Risks

In the performance of its corporate objectives Ferrovial is exposed to diverse risk factors deriving from the nature of the sectors in which it operates, the countries in which its activities are located and the different regulations to which it is subject. Risk management is fostered throughout the Group and integrated in all key processes, from asset management to M&A.

Policy

The company has a Risk Control and Management Policy, in line with COSO ERM framework and the three line defense model as International reference standards, which provides the employees of Ferrovial with a general frame of action for the control and management of the risks of any nature that they face in the performance of the business objectives and the general strategy of Ferrovial. Following COSO´s guidance, risk appetite towards our strategic objectives has been determined by the BoD, and targets and tolerance identified for key risk factors, integrating them into decision-making.

The Policy, approved by the Board of Directors, is updated at least every three years and is communicated throughout the organization for implementation and employees receive specific training on internal risk management and control systems related to their activities.

Board of Directors

Ferrovial’s Board of Directors identifies and analyzes the risks associated with the strategy and activities of the Company and its businesses, in accordance with the Risk Control and Management Policy. It is responsible for risk management oversight, for establishing the risk appetite as well as the measures put in place in order to counter the risk taken. Based on risk assessment, the Board designs, implements and maintains adequate internal risk management and control systems.

The Board of Directors has the appropriate skills to perform its risk oversight function. A plan has been established to provide the Board of Directors with various training sessions related to their risk oversight function, among other areas. The annual training includes key topics, along with periodic, or as needed, sessions on specific topics, such as cybersecurity and sustainability. The aim is to further develop knowledge on the risks related to the diverse subjects and enhance decision-making processes.

Audit and Control Committee

The Audit and Control Committee assists the Board of Directors in fulfilling its responsibilities, discussing the Company’s policies with respect to risk assessment and risk management, and overseeing the Company’s enterprise risk management system.

Internal Audit

The Internal Audit function, acting as a third line of defense, supervises the company’s risk management system through internal audits of the company’s various risk management processes (financial, operational, compliance, etc.), issuing recommendations to correct any weaknesses detected.

Enterprise Risk department

The Enterprise Risk department, independent of the business lines and acting as second line of defense, is responsible for developing the risk management process, known as Ferrovial Risk Management. This ensures uniform risk management across Ferrovial and involves periodic reporting to the Audit and Control Committee and, where appropriate, to the Board of Directors on the risks that threaten the achievement of business objectives and compliance with the risk targets approved by the Board of Directors.

On the other hand, as part of the second line of defense, certain divisional and corporate directorates in their area of responsibility, are responsible for establishing policies and strategies regarding their specific risks and for the monitoring and oversight of risk management across the organization.

Business Managers

Business managers, acting as the first line of defense, are responsible for the identification and management of risks associated with the achievement of the objectives in their area of activity.

Ferrovial Risk Management

The Policy is complemented by the Ferrovial Risk Management (FRM) Procedure that describes in detail the different risk components (identification, evaluation, management, monitoring & reporting) and activities performed by the Group.

The risk identification and assessment, included in FRM, is a bottom-up process promoted by the Management Committee and implemented in all the company’s business areas, under the regular supervision of the Audit and Control Committee of the Board of Directors. The process is carried out twice a year.

Through the application of common metrics, the process allows risk events to be identified in advance and assessed in terms of their likelihood of occurrence and their potential impact on business objectives, including corporate reputation. In this way, the highest rated risks are prioritized in order to take the most appropriate mitigation measures according to the nature of the risk, as well as to take advantage of the opportunities that may arise from proper risk management.

For each risk event identified, two assessments are carried out: an inherent assessment prior to the specific control measures implemented to mitigate the risk, and a residual assessment, after specific mitigation measures have been implemented.

In a process of continuous improvement, Ferrovial periodically carries out reviews of the risk management process by means of an internal audit and an external consultancy exercise in order to detect weaknesses and improve the performance of the process in accordance with comparable international best practices.

Emerging Risks

The FRM process also identifies, assesses, and monitors emerging risks. In this regard, Ferrovial has launched an initiative that represents an important step forward in the proactive management of Ferrovial’s emerging risks, which will serve as a support tool in decision-making.

In March 2025, the first workshop on emerging risks brought together experts from various Ferrovial business units to identify and analyze potential risks to the company. Among the identified risks reported to BoD, the following are particularly noteworthy. Impact and mitigation actions were determined:

The emerging risk of Quantum computing has stood out as one of the most significant for Ferrovial. Quantum technology in computing offers exponentially higher processing power compared to traditional binary systems.
- Impact: This increase could significantly heighten cyber threat risks, as conventional encryption methods may become inadequate against quantum computing’s capabilities. This may lead to increased vulnerability to cyberattacks, information theft, and operational disruptions.
- Mitigating actions: We are monitoring technological advancements and industry use cases and forming strategic partnerships with capable entities to develop protective technologies.
Another emerging risk identified is changes in mobility patterns. Several emerging technologies and trends have the potential to change long-term mobility patterns in a way that could adversely impact Ferrovial’s business.
- Impact: The rise of vehicle automation has the potential to decrease travelers’ willingness to pay to save time on the road, while the expansion of AI may result in job displacement among current commuters, potentially decreasing overall travel demand.
- Mitigating actions: To address this risk, we are closely monitoring these and other emerging trends to ensure the resilience of our business model in response to evolving patterns in the movement of people and goods. In addition to monitoring trends, we are engaging in scenario analysis exercises and establishing strategic partnerships with leading companies.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	11 months 29 days 23 hours 59 minutes	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category ''Advertisement''.
cookielawinfo-checkbox-analytics	11 months 29 days 23 hours 59 minutes	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category ''Analytics''.
cookielawinfo-checkbox-language	11 months 29 days 23 hours 59 minutes	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookies will remember language preferences.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
csrftoken	11 months	This cookie is associated with Django web development platform for python. Used to help protect the website against Cross-Site Request Forgery attacks
lang		This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
PHPSESSID		This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp-wpml_current_language	1 day	Used by WPML to store language settings.

Cookie	Duration	Description
_csrf		Anti Cross-site request forgery cookie.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the collection of data on high traffic sites.
_gat_gtag_UA_5784146_31	1 minute	Google Used to distinguish users.
_gat_UA-141180000-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gat_UA-20934186-10	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gat_UA-5826449-38	1 minute	Used by Google Analytics to throttle request rate
_gat_UA-58630905-1	1 minute	Used by Google Analytics to monitor the rate of requests
_gat_UA-70491628-1	1 minuto	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	2 months	Used by Google AdSense to experiment with advertising efficiency across websites using its services.
_gid	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visited in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjCachedUserAttributes	Session	This cookie stores User Attributes which are sent through the Hotjar Identify API, whenever the user is not in the sample. These attributes will only be saved if the user interacts with a Hotjar Feedback tool.
_hjClosedSurveyInvites	365 days	Hotjar cookie that is set once a visitor interacts with an External Link Survey invitation modal. It is used to ensure that the same invite does not reappear if it has already been shown.
_hjDonePolls	365 days	Hotjar cookie that is set once a visitor completes a survey using the On-site Survey widget. It is used to ensure that the same survey does not reappear if it has already been filled in.
_hjid	365 days	Hotjar cookie that is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	30 minutes	This cookie is set to let Hotjar know whether that visitor is included in the data sampling defined by your site's pageview limit.
_hjIncludedInSessionSample	30 minutes	This cookie is set to let Hotjar know whether that visitor is included in the data sampling defined by your site's daily session limit
_hjLocalStorageTest	Menos de 100ms	Esta cookie se usa para verificar si Hotjar Tracking Script puede usar almacenamiento local. Si puede, se establece un valor de 1 en esta cookie. Los datos almacenados en_hjLocalStorageTest no tienen fecha de caducidad, pero se eliminan casi inmediatamente después de su creación.
_hjMinimizedPolls	365 days	Hotjar cookie that is set once a visitor minimizes an On-site Survey widget. It is used to ensure that the widget stays minimized when the visitor navigates through your site.
_hjRecordingLastActivity	Session	This should be found in Session storage (as opposed to cookies). This gets updated when a visitor recording starts and when data is sent through the WebSocket (the visitor performs an action that Hotjar records).
_hjShownFeedbackMessage	365 days	Hotjar cookie that is set when a visitor minimizes or completes Incoming Feedback. This is done so that the Incoming Feedback will load as minimized immediately if the visitor navigates to another page where it is set to show.
_hjTLDTest	Session	When the Hotjar script executes we try to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
_hjUserAttributesHash	Session	User Attributes sent through the Hotjar Identify API are cached for the duration of the session in order to know when an attribute has changed and needs to be updated.
_smvs	23 hours 59 minutes	Records visitor behavior data on the web. This is used for internal analysis and web optimization.
_uetsid	1 day	This is a cookie used by Microsoft Bing Ads and it is a tracking cookie. Allows you to interact with a user who has already visited our website.
_uetvid	2 weeks	Cookie installed by Google Tag Manager to store and track visits between sites.
apbct_visible_fields	Session	Prevents spam content
apbct_visible_fields_count	Session
ct_checkjs	Session	Stores dynamic variables from the browser
ct_fkp_timestamp	Session	Stores visit time
ct_pointer_data	Session	Stores dynamic variables from the browser
ct_ps_timestamp	Session	Stores visit time
ct_timezone	Session	Stores visit time
dtCookie	Session
GPS	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
lumesse_language	50 years ago	This cookie determines language of Application Process user interface (labels, interface etc.)
MR	1 week	This cookie is used to measure the use of the website for analytical purposes.
smclient	10 years	A cookie itself does not contain any information that enables to identify contacts and to recognize e.g. personal data of the website visitor. Connection to the contact card takes place in the SALESmanago system.
test_cookie	14 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.

Cookie	Duration	Description
_fbp	2 months 28 days 23 hours 59 minutes	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
everest_g_v2	1 año	The cookie is set in eversttech.net domain. The purpose of the cookie is to assign clicks to other events on the customer's website.
fr	2 months 28 days 23 hours 59 minutes	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	2 years	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
lms_ads		It is used to identify LinkedIn members from designated countries for advertising purposes.
mid	9 years	The cookie is set by Instagram. The cookie is used to distinguish users and to show relevant content, for better user experience and security.
MUID	1 year	Used by Microsoft as a unique identifier. The cookie is set using embedded Microsoft scripts. The purpose of this cookie is to synchronize the identifier in many different Microsoft domains to allow user tracking.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
personalization_id	2 años	This cookie is set by twitter.com. It is used to integrate the sharing features of this social network. It also stores information about how the user uses the website for tracking and targeting.
uid	1 year	This cookie is used to measure the number and behavior of website visitors anonymously. The data includes the number of visits, the average duration of the visit on the website, the pages visited, etc. in order to better understand user preferences for targeted ads.
VISITOR_INFO1_LIVE	5 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC		This cookies is set by Youtube and is used to track the views of embedded videos.

Popularne kategorie