How we identify and manage risks

Our risk map is made up of five major categories.

As a petroleum and gas company we are active in many countries, each with different regulatory frameworks. As a consequence, we face a number of risks:

  • Financial and market risks deriving from the volatility of global oil and natural gas prices, exchange and interest rates. These also include those related to our liquidity and solvency, as well as those deriving from our contractual obligations and our commercial commitments with suppliers and customers.
  • Risks related to company strategy, how we manage our portfolio and how we make resource allocation decisions requiring Executive Committee or Board of Directors approval.
  • Risks in the business environment beyond the company's control, such as the macroeconomic context, trends in our sector, specific countries, natural catastrophes, the competition, partnerships, and our stakeholders' perceptions.
  • Regulatory and compliance risks, such as changes to laws, regulations and compliance mechanisms related to legal, fiscal, safety and environmental matters, as well as reporting and aspects of corporate governance.
  • Operational risks pertaining to our effectiveness and efficiency as a result of deficient internal processes. Of particular note are risks pertaining to ethics and conduct, safety and environment and the violation of human rights.

These five major categories make up the structure of our risk map and include the main risks for the company. Each risk is linked to the business unit responsible for managing it, our existing parameters and controls, and relevant legislation.

We review our risk map annually; this is coordinated by our Audit and Control Division. Each unit with risk management responsibility helps update the risk map in view of trends in our main indicators and conditions in our operating environment.

Crime prevention model

In 2011, in response to the Spanish Penal Code reform, the company implemented a crime prevention model in Spain that aims to prevent and uncover criminal conduct by the management and employees of the group's Spanish companies. This helps mitigate the company's criminal liability, preventing possible sanctions and negative consequences to the group's reputation and capital markets, and helps bring the group's Spanish companies into line with best anti-corruption practices. The design and functioning of this model have been verified by an independent external firm.

This initiative has helped to enhance mechanisms to identify, evaluate and mitigate risks of non-compliance with the principles established in Repsol's Ethics and Conducts Regulation.

Actions to minimize risks

The Audit and Control Division assesses the effectiveness of internal control systems and monitors compliance models and risks in the company:

  • Internal Control System on Financial Reporting (ICSFR) based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework method, structured around five components: i) the entity's control environment, ii) risk assessment, iii) control activities, iv) reporting and communication and v) system operation supervision. The ICSFR is deployed in cycles, each cycle comprising processes which are assigned a level of criticality and a series of control objectives in order to mitigate the associated risks for the financial reporting process. Based on this assignment, we identify the controls that cover the risks in each process.

    The different business units and corporate areas identified as "control managers" are responsible for ensuring control validity and execution, as well as the proper design of the associated processes.

    The design and functioning of all controls are assessed annually by the Audit and Control Division.

    The ICSFR comprises a total of 1,082 controls, which enable us to reasonably cover the risks impinging on the reliability of our company's financial reporting.

  • Spanish company crime prevention model: The Audit and Control Division, in coordination with the Legal Services and Corporate Governance areas, monitors internal self-assessment and control certification processes, as well as the verification of proper design and functioning by an independent external firm, as established in the annual plan of the Spanish company crime prevention model. The results of these model assessment processes are reported to the General Secretariat and Board of Directors and to the Audit and Control Committee.
  • Legislative Compliance Program: We have a program that monitors our conformance with our formal legal obligations (to governments, public administrations and/or public authorities) connected to our activities. This helps us limit our compliance-related risks. This program extends to 43 countries and is based on periodic self-assessment of compliance in a number of areas.
  • Risk map

Additionally, we plan our audit activities each year, focusing on risks, with an emphasis on those units, processes, or countries we believe are critical. To do this, we rely on a methodology we have developed for the identification and assessment of risks, beginning with our risk map. After identifying the projects, the scope of the review in each case is set according to the specific risk assessment for the units and processes to be reviewed.

Moreover, we continually monitor our progress on a set of indicators relevant for the company. This helps us minimize risks, as it considerably extends our coverage of the transactions audited and contributes to the early detection of incidents, thus reducing potential impact. As of December 31, 2011, 875 control points were being monitored each month related to indicators in use at 27 Repsol companies in 16 countries.

Our actions to minimize risks are described as follows:

[Figure: Actions to minimize risks]