Ferrovial has a Risk Management and Control Policy, approved by the Board of Directors, which sets out the general framework for the management and control of various types of risks that the management team may encounter to attaining the business objectives, as well as the acceptable risk and the level of tolerance for each risk factor.

The Board establishes and periodically reviews the risk appetite. The last update was carried out in July 2021.

EFFECTIVE RISK MANAGEMENT. FERROVIAL RISK MANAGEMENT

The company has a risk identification and assessment process called Ferrovial Risk Management (FRM), managed by the Compliance and Risk Department, promoted by the Management Committee and implemented in all the company’s business units, under the regular oversight of the Board of Directors’ Audit and Control Committee.

Through applying common metrics, the process allows for early detection and assessment of risk events based on their likelihood of occurrence and potential impact on business objectives, including corporate reputation. This enables Ferrovial to roll out the most appropriate mitigation measures according to the nature of the risk.

For each risk event identified, two assessments are carried out: one inherent, before the specific control measures put in place to mitigate the risk, and another residual, after implementing specific control measures.