SYSTEMS FOR CONTROL OF RISKS
1. INDITEX’S RISK MANAGEMENT SYSTEM
Risk management in the Inditex Group is a process driven by the Board of Directors and the Senior Executives and incumbent on every member of the Group. It seeks to provide reasonable assurance in the achievement of the objectives established by the Group, giving the shareholders, other stakeholders and the market at large an appropriate level of guarantee that the value built is protected.
In this context, the Enterprise Risks Management Policy of the Group sets the overarching principles, key risk factors and the general action lines to manage and control the risks which affect the Group. This Policy is enforced on the whole Group and is at the basis of an Integral Risks Management System.
The Enterprise Risks Management Policy is developed and supplemented by specific internal policies or regulations with regard to certain areas or units of the Group. Among the internal policies or regulations developed and implemented by these areas regarding the management of the different types of risks, the following should be pointed out:
- The Investment Policy.
- The External Financing Policy.
- The Payment Management Policy.
- The Financial Risk Management Policy.
- The Code of Conduct and Responsible Practices.
- The Policy on Criminal Risk Prevention.
- The Criminal Risk Prevention Procedure.
- The Internal Regulations of Conduct regarding Transactions in Securities.
- The Corporate Social Responsibility Policy.
- The Code of Conduct for Manufacturers and Suppliers.
- The Health and Safety at Work Policy.
- The Environmental Sustainability Policy.
- The Information Security Policy.
- The Procurement Policy.
- The Policy on Communication and Contact with Shareholders, Institutional Investors and Proxy Advisors.
- The Policy and Procedure for Representatives and Attorneys.
- The Policy on Human Rights.
- The Compliance Policy.
- The Tax Policy and the Tax Strategy.
- The Procedure to contract an auditor for the provision of additional services other than auditing of annual accounts.
The whole process is based upon the identification and assessment of the factors which may have a negative impact on the achievement of the business objectives, which translates into a risks map that includes the main risks which are classified in different groups, together with an assessment thereof based upon their potential impact, the likelihood of their occurrence and the level of preparedness of the Group to address them. The risks map is regularly reviewed to keep it updated, in order to include amendments related to the evolution of the Group itself and the environment where it operates. The risk management process continues with adopting a certain response to such factors, and establishing the control measures which are necessary for such response to be effective.
Within the Risks Management System, business units represent the first line of defense, and they report the relevant information to the Enterprise Risks Management Department, which coordinates the System as a second line of defense.
Internal Audit acts as a third line of defense, overseeing in an independent and objective manner the Risks Management System and reporting to the Board of Directors through the Audit and Control Committee.
2. CORPORATE BODIES RESPONSIBLE FOR DRAWING UP AND ENFORCING THE RISKS MANAGEMENT SYSTEM
The main responsibilities of the governing bodies and areas involved in Enterprise Risks Management at the Inditex Group are described below:
The Board of Directors is charged with:
- Approving the Enterprise Risk Management Policy, on the proposal of the Management. Such Policy defines the strategy in the field of risks management and disclosure thereof to the rest of the organization. Based upon such policy, the ERM System is implemented, as well as the mechanisms for the regular follow-up of internal information and control systems.
The Audit and Control Committee is charged with:
- Overseeing the control and risks management function.
- Periodically reviewing the Enterprise Risk Management Policy, including tax risks.
- Ensuring that the Enterprise Risk Management Policy would include at least:
  - The different types of risk (including without limitation, operational, technological, financial, legal, reputational and tax related) that the Company is faced with, including among such financial or economic risk, contingent liabilities and other off-balance sheet risks;
  - The determination of the level of risk that the Company deems acceptable;
  - The course of action planned to reduce the impact of the identified risks, should they materialize; and,
  - The information and internal control systems that will be used to monitor and manage the aforementioned risks, including contingent liabilities and other off-balance sheet risks.
- Reviewing the information about the risks that the Group has to address, and about the risk control systems, that must be included in the Annual Corporate Governance Report, the management report attached to the annual accounts and the interim financial statements and in any other information instruments of the Company; and
- Evaluating any question regarding non-financial risks (including without limitation, operational, technological, regulatory, social, environmental, political and reputational) that the enterprise risk management policy and the risks management systems must contain.
The Financial Division (to which the ERM Department belongs) is charged with:
- Ensuring the good running of the Risk Management System and namely that all relevant risks which affect the Company are duly identified, managed and quantified.
- Taking an active role in the preparation of the risk strategy and in the important decisions on risk management.
- Ensuring that the ERM System would appropriately mitigate risks.
- Overseeing the work and liaising with Risks Managers at each business unit or area, both at corporate or concept level, providing valid tools for risks assessment and management.
- Maintaining and updating knowledge, techniques, methodologies and tools allowing observance of the principles underlying the ERM system at maximum quality levels.
- Regularly reviewing the risks management policies and manuals and proposing the amendment and update thereof to the Board of Directors, where applicable.
- Coordinating and processing the information received by Risks Managers at each business unit or area, reporting to the Senior Executives and the Board of Directors through the Audit and Control Committee.
- Promoting appropriate and effective communication channels between the ERM Department and the remaining Divisions and areas involved.
Risks Managers are charged with:
- Monitoring the risks under their remit, in accordance with the methodology and tools defined by the ERM Department.
- Identification of events which may entail potential risks and opportunities within the assigned scope of responsibility, reporting the necessary information to the ERM Department.
- Follow-up and notice of the risks management development, as well as the defined action plans.
The Internal Audit Department is charged with:
- Contributing to the improvement of risks management, control and governance processes, assuring to the Audit and Control Committee an effective and independent supervision of the internal control system and issuing recommendations for the Group which help reduce to reasonable levels the potential impact of risks which hamper the achievement of the objectives of the Company.
- Internal Audit function must always remain independent in respect of ERM System, and it shall not be responsible for making any key decisions regarding its operation.
Senior Executives are charged with:
- Raising awareness regarding the weight of the ERM System and its value for all the stakeholders of the Group, encouraging the creation of an all-encompassing risks management culture.
- Defining and validating functions, powers and responsibilities within the framework of the ERM System.
- Determining the level of risk that the Company may deem acceptable.
- Provision of appropriate and sufficient resources to implement Risks Management activities.
- Validation of action and work plans resulting from the risks management process itself.
- Follow-up on activities.
Additionally, certain specific Committees exist in respect of the follow-up of the major risks:
- Expansion Committee
- Logistics Committee
- Committee of Ethics
- Business Monitoring Committee
- Code Compliance Supervisory Board
- Committee for Information Security
- Investments Committee
- Reputation Committee
3. MAIN RISKS THAT COULD PREVENT ATTAINMENT OF BUSINESS GOALS
In order to permit a streamlined and comprehensive risks management, the Group has established a definition of risk valid for the whole Organization. Thus, the Group defines risk as: “any potential event which might have a negative impact on the achievement of its business objectives”.
Risks reviewed are classified and grouped in the following categories:
3.1. BUSINESS ENVIRONMENT
These are risks stemming from external factors, associated with the Group’s business.
This category encompasses the risks regarding the difficulty in adjusting to the environment or market in which the Group operates, whether as regards procurement processes or distribution and sale of goods activities. This element is inherent in the fashion retail business and consists of the eventual inability of the Group to follow and offer a response to the development of its target market or to adjust to the new situations in procurement or distribution countries.
In this respect, geopolitical, demographic and social and economic changes that trigger the country risk in procurement or distribution countries, the emergence of new communication channels and changes in consumption habits or the consumption decline in certain markets are, inter alia, factors which may have an impact on the effective achievement of the business objectives of the Group.
3.2. REGULATORY RISK
Those are risks to which the Group is exposed arising from the different laws and regulations in force in the different countries where it conducts its business.
Included in this category are risks regarding tax, customs, employment, trade and consumption and industrial and intellectual property regulations, and risks associated with the remaining laws and regulations, namely regulatory risks of a criminal nature, regardless of whether or not they determine criminal liability of the natural person, as well as other risks of regulatory noncompliance.
3.3. REPUTATION
Those are the risks which have a direct impact on the way the Group is perceived by its stakeholders (customers, employees, shareholders and suppliers) and by the society at large.
These risks stem from a potentially inappropriate management of the issues regarding corporate social responsibility and environmental sustainability, responsibility on account of health and safety of products, the corporate image of the Group, including in social media, as well as any other potential regulatory noncompliance which might have an impact on the reputation of the Organization.
3.4. HUMAN RESOURCES
The main risks related to the field of human resources are those arising out of a potential dependence on key personnel and of the difficulty in properly identifying and retaining talent, as well as in keeping an appropriate work environment at all work centres.
3.5. OPERATIONS
The main operational risks the Group addresses stem from a potential difficulty in recognizing and taking in the ongoing changes in fashion trends, and in manufacturing, supplying and putting on the market new models that fulfil customers’ expectations.
The risk arising out of business interruption is associated with the potential occurrence of extraordinary events beyond the control of the Group (natural disasters, fires, strikes of haulers or of key suppliers, power outage, discontinuance in the supply of fuel, goods detention during carriage, etc.) that may significantly affect normal operations.
Given the way the Group operates, the main risks included in this category are to be found at logistics centres and in external operators charged with carriage of the goods. The distribution of apparel, footwear, accessories and homeware for all the concepts is based upon 14 hubs spread throughout Spain. Distribution logistics are also ensured by other smaller distribution centres located in different countries and by external logistics operators in charge of small volume distribution operations.
Other risks included in this category are those associated with real estate management, related to the search and selection of business premises and their profitability.
3.6. FINANCIAL
In the regular conduct of its business, the Group is exposed to financial risks. Included in this category are foreign exchange risk and counterparty credit risk. Additionally, given the ever-growing international dimension of the Group’s business, the Company is exposed to the country risk in different markets.
Euro is the functional currency of the Group. Its international transactions involve using a large number of currencies other than Euro, which gives rise to the foreign exchange risk. The Group has different investments abroad, the net assets of which are exposed to foreign exchange rate risk. As the consolidated financial statements of all the companies in the Group are prepared in the functional currency, i.e., Euro, it is faced with the foreign exchange risk on account of translation, in respect of all its entities outside the European Monetary Union. The company also addresses the risk resulting from transactions in currencies other than Euro in flows of collections and payments for acquisition of goods and provision of services both in respect of transactions within the Group and outside the Group.
The Group is not exposed to significant concentrations of counterparty credit risk. Most of its revenue results from retail sales, where payment is primarily made on demand, either in cash or with credit card. At any rate, the Group deals with the risk that counterparties, mainly financial ones, would fail to comply with the obligations stemming from investment of the company’s cash, loan agreements and other financial and securities vehicles, and from derivatives used for financial risks hedging.
3.7. INFORMATION FOR THE DECISION MAKING
The risks included in this group are those linked to the appropriate information at all levels: transactional and operational, financing-accounting, management, budgeting and control.
The different departments of the Group, and especially the Planning and Management Control Department and the Administration Department, which report to the Financial Division, are directly responsible for producing and overseeing the quality of such information.
3.8. TECHNOLOGY AND INFORMATION SYSTEMS
The risks in this group include those linked to the technological infrastructure, the effective management of information, of computer and robotic networks and of communications. Risks connected with the physical and technological IT security are also included, namely the risk of cyber-attacks against IT systems, which might eventually affect the confidentiality, integrity and availability of key information.
3.9. CORPORATE GOVERNANCE
This category includes the risk associated with the potential existence of an inappropriate management of the Group which might entail noncompliance with Corporate Governance and transparency regulations.
4. RISK TOLERANCE LEVEL OF THE COMPANY
The Inditex Group relies on standard criteria to identify, assess and prioritize risks, based upon the concept of risk tolerance as a key tool.
It is incumbent on Senior Executives to establish strategy and risk tolerance, which must reflect the volume of risks that the company is willing to assume, to reasonably attain the goals and interests of the Group. Such tolerance is regularly updated, at least every time the Group strategy changes.
Once the risks tolerance for strategic and business objectives of the Group has been defined, it is duly disclosed to the Corporate Enterprise Risks Manager, who determines the assessment scales of key business risks (impact, likelihood and level of preparedness).
5. RISKS THAT HAVE MATERIALIZED DURING THE YEAR
During the year, risks inherent in the business model, the Group’s business and the market environment, have materialized as a result of circumstances inherent in the conduct of business and the prevailing economic climate. Although none of them has had a significant impact on the Organization, materialization of foreign exchange risk has had a higher weight.
The Group operates globally and therefore, it is exposed to the foreign exchange risk in respect of transactions in currencies, namely in US dollar, Russian ruble, Chinese renminbi, Mexican peso, Sterling pound and Japanese yen. In the course of the year, the depreciation of non-Euro currencies has had a relative negative impact on the growth rate of net sales of the Company, and a negative impact on the cost of sales, particularly during the first half of the year.
The foreign exchange risk is managed pursuant to the guidelines set out by the Management of the Group, which mainly cover the establishment of financial or natural hedging systems, constant monitoring of foreign exchange rates fluctuation, and other measures aimed at mitigating such risk.
The results of the referendum that took place in the UK on 23 June 2016, regarding the United Kingdom European Union membership, led to an unexpected commotion, and sent the markets into a spin. However, the impact of such vote has not been relevant for the Group during the financial year. Nor has the depreciation of the sterling pound resulting from Brexit entailed a material increase of the foreign exchange risk, considering the behaviour of the Group’s exchange exposure portfolio, resulting from its high diversification and the foreign exchange management policy.
6. THE RESPONSE AND SUPERVISION PLANS FOR THE MAIN RISKS FACED BY THE ENTITY
The Group relies on response plans that seek to reduce the impact and likelihood of materialization of the critical risks described in section 3 of this Chapter, or to improve the level of preparedness versus risks.
The main response plans for each risk category are explained below:
6.1. BUSINESS ENVIRONMENT
In order to reduce the risk exposure in this area, the Group carries out a feasibility research for each new market, business line or store, considering pessimistic scenarios, and subsequently monitors whether the estimated figures are met or not. Moreover, the business model of the Group is based not only on managing new openings, but also on improving the efficiency and effectiveness of the markets, business lines and stores already existing, so that the growth achieved via expansion and diversification is complemented by the organic growth of the existing business.
In line with the foregoing, the expansion policy, the multi-brand format of the Group and the use of new technologies as a communication and sale option for our customers represent a way to diversify this risk, which downplays the global exposure to this business environment risk.
6.2. REGULATORY RISK
The General Counsel’s Office is charged with managing the Model of Compliance System of the Company. Namely, it discharges a triple function: organization, coordination and reporting.
Organization means that the General Counsel’s Office oversees the process of preparing the internal regulations (Policies, Procedures and Instructions) of the Company and approves them, where appropriate.
The General Counsel’s Office is also responsible for coordinating compliance functions of other departments or areas where compliance risks exist, by means of a periodic reporting system.
Special mention should be made of criminal regulatory risks. For the purposes of reducing such risks, the Group relies on a Criminal Risk Prevention Model, overseen by the Committee of Ethics, made up of three different documents: the Policy on Criminal Risk Prevention, the Criminal Risk Prevention Procedure and the Scoping Matrix of Criminal Risks and Controls.
The Internal Audit Department conducts regulatory compliance audits on a regular basis with teams of independent professionals specializing in certain regulations which apply to the company’s business.
6.3. REPUTATION
The Group has implemented a Compliance Programme in respect of the Code of Conduct for Manufacturers and Suppliers through social audits and pre-Assessment audits, based on the external and independent verification of the facilities which are necessary to manufacture the fashion items that it distributes, for the purposes of minimizing any potential risks of damaging the image of the Group on account of improper behaviour by third parties. Said programme sets out the review procedures which ensure gathering information and evidence on the minimum working conditions that all manufacturers, suppliers and external workshops must comply with. Additional information on this Programme and on other programmes is available in the Annual Report and on the corporate website. Likewise, the Sustainability Department carries out technical and production audits on a regular basis and the Environment Department conducts audits and controls at the facilities where wet processes are carried out.
In such sizable and visible organizations as the Group, some conflicts might arise out of an inappropriate relationship with third parties alien to the proceedings of the Group (e.g., CNMV, media, investors, public authorities, etc.).
The Group sets out, through the Communication and Corporate Affairs Division and the Sustainability Department, the procedures and protocols required to minimize this risk. Likewise, given their relevance, the General Counsel’s Office and the Capital Markets Department are charged with managing specifically the relationship with CNMV, and the latter is also charged with investors’ relations.
Additionally, different departments, including the Communication and Corporate Affairs Division, are responsible for tracking the image of the Group in the social media.
To reduce the risks associated with the description of finished products, ensuring that they do not entail any hazard for the health and safety of customers, the Group carries out controls and verifications of the product health and safety standards (Clear to Wear and Safe to Wear), whose enforcement is mandatory throughout the production line for all finished products, footwear and accessories.
The Group relies on a Code of Conduct and Responsible Practices and a Code of Conduct for Manufacturers and Suppliers. The Committee of Ethics is responsible for the enforcement and construction of both Codes, and the Code Compliance Office runs training on the Code of Conduct and Responsible Practices for employees.
6.4. HUMAN RESOURCES
To minimize these risks, the Human Resources Department carries out continuous recruitment and hiring processes of new personnel, including hunting processes for key personnel. It has also developed a regular training programme for its staff and has implemented specific systems:
- To combine quality in employees’ performance and the job satisfaction each of them may derive at the workplace;
- To facilitate the exchange of jobs among those employees wishing to broaden their experience in the different areas of the Organization;
- To provide career opportunities to the most talented and diligent persons within the Organization.
On the other hand, the work system implemented within the Organization encourages the transfer of knowledge between employees in the different areas, thus minimizing the risk of depending excessively on the knowledge of key personnel. Additionally, the use of career development, training and compensation policies seeks to retain key employees.
To ensure an appropriate work environment, the Human Resources Department follows a series of action lines which are described in greater detail in the Performance section of the Annual Report.
Meanwhile, a growing demand has arisen lately within the labour market, linked to corporate social responsibility, which has become a key factor upon selecting a company for the job of choice. Thus, issues such as equal opportunities, remuneration systems other than salary or family and work balance are, inter alia, factors that the Company takes into account, with policies designed for such purposes.
In this respect, the Inditex Group has implemented Equal Opportunities Plans, with measures that seek to meet different goals, including, without limitation, fostering the commitment and effective implementation of the equal opportunities principle between female and male employees, contributing to reduce inequality and imbalance, preventing labour discrimination, fostering the Company’s commitment towards improving life quality, ensuring a healthy work environment and providing actions to promote family and work balance.
6.5. OPERATIONS
The Group reduces exposure to this risk through a production and procurement system that ensures a reasonably flexible response to unexpected changes in the demand from our customers. Stores are permanently in touch with the team of designers, through the Product Management Department, and this allows perceiving the changes of taste of the customers. Meanwhile, the vertical integration of the transactions allows reducing manufacturing and delivery times as well as the stock volumes, while at the same time, the reaction capacity to introduce new products throughout each season, is kept.
Given the relevance that an efficient logistics management has on the materialization of such risks, the Group conducts a review of all the factors which might have a negative impact on the target of achieving the maximum efficiency of the logistics management, to actively monitor such factors under the supervision of the Logistics Committee.
To mitigate the risk resulting from stoppage of operations, associated with the likelihood of occurrence of extraordinary events beyond the control of the Group, the size and use of all centres has been optimized, based upon the volume of each concept or the specific requirements of the geographical area which they service. Namely, part of the above mentioned logistics centres specialize in distribution of goods sold on-line. The different hubs have been set in such a manner as to be able to assume storage and distribution capacity from other centres in the event of any contingency resulting from potential accidents or stoppage of distribution activities.
Additionally, the Group takes active measures to reduce risk exposure in respect of this type of risks, by keeping high levels of prevention and protection in all its distribution centres, in addition to insurance policies covering both any potential property damage incurred by the facilities and stock, and any loss of profit which might arise out of any loss.
In order to ensure the growth of the Group and enhance the flexibility of its business model, the Logistics Expansion Plan assesses the need and considers, where appropriate:
- Investing in new hubs or extending the existing ones, so as to minimize the risk associated with the logistics planning and sizing.
- Investing towards improving and automating processes in the existing hubs for the purposes of increasing their capacity and efficiency and improving the internal control on goods stored in such centres. In this respect, mention should be made of the progressive application of RFID technology within the supply chain, which allows reaching a very high degree of control on goods.
- The search, approval and monitoring of external logistics operators, in different strategic points, with full integration in the logistics capacity of the company.
With regard to the potential risk of goods detention in the course of carriage, the Group relies on a network of agents in different procurement and distribution points, as well as on alternative routes for carriage of goods.
The Group reduces the risks associated with the real estate management, regarding the search and selection of business premises and the profitability thereof, by monitoring all the markets where it operates, considering the suitability of premises prior to their opening, and overseeing all new store openings through the Expansion Committee.
6.6. FINANCIAL
In order to reduce the foreign exchange risk, it must be managed in a proactive, sufficient and systematic manner. To achieve this, the Group has implemented the Financial Risk Management Policy with the main goals of reducing potential economic losses and volatility in the financial statements resulting from such risk. Exchange exposure materializes in terms of net investment, translation and transaction risks. Such Policy sets the guidelines to manage all such exposures and provides that exchange management is done at headquarters by the Financial Management department of the Group. The Policy sets forth the review and follow-up procedures regarding exchange exposure and the potential hedging strategies, the procedure to contract financial derivatives and the registration and documentation thereof. At present, the exchange risk insurance (forward contract) is the main hedging instrument. Additionally, other instruments, such as collars and swaps are used, to a lesser extent.
The Payment Management Policy addresses the principles aimed at ensuring compliance with the Group’s obligations, safeguarding its interests and setting up the required procedures and processes to ensure an effective payment management. Such policy determines the best method, currency and terms to make payments, in economic, accounting and legal terms. Finally, the Payment Management Policy covers the potential exceptions and the procedure to authorize them. Meanwhile, the Policy and Procedure for Representatives and Attorneys determines the different proxies included in each Group entitled to engage in financial transactions on behalf of the company, including payments, the level of authorization according to the Group to which they belong, the authorized amount of the transaction and the required pairing of proxies according to such criteria.
The Investment Policy of the Group, which seeks to ensure security, integrity and liquidity of financial assets of the Company, provides the guidelines which need to be observed by counterparties, and classifies them in panels in accordance with their rating, solvency and relevance profile for the Group. Likewise, such Policy sets maximum exposure limits in terms of counterparty and provides procedures to ensure control, follow-up and monitoring of credit risk.
Such Policy sets guidelines with regard to the role of sovereign risk in terms of counterparty credit risk, and the influence thereof on financial assets and/or investment vehicles.
6.7. INFORMATION FOR THE DECISION MAKING
In order to reduce exposure to this type of risks, the Group regularly reviews the management information disclosed to the different supervisors and invests, inter alia, in systems for transmission of information, business monitoring and budgeting.
The IT Security Department, reporting to the IT Division, is responsible for ensuring that such information is accessed and/or amended exclusively by the persons authorized to do so, setting the parameters for the systems to ensure the reliability, confidentiality, integrity and availability of key information.
With regard to the risks associated with financial reporting, the Group has set up an Internal Control System on Financial Reporting (ICFR) aimed at achieving an ongoing follow-up and assessment of the main risks associated, which permits ensuring reasonably the reliability of the public financial information of the Group. Additional information on this issue is available in Section F of this report.
In addition, the consolidated Financial Statements and those of all relevant companies are subject to review by the independent auditors, who are also in charge of carrying out certain audit works regarding the financial information. Likewise, as regards the most significant companies of the Group, independent auditors are requested to issue recommendations on internal control.
6.8. TECHNOLOGY AND INFORMATION SYSTEMS
Given the importance of the smooth running of technological systems to achieve the objectives of the Group, the IT Division exercises, through the IT Security area, and with the support of the Committee for Information Security, a permanent control aimed at ensuring streamlining and consistency of such systems, in addition to the security and stability required for business continuity. The Group is aware that its systems will require ongoing improvement and investment to prevent obsolescence and keep the response capacity thereof at the levels required by the Organization.
As a benchmark, aimed at keeping the safety of the information and of the elements which process it, the Group is governed by the Information Security Policy, which is accepted by all users with access to information. Such Policy is available on the INET.
For the specific purpose of keeping a continuous systems operation, the Group relies on technical and procedural contingency systems which would reduce the consequences of any breakdown or stoppage. Such technical contingency systems include the main data centre, which is TIER IV certified, the storage of synchronous data in redundant locations exposed to different physical or geological risks, and the duplication of teams and lines.
Additionally, the IT Security area within the IT Division relies on continuous review mechanisms, which are regularly assessed by different internal and external audits, to prevent, detect and respond to any potential cyber-attack. Such controls would allow anticipating and/or reducing the consequences of risk materialization, together with insurance policies covering loss of profit, expenses stemming from cyber-attack and public liability of the company for damages incurred by third parties. The Company considers, based upon the available information, that these controls have been successful to date.
However, taking into account that every year a large number of hackers attempt to gain access to the information of corporations globally, the Group is aware that technological risks progress exponentially, in an unpredictable and sometimes highly elaborate manner. For such reason, although Information Security is one of the top priorities of the Group, the possibility of a non-detectable attack, including one on its service providers, which might have an impact on the operations or the information managed by the Organization, cannot be ruled out.
6.9. CORPORATE GOVERNANCE
In order to reduce these risks, compliance with the corporate governance system of the Company is required. Such system comprises the Articles of Association, the Board of Directors’ Regulations, the Regulations of the General Meeting of Shareholders, the Audit and Control Committee’s Regulations, the Nomination Committee’s Regulations and the Remuneration Committee’s Regulations, the corporate policies implemented for enterprise risk management, and the internal regulations of the Group (the Code of Conduct and Responsible Practices, the Code of Conduct for Manufacturers and Suppliers, and the Internal Regulations of Conduct regarding Transactions in Securities, among others).
The Code Compliance Supervisory Board and the Code Compliance Officer are charged with overseeing and enforcing the IRC.
With regard to the Code of Conduct and Responsible Practices and the Code of Conduct for Manufacturers and Suppliers, the Committee of Ethics is responsible for the enforcement and construction thereof. Such Committee may act ex officio or at the behest of any of Inditex’s employees, manufacturers or suppliers, or any third party involved in a direct relationship and with a lawful business or professional interest, by submitting a report in good faith.
With regard to supervision, the Board of Directors and the Audit and Control Committee are the main governing bodies responsible for risks control.
1. BOARD OF DIRECTORS
The Board of Directors is the maximum authority responsible for identifying the main risks for the Group and for organizing the appropriate internal control and information systems.
2. AUDIT AND CONTROL COMMITTEE
Included in the duties of the Audit and Control Committee is that of assisting the Board of Directors in its duties to oversee and control the Group, by reviewing the internal control systems. The duties of the Audit and Control Committee are provided in the Articles of Association, the Board of Directors’ Regulations and the Audit and Control Committee’s Regulations.
The Audit and Control Committee’s Regulations provide that it is incumbent on the Audit and Control Committee, exclusively comprised of Non-executive Directors, inter alia: to oversee the effectiveness of the internal control of the Company, the internal audit and the risk management systems, including tax ones, and to review with the financial auditor the significant weaknesses of the internal control system revealed, as the case may be, in the conduct of the audit, and to supervise the process for preparing and releasing the regulated financial information.
Additionally, the Audit and Control Committee is responsible for overseeing the Internal Audit Department of the Group, approving its budget, the Internal Audit Plan and the annual report of activities of the Internal Audit Department, ensuring that it relies on the appropriate material and human resources, whether internal or external, to discharge its duties, ensuring that its activity is mainly focused on the risks which are relevant for the Company and its Group, and gathering periodic information on the proceedings of Internal Audit.
The Internal Audit Department is directly linked to the Board of Directors, to which it reports functionally, through the Chair of the Audit and Control Committee, thus ensuring the full independence of its acts.
The mission of the Internal Audit function is defined in the Group’s Internal Audit Charter, and it consists of contributing to the good running of the Group, by assuring an independent and effective supervision of the internal control system, and providing recommendations to the Group that help reduce to reasonable levels the potential impact of the risks that hamper the achievement of the objectives of the Organization.
Likewise, according to such Charter, the goals of the Internal Audit function are to promote the existence of appropriate internal control and risk management systems; the streamlined and efficient application of the policies and procedures which make up such internal control system; and to serve as communication channel between the Organization and the Audit and Control Committee, with regard to those matters under the remit of the Internal Audit function.