Sustainability Report 2022

Chief risks to be monitored

The activities of the Group's businesses and the execution of its strategic roadmap are subject to risks that can be grouped into the following five risk categories: risks related to the financial condition and equity situation; strategic and operational risks; reputational risks; risks related to criminal compliance; and ESG risks. Non-financial risks are classified into categories described in Law 11/2018 on non-financial information and diversity.

Reputational risks are risks associated with a potential negative impact on the Group and its results, as a consequence of behavior that does not meet the expectations of the market and the various stakeholders, including conduct related to corruption and lack of integrity as defined in the Group's Anti-Corruption Policy.

Criminal compliance risks are risks associated with the committing of crimes defined in the Penal Code as chargeable against a juridical person. Some business activities exist in which a crime could theoretically be committed by one of the Group's employees. In this context, to minimize such risks, which include corruption, bribery, money laundering, workplace harassment and violation of privacy, compliance models are established and regularly reviewed for their continuous improvement.

ESG risks are summarized below, and each chapter of the report provides further information on the indicators for monitoring and evaluating such risks. The table at the end of this report shows how the information is linked to the GRI Standards indicators.
ESG risks

| Category | Definition | Main risks | Indicators |
| --- | --- | --- | --- |
| Climate change | Includes risks associated with the exposure of Group operations to climate change | Sustainable and responsible supply of raw materials | % of sustainably sourced paper purchased |
| | | Related to atmospheric emissions | Scope 1, 2 and 3 emissions |
| | | Waste generation and circular economy | Paper from renewable or recycled sources |
| Governance, social and personnel management | Includes risks associated with lack of transparency, non-compliance with good practices, recommendations and corporate governance standards, as well as those related to talent and diversity | In the ability to attract and retain talent | Involuntary turnover rate |
| | | In promoting equality | % of workforce covered by equality plans |
| | | Work-life balance | % of employees covered by work disconnection policies |
| Society | Includes cybersecurity and privacy risks, and risk of impact on consumers, users, listeners and readers | Affecting consumers | Number of complaints received |
| | | Cybersecurity and information privacy (staff, consumers and supply chain) | Events involving the risk of leaking private information |
| Supply chain | Refers to the risk of linking to third parties | Linking to third parties without an approval or certification process | % of payments to certified or approved suppliers or those who adhere to the Code of Ethics for Suppliers |

Risk management

Area of application

Risk control and management systems

PRISA's Risk Control and Management Policy, in force since November 2020 and updated at the beginning of 2023, establishes the framework of reference for the control and management of the risks associated with its activity. Its objective is to establish the basic principles for control and management of both the financial and non-financial risks faced by the Company and the Group.
The Policy is embodied in a risk control and management system, designed to identify, evaluate and manage the financial and non-financial risks that the Company faces, including, among financial or economic risks, contingent liabilities and other off-balance sheet risks, with the ultimate goal of providing reasonable security in the achievement of PRISA's objectives. This Policy is applicable to all the companies that make up the Group, as well as to investee companies that are not part of the Group but over which the Company has effective control.

The risk control and management system is based on a proper definition and assignment of roles and responsibilities at different levels and a series of control and management methodologies, tools and procedures. Through this system, the Group identifies, monitors and analyzes risks. It also defines and executes, where appropriate, the necessary measures to mitigate any risks that might materialize. PRISA has a global risk map, as well as specific non-financial risk maps (covering ESG risks, and the risks associated with the criminal compliance model), which are generally reviewed annually. These are used to identify and assess the risks related to the activities of the businesses and of the Group.

The risk management and control system works by business unit. The identification of risks is carried out by the heads of the business units and the corporate center. The managing bodies of the respective businesses are entrusted with determining who shall be responsible for managing each risk and for the action plans and controls. At the corporate level, risk management is consolidated through the integrated management model. The Internal Audit Department aggregates and standardizes the risks identified by each business unit in order to draw up the Group and business risk maps.
The Risk Control Department consolidates the action plans and the teams responsible for them, as identified for each risk by the business unit. Thus, it integrates risk management into the business strategy. This allows the company to draw conclusions about the impact/probability of each risk in the estimated scenario. The risk maps, their associated action plans and the conclusions on the impact/probability of each risk in the estimated scenario are reported to the Audit, Risk and Compliance Committee. The Committee is also responsible for monitoring and regularly evaluating the Group's risk control and management system and proposing to the Board of Directors a level of risk that is deemed acceptable, based on risk aversion, tolerance or appetite in each specific case.

PRISA also has an Internal Control over Financial Reporting System (ICFR), adapted to the COSO 2013 methodological framework, and a Crime Prevention and Detection Model in place in Spain, and has developed compliance models in the key countries where the Group is present: Brazil, Mexico and Colombia. These compliance models cover environmental, labor relations, and corruption and bribery risks for each business activity.

Committed governance
