Risk Management
Risk management processes
In order to ensure that the most relevant risks are duly identified, measured, managed and controlled, the General Risk Policy establishes the principles for action in risk management, which include the following:
- Integration. Risk management is part of all processes within the organisation. A risk management culture must be maintained at all levels of decision-making.
- Integral management. Group entities must identify, measure, manage and control all their significant risks, establishing the appropriate policies, procedures, structure and resources for each of them. The Risk Map provides an overview of the most material risks —both financial and non-financial— to which the company is exposed, including tax risks.
- Review and constant improvement of risk management. The adequacy, appropriateness and efficiency of risk management are regularly reviewed and assessed, with the aim of finding opportunities to improve internally, through lessons learned from past incidents, or externally, through the availability of new tools and knowledge acquired by the organisation.
Review of the risk exposure
Línea Directa has defined a risk map with associated indicators (KRIs) and internal controls, through which the company's risk exposure is reviewed monthly, quarterly, twice a year or, in particular cases, annually, provided that the type of control does not allow it to be carried out more frequently.
Risk Management Process Audit
In 2023, the Internal Audit area carried out three audits related to the risk management system:
- Audit of Internal Control System over Financial Information (SCIIF) - Processes of CAR and LDA - Intercompany and Debt Simultaneous: the objective of the audit is the review of some of the processes included in the Internal Control System over Financial Information (SCIIF) of Centro Avanzado de Reparaciones (CAR, S.L.) related to: a) bank accounts, b) payrolls and provision of bonuses, c) supplies (purchases), d) inventories, e) operating expenses, f) loans and income. Likewise, a fundamental part of this audit is the review of the adequate execution of controls, their design, compliance with control objectives, custody and archiving of evidence.
- Audit of the Degree of Implementation of the Regulatory Compliance Risk Management System: the objective of the audit is to review the government processes regarding sustainability and adequate performance in the management of environmental risks, leaving social or government risks out of scope.
- Audit of the Key Risk Indicators: the objective of the audit is to review the reporting, identification and design process, as well as the correct monitoring of the Key Risk Indicators, and usability of the KRI Dashboard.
The result was similar in all three audits: a positive assessment, but with some weaknesses.
Risk Culture
Línea Directa has developed a risk culture since its inception, and more exhaustively since its IPO in 2021. The creation of the Corporate Risk area in 2022 and raising awareness at all levels of the company regarding risks have been key to the exponential advancement of said culture.
Additionally, every year, a high proportion of the workforce has financial incentives linked to objectives related to risk management, from Senior Management to the chain of command or back-office employees. In 2023, these objectives were closely linked to updating the company's risk map, the definition of a scorecard for risk indicators or the evaluation of specific risks, such as climate change or the regulatory risk associated with the Regulation of Data Protection.