Risks

In fulfilling its business objectives, Ferrovial is exposed to a variety of risk factors arising from the nature of the sectors in which it operates, the countries in which its activities are located and the different regulatory frameworks to which it is subject.

Policy

The company has a Risk Control and Management Policy, approved by the Board of Directors, which establishes the general framework of action for the control and management of risks of different nature that the management team may encounter in the achievement of the business objectives, as well as the acceptable risk and the tolerance level per risk factor.

Monitoring

Board of Directors

Ferrovial’s Board of Directors analyzes the risks associated with the strategy and activities of the Company and its businesses. It is also responsible for establishing the acceptable risk and tolerance levels that the Company is willing to assume in the development of its activities.

The Board oversees the operation of internal risk management and control systems and conducts a periodic evaluation of their design and effectiveness at least once a year.

The Non-Executive Directors oversee the policies, management and general affairs of the Company and its business, including shareholder relations, with emphasis on the effectiveness of the Company’s internal risk management and control systems.

The Board of Directors has the necessary skills to effectively perform its risk oversight function. 50% of the Non-Executive Directors have specific expertise in risks and compliance, audit and sustainability (5 out of 10 Directors).

Audit and Control Committee

The members of the Audit and Control Committee, and especially its chairman, are appointed based on their knowledge and experience in accounting, auditing and risk management, both financial and non-financial.

The Audit and Control Committee advises the Board in its decision-making, among other matters, on the supervision of the integrity and quality of the Company’s financial and sustainability information and on the effectiveness of the Company’s internal risk management and control systems.

Likewise, the Audit and Control Committee supervises and evaluates the control and management systems for financial and non-financial risks relating to the Company and the Ferrovial Group, including operational, technological, legal, social, environmental, political, reputational and corruption-related risks.

Compliance and Risk Direction

The Compliance and Risk Direction, reporting directly to the Audit and Control Committee of the Board of Directors and independent of the business lines, is responsible for managing the risk assessment and identification process, known as Ferrovial Risk Management, and for periodically informing the Audit and Control Committee and, where appropriate, the Board of Directors of the risks that threaten compliance with the business objectives.

Ferrovial Risk Management

The company has a risk identification and assessment process, called Ferrovial Risk Management (FRM), managed by the Compliance and Risk Department, promoted by the Management Committee and implemented in all the company’s business areas, under the periodic supervision of the Audit and Control Committee of the Board of Directors. The process is carried out twice a year.

Through the application of common metrics, the process makes it possible to identify risk events in advance and assess them in terms of their probability of occurrence and their potential impact on business objectives, including corporate reputation. In this way, Ferrovial can take the most appropriate mitigation measures according to the nature of the risk, as well as taking advantage of the opportunities that proper risk management can bring.

For each risk event identified, two assessments are performed: an inherent assessment, prior to the specific control measures implemented to mitigate the risk, and a residual assessment, after specific control measures have been implemented.