1.1 Board of directors
Consilia Asesores, S. L. Chairman and Director
(Pedro Mielgo, legal representative)
Dennis van Alphen Director
Andrew Scott Wilkie Director
Martijn Jaap Gijsbertus Verwoest Director
Jaime Francisco Fernández-Cuervo Infiesta Director
Suyu Wu Director
Romain Thierry Victor Bruneau Director
Pierre Alexandre Marie Jean Benoist d’Anthenay Director
Simon George Davy Director
María Martín Secretary (non-Director)
1.2 Executive committee
Alejandro Lafarga General Director
Rafael Fuentes Legal Director
Inés Zarauz Financial Director
David Ortiz Carreras Expansion Director
Glen Lancastle Operation Director
María Vázquez Human Resources Director
Félix Blasco Network Operations Director
1.3 Regulatory framework
In its Memorandum 4/2020, the National Commission on Financial Markets and Competition (CNMC) established the natural gas payment methodology that will bring about a new five-year regulatory period: 2021-2026. On 1 October 2021, it also established the methodology to calculate tariff rates for transport, local networks and regasification of natural gas. It was published in Memorandum 6/2020, of 22 July.
This regulatory change classes the tariff period as the gas year, which changes from being the calendar year to the period from 1 October to 30 September of the following year.
The new local network access tariff structure is also altered: it depends solely on volume of consumption and not on pressure (there is an adaptation transition for consumers, between 0.3 and 15 GWh/year, which differentiates prices by supply pressure). Access tariffs were published for the 2022 gas year in the CNMC ruling of 27 May 2021.
Additionally, with the new legislation enacted, there is also a new system of liquidations – the LIQUID system – that came into force in November 2021. This system obliges the distributor to adapt to the new requirements in stages.
Before 30 September 2021, MRG successfully met the challenge of adapting its computer systems to the structure and billing conditions for transport and local network tariffs, and other regasification costs, as a result of the new regulation. To that end a transition was carried out that did not have any impact or cause any problems for end customers, as a result of the multiple coordination meetings held with some suppliers and the lesson learned from the electricity sector.

On the other hand, and with regard to the coefficients of recognised losses, the CNMC Memorandum 7/2021, of 28 July, establishing the methodology for calculating, supervising, assessing and liquidating losses in the gas system, which also came into force on 1 October 2021, modifies the coefficients for recognised losses in distribution networks, as follows:
- For networks with a pressure equal to or less than 4 bar: 1.50% of consumption (previously 1%), except those fed by satellite plant, which remains at 2% of consumption.
- For networks with pressure greater than 4 bar: 0.38% of consumption (previously 0.39%).
1.4 Preventing criminal offences
In accordance with Organic Law 1/2015, of 30 March, Madrileña Red de Gas has a management model in place for preventing criminal offences, which includes an internal map of criminal risks and an internal prevention protocol.
In terms of adopting new measures to ensure the prevention of criminal offences, MRG has a firm commitment to adopt the appropriate risk management tools for this purpose.
In the 2021 financial year, these risk management tools were used to study the current situation of the established monitoring controls in place, analysing both their effectiveness and their degree of compliance. As a result of this analysis, an annual report is produced with the results obtained, the level of compliance and the effectiveness of the prevention system, which is submitted for approval by the governing body, along with the action plan to improve said system.
Additionally, in collaboration with an independent service provider, Madrileña Red de Gas has a complaints channel on the corporate website (https://www.canaldedenuncias.com/es/madrilena) by which any member of the organisation, regardless of their rank, responsibilities or geographic location, as well as staff from any MRG contractor or supplier, and any customer or third party, can lodge a complaint about any irregularity or unlawful behaviour, with every guarantee of confidentiality and without reprisals.
For MRG it is essential that the entire workforce is made aware of this. To that end, to help improve understanding and the extent of the management model with regard to the prevention of criminal offences, training courses are held on both general and specific topics, as per the needs detected through annual monitoring processes.
1.5 Cybersecurity
Cyber attacks are one of the largest risks that businesses face. These cyber incidents increase every year and no one is safe from falling victim to them: businesses, government, financial institutions and end users can all find themselves exposed to online threats.
MRG keeps a close watch on how cyber attacks evolve, with the aim of implementing new strategies, plans and best practices in the company to prevent and react to any security risks that arise in our IT and OT networks.
In this regard, as with most of the activities that we carry out online and/or on electronic devices, ensuring the security of our operations and generating trust among our users, suppliers and so on is a primary MRG goal. Throughout 2021 we established the following courses of action in this regard:
- Create a specialist cyber security team, backed by significant investment, to carry out the courses of action put forward in our cyber security management plan.
- Implement a model of governance consisting of cyber security specialists and representatives from all of the company’s business areas.
- Prepare a prevention and action framework to deal with threats by activating a Security Operations Centre and an events and security management solution.
- Review and improve the framework of security regulations, and formalise a security incident management framework.
- Train everyone in the company on matters of cyber security through specific courses depending on each staff member’s profile and level of risk.
1.6 Corporate risk management
Faced with the growing complexity of risks, businesses need a map of corporate risks that provides a global and shared vision of everything that could constitute a risk or a crisis. This is why implementing a corporate risk management system is one of the main challenges facing businesses, regardless of their size and/or complexity, as it enables them to improve their profitability or minimise losses in the event of any incident. Doing this requires establishing a common framework that acts as a guide when faced with risks that threaten the achievement of strategic goals. To this must be added good corporate governance and best business practices, which in the medium and long term add value for the company.

According to the internal rules of procedure at Madrileña Red de Gas, the Risks and Audit Committee, which is comprised of representatives on the Board of Directors from each of the four shareholders, several members of the Executive Committee and the Risk Management department, reports directly to the Board of Directors and operates in accordance with said rules, which define the committee’s objectives, functions and composition.
Recurring agenda topics that are discussed at the committee’s regular meetings, which are held prior to every Board of Directors meeting, consist of the following: monitoring the map of corporate risks, the most relevant risks and the established or proposed checks and mitigation plans, accounts audits, audits of the integrated prevention, environment and quality system, matters relating to sustainability, the policy on the prevention of criminal offences and cyber security risks. They are agreed on internally at the beginning of each financial year.
Being able to assess and monitor these activities in common, rather than in isolation, gives MRG a global view of what the main threats are to the company. This enables us to issue recommendations intended for risk management and/or for the Board of Directors, always with the aim of reducing the risks and turning them into actual opportunities to help ensure a sustained form of growth.
Monitoring the evolution of the risks map specific to COVID-19 also remained in place in 2021. In this case, risks of a financial nature were taken into account, as well as the potential impacts on operating margins, liquidity and credit risk, as well as risks relating to difficulties in carrying out interventions in the homes of users affected by the pandemic, the availability of resources for the continuity of operations and/or failures in the supply chain, as well as monitoring the functionality of the business continuity plan and checks to monitor the prevention of risks in the workplace.
The progressive implementation of cross-sectional risk analyses, involving MRG’s business and corporate units with the strongest ties to the affected processes, means we can anticipate the risk and ensure the strategic goals and objectives set by the company, which forms part of the agenda at regular Executive Committee meetings, incorporating information on how the risks map is evolving in the reports sent out to our shareholders.
The MRG risks map sets out the ten most common risks, which are assessed by applying risk occurrence probability criteria on a scale of one to ten, the impact of the combination of the disruption caused on the net present value (considering both the direct economic impact for the next 20 years and any possible sanctions) and the reputational impact, both on a scale of one to ten. It also adds new high-level checks to those already in place, helping to mitigate the consequences of said risks.
In comparison with previous financial years, in 2021 the risks relating to the LPG business margin and the volatility of natural gas prices acquired particular relevance, with an emphasis on perfecting their definition and evaluation according to the detailed information available on the potential consequences should they materialise. The company is also developing a strategy aimed at preventing and mitigating any potential impacts associated with these risks.
1.7 Corporate social responsibility
In 2021, Madrileña Red de Gas was awarded a five-star rating in terms of its international assessment of infrastructure sustainability by GRESB (Global Real Estate Sustainability Benchmarks), which gave MRG a score of 93 out of 100. This meant that our company has improved its global ranking position, setting the standard in this area at an international level.
Today, MRG is the second European gas distributor in international benchmarking, and stands above the average 72-point rating awarded to the more than 500 companies assessed. The company is also working to integrate the 2030 Sustainable Development Goals adopted by the United Nations into its strategy.
GRESB also granted two special mentions to MRG, in terms of “Infrastructure Asset Most Improved” and recognition as the company that has achieved most progress within its sector and its region.
This improved score in the GRESB benchmark and the five-star rating are proof of our firm commitment to implementing best practice on matters of corporate responsibility in terms of social and environmental governance, and enable us to establish a vision of both how the company is evolving with regard to previous financial years and its degree of ESG maturity, as well as setting a comparison with other companies in the gas sector.
GRESB is a worldwide sustainability index that assesses and rates the work carried out by more than 500 funds and assets in different sectors in order to promote sustainable development, based on a global standard on environmental, social and governance matters. Since 2009, this organisation has sought to assess and compare the non-financial performance of businesses and financial institutions by publishing an annual benchmark. This ranking, which is used throughout the world to measure the performance of companies with regard to sustainability, provides data that is standardised and has been validated by the financial markets.
GRESB assessments are guided by what investors and the industry feel are important issues regarding the sustainability of real estate investments, and are adapted to the Global Reporting Initiative (GRI) and Principles for Responsible Investment (PRI), among other international reports.
There was a rise in the number of businesses taking part in GRESB infrastructure assessment in comparison with the previous year. In 2021, more than 500 organisations were assessed, a response to the growing interest of investors in sustainable business models and the importance of ESG factors in the decision-making process.
Based on the formidable GRESB result obtained, Madrileña Red de Gas proceeded to conduct an in-depth analysis in order to continue to move forward. As a result of the report, it was possible to identify which improvements should be implemented in our sustainability management model based on the ISO 26001 standard that will be developed throughout 2022.
Finally, the sustainability report includes specific chapters on ESG, drawn up in accordance with the GRI standard. This report was also submitted for external verification by BVQi, and the Global Reporting Initiative (GRI) was duly informed.
1.8 Data protection
Information is one of the most important assets of any company, regardless of its size and/or activity. Businesses not only have the right to safeguard information relating to their processes and activities, they are also under the obligation to ensure that the data they hold about their customers, suppliers, investors and so on is appropriately managed. To that end, the different areas of management in the organisation that manage or handle information of this type need to be involved, implementing preventive and reactive measures aimed at preserving and protecting the confidentiality, availability and integrity of said information.
In order to protect people’s privacy and any information relating to them, the law grants citizens the power to be in control of their personal data, a fundamental right that is set out in the Constitution. This right grants people the possibility to learn and obtain information about the personal data that businesses handle, as well as to modify, correct and cancel any such information that they deem appropriate, oppose any inappropriate or excessive processing, and so on. This not only protects privacy and personal information, it also helps ensure transparency in how the information is processed and helps prevent it being accessible by third parties who could use it for other purposes.
The MRG data protection officer is the highest authority on this matter and has an active role on the Executive Committee, the Risks and Audit Committee and the Cyber Security Committee. Managing the rights of those affected, managing incidents and resolving queries, many of which relate to how current legislation is interpreted and to individuals exercising their personal data protection rights, are the most relevant activities that were carried out in 2021 with regard to data protection management.
Furthermore, in 2021 Madrileña Red de Gas decided to implement an information security management system, based on the ISO 27001 standard, an initiative that is fully aligned with the current integrated management system and which will cover the current personal data protection management model. Based on the structure of ISO management systems, this model uses existing synergies alongside the other MRG systems, which helps ensure ultimate alignment with the ISO 27001 standard. In accordance with the information security and data protection policy, the company has a management manual that has been developed according to more than a dozen personal data protection procedures, which are subject to regular revisions to ensure their content is kept up to date. By implementing the risk and impact assessment model for the different ways in which data protection is handled, data protection management has been organised according to the priorities and opportunities identified, such as, for example, the policies relating to identifying the parties concerned.
The management model also includes interacting with stakeholders by various means: making the personal data protection policy and information on how personal data is processed available on the company’s website to keep stakeholders up to date; informing users of the availability of this information in the various ways that we communicate with them; and active management of communications received by the personal data protection officer.
Actions to coordinate business activities relating to data protection with data processors, through meetings, unifying criteria and best practice agreements, are also fully integrated into the MRG management model; monitoring the data protection performance of our chain of suppliers, through the information provided by the Repro-Achilles website on the maturity of their privacy policies, as well as through the audit reports issued by the Repro-Achilles community, interaction with the Spanish Data Protection Agency (AEPD), as a result of various processes protecting the rights of the affected parties and the record of data protection incidents, investigation into which helps to bring about improvements in how information is managed.
Similarly, it is commonplace to review personal data protection clauses in service provision agreements to make any adjustments that may be necessary to ensure a base level of alignment with our policy.
A significant increase of queries about personal data protection was recorded in 2021 compared with previous years. Nine personal data protection incidents were recorded; none of them led to a breach of data protection security, but the investigations carried out made it clear that improvements needed to be incorporated into how personal data was managed and processed. Furthermore, the courts rejected the only sanction proposed by the AEPD relating to data protection that has been recorded since the company began.
Finally, and with the aim of promoting our internal data protection culture, the MRG internal regulation library released information on revisions and updates made over the course of the year, ensuring that the documentation it contains is kept up to date.