CEPSA - 2021 INTEGRATED MANAGEMENT REPORT

CHAPTER 2 A future-proof company

RISK MANAGEMENT GOVERNANCE

The risk management system s governance model and organisational structure is designed around the three lines of defence model. The aim is to provide an integrated view of how the different parts of the organisation interact in an effective and coordinated way, increasing the efficiency of the company's risk management and control processes.

The Board of Directors is ultimately responsible for the proper functioning of the 'Integrated Risk Management System' (IRMS). It approves the 'Risk Policy' and relies on the Audit, Compliance, Ethics and Risk Committee to develop and oversee implementation.

The Management Committee promotes company-wide compliance with the established risk tolerance level and risk management in line with the 'Risk Policy'.

The Corporate Risk Unit is in charge of proposing, developing and implementing risk policies and establishing common methods and tools to ensure that the criteria and approach are consistent across all business units and corporate functions.

The business units and corporate functions identify, analyse, assess and manage risks, as well as implementing action plans coordinated by the Risk in the Business Units.

EMERGING RISKS

We monitor and analyse emerging risks as part of the risk analysis that accompanies our strategic planning. Some examples are the growing sophistication of cyber-attacks due to the continuous emergence of new types of ransomware, supply chain disruptions, talent management issues that may be caused by the post-pandemic era and the return to normality in work environments.

The main emerging risks we have identified over the last year, in line with the latest Emerging Risks reports published by Gartner, include:

· New types of ransomware. The proliferation and sophistication of increasingly efficient and specialised attacks and, in particular, data hijacking models affecting relevant information, can increase a company's vulnerability to such attacks and cause operational disruptions or information leaks. For this reason, we make sure that protection of our own and our suppliers information and operating systems is robust and permanently updated. We also have a programme in place to promote a risk prevention culture.

· Fragility of the supply chain, raising doubts as regards the current economic model of delocalisation and globalization. This operational risk, which could impact supply continuity, was aggravated in 2021 due to a number of geopolitical and social factors giving it a global scope and dimension7. Growing obstacles due to geopolitics, increasingly extreme weather events and permanent supplier closures make supply chain risk more uncertain going forward. The potential impact of this risk on the company would be a delay in the receipt or increase in the cost of components and/or raw materials. We mitigate the effects by means of continuous, multidisciplinary monitoring of our supply chain, identifying critical components and materials, and reviewing supply contract clauses and templates.

7 Congestion in ports due to the impact of COVID-19 but also due to the larger size of vessels, increased global demand, higher fuel prices and the high cost of some components, which increased the cost of transport and were passed on in cargo prices, as well as causing re-routing delays.