DIA has an enterprise risk management (ERM) model whose responsibility is shared by three bodies: the Board of Directors; the Audit and Compliance Committee, which supervises and reviews the effectiveness of the internal control procedures, the internal audit function and the risk management systems; and the Executive Committee, which is tasked with implementing the model and defining the related risk management strategy, culture, processes and technology.
DIA has also set up a Risk Management Committee at the corporate level. This committee is tasked with analysing the environment and any new projects that could alter the company's risk map. It also keeps the list of risk factors continually updated (adding new risks and removing those that have dissipated) and recommends specific courses of action. This committee reports regularly to the Executive Committee and the Audit and Compliance Committee.
The Risk Management Committee has also appointed a corporate risk officer whose duties include coordination and communication at committee meetings, as well as information gathering and reporting. This officer also serves as the contact person for the various risk management jurisdictions defined by DIA.
Risk approach and classification
DIA's risk management model is based on the COSO II standard, a widely accepted risk management methodology, tailored to DIA's requirements. Under this model, DIA defines a risk as any internal or external contingency that, were it to materialise, would impede or hamper delivery of the targets set by the organisation. Each risk is assessed both as an inherent risk (the risk to the entity in the absence of any mitigating action) and as a residual risk (the risk remaining after management's response to it), and is assigned to one of the following four categories:
- Strategic risks: these affect targets that are directly related to DIA’s strategy.
- Operational risks: related to targets dependent on the effective and efficient use of the organisation’s resources.
- Financial and reporting risks: these relate to the reliability of the (financial and non-financial) information disclosed internally and externally.
- Compliance risks: these affect targets that are related to regulatory compliance matters.
None of the risk factors identified in DIA’s risk map had a material impact on the group in 2012.
DIA has a compliance unit that is tasked with ensuring effective compliance with its obligations under the Internal Securities Market Code of Conduct. This independent body is made up of three members (the heads of the HR, finance and legal departments), who are assisted by an external advisor specialising in securities market matters. One of the unit's members, the head of legal affairs at DIA, is also the chief compliance officer and as such controls and registers securities market transactions, serves as the contact person for the CNMV, and ensures that the Compliance Unit works as intended.
For additional information on risk management, please see the corresponding section of the Corporate Governance Report.