6. Response and supervision plans for the main risks faced by the entity
The Group relies on response plans seeking to reduce the impact and likelihood of materialization of the critical risks described in section 3 above, or to improve the level of preparedness versus risks.
The main response plans for each risk category are explained below:
6.1. Business environment
In order to reduce the risk exposure in this area, the Group carries out feasibility research for each new market, business line or store, considering pessimistic scenarios, and subsequently monitors whether the estimated figures are met or not. Moreover, the business model of the Group is not only based upon managing new openings, but also on improving the efficiency and effectiveness of the markets, business lines and stores already existing, so that the growth achieved via expansion and diversification is complemented by the organic growth of the current business.
In line with the foregoing, the expansion policy, the multi-brand format of the Group and the use of new technologies as a communication and sale option for our customers represent a way to diversify this risk, which downplays the global exposure to this business environment risk.
6.2. Regulatory risk
In order to reduce risk exposure in this area and ensure the appropriate enforcement of the prevailing local laws and regulations in force, the Legal, Tax, Industrial Property, Human Resources, Internal Audit and Corporate Social Responsibility departments, in addition to the General Counsel’s Office, liaise with the different supervisors and the legal external advisors of each country or geographical area.
Special mention should be made of criminal regulatory risks. For the purposes of reducing such risks, the Group relies on a Manual on Criminal Risks Prevention, overseen by the Committee of Ethics.
Additionally, the Group relies on an internal control system that seeks to mitigate tax and customs-related risks.
The Internal Audit department conducts regulatory compliance audits on a regular basis with teams of independent professionals specializing in certain regulations which apply to business.
6.3. Reputation
The Group has developed a Compliance Programme in respect of the Code of Conduct for Manufacturers and Suppliers through Social Audits and Pre-Assessment, based on the external and independent verification of the facilities which are necessary to manufacture the fashion items that it distributes, in order to minimize the potential risks of damaging the brand image, due to improper behaviour by third parties. Said programme sets out the review procedures which ensure gathering information and evidence on the minimum working conditions that all manufacturers, suppliers and external workshops must comply with. Additional information on this Programme and on other programmes is available in the Annual Report and at the corporate website. Likewise, the Corporate Social Responsibility Department carries out technical and production audits on a regular basis and the Environment Department conducts audits and exercises controls at the facilities where wet processes are carried out.
In such sizable and visible organisations as the Group, some conflicts might arise out of an inappropriate relationship with third parties alien to the proceedings of the Group (CNMV, media, investors, public authorities, etc.).
The Group sets out, through the Communication and Institutional Relations Office and the Corporate Social Responsibility Department, the procedures and protocols required to minimize this risk. Likewise, given their relevance, the General Counsel’s Office and the Capital Markets Department are charged with managing specifically the relationship with CNMV and the latter is also charged with investors’ relations.
Likewise, different departments, including the Communication and Institutional Relations Office, are responsible for tracking the image of the Group in the social networks.
To reduce the risks associated with the description of finished product, ensuring that they do not entail any hazard for the health and safety of customers, the Group carries out controls and verifications against its product health and safety standards (“Safe to Wear” and “Clear to Wear”), whose enforcement is mandatory throughout the production line for all finished products, footwear and accessories.
The Group relies on a Code of Conduct and Responsible Practices and a Code of Conduct for Manufacturers and Suppliers. The Committee of Ethics is responsible for the enforcement and construction of both Codes, and the Code Compliance Office holds training days on the Code of Conduct and Responsible Practices for certain employees.
6.4. Human Resources
To minimize these risks, the Human Resources Department carries out continuous recruitment and hiring processes of new personnel, including hunting processes for key personnel. It has also developed a regular training programme for its staff and has implemented specific systems:
- to combine quality in employees’ performance and the job satisfaction each of them may derive at the workplace;
- to facilitate the exchange of jobs among those employees wishing to broaden their experience in the different areas of the Organisation;
- to provide career opportunities to the most talented and diligent persons within the Organization.
On the other hand, the work system implemented within the Organization encourages the transfer of knowledge between the employees involved in the different areas, thus minimizing the risk of depending excessively on the knowledge of key personnel. Additionally, the use of career development, training and compensation policies seeks to retain key employees.
To ensure an appropriate work environment, the Human Resources department follows a series of action lines which are thoroughly reviewed in the Performance section of the Annual Report.
Meanwhile, a growing demand has arisen lately within the labour market, linked to the social responsibility of companies, which has become a key factor upon selecting a company for the job of choice. Thus, issues such as equal opportunities, remuneration systems other than salary or family and work balance are, inter alia, factors that the Company takes into account, with policies designed for such purposes.
In this respect, the Inditex Group has implemented Equal Opportunities Plans, with measures that seek to meet different goals, such as, inter alia: fostering the commitment and effective implementation of the equal opportunities principle between female and male employees, contributing to reduce inequality and imbalance, preventing labour discrimination, fostering the company’s commitment towards improving life quality, ensuring a healthy work environment and providing actions to promote family and work balance.
6.5. Operations
The Group reduces exposure to this risk through a production and procurement system that ensures a reasonably flexible answer to unexpected changes in our customers’ demand. Stores are permanently in touch with the team of designers, through the Product Management Department, and this allows perceiving the changes of taste of the customers. Meanwhile, the vertical integration of the transactions allows reducing manufacturing and delivery terms as well as the stock volumes, while at the same time the reaction capacity to introduce new products throughout the season is kept.
Given the relevance that an efficient logistics management has on the materialization of such risks, the Group conducts a review of all the factors which might have a negative impact on the target of achieving the maximum efficiency of the logistics management, to actively monitor such factors under the supervision of the Logistics Committee.
To mitigate the risk resulting from stoppage of operations, associated with the likelihood of occurrence of extraordinary events beyond the control of the Group, the size and use of all centres has been optimized, based upon the volume of each concept or the specific requirements of the geographical area which they service. Namely, part of the above mentioned logistics centres specialize in distribution of goods sold on-line. The different centres have been set in such a manner as to be able to assume storage and distribution capacity from other centres in the event of any contingency resulting from potential accidents or stoppage of distribution activities.
Additionally, the Group takes active measures to reduce risk exposure, by keeping high levels of prevention and protection in all its distribution centres, in addition to insurance policies covering both any potential property damage incurred by the facilities and stock, and any loss of profit which might arise out of any loss.
In order to ensure the growth of the Group and enhance the flexibility of its business model, the Logistics Expansion Plan assesses the need and considers, where appropriate:
- Investing in new distribution centres or extending the existing ones, so as to minimize the risk associated with the logistics planning and sizing.
- Investing towards improving and automating processes in the existing centres, for the purposes of increasing their capacity and efficiency and improving the internal control on goods stored in such centres. In this respect, mention should be made of the progressive application of RFID technology within the supply chain, which allows reaching a very high degree of control on goods.
- The search, approval and control of external logistics operators, in different strategic points, with full integration in the logistics capacity of the company.
With regard to the potential risk of goods detention in the course of carriage, the Group relies on a network of agents in different procurement and distribution points, as well as on alternative routes for carriage of goods.
The Group reduces the risks associated with the real estate management, regarding the search and selection of business premises and the profitability thereof, through the monitoring of all markets where it operates, the evaluation of the feasibility of premises prior to their opening, and the supervision of all new store openings by the Expansion Committee.
6.6. Financial
In order to reduce the foreign exchange risk, it must be managed in a proactive, sufficient and systematic manner. To achieve this, the Group has implemented the Financial Risk Management Policy with the main goals of reducing potential economic losses and volatility in the financial statements resulting from such risk. Exchange exposure materializes in terms of net investment, translation and transaction risks. Such Policy sets the guidelines to manage all such exposures and provides that exchange management is done at headquarters by the Financial Management department of the Group. The Policy sets forth the review and follow-up procedures regarding exchange exposure and the potential hedging strategies, the procedure to contract financial derivatives and the registration and documentation thereof. At present, the exchange risk insurance (forward contract) is the main hedging instrument. Additionally, other instruments, such as collars and swaps are used to a lesser extent.
The Payment Management Policy addresses the principles aimed at ensuring compliance with the Group’s obligations, safeguarding its interests and setting up the required procedures and processes to ensure an effective payment management. Such policy determines the best method, currency and terms to make payments, in economic, accounting and legal terms. Finally, the Payment Management Policy covers the potential payment exceptions and the procedure to authorize such exceptional payments. Meanwhile, the Proxies Policy determines the different proxies included in each Group entitled to approve financial transactions on behalf of the company, including payments, the level of authorization according to the Group to which they belong, the authorized amount of the transaction and the required pairing of proxies according to such criteria.
The Investment Policy of the Group, which seeks to ensure security, integrity and liquidity of financial assets of the company, provides the guidelines which need to be observed by counterparties and classifies them in panels in accordance with their rating, solvency and relevance profile for the Group. Likewise, such Policy sets maximum exposure limits in terms of counterparty and provides procedures to ensure control, follow-up and monitoring of credit risk.
Such Policy sets guidelines with regard to the role of sovereign risk in terms of counterparty credit risk, and the influence thereof on financial assets and/or investment vehicles.
6.7. Information for the decision making
In order to reduce exposure to this type of risks, the Group regularly reviews the management information disclosed to the different officers and invests, inter alia, in IT systems, business monitoring and budgeting systems.
The Ethical Hacking department, reporting to the IT Division, is responsible for ensuring that such information is available and/or amended, exclusively by the persons authorized to do so, setting the parameters for the systems to ensure the reliability, confidentiality, integrity and availability of key information.
With regard to the risks associated with financial reporting, the Group has set up an Internal Control System on Financial Reporting (SCIIF, [Spanish acronym]) aimed at achieving an ongoing follow-up and assessment of the main risks associated, which permits ensuring reasonably the reliability of the public financial information of the Group. Additional information on this issue is available in Chapter SCIIF, page 248.
In addition, the consolidated Financial Statements and those of all relevant companies are subject to review by the independent auditors, who are also in charge of carrying out certain audit works regarding the financial information. Likewise, as regards the most significant companies of the Group, independent auditors are requested to issue recommendations on internal control.
6.8. Technology and IT
Given the importance of the smooth running of technological systems to achieve the objectives of the Group, the IT Division exercises, through the Ethical Hacking area and with the support of the Committee for Information Security, a permanent control aimed at ensuring streamlining and consistency of such systems, in addition to the security and stability required for business continuity. The Group is aware that its systems will require ongoing improvement and investment to prevent obsolescence and keep the response capacity thereof at the levels required by the Organization.
As a benchmark, aimed at keeping the safety of the information and of the elements which process it, the Group is governed by the IT Safety Policy, which is accepted by all users with access to information. Such Policy is available at the corporate intranet.
For the specific purpose of keeping a continuous systems operation, the Group relies on technical and procedural contingency systems which would reduce the consequences of any breakdown or stoppage. Among such technical contingency systems, the main data centre, TIER IV certified, the storage of synchronous data in redundant locations exposed to different physical or geological risks, or the duplication of teams and lines may be found.
Additionally, the Ethical Hacking area within the IT Division relies on continuous review mechanisms, which are regularly assessed by different internal and external audits, to prevent, detect and respond to any potential cyber-attack. Such controls would allow advancing and/or reducing the consequences of risk materialization, together with insurance policies covering loss of profit, expenses stemming from cyber-attack and public liability of the company for damages incurred by third parties. The Company considers, based upon the available information, that these controls have been successful to date.
However, taking into account that every year a large number of hackers attempt to gain access to the information of corporations globally, the Group is aware that technological risks progress exponentially, in an unpredictable and sometimes highly elaborate manner. For such reason, although Information Security is one of the top priorities of the Group, the possibility of a non-detectable attack, including on its service providers, which might have an impact on the operations or the information managed by the Organization, cannot be ruled out.
6.9. Corporate Governance
In order to reduce these risks, compliance with the corporate governance system of the Company is required. Such system comprises the Articles of Association, the Board of Directors’ Regulations, the Regulations of the General Meeting of Shareholders, the Audit and Control Committee’s Regulations, the Nomination Committee’s Regulations and the Remuneration Committee’s Regulations, the corporate policies implemented for enterprise risk management, and the internal regulations of the Group (the Code of Conduct and Responsible Practices, the Code of Conduct for Manufacturers and Suppliers, and the Internal Regulations of Conduct regarding Transactions in Securities (hereinafter, IRC)).
The Code Compliance Supervisory Board and the Code Compliance Officer are charged with overseeing and enforcing the IRC.
With regard to the Code of Conduct and Responsible Practices and the Code of Conduct for Manufacturers and Suppliers, the Committee of Ethics is responsible for the enforcement and construction thereof. Such Committee may act ex officio or at the behest of any of Inditex’s employees, manufacturers or suppliers, or any third party involved in a direct relationship and with a lawful business or professional interest, by submitting a report in good faith.
With regard to corporate governance supervision, the Board of Directors and the Audit and Control Committee are the main governing bodies responsible for risks control.
1. The Board of Directors
The Board of Directors is the maximum authority responsible for identifying the main risks for the Group and for organising the appropriate internal control and information systems.
2. The Audit and Control Committee
Included in the duties of the Audit and Control Committee is that of assisting the Board of Directors in its duties to oversee and control the Group, by reviewing the internal control systems. The duties of the Audit and Control Committee are provided in the Articles of Association, the Board of Directors’ Regulations and the Audit and Control Committee’s Regulations.
The Audit and Control Committee’s Regulations provide that it is incumbent on the Audit and Control Committee, exclusively comprised of Non-executive Directors, inter alia: to oversee the effectiveness of the internal control of the Company, the internal audit and the risk management systems, including tax ones, and to review with the financial auditor the significant weaknesses of the internal control system revealed, as the case may be, in the conduct of the audit, and to supervise the process for preparing and releasing the regulated financial information.
Additionally, the Audit and Control Committee is responsible for overseeing the Internal Audit Department of the Group, approving its budget, the Internal Audit Plan and the annual report of activities of the Internal Audit department, ensuring that it relies on the appropriate material and human resources, whether internal or external, to discharge its duties, ensuring that its activity is mainly focused on the risks which are relevant for the Company and its Group, and gathering periodic information on the proceedings of Internal Audit.
The Internal Audit Department is directly linked to the Board of Directors, to which it reports functionally, through the Chair of the Audit and Control Committee, thus ensuring the full independence of its acts.
The mission of the Internal Audit function is defined in the Group’s Internal Audit Charter, and it consists of contributing to the good running of the Group, by assuring an independent and effective supervision of the internal control system, and providing recommendations to the Group that help reduce to reasonable levels the potential impact of the risks that hamper the achievement of the objectives of the Organization.
Likewise, according to such Charter, the goals of the Internal Audit function are to promote the existence of appropriate internal control and risk management systems; the standard and efficient application of internal control system policies and procedures which make up such internal control system; and to serve as communication channel between the Organization and the Audit and Control Committee, in relation to those matters under the remit of the Internal Audit function.