Risk in the Group is controlled within the risk governance framework which incorporates both the Court, risk committees appointed by the Court (e.g. Court Risk Committee, Group Audit Committee), and also the Group Risk Policy Committee and its appointed committees (e.g. Group Credit Committee, Asset & Liability Committee etc.).
The risk governance framework is supported by the Group’s management body, with risk responsibilities extending throughout the organisation based on a three lines of defence approach.
• First line of defence: identification and management of risk at business unit / Group function level, including the implementation of appropriate controls and reporting to the Group in respect of all major risk events. Business Units / Group functions are accountable for the risks arising in their businesses / functions, and are the first line of defence for the Group managing them.
• Second line of defence: central risk management functions are responsible for maintaining independent risk oversight and ensuring that a risk control framework is in place. They formulate risk policy and strategy, and provide independent oversight and analysis and centralised risk reporting.
• Third line of defence: Group Internal Audit (GIA) provides independent, reasonable assurance to key stakeholders on the effectiveness of the Group’s risk management and internal control framework. GIA carries out risk based assignments covering Group businesses and functions (including outsourcing providers), with ratings assigned as appropriate. Findings are communicated to senior management and other key stakeholders, with remediation plans monitored for progress against agreed completion dates. Group Credit Review (GCR), an independent function within GIA, is responsible for reviewing the quality and management of credit risk assets across the Group.
The organisational structure for risk management is designed to facilitate reporting and escalation of risk concerns from business units, Group functions and Group Internal Audit upwards to Group Risk Policy Committee (GRPC), the Court Risk Committee (CRC), the Group Audit Committee (GAC) and the Court of Directors, and conveying approved risk management policies and decisions to business units.
Risk governance framework
The Court of Directors is responsible for ensuring that an appropriate system of internal control is maintained and for reviewing its effectiveness.
The identification, assessment and reporting of risk in the Group is controlled through risk committees appointed by the Court of Directors and also the Group Risk Policy Committee (appointed by the Court Risk Committee) and its appointed committees.
Each of the risk committees has detailed terms of reference, approved by the Court or their parent committee, setting out their respective roles and responsibilities. In summary, the following are the key responsibilities of the Group’s risk committees.
[Diagram: the Court of Directors and its committees: Group Nomination & Governance Committee, Group Remuneration Committee, Non-Equity Capital Committee, Group Investment Committee, Court Risk Committee, Group Risk Policy Committee and Group Audit Committee.]
• The Court, comprising the Governor, 9 Non-executive Directors and 2 Executive Directors, is responsible for approving high level policy and strategic direction in relation to the nature and scale of risk that the Group is prepared to assume to achieve its strategic objectives. It approves the Group Risk Framework which identifies the Group’s formal governance process around risk and the approach to risk identification, analysis, measurement, management and reporting. It regularly reviews reports on the size and composition of key risks facing the Group as well as the minutes of direct committees. The Court approves the Group’s Risk Appetite Statement (incorporating risk identity and high level risk limits), thereby defining the amount and nature of risk the Group is prepared to accept in pursuit of its financial objectives, and forming a boundary condition to strategy. It has reserved authority to review and approve a number of key risk policies. The Court approves the Group’s Recovery Plan. The Court also approves the Group Internal Capital Adequacy Assessment Process (ICAAP) report which is a key process for the Group and facilitates the Court and senior management in adequately identifying, measuring and monitoring the Group’s risks and ensures that the Group holds adequate capital to support its risk profile.
• The Court Risk Committee (CRC) comprises Non-executive Directors and its primary responsibilities are to make recommendations to the Court on risk issues where the Court has reserved authority, to maintain oversight of the Group’s risk profile (including adherence to Group risk principles, policies and standards), and to approve material risk policies within delegated discretion. It also ensures risks are properly identified and assessed, that risks are properly controlled and managed and that strategy is informed by and aligned with the Group’s risk appetite. The committee met 11 times during 2014.
• The Group Audit Committee (GAC) comprises Non-executive Directors. In close liaison with the CRC, it reviews the appropriateness and completeness of the system of internal control, reviews the manner and framework in which management ensures and monitors the adequacy of the nature, extent and effectiveness of internal control systems, including accounting control systems, and thereby maintains an effective system of internal control. It assists the Court in meeting obligations under relevant Stock Exchange Listing Rules, and under applicable laws and regulations, including the Sarbanes Oxley Act, as well as other regulatory requirements (e.g. Pillar III Disclosures), and monitors the integrity of the financial statements. The committee met 9 times during 2014.
• The Group Risk Policy Committee (GRPC) is the most senior risk management committee and reports to the CRC. It is chaired by the Chief Credit & Market Risk Officer (CCMRO) and its membership comprises members of the Group Executive team and Group wide divisional and control function executives. It met 21 times during 2014. The GRPC is responsible for managing all risk types across the Group, including monitoring and reviewing the Group’s risk profile and compliance with risk appetite and other approved policy limits, approving risk policies and actions within discretion delegated to it by the CRC. The GRPC reviews and makes recommendations on all risk matters where the Court and the CRC have reserved authority. The CRC oversees the decisions of the GRPC through a review of the GRPC minutes and reports from the Committee Chairman. The GRPC delegates specific responsibility for oversight of the major classes of risk (including credit, market, liquidity, operational, regulatory and tax) to committees that are accountable to it. The relevant committees are set out in the following diagram.
[Diagram: committees accountable to the Group Risk Policy Committee]
• Group Regulatory Compliance & Operational Risk Committee: governance of regulatory compliance & operational risk
• Portfolio Review Committee (PRC): assessment of the composition of the loan portfolio, concentrations, RAR (1)
• Risk Measurement Committee (RMC): governance of all credit risk model validation
• Asset & Liability Committee (ALCO): oversight of interest rate, market & liquidity risk, capital & funding
• Group Credit Committee (GCC): approval of all large credit transactions
• Group Equity Underwriting Committee: approval of equity underwriting transactions
• Private Equity Governance Committee: approval of private equity investments
• Group Liquidity / Capital Committee: invoked during periods of market disruption (2)
• Group Tax Committee: oversight of tax policy and approval of tax proposals
(1) Risk-adjusted returns (RAR).
(2) The committee ceased meeting in 2013 as circumstances no longer warranted its invocation.
Management oversight of risk
Consistent with the three lines of defence approach to risk management, business units and relevant Group functions are the first line of defence and are accountable for the risks in their business unit / Group function and are responsible for the identification and management of those risks.
Central risk and Group management functions are responsible for establishing a risk control framework and for risk oversight. These are referred to as ‘Risk Owners’.
Risk Owners are responsible for ensuring that:
• a policy or a process is in place for the risks assigned to them;
• exposure to the risk is correctly identified, assessed according to the Group’s materiality criteria, and reported; and
• identified risk events are appropriately managed or escalated.
There are two key functions in the Group responsible for managing different aspects of risk—the Credit & Market Risk function and Group Governance Risk function:
• Credit & Market Risk is responsible for the independent oversight of credit risk and the monitoring of market risk within the Group as well as for the centralised management of certain challenged portfolios. It assists the Court in the setting of risk appetite for the Group and the formulation of credit and market risk policies. It is also responsible for oversight of risk models and for integrated risk reporting within the Group;
• Group Governance Risk is responsible for the management of regulatory, compliance and operational risk, Group Legal Services and the Group Secretariat.
In addition a number of other Group functions have responsibility for the Group’s other key risk types, namely Group Treasury (liquidity risk), Group Communications (reputation risk) and Group Finance (pension risk). Business and strategic risk is managed by the relevant Divisional Chief Executive Officers, Group Strategy Development and Group Finance; life insurance risk is managed within NIAC, an independent regulated subsidiary with its own independent board.
2.3 Risk identification, measurement and reporting