This complicated year 2022 has brought with it regulatory changes related to gas supply prices, as well as improvements for the sector in the management of its imbalances.

In addition, MRG has made a great effort in Information Security and Personal Data Protection, certifying our system according to the ISO 27001 Standard and carrying out an ambitious and robust Cybersecurity plan, one of our main risks.

On the other hand, regarding the GRESB Infrastructure Sustainability Index, we have once again obtained the highest “Five Star” rating, with a more than excellent result in this international benchmarking; we obtained the second position as a gas infrastructure company at a European level and the first position in Spain.

Board of Directors and Management Committee

Board of Directors

 

Management Committee

 

Regulatory Framework

The Spanish National Markets and Competition Commission (CNMC), in the development of the supervisory functions of the energy markets, approved Circular 4/2008, for the request for supply prices of the Spanish wholesale gas market, which has facilitated the supervision of the natural gas sector, as well as the preparation of a reference index for consumers and users of the cost of gas supply in Spain, published since then by the energy regulator.

After more than ten years of validity, it is necessary to replace Circular 4/2008 with a new text better adapted to the reality of the gas market, both in terms of the information required and the formats in which it is sent. In this way, during 2022, the CNMC published Circular 1/2022 on natural gas and renewable gas supply prices.

The purpose of this Circular is to gather precise information on supply prices for liquefied natural gas, natural gas and renewable gases, as well as information from the obligated parties that act in the wholesale gas market.

During 2022, the Spanish National Markets and Competition Commission (CNMC) adopts several measures that improve the operation of the gas system.
On the other hand, during 2022, the CNMC has also approved two resolutions that will encourage gas system agents to manage their imbalances (differences between gas inputs and outputs) at the Virtual Balancing Point (PVB) in a more active way (RDC/DE/001/22) and will also allow the gas accumulated in the shrinkage balance account to be used to cover the operating gas purchase needs of Enagás, the system’s technical manager (RDC/DE/002/22).

• The first of the approved resolutions modifies the Resolution of July 1, 2020, of the CNMC, which approves the methodology for calculating daily imbalance tariffs. In particular, it establishes a method for calculating imbalance tariffs at the Virtual Balancing Point (PVB) that better reflects the gas price on the imbalance day. These measures will decrease the number of balancing actions on the organized market by the technical system manager and lower the cost of operating the gas system.
• The second resolution allocates the gas in the system’s shrinkage balance account to cover the needs of the technical system manager for the purchase of operating gas. This will facilitate a more efficient operation of the facilities, since this gas can hinder the use of the available capacity of the facilities, and the operating costs of the gas system will also reduce.

Además de lo anterior, a finales de año, la a CNMC aprueba la Resolución por la que se establecen los valores de los peajes de acceso a las redes de transporte y distribución de electricidad para 2023. (RAP/DE/009/22).

In addition to the above, at the end of the year, the CNMC approves the Resolution establishing the values of the access tolls to the electricity transport and distribution networks for 2023. (RAP/DE/009/22).

In particular, the part of the transport remuneration considered in the calculation of the tolls for the year 2023, is 6.7% lower than that considered in the calculation of the tolls for the year 2022, as a result of a 3.6% reduction in remuneration and the imputation of the deviations for 2021.
In turn, the remuneration considered in the calculation of distribution tolls is 3.8% lower than that considered in the calculation of tolls for 2022, as a result of a 2.5% increase in distribution remuneration, offset by the allocation of deviations for 2021. Source: https://www.cnmc.es/.

Prevention of criminal offenses

The Madrileña Red de Gas Crime Prevention Risk Management System is based on the general principles of legality, due diligence, integrity and responsible leadership, compliance monitoring, review and updating, and systematic risk management adapted to the changes.

In accordance with the provisions of Law 1/2015, which again modifies the Criminal Code and further regulates the criminal liability of legal persons, establishing the duty of commercial companies to implement effective crime prevention measures in their organizations within the scope of their activity, Madrileña Red de Gas has a robust Criminal Offenses Management System, which is composed of a Crime Prevention Policy, a criminal risk map and its own prevention protocol, being the Criminal Compliance Officer responsible for said system.

The performance controls determine what information is required and the way to act in the event of situations involving non-compliance with regulations and/
or practices contrary to the values and principles established in the Code of Ethics and in the MRG AntiCorruption Policy.

In this regard, MRG has a Complaints Channel (managed by an independent provider) through which anymember of our organization, regardless of their rank or responsibilities as well as any customer, supplier or third party is allowed to Report any irregularity or behavior contrary to the law, or to the rules and procedures established by the company, with the maximum guarantees of confidentiality and non-retaliation.

During the year 2022, the risk related to the crimes included in the company’s risk map has been evaluated again, in order to detect behaviors that may involve a violation of the corresponding regulations and that may entail some responsibility. As a result of this evaluation, the annual compliance review report and the annual action plans are prepared with the needs detected. In addition, we have continued to provide the relevant training on the prevention of criminal offenses, which is currently provided upon incorporation to the company as part of the induction plan.

Corporate risk management

The Risk Management philosophy of Madrileña Red de Gas is the set of shared beliefs and attitudes that characterize how Risk is contemplated in the company, from the development and implementation of the strategy to its daily activities.

It reflects the company’s values, influences its culture and operating style, and affects how the components of risk management are applied, including the identification of risks, the types of risks accepted and how they are managed.

MRG is aware of the importance of managing its risks in order to carry out adequate strategic planning and achieve the objectives set, being the MRG Risk Management Model a comprehensive and systematic approach. Its main objective is to help identify events and evaluate, prioritize, respond to and monitor risks that may impede the achievement of the organization strategic vision and the annual objectives approved in the MRG Business Plan and Budget. It is a key tool for managing uncertainty in the different departments.

MRG Risk Management Model is not limited to a specific aspect or circumstance. It is a dynamic process, which extends its scope to all strategic and operational aspects of the organization permanently over time.

The Audit and Risk Committee reports directly to the Board of Directors and operates in accordance with its internal operating regulations, which define its objectives, functions and composition. This committee is made up of representatives of the Board of Directors of each of the four shareholders, several members of the Management Committee and the Risk Management Department.

The contents of the agenda to be discussed at the committee’s periodic meetings, which are held prior to each Board of Directors’ meeting, are agreed internally at the beginning of each new fiscal year. Among the recurring matters are:

• Monitoring of the corporate risk map.
• The most relevant risks and the controls and mitigation plans established or proposed.
• The audit of accounts and the audits of the Integrated Management System.
• The criminal offense prevention model.
• Sustainability Issues.
• Cybersecurity risk and information Security System audits.

The result of these activities allows the Audit and Risk Committee to issue recommendations for risk management and/or the Board of Directors.

MRG Risk Management Model is not limited to a specific aspect or circumstance. It is a dynamic process, which extends its scope to all strategic and operational aspects of the organization permanently over time

The integration of Risk Management Policy in the company has been articulated through the progressive implementation of transversal risk analyses involving the business and corporate units most closely linked to the affected processes. Likewise, risk management occupies a part of the agenda in the periodic meetings of the Management Committee.

Currently, the MRG Risk Map contemplates a wide variety of risks, focusing its attention on the ten most material risks, whose evaluation has been carried out applying a criterion based on:

• The probability of occurrence of a risk on a scale of one to ten.
• The impact of the combined impact on net present value and reputational impact, both on a scale of one to ten. The impact on net present value considers both the direct economic impact for the next twenty years and possible penalties.

The map includes emerging risks through regular updates of its contents, and new high-level controls are established in addition to the existing ones. The action plans implemented help to mitigate the consequences of these risks.

Compared to previous years, risks related to cybersecurity, volatility of natural gas prices and interest rates on debt refinancing have increased in relevance in 2022, and the definition and assessment of these risks has been refined as detailed information has become available on the potential consequences that may arise in the event of their materialization.

At the same time, a strategy has been developed to prevent and mitigate the potential impacts associated with these risks.

Corporate social responsibility

GRESB (Global Real Estate Sustainability Benchmark) is a global sustainability index that evaluates and rates the work done by more than 500 funds and assets from different sectors to promote sustainable development, under a global standard in environmental, social and corporate governance matters. Since 2009, this organization proposes to evaluate and compare the extra-financial performance of companies and financial institutions through the publication of an annual benchmark.

This ranking provides standardized data validated by the capital markets, being a world benchmark for measuring the performance of companies in terms of sustainability.

The GRESB assessments are guided by what investors and the industry consider important issues regarding the sustainability of real estate asset investments, and are adapted to international reports, such as the GRI (Global Reporting Initiative) and the PRI (Principles for Responsible Investment) Madrileña Red de Gas has participated for the seventh consecutive year in this international evaluation, where it has already consolidated its position as a global benchmark in infrastructure sustainability. The total score achieved of 96 points out of the maximum possible 100 allows it to maintain the maximum rating of five stars in a clear recognition of its commitment to ESG (Environmental, Social and Governance), which the company is working to integrate into its strategy in the sustainable development goals for 2030.

Madrileña Red de Gas is ranked number 1 as the best Spanish gas infrastructure company in the GRESB international infrastructure sustainability assessment.
In addition, MRG is positioned as the second European gas distribution company in this international Benchmark and is above the average of 79 points of the companies evaluated, out of a total of approximately 650 participating companies. This result of 96 points also places us in a leading position in the Management (40 out of 40), Environment (28 out of 28) and Social (45 out of 46) indicators.

After the significant progress achieved in 2021 and in which Gresb awarded MRG two special mentions, as recognitions to the company that has improved/progressed the mostin its sector and region, in 2022 we have consolidated our leadership position by achieving a position among the top 5 in 6 of the 9 excellence indicators, as well as among the top 50 companies with the highest scores (position 44), especially highlighting the first place in the “management” section.

Madrileña Red de Gas is ranked number 1 as the best Spanish gas infrastructure company in the GRESB international infrastructure sustainability assessment

The results allow us to have a vision, both of the evolution of the company with respect to previous years, and of its degree of maturity in good practices in the area of ESG and in comparison with other companies belonging to the same sector.

On the other hand, the number of participants in the GRESB infrastructure assessment has again increased with respect to the previous year, reaching 652 entities assessed. These numbers respond to the growing interest of investors in sustainable business models and the importance of ESG factors in decision-making.

From the in-depth analysis of the good results obtained in GRESB, we have identified improvements that have been implemented in our sustainability management model based on ISO 26001 and SR10, with which we will continue to make progress throughout 2023. In addition, in 2022, MRG has formalized the first loan with interest rates linked to its sustainability performance results.

In 2022, Madrileña Red de Gas has formalized the first loan with interest rates linked to its sustainability performance results

It should be noted that, in order to publicize our strategies and actions carried out in terms of sustainability, a specific section on commitment to Sustainability has been added to the MRG website. It has been divided into three sections where you can find the main lines of action in this matter: corporate governance, communication and transparency, social and environment.

Sustainability Report

In 2022, the second MRG Sustainability Report was elaborated, corresponding to the year 2021, which has successfully passed the external verification process by a qualified body. In this report, we have described the performance in the economic, social, environmental and governance performance of our company.
To prepare this report, we have relied on the GRI (Global Reporting Initiative) guide, which is the leading international standard for sustainability reporting. The GRI Standards

are designed to inform the general public of a variety of economic, environmental and social impacts. Sustainability reports drawn up on the basis of these standards provide information on organizations’ positive or negative contributions to sustainable development.

Among the objectives of preparing this report are:

• Improve our strategy for managing reputational risks and improving the company’s image.
• Improve the management of risks and opportunities associated with social responsibility.
• Provide stakeholders with information on environmental, social and economic performance.
• Establish a strategy for sustainability challenges: climate change, circular economy, etc. Act for the Sustainable Development Goals (United Nations).

During this period, both the identification of Stakeholders and the Materiality Analysis carried out the previous year were reviewed in depth, involving a large number of these stakeholders through direct interviews with them.

Cybersecurity

During 2022, the great effort and performance carried
out by Madrileña Red de Gas in terms of Cybersecurity is 5. noteworthy, improving the lines of prevention and action and following the best practices in cybersecurity.

In this sense, there are six most important milestones carried out during the year 2022:

1. Disaster Recovery Simulation
   The main objective of the Disaster Recovery Plan is to minimize the effects of a disaster on the operation of the organization, so that, in the event of any eventuality, it can quickly renew its functions, defining the processes, procedures and responsibilities during the service recovery flow.
2. Network penetration testing
   By performing an external penetration test, it is possible to know the state of an organization’s perimeter security, as well as the risks to which it could be exposed. This process attempts to demonstrate how far a malicious user can go without having any knowledge of the organization.
3. Contingency plan simulation
   In order to test the action protocol in the event of an attack, ensuring the correct operation and isolation of the affected equipment.
4. EDR (End Point Detection Response) Implementation
   EDR, or end point detection and response, is a software designed to automatically protect end users, endpoint devices and IT assets against cyber threats that overcome the barriers of antivirus software and other traditional endpoint security technologies.
5. Cybersecurity training for employees
   For MRG, cybersecurity awareness is fundamental. To this end, we have launched a new training plan to help raise awareness of the risks that exist in the digital world and to prevent any attempt of cyber-attack, both in the professional and personal environment.

   Our goal is for all MRG employees and collaborators to be the first line of defense against cyber threats, in order to guarantee the security and protection of all our information.

   This is a dynamic plan, adapted to the profile of each user, with multimedia content, and which, through videos and interactive games, ensures that, by dedicating just a few minutes a week, all users are continuously trained and alert.

   All of this is reinforced with phishing and vishing campaigns, which strengthen the educational content and raise everyone’s awareness at the highest level.

6. Renewal of cybersecurity audits
   • Reassessment of the maturity level of the OT environment of the Madrileña Gas network based on the Oil and Natural Gas Subsector Cybersecurity capability Maturity Model (ONG-C2M2 v.2) standards.
   • Evaluation of Madrileña Red de Gas Cybersecurity maturity level based on Deloitte’s Cyber Industrial Strategy Framework (CISF) v2.0.

Cybersecurity maturity must continue to increase, but the effort being made is perfectly reflected

Although the sector is still in the process of improving its maturity, having gone from 1.84 in 2020 to 2.31 in 2022, Madrileña Red de Gas has managed to evolve to get in line in quite a few capacities and, in some cases, to improve it.

Information Security and Personal Data Protection

As stated in the Madrileña Red de Gas Information Security Policy, the information must be adequately protected in any of the phases of its life cycle in order to ensure its continuity, minimizing damage and maximizing business opportunities. It is essential to avoid the interruption of business activities by protecting critical processes against disasters and serious failures of information systems and guaranteeing their rapid recovery.

In this way, In 2022, Madrileña Red de Gas has completed the implementation and certification of its Information Security Management System according to the ISO 27001 Standard, a model that is fully aligned with the current Integrated Management System and whose scope also includes the Personal Data Protection Management Model.

Based on the Information Security and Personal Data Protection policies, we have Management Manuals that are developed in more than eighteen Information Security and Personal Data Protection procedures. These procedures are periodically reviewed in order to keep their contents up to date.

With the implementation of the risk and impact assessment model for the various data protection processes, management has been organized around the priorities and opportunities that have been identified.

The asset inventory has identified 11 groups of assets that are broken down into 111 types of assets, having assessed the criticality of each of them from the perspective of their confidentiality, integrity and availability, in order to subsequently evaluate the risk as the combination of criticality, probability and impact.
In order to determine the materiality of threats to assets, a standardized list of threats has been considered, selecting those that may affect each of these assets. The impact is assessed as the combination of the elements of confidentiality, integrity and availability. And to assess the magnitude of the threat, the probability combined with said impact is considered, the residual threat being the one that remains after considering all the controls and treatment plans.

In the statement of applicability of the Information Security Management System, in addition to indicating the scope of applicability of the control measures, the extraordinary actions that have been developed to mitigate the risks are included.

On the other hand, the Information Security and Personal Data Protection model contemplates interaction with stakeholders through various channels:

• Publication on the website of the Information Security and Personal Data Protection Policies, as well as the information on the processing of personal data for the interested parties.
• Employee awareness and training activities.
• Interaction with organizations and authorities, such as the Spanis Agency for Data Protection (AEPD) ande National Institute od Cybersecurity (INCIBE).
• Active management of the mailbox of the personal data protection officer, which has received a significant number od requests.

They are also fully integrated into our management model:

• The establishment of contractual clauses on Information Security and Personal Data Protection.
• Identification of the most sensitive suppliers from the point of view of Information Security.
• Actions for the coordination of business activities in the field of Data Protection with data processors through meetings, unification of criteria and agreements on good practices.
• Monitoring the Information Security and Data Protection performance of our chain of suppliers through the information they provide on the ReproAchilles portal on the maturity of their privacy policies, as well as through the audit reports carried out by the Repro-Achilles Community.
• Register of Information Security and Data Protection incidents, the investigation of which contributes to improvements in information management.

On the other hand, once again this year, in the area of Personal Data Protection Management, the most relevant activities have focused mainly on the management of data subjects’ rights, incident management and the resolution of queries, many of which are related to the interpretation of the legislation in force and the exercise of data subjects’ personal data protection rights.

Madrileña Red de Gas has appointed its Data Protection Delegate, who is the highest authority in the matter, participating in the Management Committee, the Audit and Risk Committee and the Cybersecurity Committee.

An Information Security Management System manager has also been appointed, as well as a Technical Security manager, who is supported by a team of administrators.
Relevant new developments with respect to previous years include the following:

• Increase in the number of queries on personal data protection, compared to previous years.
• Record of eighteen pesonal data protection incidents, none of them at the level of a data pretection security breach, whose investigations revealed the need to incorporte improvements in the management and processing of personal data.
• New personal data protection training course, where the news regarding this legislation published these years ago have been disclosed, aimed at the entire company workforce, and wich at the end of December has been completed by 58% of the same, with its continuity scheduled for 2023.

Likewise, in order to promote the internal culture of data protection, news about revisions and updates have been published in the internal regulations’ repository, maintaining control of the validity of the documentation compiled therein.