2021 INTEGRATED MANAGEMENT REPORT
RISK MANAGEMENT APPROACH
Our 'Integrated Risk Management System' (IRMS) is in line with COSO-ERM and ISO 31000. It defines the general framework, as well as the principles and procedures to be followed, to efficiently manage risks of any nature.
During 2021, we undertook a methodological review of our risk management approach to progress further towards a better, more consistent quantification of the impact of risks, including climate change risks, in line with industry best practices.
Our strategic planning process is underpinned by an analysis of the main risks to which the company is exposed, including potential new emerging risks. We estimate the probability, impact and speed of occurrence of risks. This is achieved by reviewing external sources and cross-checking the information with our business and corporate units to assess impacts.
The main phases of our integrated risk management process are as follows:
· Establishing the external and internal contexts, and evaluation approach.
· Identifying risks and redefining the risk universe in 2021 so as to place particular emphasis on those that may have an impact on sustainability, including climate change risks.
· Analysing and assessing risks, including causes, sources and consequences.
· Treating the risk based on relevance and on responses to minimise probability of occurrence or potential impact.
· Regularly monitoring and reviewing risks.
The spectrum of risks to which the company is exposed can be classified into four broad categories, which include properly identified ESG risks:
· Strategic risks related to general contextual factors, positioning and strategic planning, including risks in connection with politics, the economy, technology, etc.
· Financial risks arising from the variability of basic raw material prices and other financial variables, from hedging and trading, and from economic, financial and tax management.
· Operational risks associated with value chain management, the effectiveness and efficiency of operations, management of resources and people, safety of people and facilities, the environment and asset integrity.
· Compliance risks related to governance and compliance with legal requirements and commitments made, as well as the management of legal affairs.
APPENDIX 2. The company's main risks
2.9.3 Risk management