The Risk Control and Management System at Indra is a process driven by the Board of Directors and Senior Management, the responsibility of each and every member of the company, which aims to provide reasonable security in the achievement of the established objectives, providing value and an appropriate level of guarantees to shareholders, other stakeholders and the market in general. In order to develop the aforementioned commitment, the Board of Directors, through its Audit and Compliance Committee, supervises the adequacy of the system of evaluation and internal control of the relevant risks.

As part of the publication of the consolidated annual accounts and the interim report at the end of the first half of the year, Indra updates and publishes information on the company's exposure to risks. All this information is supervised and approved by the Audit and Compliance Committee and the Board of Directors.

The process of drawing up the Risk Map includes a prior review of the Risk Catalogue, as well as an analysis of possible emerging risks of an internal or external nature that may affect the Group. Subsequently, the risks are assessed and prioritised by management and each of the main risks on the Risk Map is associated with mitigation plans established as a response measure, which have been defined by the owners of the risks. The Global Risk Map report is submitted to the Risk Coordination Unit (RCU) and senior management for validation and is subsequently submitted to the Audit and Compliance Committee and the Board of Directors as a support tool to facilitate the exercise of their responsibilities related to risk management and control.

As a result of the latest update of the risk map, Indra has identified talent, supply chain and information security as some of the highest priority risks for the organisation.

For those risks that are exposed to a higher level of volatility, the company carries out sensitivity analyses or stress tests to determine the potential financial impact on the company under extreme conditions. This type of analysis is applied to financial and non-financial risks such as interest rates, exchange rates, solvency, investments, project execution, supply costs, litigation, taxes, regulatory changes and asset valuation, among others. The Group's Risk Control and Management Policy is aimed at achieving a moderate risk profile through appropriate management. The tolerance framework is established around guidelines, rules and procedures to ensure that this management environment keeps risks within acceptable levels. The Group does not seek to eliminate all risks, but rather to assume a prudent level that allows it to generate recurring and sustainable value, optimise opportunities while maintaining acceptable levels of risk. At the global level, the risk tolerance framework is set out in the overall risk assessment methodology. This methodology includes the use of semi-quantitative scales to determine different levels of risk, in terms of probability and impact on revenues/contracting, cash/EBITDA, strategy and reputation. Likewise, the Risk Control and Management Policy details the risk criteria that define tolerance by risk category.