Risk Governance Model

The EDP Group adopts a widely recognized risk governance model based on the three lines of defences, which can be, in certain situations, supplemented by a fourth line through external audit and regulatory supervision . Each line of defence has defined entities and forums at Corporate, Platform, and Regional levels to ensure coordination, avoid overlaps, and promote collaboration.

The Three Lines of Defense Risk Governance Model

The diagram shows three lines: Business, Risk, and Audit, with external auditing and regulation or supervision shown in vertical side columns. At the bottom, Operative Committees and Risk Committees feed into EBD and then GSB through FMC.

1st line: Business
(responsibility for risk)

2nd line: Risk
(risk analysis & monitoring support)

3rd Line: Audit
(independent supervision)

4^th Line:
External Supervision

Mission

Rational

Involved
areas
(not
exhaustive)

Daily running business, including proactive management of risks, aligned with established risk policies.

Support in the identification, analysis, evaluation and monitoring of risk (to support business).

Performance and coordination of auditing exercises, seeking improvement of risk management, control and corporate governance processes.

Those who benefit most from risk-taking are those who should be held accountable for their risks

Given the tendency to encourage business risk-taking, it is advantageous to have a specialised and independent risk function

It is advantageous to have an independent entity responsible for verifying and evaluating the risk management and control processes

Platforms and Regions
Business Enablement Functions (with decision responsibilities)

Risk
Ethics & Compliance
Investor Relations & ESG
Safety, Security & Business Continuity

Internal Audit

External Auditing

Regulation/ Supervision

Operative Committees

Risk Committees

EBD

GSB through FMC

Risk management is embodied by the Risk Business Enablement Function (Risk), encompassed by overarching Centres of Excellence (CoE) and Platform Business Partners (BP), ensuring fluid articulation and communication throughout EDP regarding the main sources of exposure and risk mitigation measures. Additionally, Regional focal points are also defined to ensure an overarching perspective of the risk of each region and serve as a link to the Region organization.

Corporate Functions

The structure starts with Risk Leadership, CoE Corporate, CoE Counterparty, CoE Financial and Region Focal Points. These connect to an Executive Board of Directors circle and to a central Executive Board of Directors block with Risk Monitoring Committee and Financial Risk Committee. The bottom layer has four MT blocks connected to four BP RISK blocks through dashed upward reporting arrows.

Hierarchy and reporting structure:

Top governance:
- Risk Leadership
- CoE Corporate
- CoE Counterparty
- CoE Financial
- Region Focal Points
Executive governance:
- Executive Board of Directors
- Risk Monitoring Committee
- Financial Risk Committee
Operational layer:
- MT Renewable Generation Assets with BP RISK Renewable Generation Assets
- MT Client Solutions with BP RISK Client Solutions
- MT Global Energy Management with BP RISK Global Energy Management
- MT Global Business Services with Insurance
Line meaning:
- Solid arrow: single reporting
- Dashed arrow: double reporting
Abbreviations:
- CoE means Centre of Excellence
- BP means Business Partner
- MT means Management Team

RISK Leadership

CoE Corporate

CoE Counterparty

CoE Financial

Region Focal Points

Executive
Board of
Directors

Executive Board of
Directors

Risk Monitoring
Committee

Financial Risk
Committee

MT Renewable
Generation Assets

MT Client Solutions

MT Global Energy
Management

MT Global Business
Services

BP RISK Renewable
Generation Assets

BP RISK Client
Solutions

BP RISK Global Energy
Management

Insurance

Single reporting
Double reporting

CoE Centre of Excellence
BP Business Partner
MT Management Team

Moreover, the group has several Risk Committees, where top management and relevant specialists meet to examine, discuss, and advise on key risk exposures for the group, their limits and mitigation actions.

The risk management strategy encompasses structured support for articulating and analysing risk‑return trade‑offs, including the organisation’s risk appetite, to inform key management decisions. It also involves the periodic review and update of the Risk Appetite Statement, which is formally approved and disclosed in the Annual Integrated Report, as well as the regular revision of specific risk management policies to ensure their continued adequacy and alignment with the organisation’s strategic objectives.

Download the PDF below for a detailed description of EDP Group’s competent bodies, their respective responsibilities, and the Risk Committees.

EDP Group's Risk Governance Model

PDF . 158.86 KB

Risk Governance Model