Main Risk Management Activities

Recurring activities

Recurring risk management activities and examples.
Risk management area	Recurring activities and examples
In-depth knowledge about key main sources of risk exposure	Development of the risk map with the main risks for the following year and the Business Plan horizon, with updates for the main risks during the year Quantitative analysis of exposures (based on expected loss and maximum loss) Development of the climate risk assessment Presence at national and international forums on risk management
Definition of risk management strategy	Support for explaining and reflecting on risk-return trade-offs (and risk appetite) in key management decisions Periodic updating of the risk appetite statement, formalised and disclosed in the Annual Report and Accounts Periodic updating of specific risk management policies
Active participation of risk in key management decisions and processes	Risk advice on the Business Plan and Budget exercises Support for investment decisions, including participation in the Investment Committee and definition of contingencies and stressed scenarios Support in defining coverage strategies for key exposures Analyses and advice on topics with possible impact on the Group's risk profile Follow-up and control of key exposures (through periodic reports at group level and for the most relevant Platforms) Periodical Risk Committees (for debate of key sources of risk exposures and treatment measures) Annual renewal of insurance programs
Formalisation of the risk governance model	Updating the EDP Group's risk management policies and principles
Promoting a solid risk culture throughout the organisation	Carrying out a wide range of awareness initiatives, adapted to the different target audiences: Training on risk issues and new trends in risk management at the Annual Meeting of the Audit Committees, for members of the General and Supervisory Board Specialised courses for all employees (e.g., ethics, health and safety, cyber security) Annual Risk Summit to promote a risk culture and train risk teams, as well as members of the Risk Committee (such as Internal Audit) and members of the General and Supervisory Board Programme to boost the EDP Group's network of risk teams: annual planning meeting, sharing of information in the Enterprise Risk Management Repository, quarterly masterclasses and participation in Risk Committees Presentation of the Risk Plan each year to the Board and the regional Management Teams Implementation of quarterly townhalls with all members of risk teams

Monitoring Risk

The EDP Group has a comprehensive risk monitoring framework to protect its operations and investments, with regular reporting to the Executive Board of Directors and Risk Committees.

At the forefront of this strategy is the annual risk mapping, complemented by quarterly updates, to identify, quantify and prioritise risks across all risk taxonomy. The quarterly risk appetite dashboard is another vital tool to evaluate risk exposure by comparing Key Risk Indicators against limits defined in the Risk Appetite Statement.

To reinforce the risk monitoring infrastructure, the EDP Group has several regular dedicated quarterly risk committees, namely Global Risk Committee, Risk Monitoring Committee and Financial Risk Committee. These committees are essential for monitoring risk exposure, setting risk mitigation policies and measures, and reviewing new analysis and policies. In addition, there are Platform-level reports monitor operational risk metrics, with some being updated daily.

Developments in 2025

Key developments in risk management areas.
Risk management area	Key developments
In-depth knowledge about key main sources of risk exposure	Finalization of in-depth analysis of the main IT/ OT risks Finalization of in-depth analysis of the main operational risks Close monitoring of potential impact of tariffs and geopolitical risks In-depth analysis of storage risks Implementation of external tool for Climate Risk quantification leveraging an external tool
Definition of risk management strategy	Creation of a market risk policy for the retail business Individual risk policies update (Energy Markets risk, Financial Risk Policy, Counterparty Risk Policy, Operational Risk Policy, Country Risk Policy, Investment Risk Policy) Development of an analysis of the current and future contracted profile Development of Net Profit Hedge framework
Active participation of risk in key management decisions and processes	Standardization of risk investment inputs, namely contingencies for CAPEX (Main Equipment and BOP/BOS) Introduction of an ESG framework analysis in new investments leveraging an external tool Creation of investment guidelines for storage
Formalisation of the risk governance model	Updating of EDP Group's Enterprise Risk Management
Promoting a solid risk culture throughout the organisation	Development of several sessions dedicated to risk for senior management (executives and non-executives): Global Risk Committees dedicated to analysing the main risk issues with senior executive management; Risk Monitoring Committees to review key risk exposures and to report on the status of all risk limits; participation in sessions of the Financial Matters Committee, plenary sessions with the General and Supervisory Board and sessions of CAN

The Internal Audit Business Enablement Function, as the third line, performs internal audits on the group´s processes that manage, control and monitor the different risks it faces. To do this, annually, it decides which audit activities should be part of the next year´s activity plan, based on, among other things, the inputs and concerns of the first and second lines. In this regard, for 2025, the Internal Audit Business Enablement Function did internal audits to the risk management process, carrying out specific assignments regarding core risks impacting the activity of the platforms and regions, of other business enablement functions and of global business services, covering topics such as energy management, investment projects, counterparty risk, regulatory reporting or Cybersecurity. In addition, Internal Audit monitors the degree of implementation of the set of recommendations pending implementation issued in 2025 and before, also verifying their effective implementation when they are reported as implemented. The Head of the Internal Audit Business Enablement Function is part of the Risk Committees, thus facilitating the monitoring of projects carried out by Risk.

Risk regularly meets with the General and Supervisory Board (GSB) and the Financial Matters Committee (FMC) to monitor the effectiveness of the risk management system. The Financial Matters Committee defines in its annual planning sessions dedicated to monitoring the main exposures and risk management issues, addressing matters related to strategic, ESG, business financial, counterparty and operational risks. In 2025, Risk had two meetings with the General and Supervisory Board, two with the Financial Matters Committee, one with the USA Business Affairs Monitoring Committee (CAN), and the yearly meeting of the Audit Committees, addressing several risk issues, namely the monitoring of EDP’s main exposures and Key Risk Indicators (KRIs), an overview of the Risk execution plan (financial and non-financial risks, including LT contracted profile analysis, risk analysis on BESS, net profit hedge, BOP/BOS and main equipment) and RISK strategic priorities for 2026

Priorities for 2026

Risk management priorities for 2026.
Risk management area	Priorities for 2026
In-depth knowledge about key main sources of risk exposure	Close monitoring of risk between FID and COD for selected projects Development costs: Risk mapping and risk management framework In-depth analysis of retail market liberalization in Brazil In-depth analysis of B2C risk in Portugal
Definition of risk management strategy	Creation of Insurance Management Policy Update of individual risk policies (Financial Risk Policy and Counterparty Risk Policy)
Active participation of risk in key management decisions and processes	Definition of CAPEX contingencies for Transmission and COD buffer for all businesses Revision of decommissioning assumptions for new investments Definition of framework for hedging merchant in medium/long-term Detailed analysis of operational exposures and identification of gaps in existing mitigation measures
Formalisation of the risk governance model	ERM maturity assessment
Promoting a solid risk culture throughout the organisation	Risk Culture Training program (within and outside Risk department)

EDP’s external audits also contribute to assess the degree of internal compliance with the risk management system. The last external audit took place in 2022 and focused on assessing the level of maturity of the Enterprise Risk Management system at Group and Business Unit levels. A new external audit to the risk maturity is being conducted and is expected to be closed in the first semester of 2026.

Main Risk Management Activities