2. Corporate bodies responsible for drawing up and enforcing the Risks Management System

The main responsibilities of the governing bodies and areas involved in Enterprise Risks Management at the Inditex Group are described below:

Board of Directors

  • Approval of the Enterprise Risks Management Policy, on the proposal of the Management, wherein strategy in the area of risks management and disclosure thereof to the organization is defined. Based upon such policy, the ERM System is implemented, as well as the mechanisms for the regular follow-up of internal information and control systems.

Audit and Control Committee

  • Overseeing the control and risks management function.
  • Periodically reviewing the Enterprise Risk Management Policy, including
  • Ensuring that the Enterprise Risk Management Policy includes at least:
    1. The different types of risk (including, without limitation, operational, technological, financial, legal, reputational and tax-related) that the Company is faced with, including, among financial or economic risks, contingent liabilities and other off-balance sheet risks;
    2. The determination of the level of risk that the Company deems acceptable;
    3. The measures planned to reduce the impact of the identified risks, should they materialize; and,
    4. The information and internal control systems that will be used to monitor and manage the aforementioned risks, including contingent liabilities and other off-balance sheet risks;
  • Reviewing the information about the risks that the Group is faced with, and about the risk control systems, that must be included in the Annual Corporate Governance Report, the management report attached to the annual accounts and the interim financial statements and in any other information instruments of the Company; and
  • Evaluating any question regarding non-financial risks (including without limitation operational, technological, legal, social, environmental, political and reputational) that the control policy and the risks management systems must contain.

Financial Division (ERM Department)

  • Ensuring the good running of the Risk Management System and, namely, that all relevant risks which affect the company are duly identified, managed and quantified.
  • Taking an active role in the preparation of the risk strategy and in the important decisions on their management.
  • Ensuring that the ERM System appropriately mitigates risks.
  • Overseeing and coordinating the work of Risks Managers at each Business Unit or Area, both at corporate and concept level, providing valid tools for risks assessment and management.
  • Maintaining and updating knowledge, techniques, methodologies and tools allowing observance of the principles underlying the ERM system at maximum quality levels.
  • Regularly reviewing the risks management policies and manuals and proposing the amendment and update thereof to the Board of Directors, where applicable.
  • Coordinating and processing the information received by Risks Managers at each Business Unit or Area, reporting to the Senior Managers and the Board of Directors through the Audit and Control Committee.
  • Promoting appropriate and effective communication channels between the ERM Division and the remaining Divisions and areas involved.

Risks Managers

  • Monitoring the risks under their remit, in accordance with the methodology and tools defined by the ERM Department.
  • Identification of events which may entail potential risks and opportunities within the assigned scope of responsibility, reporting the necessary information to the ERM Department.
  • Follow-up and notice of the risks management evolution, as well as the defined action plans.

Internal Audit

  • Contributing to the improvement of risks management, control and governance processes, assuring to the Audit and Control Committee an effective and independent supervision of the internal control system and issuing recommendations for the Group which help reduce to reasonable levels the potential impact of risks which hamper the achievement of the objectives of the Organization.
  • The Internal Audit function must always remain independent of the ERM System, and it shall not be responsible for making any key decisions regarding its operation.

Senior Executives

  • Raising awareness regarding the weight of the ERM System and its value for all the stakeholders of the Company, encouraging the creation of an all-encompassing risks management culture.
  • Defining and validating functions, powers and responsibilities within the framework of the ERM System.
  • Determining the level of risk that the Company may deem acceptable.
  • Provision of appropriate and sufficient resources to implement Risks Management activities.
  • Validation of action and work plans resulting from the risks management process itself.
  • Follow-up of activities.

Additionally, certain specific Committees exist in respect of the follow-up of the major risks:

  • Expansion Committee
  • Logistics Committee
  • Committee of Ethics
  • Business Monitoring Committee
  • Code Compliance Supervisory Board
  • Committee for Information Security
  • Investments Committee
  • Reputation Committee