
Risk Management Policy

Our aim is to provide greater certainty and confidence in the achievement of Company objectives to shareholders, customers, employees, and other stakeholders, through the anticipation, management, and control, as far as practicable, of the risks to which the Group is exposed, with an overall vision.


Our commitments

  • Implement, under the supervision of the Audit and Control Committee of the Board of Directors, an Integrated Risk Management System in line with international reference standards and guided by the following principles:
    • Leadership of Management, who will provide the necessary resources and ensure that the organization works in accordance with these principles.
    • Integration in management processes, especially those related to strategy and planning.
    • Differentiated responsibility for the units and bodies involved, based on the “three lines” model¹.
    • Comprehensive and harmonized management, so that all risks are managed through a common process for identification, evaluation, and treatment, as defined in the ISO 31000 standard, in order to keep them at levels tolerated by the Company.
    • Continuous improvement through periodic reviews of the management framework.
  • Maintain a risk profile in line with the business model of a global and integrated energy company, present throughout the value chain and operating in a diversified fashion. This commitment combines both quantitative and qualitative elements and is based on the following criteria and principles, inherent to its strategy, culture, and values:
    • In the case of risks that can impact people and the environment, as well as those linked to actions that are contrary to Repsol's policies, values, and principles (health, accident, safety, environmental, ethics and conduct, and compliance risks, including tax), Repsol maintains a high ambition of control in order to reduce their probability of occurrence and their impact, including reputational impact.
    • The rest of the strategic, operational, financial, and regulatory risks inherent to our activity will be actively managed and kept within the tolerance thresholds defined in the Group's regulations.
  • Define the applicable risk management strategy in each organizational area, which, depending on the type of risk and the exposure, may consist of accepting the risk, interrupting the activity that generates the exposure, mitigating the risk through the preventive or contingent measures applicable according to its nature, or transferring the exposure to third parties, in accordance with the internal regulations that the Company has developed for this purpose.
  • Reasonably ensure compliance with the objectives of each organizational area, including operational, financial, and non-financial objectives, communication of financial and non-financial information, and regulatory compliance, through information and internal control systems based on the principles of the COSO² reference framework.
  • Inform transparently about the risk control systems, the main risks faced by the Group or that could affect the achievement of its business targets, and the tolerance levels.
  • Retain high-probability, low-impact risks and transfer low-probability, high-impact risks to third parties through the adoption of a retention and transfer framework, materialized by means of insurance contracts or other coverage measures.

1 Three Lines Model of the IIA (Institute of Internal Auditors), 2020.

2 COSO Internal Control – Integrated Framework, 2013.