6. Response and supervision plans for the main risks faced by the Company
The Group relies on response plans seeking to reduce the impact and materialization likelihood of critical risks described under section E.3 above, or to improve the level of risk preparedness.
The main response plans for each risks category are explained below:
6.1. Business environment
In order to reduce the risk exposure in this area, the Group carries out a feasibility research for each new market, business line or store, considering pessimistic scenarios, and subsequently monitors whether the expected figures are met or not. Moreover, the business model of the Group is not only based upon the management of new openings, but also on improvements in the efficiency and effectiveness of the markets, business lines and stores already existing, so that the growth achieved via expansion and diversification, be complemented by the organic growth of the current business.
In line with the foregoing, the expansion policy, the multi-brand format of the Group and the use of new technologies as an option for communicating and selling to our customers, represent a way to diversify this risk, which downplays the global exposure to this risk of business environment.
6.2. Regulatory risk
In order to reduce risk exposure in this area and secure the appropriate enforcement of the prevailing local legislation in force, the corporate Legal, Tax, Industrial Property, Human Resources, Internal Audit and Corporate Social Responsibility Departments, in addition to the General Counsel’s Office liaise with the different supervisors and the legal external advisors of each country or geographic area.
Special mention should be made of criminal regulatory risks. For the purposes of reducing such risks, the Group relies on a Manual on Criminal Risks Prevention, overseen by the Committee of Ethics.
The Internal Audit Department conducts regulatory compliance audits on a regular basis with teams of independent professionals specializing in certain regulations which apply to business.
6.3. Reputation
The Group has developed a Compliance Programme in respect of the Code of Conduct for Manufacturers and Suppliers through Social Audits and Pre-Assessment, based on the external and independent verification of the facilities which are necessary to manufacture the fashion items that it distributes, in order to minimize the potential risks of harming the image due to improper behaviour by third parties. Said programme specifies the review procedures which secure the gathering of information and evidences on the minimum working conditions that all manufacturers, suppliers and external workshops must comply with. Additional information on this Programme and on other programmes is available in the Annual Report and at the corporate web page. Likewise, the Corporate Social Responsibility Department carries out technical and production audits on a regular basis and the Environment Department conducts audits and exercises controls regarding the facilities where wet processes are carried out.
In such sizable and visible organisations as the Group, some conflicts might arise out of an inappropriate relationship with third parties alien to the proceedings of the Group (CNVM, communication media, investors, public authorities, etc.,).
The Group, through its Communication and Institutional Relations Office and Corporate Social Responsibility Department, sets out the procedures and protocols required to minimize this risk. Likewise, given their relevance, the General Counsel’s Office and the Capital Markets Department are charged with managing specifically the relationship with CNMV and the latter is also charged with investors’ relations.
Likewise, the Communication and Institutional Relations Office is responsible for tracking the image of the Group in the social networks.
To reduce the risks associated with the features of finished product, ensuring that they do not entail any hazard for the health and safety of customers, the Group carries out controls and verifications of the health and safety of the products standards (“Safe to Wear” and “Clear to Wear”), whose enforcement is mandatory throughout the production line for all finished products, footwear and accessories.
The Group also relies on a Code of Conduct and Responsible Practices and a Code of Conduct for Manufacturers and Suppliers. The Committee of Ethics is responsible for the enforcement and construction thereof.
6.4. Human Resources
To minimize these risks, the Human Resources Department carries out continuous recruitment and hiring processes of new personnel, including hunting processes for key personnel. It has also developed a regular training programme for its staff and has implemented specific systems:
- to combine quality in employees’ performance and the job satisfaction each of them may derive at the workplace;
- to facilitate the exchange of jobs among those employees wishing to broaden their experience in the different areas of the Organisation
- to provide career opportunities to the most talented and diligent persons within the Organization.
On the other hand, the work system implemented within the Organization favours the transfer of knowledge between the relevant employees in the different areas, thus minimizing the risk linked to depending excessively on the knowledge of key personnel. Additionally, the use of career development, training and compensation policies seek to retain key employees.
To ensure the appropriate working climate, the Human Resources Department is governed by a series of action lines which are thoroughly reviewed in the Performance section of the Annual Report.
Meanwhile, a growing demand has arisen lately within the labour market, linked to the social responsibility of companies, which has become a key factor upon selecting a company for the job of choice. Therefore, such issues as equal opportunities, remuneration systems other than salary or labour and work-family balance are inter alia, factors that the company takes into account, with policies designed for such purposes.
With this respect, the INDITEX Group has implemented Equal Opportunities Plans, with measures that seek to meet different goals, such as, inter alia: fostering the commitment and effective implementation of the equal opportunities principle between female and male employees, contributing to reduce inequality and imbalance, preventing labour discrimination, fostering the company’s commitment towards improving life quality, ensuring a healthy work environment and providing actions to promote family and work balance.
6.5. Operations
The Group reduces exposure to this risk through a manufacturing and procurement system that ensures a reasonably flexible answer to unexpected changes in our customers demand. Stores are permanently in touch with the team of designers, through the Product Management Department, and this allows perceiving the changes of taste of the customers. Meanwhile, the vertical integration of the transactions allows reducing manufacturing and delivery terms as well as the stock volumes, while at the same time, the reaction capacity to introduce new products throughout the season, is kept.
Given the relevance that an efficient logistics management has on the appearance of such risks, the Group conducts a review of all the factors which may have a negative impact on the target of achieving the maximum efficiency of the logistics management, to actively monitor such factors under the supervision of the Logistics Committee.
To mitigate the risk resulting from stoppage of operations, associated with the likelihood of occurrence of extraordinary events beyond the control of the Group, mainly in connection with logistics centres and external operators charged with trucking of goods, the size and use of all centres has been optimized, based upon the volume of each format or the specific requirements of the geographic area which they service. Namely, part of the above-mentioned logistics centre specializes in distribution of goods sold on-line. The different centres have been set in such a manner as to be able to assume storage and distribution capacity from other centres in the event of any contingency resulting from potential accidents or stoppage of distribution activities.
Additionally, the Group takes active measures to reduce risk exposure, by keeping high levels of safety and protection in all its distribution centres, together with insurance policies covering both the potential property damage incurred by the facilities and stock, as well as any loss of profit which might arise out of any loss.
In order to ensure the growth of the Group and enhance the flexibility of its business model, the Logistics Expansion Plan assesses the need and envisages, where appropriate:
- investing in new distribution centres or in the extension of the existing ones, so as to minimize the risk associated with the logistics planning and sizing.
- investments made to improve and automate processes in the existing centres, for the purposes of increasing their capacity and efficiency and to improve the internal control on goods stored in such centres. In this respect, mention should be made of the progressive application of RFID technology within the supply chain, which allows reaching a very high degree of control on goods.
- The search, approval and control of external logistics operators, in different strategic points, with full integration in the logistics capacity of the company.
With regard to the potential risk or retaining goods in the course of carriage, the Group relies on a network of agents in different procurement and distribution points, as well as on alternative routes for carriage of goods.
The Group reduces the risks associated with the real estate management, regarding the search and selection of business premises and the profitability thereof, through the monitoring of local markets where it operates and through the evaluation and supervision of new openings by the Expansion Committee.
6.6. Financial
In order to reduce the foreign exchange risk, it must be managed in a proactive, sufficient and systematic manner. To achieve this, the Group has implemented the Foreign Exchange Risk Management Policy with the main goals of reducing potential economic losses and volatility in the financial statements resulting from such risk. Exchange exposure materializes in terms of net investment, translation and transaction risks. The above-referred Policy sets the guidelines to manage all such exposures and provides that exchange management is done centrally by the Financial Management Department of the Group. The Policy sets forth the review and follow-up procedures regarding exchange exposure and the potential hedging strategies, the procedure to contract financial derivatives and the registration and documentation thereof. At present, the exchange risk insurance (forward contract) is the main hedging instrument.
Payment Management Policy addresses the principles leading to ensure compliance with Group’s obligations, safeguarding its interests and setting up the required procedures and processes to ensure an effective payment management. Such policy determines the best method, currency and terms to make payments, in economic, accounting and legal terms. Finally, the Payment Policy covers the potential payment exceptions and the procedure to authorize such exceptional payments. Meanwhile, the Proxies Policy determines the different proxies included in each Group authorized to approve financial transactions on behalf of the company, including payments, the level of authorization according to the Group to which they belong, the authorized amount of the transaction and the required pairing of proxies according to such criteria.
The Investment Policy of the Group, which aims at ensuring security, integrity and liquidity of financial assets of the company, provides the guidelines which need to be observed by counterparties and classifies them in panels in accordance with their rating and solvency profile and their relevance for the Group. Likewise, such Policy sets maximum exposure limits in terms of counterparty and provides procedures to ensure control, follow-up and monitoring of credit risk.
Such Policy sets guidelines with regard to the role of sovereign risk in terms of counterparty credit risk, and the influence thereof on financial assets and/or investment vehicles.
6.7. Information for the decision making
In order to reduce exposure to this kind of risk, the Group regularly reviews the management information disclosed to the different officers. The Group invests in IT, monitoring and budgeting systems, among others.
The Ethical Hacking Department, reporting to the IT Division, is responsible for ensuring that such information is available and/or amended, exclusively by the persons authorized to do so, setting the parameters for the systems to ensure the reliability, confidentiality, integrity and availability of key information.
With regard to the risks associated with financial reporting, the Group has set up an Internal Control System on Financial Reporting (SCIIF, Spanish acronym) aimed at achieving an ongoing follow-up and assessment of the main risks associated, which permits ensuring reasonably the reliability of the public financial information of the Group. Additional information on this issue is available in Section F of this report.
In addition, the consolidated Financial Statements and those of each and every relevant company are subject to review by the independent auditors who are also in charge of carrying out certain audit works regarding the financial information. Likewise, as regards the most significant companies of the Group, independent auditors are requested to issue recommendations on internal control.
6.8. Technology and IT
Given the importance of the smooth running of technological systems to attain the goals of the Group, the IT Division exercises, through the Ethical Hacking area and with the support of the Committee for Information Security, a permanent control aimed at ensuring streamlining and consistency of such systems, in addition to the security and stability required for business continuity. The Group is aware that its systems will require ongoing improvement and investment to prevent obsolescence and keep the response capacity thereof at the levels required by the Organization.
As a benchmark, aimed at keeping the safety of the information and of the elements which process it, the Group is governed by the IT Safety Policy, which is accepted by all users with access to information. Such Policy is available at the corporate intranet.
For the specific purpose of keeping a continuous systems operation, the Group relies on technical and procedural contingency systems which would reduce the consequences of any breakdown or stoppage. Among such technical contingency systems, the main data centre, TIER IV certified, the storage of synchronous data in redundant locations exposed to different physical or geological risks, or the duplicity of teams and lines may be found.
Additionally, the Ethical Hacking area within the IT Division relies on continuous review mechanisms, which are regularly assessed by different internal and external audits, to prevent, detect and respond to any potential cyber-attack. Such controls would allow advancing and/or reducing the consequences of risk materialization, together with insurance policies covering loss of profit, expenses stemming from cyber-attack and public liability of the company for damages incurred by third parties. The company considers, based upon the available information, that these controls have been successful to date.
However, taking into account that each year there is a large number of hackers attempting to gain access to the information of corporations globally, the Group is aware that technological risks progress exponentially, in an unpredictable and sometimes highly elaborate manner (advanced hacking, cyber terrorism, cyber war, etc.,). For such reason, although Security Information is one of the top priorities of the Group, the possibility of a non detectable attack, including to its services providers, which might have an impact on the operations of the information managed by the Organization, cannot be ruled out.
6.9. Corporate Governance
In order to reduce these risks, compliance with the corporate governance system of the company is required. Such system comprises the Articles of Association, the Board of Directors’ Regulations, the Regulations of the General Meeting of Shareholders, the corporate policies implemented for enterprise risk management, and the internal regulations of the Group (the Code of Conduct and Responsible Practices, the Code of Conduct for Manufacturers and Suppliers, and the Internal Regulations of Conduct regarding Transactions in Securities– hereinafter, IRC).
The Code Compliance Supervisory Board and the Code Compliance Officer are charged with overseeing and enforcing the IRC.
With regard to the Code of Conduct and Responsible Practices and the Code of Conduct for Manufacturers and Suppliers, the Committee of Ethics is responsible for the enforcement and construction thereof. Such Committee may act ex officio or at the behest of any of Inditex’s employees, manufacturers or suppliers, or any third party involved in a direct relationship and with a lawful business or professional interest, by submitting a report in good faith.
With regard to corporate governance supervision, the Board of Directors and the Audit and Control Committee are the main governing bodies responsible for risks control.
1.- The Board of Directors
The Board of Directors is responsible for identifying the main risks for the Group and for organising the appropriate internal control and information systems.
2.- The Audit and Control Committee
The Audit and Control Committee assists the Board of Directors in its supervision and control duties by reviewing the internal control systems. The duties of the Audit and Control Committee are provided in the Articles of Association and the Board of Directors’ Regulations.
The Board of Directors’ Regulations provide that it is incumbent on the Audit and Control Committee, exclusively comprised of non-executive directors of the Group, to supervise the process for preparing and presenting the regulated financial information and the effectiveness of the internal control systems of the Group, (namely, of the internal control system on financial information) and to check the appropriate type and integrity of said systems. Additionally, the Audit and Control Committee is charged with overseeing the Internal Audit Department of the Group, approving the budget of the Department and the Internal Audit Plan, the annual report of activities of the Internal Audit Department and supervising the material and human resources thereof, whether internal or external, to discharge its duties.
The Internal Audit Department is directly linked to the Board of Directors, to which it reports, through the Audit and Control Committee, thus ensuring the full independence of its acts.
In accordance with the Internal Audit Charter of the Group, the mission of the Internal Audit function is that of contributing to the good running of the Group, by assuring an independent supervision of the internal control system, and by providing recommendations to the Group that help reduce to reasonable levels the potential impact of the risks that hinder the accomplishment of the objectives of the Organization.
Likewise, according to the Charter, the goals of the Internal Audit function are to promote the existence of appropriate internal control and risk management systems, the homogeneous and efficient application of internal control system policies and procedures which make up such internal control system and to serve as communication channel between the Organization and the Audit and Control Committee, in relation to those matters under the remit of the Internal Audit function.