.

Said risk analysis, entails the initial identification of significant risk areas and the assessment of the controls that the company has over them, starting from those executed at the highest level – corporate controls and supervision – and then down to the operational controls present in each process.

In this sense we defined 53 Management Processes (POC) grouped in Corporate Cycles and Business Units Common Cycles.

These processes have identified and put in place a series of activities of control (manual, automatic, configurable and inherent) that guarantee the integrity of the financial information prepared by the company.

Likewise, these controls are also present in the areas of Change, Operation and Security of the Systems, as well as in the Separation of Functions, that complement the Information Safety and Security Management System, providing a high level of security in the applications.

These processes and their over 550 activities of control catalogued as relevant are subjected to verification by internal and external auditors.


III) Other existing tools


The company has a Corporate Social Responsibility master plan that involves all the areas and is implemented in the five business units, adapting the CSR strategy to the social reality of the various communities in which Abengoa is present. Corporate Social Responsibility, understood as the integration of the Expectations of interest groups into the Company’s strategy, the respect for the Law and the consistency with international standards of action, is one of the pillars of the Abengoa culture. The company informs its interest groups on the performance in the various CSR matters through a report following the GRI standard for preparing sustainability reports. This report will be externally verified as part of the company’s commitment to transparency and rigour.

In 2002 Abengoa signed the United Nations World Pact, an international initiative aimed at achieving the voluntary commitment of entities regarding social responsibility, by way of implementing ten principles based on human, labour and environmental rights and on the fight against corruption. Also, in 2008, the company signed the Caring for Climate initiative, also from the United Nations. Consequently, Abengoa put in motion a system of reporting on greenhouse gas (GHG) emissions which would permit it to register its greenhouse gas emissions, know the traceability of all its supplies and certify its products and services.


In 2009, we developed a system of environmental sustainability indicators that would contribute to improving the management of the company’s business, thus permitting us to measure and compare the sustainability of its activities, and to establish improvement objectives for the future. The combination of both initiatives places Abengoa at the helm of world leadership in sustainability management


IV) Criminal Liability Risks


Following the enactment of Organic Law 5/2010 Abengoa is developing a system of risks management, internal control and regulatory compliance that will allow it to minimize the possible criminal risks, implementing measures aimed at showing that its personnel and executives are subject to control and due diligence. Said procedure will ensure the prevention and/or detection and investigation of crimes committed.


D.2 Indicate whether any of the different types of risk affecting the company and/or its group (operating, technological, financial, legal, image-related, tax, etc.) materialized during the financial year.



If so, indicate the circumstances that led to them and whether the established control system worked.


D.3 Indicate whether there is a committee or other governing body responsible for establishing and supervising these control devices.


If so, provide details of its functions.

Name of the committee or body


Audit Committee.


Description of functions


To inform the Board of any change in accountancy criteria and risks either on or off the balance sheet.

D.4 Identification and description of the processes for complying with the different regulations that affect the company and/or its group. 


1. See fourth annex at the end of this document.

2. Summary.

Since 2007, Abengoa has voluntarily submitted its Internal Control Systems to external evaluation, with the issuance of an audit opinion under PCAOB standards and a compliance audit under section 404 of the Sarbanes-Oxley Act (SOX).

This fact implies that Abengoa has been complying strictly with the reference indicators included in the National Stock Market Commission’s “Systems of Internal Control over Financial Reporting” document for four financial years.


I) Internal Audit service

The Audit Committee’s functions include the “supervision of the internal audit service” and “obtaining information on the financial reporting process and internal control systems and on the risks for the company”.

I. i) The Internal Audit service in Abengoa

The Internal Audit service originated as an independent global function, reporting to the Audit Committee of the Board of Directors, with the principal objective of supervising Abengoa’s internal control and significant risk management systems.


II) External Audit

The auditor of the individual and consolidated annual financial statements of Abengoa, S.A. is PricewaterhouseCoopers, which is also the Group’s main auditor.

The Audit Committee proposed the appointment of this firm to the Board of Directors, in order for the latter to subsequently submit it to the General Meeting of Shareholders, due to said firm’s extensive knowledge of the Group and its history, which were valued very favorably by both the Committee itself and Management.

Notwithstanding, a significant part of the Group, basically the Information Technologies Business Group (Telvent), is audited by Deloitte.

In addition, other firms collaborate in performing the audit, especially in small companies, both in Spain and abroad, although their scope is not significant in the Group overall.

The Audit Committee’s functions include ensuring the independence of the external auditor, proposing the appointment or renewal thereof to the Board of Directors and approving its fees.

Thus, in the year 2007, the company submitted the Corporate Social Responsibility Report to verification for the first time. In the year 2008, it was the Report on Greenhouse Gas Emissions and, in 2009 the Corporate Governance Report was verified externally.

Thus, in the year 2010, 6 reports were issued by the external auditors and form an integral part of the Annual Report:

  • Audit report on the Group’s consolidated financial statements, as required by current legislation.
  • Voluntary audit report on internal audit compliance under PCAOB (Public Company Accounting Oversight Board) standards, as required under section 404 of the Sarbanes-Oxley Act (SOX).
  • Voluntary reasonable assurance verification report on the Corporate Governance Report, being the first Spanish listed company to obtain a report of this kind.
  • Voluntary reasonable assurance verification report on the Corporate Social Responsibility Report.
  • Voluntary verification report on the inventory of greenhouse gas emissions.
  • Voluntary verification report on the design of the Risk Management System in accordance with the specifications of ISO 31000.


III) Internal Control

The Audit Committee’s main objectives concerning internal control over the preparation of the financial reporting are:

  • To determine the risks of a possible material error in the financial reporting caused by fraud or possible fraud risk factors.
  • Analysis of the procedures to assess the efficiency of internal control in relation to the financial reporting.
  • Capacity of the internal controls over the processes that affect Abengoa and its Business Groups.
  • To identify the material deficiencies and weaknesses in the internal control in relation to the financial reporting and the response capacity.
  • To supervise and coordinate any significant changes made over the internal controls related to the quarterly financial reporting.
  • Performance of the quarterly processes of closing the financial statements and differences identified in relation to the processes performed at the year end.
  • Putting in place plans and monitoring for the actions implemented to correct the differences identified in the audits.
  • Measures to identify and correct possible internal control weaknesses in relation to the financial reporting. 


Abengoa and its different Business Groups employ a mechanism for complaints to the Audit Committee, which was formally put in place in the year 2007 under the requirements of the Sarbanes-Oxley Act.

Abengoa has two complaint channels:

  • An internal channel, which is available to all employees, so that they can notify any alleged irregularity in accounting or audit or breaches of the Code of Conduct. The communication channel is by e-mail or ordinary mail.
  • An external cannel, available to anyone outside the company, so that they can notify any alleged irregularities, fraudulent actions or breaches of Abengoa’s Code of Conduct through the web page (www.abengoa.com).

IV) Risk Management


Abengoa is aware of the importance of managing its risks in order to carry out appropriate strategic planning and attain the defined business objectives. To do this, it applies a philosophy formed by a set of shared beliefs and attitudes, which define how risk is considered, starting with the development and implementation of the strategy and ending with the day-to-day activities.

The risk management philosophy is set out and applied through Abengoa’s Risk Management System, which is completed with the Universal Risk Model.


Abengoa defines risk as any potential event that may prevent the company from reaching its business objectives. Abengoa considers that a risk arises as a loss of opportunities and/or strengths or the materialization of a threat and/or strengthening of a weakness.

IV. i) The Universal Risk Model

Abengoa’s Universal Risk Model is made up of four categories, twenty subcategories and a total of 94 principal risks for the business. Each one of these risks has an associated series of indicators that allow its probability and impact to be measured and the degree of tolerance of the risk to be defined.

For each risk, at least one probability indicator and an impact indicator have been established. These may be quantitative and/or semi-quantitative indicators, while, at the same time, they allow tolerance levels to be fixed for subsequent evaluation and monitoring.