Enagás risk management model

 

The Enagás Group has a risk control and management model designed to ensure that the company's objectives are achieved in a predictable manner and with a medium-moderate profile for all of its risks. This model allows the company to adapt to the complexity of a globalised competitive environment and a complex economic context.

In its Risk Control and Management Policy, Enagás sets out its commitments to ensuring a clear governance structure, a proactive and comprehensive approach to risk management and control, and effective information management that enables risks to be identified, assessed, managed and communicated at the appropriate levels.

This model is based on five aspects:

Enagás has defined standard risk typologies depending on the nature of the risks. 

Taxonomy

The Management Model is based on the three lines of defence model. On the one hand, the business units own the risks, which they assume in the ordinary course of their activities and are therefore responsible for identifying and measuring them. In addition, there is a risk control and management department that is responsible for:

  • Ensuring the proper functioning of the risk management and control system.
  • Actively participating in the design of the risk strategy and in the definitions of risk management impacts.
  • Ensuring that control and management systems adequately mitigate risks.

Finally, the internal audit function is responsible for monitoring the efficiency of controls in relation to identified risks.
1st line of defence - Business units | 2nd line of defence - Risk area | 3rd line of defence - Internal audit
Governance: Define the regulatory and governance framework.
Risk profile: Identify the risks they assume in their ordinary activity. | Define a taxonomy of risks and advise the business units on identifying risks.
Assess and measure risks following the established measurement methodologies, assuming and managing them. | Establish the risk measurement methodologies and the risk consolidation and reporting system.
Validate the measurements made by the business units.
Define risk control and management measures. | Ensure that management controls and measures are aligned with the company's strategy. | Verify and monitor the risk function and established control activities.
Define actions to correct failure to comply with risk limits. | Provide a global and homogeneous vision of risks, reporting to Senior Management and Governing Bodies.
Risk appetite: Inform the Governing Bodies of the risk appetite and its associated limit structure.
Validate measures and strategies for correcting any non-compliance.
Coordination with second lines: Ongoing coordination with Insurance, Cybersecurity and Health and Safety areas.

The Risk Appetite Framework, which is approved annually by the Audit and Compliance Committee, is the cornerstone of the Risk Management Model. It sets out acceptable risk levels for the main corporate risks, aligned and consistent with the Company's Budget and the Strategic Update.

The risk appetite is deployed through a scorecard of risk indicators (KRIs) with their associated limits for the company's main processes and risks, which delimit the level of risk that the Group wishes to assume in its quest for profitability and value. The existence of this framework makes it possible to:

  • Support decision-making consistent with the risk appetite validated by the Board of Directors.
  • Strengthen risk culture.
  • Adopt additional mitigation measures in the event that these thresholds are exceeded.

Enagás has a solid risk culture that is reflected in its risk control and management model, which is geared towards ensuring that the company's objectives and the Strategic Plan are achieved in a predictable manner.

The company has established a clear governance structure and a proactive and comprehensive approach to risk management and control, ensuring effective information management that enables risks to be identified, assessed, managed and communicated at appropriate levels. 

 

Governing bodies

Board of Directors

Is responsible for approving the Risk Control and Management Policy and sets the acceptable level of risk, and is ultimately responsible for the existence and operation of the Risk Management and Control Model. Its responsibility for oversight of the Risk Model is delegated to the Audit and Compliance Committee.

Audit and Compliance Committee

Mainly oversees the effectiveness of the Risk Management and Control systems and assesses the company's risks (through identification, measurement, as well as the establishment of management measures). It also ensures the independence of the function and that it has the human and material resources necessary for the optimal performance of its functions.

Executive Committee

It assumes the functions of the Risk Committee, establishing the global risk strategy and the company's global risk limits, and reviewing the level of risk exposure and the corrective actions in the event of non-compliance.

 

In order to continue reinforcing this organisational culture, Enagás carries out internal communication actions, as well as training actions for the Board of Directors and Enagás employees, in relation to the Risk Management Model, the methodology, and the integral security risk in information and communications systems (cybersecurity), which enables it to update knowledge in this sphere and continue to strengthen the risk culture at all levels of the organisation.

The Model complies with international best practice standards for risk management and control. It is also fully aligned with the Spanish Companies Act and the recommendations of the Good Governance Code of Listed Companies, as well as the CNMV's Technical Guide 3/2017 on Audit Committees of Public Interest Entities.

The transparency of the information provided by Enagás to third parties guarantees the company's commitment to reliability and rigour.

During 2024, the Risk Management and Control Model was reviewed by an independent third-party expert, who concluded in his report that there is a high level of maturity and deployment within the organisation. In 2025, Enagás also obtained ISO 31000 certification for the Risk Control and Management Model, and its certification report also highlights the soundness of the model, methodology and risk culture in the organisation, the strategic positioning of the function, as well as the exhaustiveness of the continuous monitoring of relevant risks.

Continuous risk monitoring

Corporate risks are continuously monitored through different channels and a wide variety of reports. A quarterly monitoring report is submitted to the Executive Committee, the Audit and Compliance Committee and the company’s Board of Directors.

Below are the four phases of the risk management process:

 

Risk Phases

 

The impact or exposure of risks is assessed in different dimensions, including ESG (environmental, social and governance) aspects, so that risk levels are determined from the perspective of relative importance, impact on the company's value and impact on the environment.

Economic

Assessment according to impact on company results.

Health and Safety

Assessment according to the severity of incidents.

Reputational

Assessment according to the impact on stakeholder expectations.

Supply security

Assessment according to the degree of action to the Spanish Gas System and the time of unavailability of infrastructures.

Environment

Assessment according to the type of environmental impact (biodiversity or emissions), according to the level of environmental damage and impact on protected areas, the energy efficiency indicator, and/or the volume of methane emissions.

Enagás measures risk by defining different prospective scenarios that could eventually have a negative impact on the Company's interests, which are defined with each of the owners of the divisions based on the projections in the Budget and the Strategic Plan.

The risk level is determined on the basis of the impact/exposure and likelihood of materialisation of risk events, and is classified into four levels: Acceptable, Assumable, Relevant or Critical. The existing model is complemented by specific risk analyses, which facilitate decision-making based on risk-profitability criteria in the Enagás Group's strategic initiatives, new products (CO2, ammonia, etc.), services, businesses, etc.

The risk management and control department carries out this analysis independently, across the entire spectrum (covering all types of risks) and uniformly (following the same methodologies as in the global risk measurement). It is based on the definition of specific risk levels for this type of operation, which in turn are aligned with the methodology used for the rest of the risks. This enables the risks identified to be monitored throughout their life cycle (from the study of the opportunity to the management of the activity once it is integrated into the Company's processes).

 

Main corporate risks map

These are the main risk categories considered by Enagás.

Strategic uncertainties, economic cycles, changes in the regulatory framework, evolution of demand, changes in market dynamics, etc.

These are generally of a "one-off" nature (an external or internal factor that generates a potential negative impact for the company). The risk measurement exercise consists of determining possible scenarios of prospective risks, which could eventually have a negative impact on the Company's interests.

For further information, please refer to the ‘Risk Management’ section of Enagás’ Annual Report.

Occurring during the execution of activities due to failures in processes, physical equipment, IT systems, human resources or external factors.

Stochastic methodologies are used to measure these risks, simulating scenarios based on historical data, frequency and exposure.

For further information, please refer to the ‘Risk Management’ section of Enagás’ Annual Report.

Financial risks are caused by fluctuations in interest and exchange rates and market conditions affecting liquidity and financing.

Tax risks arise from changes in regulatory frameworks and/or possible differences in the interpretation of existing legislation.

Credit risk covers potential defaults on payment obligations by third parties in relation to services rendered and outstanding receivables.

Finally, counterparty risk covers any non-performance of obligations under medium- and long-term contracts.

The methodology for measuring counterparty risk consists mainly in monitoring the credit quality of the company's most important counterparties.

For further information, please refer to the ‘Risk Management’ section of Enagás’ Annual Report.

This category covers any non-compliance with legislation, internal regulations, as well as compliance with internal procedures.

Within the category of criminal liability risks, we also consider any impact on the company arising from criminal offences committed by its directors or employees.

Enagás carries out an analysis based on qualitative criteria to determine the breaches or offences that may be committed in the various divisions and departments of the company according to the activity they carry out, in order to determine the areas' exposure to the different criminal risks.

For further information, please refer to the ‘Risk Management’ section of Enagás’ Annual Report.

Enagás considers reputational risk to be any unfavourable perception and opinion of stakeholders that may have an impact on the company.

Enagás performs a "qualitative" measurement based on an estimate of the exposure and probability of dissemination of the risk event. For the qualitative estimation of exposure, there is a predefined scale that discriminates according to the scope of the media coverage of the events and their potential effect on the perception of the affected stakeholders and the period during which the events are disseminated.

For further information, please refer to the ‘Risk Management’ section of Enagás’ Annual Report.

The control and management of sustainability risks are integrated across the organisation in the company's Risk Control and Management Model.

Enagás considers sustainability risks to be a cross-cutting risk, which does not involve a specific risk category, it being understood that some of the risks included in our inventory have a cross-organisational component in one of the three areas of sustainability: environmental, social and governance (ESG).

In relation to these three areas, Enagás has adapted this methodology to the CSRD Directive, identifying, through the double materiality calculation exercise and the IRO matrix, the new ESG issues to ensure the company's sustainability through the management of these aspects:

ESG Topic
Environmental | Social | Governance
Climate action and energy efficiency | People | Good Corporate Governance
Pollution | Human rights | Ethics and integrity
Water and marine resources management | Sustainable value chain | Operational excellence
Biodiversity | Local communities |
Circular Economy | Customers |

At Enagás, the processes for identifying and assessing climate risks are integrated into the corporate risk control and management model, aimed at ensuring that the company's objectives are achieved in a predictable manner and with an average profile for all its risks.

This model makes it possible to identify and quantify the financial impact of climate change risks, which are risks framed within the company's risk taxonomy (essentially, physical risks are "operational and technological" risks and transition risks are "strategic and business" risks). The quantification of these risks enables their integration into corporate strategy and the setting of objectives in order to minimise risks and maximise opportunities.

Enagás follows the recommendations of the Task Force on Climate-Related Financial Disclosures (TCFD) in its management of climate risks and has a methodology for their identification, prioritisation and economic quantification that it began to apply in 2016. Physical risks (extreme weather events, sea level rise) and transitional risks (regulatory, technological, market and reputational) are identified and assessed according to the classification provided by the TCFD standard.

During 2025, Enagás has reinforced its methodology for measuring physical risk in gas pipelines and taxonomic projects, considering, for each of the threats included in the CSRD, the probability of occurrence and economic impacts in the following dimensions: material damage, gas leaks, health and safety, interruption of service and environmental damage, under the TCFD temperature scenarios RCP 4.5 and RCP 8.5 and different time horizons, up to 2100.

For further information, please refer to the ‘Climate Change’ section of Enagás’ Annual Report.

Within the Corporate Risk Management Model, Enagás pays special attention to identifying changes in the reference context in order to capture events or macro-trends from outside the organisation that could have a significant impact on the business or the sector in the long term, identifying the most significant threats in order to anticipate them and establish mitigation measures.

Emerging risks are different in that they are unpredictable and uncertain risks, which have not been dealt with in the past, and for which there is a lack of knowledge and preparedness to quantify their potential impact through long-term prospective scenarios. Proactive management of these risks is essential to avoid potential negative effects and deviations from established objectives, which, if they occur, could be mitigated through the establishment of prevention and control strategies and measures.

Emerging risks are identified by the business divisions (first line of defence) during measurement exercises.

We highlight a context of great uncertainty, accentuated by the speed of change, in which the unpredictable may materialise; this is compounded by the complex geopolitical environment, itself aggravated by the escalation of military conflicts. The Transformation Plan of the models and adoption of new technologies such as Artificial Intelligence also entail the emergence of new risks.

In addition to those risks that are already included in the company's risk breakdown because they are already present in the company's day-to-day business (such as risks arising from the macroeconomic and geopolitical context, the transformation plan and the adoption of new technologies, climate change, exposure to cyber-attacks or artificial intelligence), other risks have been identified that could become significant in the future and are detailed in the ‘Emerging Risks’ section of the Annual Report.