Risks management in the Inditex Group is a process driven by the Board of Directors and the senior management, incumbent on each and every single member of the Organization, which aims at providing a reasonable safety in the achievement of the targets established by the Group, ensuring the shareholders, other stakeholders and the market in general, an appropriate level of guarantee which ensures protection of value built.

In this context, the Enterprise Risks Management Policy of the Group sets the overarching principles, key risk factors and the general action lines to manage and control the risks which affect the Group. This Policy is enforced on the whole Group and is at the basis of an Integral Risks Management System which is currently being implemented, gradually, starting at corporate level and in key business areas.

The Enterprise Risks Management Policy is developed and supplemented by specific policies with regard to certain areas or units of the Group. Among the policies developed and implemented by the above-mentioned areas regarding the management of the different risks, the following should be pointed out:

• Investment Policy
• Payment Management Policy
• Foreign Exchange Risk Management Policy
• Proxies Policy
• Code of Conduct and Responsible Practices
• Code of Conduct for Manufacturers and Suppliers
• Occupational Hazards Policy
• Environmental Risks Management Policy
• IT Safety Policy
• Health and Safety of the Product Policies (Safe to Wear and Clear to Wear)

The risk management process is described in detail in the Risks Management Manual in connection with this Policy. The whole process is based upon the identification and assessment of the factors which may have a negative impact on attainment of the business objectives, which translates into a risks map of the main risks which are classified in different groups together with an assessment thereof based upon their potential impact, their likelihood of occurrence and the level of preparedness of the Group to face up to them. The risks map is regularly reviewed to keep it updated, in order to include amendments related to the evolution of the Group itself and the environment where it operates. This risks management process also addresses a certain response vis-à-vis such factors, and the establishment of the control measures which are necessary for such response to be effective.

Within the Risks Management System, business units represent the first line of defense, and they report relevant information to the Risks Management Department, which coordinates the System as second line of defense.

Internal Audit acts as third line of defence, overseeing in an independent and objective manner the Risks Management System and reporting to the Board of Directors through the Audit and Control Committee.