At Madrileña Red de Gas we are fully aware of the importance of managing our risks in order to carry out adequate strategic planning and achieve the objectives established, which is why we have a solid Risk Management Model.
The main objective of this model is to help identify events and to evaluate, prioritise, respond to and monitor Risks that may prevent the achievement of the company’s strategic vision and the annual objectives approved in the MRG Business Plan and Budget. This is a key tool for managing uncertainty in the area divisions and departments at MRG.
The entire organisation at MRG is responsible for Risk Management in its corresponding field, and relevant information should be channelled in order for this to be adequately managed.
There are two main types of Reporting relating to Risk Management at MRG:
The Audit and Risks Committee reports directly to the Board of Directors and operates in accordance with the provisions of its internal operating regulations, mainly performing the following:
- An analysis of MRG’s critical risks, ensuring that the company’s Risk exposure is consistent with the strategic positioning required at all times and, where appropriate, promoting specific Action Plans.
- Identifying Best Practices in the field of Risk Management and applicable to MRG, being responsible for the Continuous Improvement of the Function.
Said committee comprises representatives from the Board of Directors of each of the four shareholders, various members of the Management Committee and the Risk Management Department.
We have developed an in-house methodology at MRG for risk assessment. Taking as inspiration an integrating vision of Risk Management, we have adopted a methodological approach inspired by “Enterprise Risk Management” (also known as COSO II), which allows additional added value to be provided to all stakeholders while allowing us to identify, create, capture and sustain the value of business Risk Management.
The MRG Risk Map currently contemplates the ten most common risks, which are evaluated applying a criterion based on:
- The probability of occurrence of a risk on a scale of one to ten.
- The impact of the combination of the effect on current net value and on reputational impact, both on a scale of one to ten. The effect on the current net value considers both the direct economic impact for the next twenty years and any possible sanctions.
The result of said evaluation gives our Risk Map, which identifies those critical risks for the organization, which must be the 10 most significant ones, ordered from highest to lowest.


Compared to previous years, in 2022 the risks related to cybersecurity, the volatility of natural gas prices and permanent losses in the gas balance, as well as the interest rates of debt refinancing, have increased in relevance as a new added risk, the definition and evaluation of which has been perfected as detailed information on the potential consequences that may occur should they arise has become available.
As in previous years, the greatest risk for MRG is clearly the regulatory risk.
5.1 Regulatory risk
The distribution of natural gas is a regulated activity, therefore at MRG we are continually exposed to changes in the distribution model and possible market restrictions. As a result, we are faced with the following risks:
- The European, national and regional requirements that adaptation to climate change entails make it difficult for the company to comply with all applicable laws and regulations. The strong regulatory push for “green energy” is advancing more slowly than the technical development offered by the sector, thus jeopardising MRG’s ability to contribute to net-zero objectives.
One of these new regulatory requirements is the modification of Regulation 2019/942 of the European Parliament and of the Council, which creates the European Union Agency for the Cooperation of Energy Regulators, on the reduction of methane emissions, which is scheduled to enter into force in 2023.
This modification implies a risk due to the greater requirement of methane emission regulations, as well as a significant economic impact, due to the additional capital expenditure that we would be obliged to carry out to comply with said regulations.
At MRG we are actively following the changes in the draft of said regulation, jointly and with an open dialogue with Sedigas. In addition, pilot studies are being carried out in the field with additional activities to identify methane leaks, with the objective of determining variations in the number of leaks identified and the civil works needed to repair them.
- Another risk whose relevance has increased during this financial year is the permanent loss in the gas balance arising from measurement differences, in terms of both volume and price.
To combat the impact of this risk, MRG has implemented the Dark Gas Project to mitigate fraud, and is holding talks with the National Market and Competition Commission (CNMC) to promote an increase in the percentage measurement differences allowed.
In this sense, and related to this risk, in 2022 the CNMC has approved two resolutions that will encourage gas system agents to manage their imbalances (differences between gas inputs and outputs) at the Virtual Balance Point (PVB) in a more active manner and, in addition, they will allow the gas accumulated in the loss balance account to be used to cover the operating gas purchasing needs of Enagás, the technical manager of the system.
These two resolutions promote the participation of agents in the market and improve the economic sustainability of the gas system.
- Another of the new requirements that will be applicable to MRG is the Draft Law that regulates the corporate information framework on environmental, social and governance issues, a rule that will transpose Directive 2022/2464, regarding the presentation of information on sustainability by companies, known as CSRD, into the national legal system.
MRG will be obliged to report on how the group’s activity affects sustainability, which is taken to include environmental, social, human rights and governance factors, including all information related to personnel and the fight against corruption and bribery.
In this sense, in recent years we have made progress in said ESG-related information reporting with the preparation of our Sustainability Reports, such as this one, although we will study in advance all those modifications and new requirements, adapting ourselves to the requirements of said law.

5.2 Climate change and the energy transition: our main challenge
Our aim at MRG is to be a company clearly committed to the fight against climate change and provide solutions to society.
The adverse effects resulting from climate change and the energy transition imply risks for the installations, and for MRG’s business, from three perspectives:
- Risks for the company due to emerging regulations, new requirements and social awareness of the necessary energy transition.
- Risk to the business due to increasing temperatures and new consumption habits, which affects gas consumption.
- Risks or impacts that the meteorological effects derived from climate change may have on our installations.
The result of the evaluation is medium risk in both perspectives, after analysing the probability and value of the impact.
We want to turn the current risk that the energy transition may represent into an opportunity for the company; be prepared for regulatory and market changes, and gain a reputation among the public, collaborating with them to achieve cleaner cities and clearly investing in renewable energy alternatives, such as hydrogen.
At Madrileña Red de Gas we are working along several lines aimed at fighting climate change.

A detailed description of the above projects and strategies, together with other initiatives undertaken by the company to combat climate change and its possible physical risks, are included in the Sustainable Business and Environmental Impact sections of this report.
5.3 Economic, financial and fiscal risks

The volatile economic situation and economic slowdown that we are experiencing, together with the increase in inflation and interest rates, make it difficult for MRG to efficiently manage cash flows and obtain financial resources, thus hindering the achievement of its strategic objectives, investment, the ability to carry out projects and meaning that the company has to face the following risks:
- Due to the increase in uncertainty and the evolution of energy prices, the volatility of gas prices may mean that our customers are not able to deal with the new cost of gas, therefore MRG has established a short- and long-term strategy to mitigate said impact.
The probability of this risk has slowly decreased as the market has adjusted to the new prices.
- Another of the risks to which we are exposed is the interest rate risk in each refinancing period, which is a result of the increase in market interest rates, with the impact being calculated for those bonds to be refinanced in 2023 and 2025. We are analysing interest rate hedging options for the next round of refinancing in order to mitigate this risk.
- In addition, the update of the CPI rates, considering the rates published by the European Central Bank in September 2022, shows a possible economic impact, due to the rise in prices and the increase in inflation. Although most of MRG’s contracts are not subject to CPI indexing, some suppliers are pushing to renegotiate those prices. To mitigate this impact, at MRG we attempt to negotiate to reach agreements that are beneficial for both parties.
To manage the risks mentioned above, as well as to guarantee the correct economic and financial management of the company, at MRG we have different formally established procedures and methodologies. In addition, these risks, along with others relevant to our business, as well as our legal compliance in economic and financial matters, are evaluated as part of our annual audit of accounts.
5.4 Integrity of assets and management of critical incidents
At Madrileña Red de Gas we are fully aware of the importance of the prevention, evaluation and control of incidents and accidents that can seriously damage both health and the environment, as well as the economy of communities and infrastructures. As such, we have two robust and consolidated Management Systems, which cover 100% of the company’s activities.
- An Integrated Management System certified as per the following international standards:
- UNE-EN ISO 9001:2015 Quality Management Systems
- UNE-EN ISO 14001:2015 Environmental Management Systems
- UNE-EN ISO 45001:2018 Occupational Health and Safety Management Systems
The Integrated Management System Committee is the maximum authority as regards aspects related to quality, the environment and health and safety.
- A Serious Accident Management System, which interprets and incorporates the requirements of Royal Decree 840/2015, which approves control measures for the risks inherent to serious accidents involving dangerous substances (more commonly known as SEVESO regulation).
The Serious Accidents Prevention Committee is the maximum authority as regards the prevention of serious accidents.
Incorporated into the aforementioned systems, the mechanisms that we have at MRG to deal with risks that may damage our physical and human assets, as well as the environment that surrounds them, are the following:
Operational control
At MRG we identify those operations and activities that are associated with the hazards for which the implementation of controls to manage the risk is necessary.
This control of our processes is carried out following established procedures, continuously supervising their state of execution through a complete control panel of process indicators (KPIs) in different areas:
- Cante comercial
Report showing the evolution of the commercial registrations by pressure type.
- List of KPIs Committee
Summary of the evolution of the general KPIs at Madrileña Red de Gas.
- Operational report DO, Complaints and Registrations
Includes an operational report of the domestic operations, complaints and registrations operations at MRG.
- Analysis of historic complaints
Includes an evolution of the complaints from the origin of MRG to the date of the report (volume, costs, departments, etc.).
- Maintenance report
Includes the operational and economic analysis of the maintenance operations at MRG.
- Operational reading report
Follow-up of closure of VO complaints, Platform and TPA per day, by department.
- Daily monitoring SLA
Follow-up of the closure of VO, Platform and TPA complaints in one day, by department.
- Surveys
Results of surveys corresponding to the fieldwork analysis questions defined by the contract SLA.
- Overall ranking of PI inspectors
This report provides the positioning of the different PI inspectors based on their field-work efficiency.
- Call analysis by PI phase
Analysis of calls received compared with PI phase in which said call is received (periodic inspections).
- Operational PI report
Includes the operational analysis of the periodic inspections operations at MRG.
- General and IT expenses
Summary of the general expenses at MRG by category and department.
Preventive control
At MRG we implement, organise and execute the controls and/or preventive measures needed to correct the risks identified in terms of Health and Safety, and perform periodic monitoring, in order to guarantee a correct application of the preventive management defined in the company and avoid damage to the health of our workers.
The results of said management in 2022 can be seen in detail in the Health and Safety section of this report.
Industrial safety and serious accidents
To contend with the risks that may affect our facilities, at MRG we carry out a series of specific actions, both in our LNG plants, conventional LPG plants, and those LPG plants affected by Royal Decree 840/2015.
These activities include:
- Regulatory inspections and audits
- Drafting and revision of the pertinent Emergency Plans and Self-Protection plans
- Performance of drills
- Verification of explosive atmospheres (ATEX)
- Annual visit from a safety adviser for the transport of dangerous goods by road (ADR)
- Inspections of fire protection systems, as indicated in Article 20 of R.D. 513/2017
Industrial safety and serious accidents
As indicated in the Environmental Impact section of this report, the accident scenarios with environmental damage associated with MRG’s installations are mostly forest fires. In the case of THT, diesel oil and antifreeze, they also involve additional scenarios such as soil and/or water contamination and discharges into surface waters.
Given this information, and taking into account that reparation measures are only adopted once the specific damage has occurred, proposing specific reparation measures in each case, the measures available at MRG’s installations and activities can be summarized as follows:
- Preventive measures against forest fires
- Measures based on emergency, safety and/or self-protection plans
- Specific measures found in each type of activity/installation
Emergency management
At MRG we watch over and take care of our physical assets, carrying out the necessary preventive and corrective maintenance, providing the optimal conditions in our influencing, maximizing the correct functioning of equipment and guaranteeing the supply to our customers, as indicated in the Reliability and continuity of supply section.
We also have the necessary tools to prevent and reduce the eventual impact derived from potential accidents and emergency situations. To that end, we identify two possible emergency situations.



To manage communication in the event of a serious contingency, there is a “Manual for communication management in crisis situations”, which defines the protocols that must be followed by those responsible for the different business areas and the procedures for correct management of the incident by the Crisis Committee.
5.5 Cybersecurity and management of risks when treating information
One of the main challenges for large organizations is to protect the information they handle on a daily basis. Nowadays, companies must face malicious attacks from individuals trying to find weaknesses to access information systems.
At MRG we are fully aware of the risks involved in the integration of technology into business processes, the large-scale implementation of remote working, the large-scale migration of data to the cloud and security in the supply chain, therefore we have a complete Information Security System that manages cybersecurity-related risks.
5.5.1 Information Security and Personal Data Protection
In 2022 Madrileña Red de Gas completed the implementation and certification of its Information Security Management System, as per ISO 27001, a model that is fully aligned with the current Integrated Management System and in the scope of which the Personal Data Protection Management model has also been included.
Madrileña Red de Gas has appointed a Data Protection Officer, who is the highest Authority in the matter and has a seat on the Management Committee, the Audit and Risks Committee and the Cybersecurity Committee. In addition, a person responsible for the Information Security management system has been appointed, along with a person in charge of Technical Security, who is supported by a team of administrators.
We have established a Management of Risks in the Treatment of Information methodology that includes both a determination of the company’s assets and the assessment and evaluation of threats and an analysis of risks and their management at acceptable levels, establishing a process review to ensure its continuity over time.
We have identified 11 groups of assets, which are broken down into 111 types of assets, and have assessed the criticality of each of them based on their confidentiality, integrity and availability, to subsequently assess risk as a combination of the criticality, probability and impact.
Similarly, the Information Security Management model contemplates an interaction with interested parties in several ways:
- Publication of the information security and personal data protection policies, as well as information regarding the processing of personal data intended for interested parties, and whose dissemination is also reinforced through the various communications that are delivered to users, on the website.
- Active management of the personal data protection officer’s mailbox, which has received a significant number of requests.
- Employee training and awareness activities.
- Interaction with organisms and authorities, such as the National Data Protection Agency (AEPD) and the National Cybersecurity Institute (INCIBE).
As relevant novelties with respect to previous years, it is worth mentioning the following:
- Identification of the most sensitive suppliers from the point of view of information security, classifying them according to IT risk, determining the criticality of the supplier as regards the activity carried out for MRG, as well as the type of activity and of access to information. As a result, they have been classified into three types:
- A new personal data protection training course in which the new aspects of this legislation published over the past few years are discussed, aimed at the entire company workforce, and which at the end of December had been completed by 58% thereof; it is to be continued into 2023.
5.5.2 Cybersecurity
The World Economic Forum (WEF) continues to define cyber-attacks as one of the most probable and highest-impact risks for institutions and companies, therefore it is essential to place cybersecurity among its priorities, the main focus being the provision of cyber-intelligence, in real-time, to technical and human resources.


To assess our level of maturity in Cybersecurity, two evaluations were carried out in 2022:
- Evaluation of the maturity level based on Deloitte’s CyberIndustrial Strategy Framework (CISF) v2.0
The objectives of this evaluation include a review of projects established in the Master Plan, evaluation of the Cybersecurity maturity level itself, a Benchmarking of the current position of MRG within the sector, as well as the identification of the objective maturity level, strengths and weaknesses and definition of the Action Plan to achieve said objective.
- Re-evaluation of the maturity level of the OT (Operational Technologies) environment using the C2M2 standard
Following completion of the second evaluation of the maturity level of the OT environment (carried out in 2019), using the C2M2 standard, Logitek has been requested to carry out a re-evaluation using the same standard, taking into account the results presented during the second evaluation and the set of activities carried out by MRG to increase its current level of maturity.

The efforts made over the past three years have borne fruit. The evaluation obtained in this financial year is much better than that obtained previously. The effort made over this period to create and document various documents, policies and procedures to define the governance of cybersecurity is noticeable.
Once the previously mentioned audits had been carried out, the following Cybersecurity Action Plan for 2022 to achieve the established objectives was defined, showing at the same time its degree of compliance.

This plan has allowed us to improve the prevention and action lines by following best practice in cybersecurity, with actions including:
- Network penetration tests: “Pentesting” is a technique based on simulating the role of malicious users using the same techniques in order to discover possible vulnerabilities that can be exploited to access unauthorized information. Of the 78 services analysed, eight vulnerabilities, none of which were critical, were found.
- Simulation of incidents and disaster recovery: simulation of a ransomware attack on a company computer or server, with the aim of minimizing the effects of a disaster or event and being able to quickly regain control.
- Study of exposure and sale of credentials: investigation related to the overexposure of information associated with assets of Madrileña Red de Gas on the internet with the aim of identifying possible vulnerabilities or unduly exposed services.
- Phishing simulation: to check the level of maturity of users and whether they have internalized the desired behaviour in the event of this type of attack. This campaign includes the sending of malicious emails impersonating Google in order to harvest user credentials.
- Training and awareness: awareness of cybersecurity is essential for MRG. To that end, we have launched a new training plan to help raise awareness of the risks that exist in the digital world and prevent any attempted cyberattack, both in the professional and personal environment.
Our goal is for all MRG employees and collaborators to be the first line of defence against cyber threats, in order to guarantee the security and protection of all our information.
This is a dynamic plan adapted to the profile of each user, with multimedia content, and which, through videos and interactive games, ensures that all users are in continuous training and alert by spending just a few minutes a week.

All the above is reinforced with informative campaigns related to cybersecurity that establish the training content and raise awareness to the highest level.
Among others:
Discover the imposters:
The space ship needs your help to return to Earth. Demonstrate your cybersecurity knowledge.
You learn to identify phishing:
We teach you some tips to analyse the emails you receive every day.
The time machine:
Travel through time testing your understanding of cybersecurity.
Do you know how to create a safe password?:
Learn to detect the most common errors when choosing your password.

Conclusions
- 16% of users (22) clicked the link.
- 6% of users (8) shared their credentials (36% of those who clicked).
- 112 of the 134 users did not click the link or enter credentials.
- Similarly, many employees were able to spot warning signs on the landing pages, as not everyone who clicked entered their credentials.

5.5.3 Information Security in figures
In addition to the information provided above, some of the main indicators used as a reference for the Information Security Management System are described below, comparing them only with the previous year in which their measurement began.