Contents 1. Identification... 2 1.1. Purpose... 2 1.2. Scope... 2 1.3. Area of dissemination... 2 2. Definitions... 2 3. Development... 3 3.1. Prior considerations... 3 3.2. Responsibilities... 3 3.3. Assessing criminal risks... 4 4. Archive... 5 5. Referenced documents... 5 6. Record of changes... 5
1. Identification 1.1. Purpose This norm establishes the parameters to be analysed to assess criminal risks that may arise with respect to a project the business scope of which grows. 1.2. Scope This document applies to all companies controlled 1 by the Abertis Group. It must be observed by all Abertis Group managers and employees that are involved in growth projects, as well as Abertis Group suppliers that provide consultancy services for such projects. This norm does not apply to new acquisition processes that do not require partners and which are publicly tendered. 1.3. Area of dissemination The area of dissemination for this norm includes all companies controlled by the Group. Each company must ensure that the norm is made known to all areas and groups for which it is intended. At the very least it must be distributed to any Abertis Group company that is related to or interacts in any way with growth projects. 2. Definitions Due Diligence: study carried out with due diligence before signing any new business contract. For instance: assessing a company to be acquired in the future. Joint venture: a joint company, strategic alliance, business alliance or consortium. It refers to a type of long-term business investment agreement between two or more parties (normally legal persons) called venturers or partners. 1 Companies controlled: companies in which Abertis owns more than 50% or companies in which the shareholders agreements so determines. Page 2 of 5
3. Development 3.1. Prior considerations Legislation, best international practices and the majority of jurisdictions that are committed to greater legal security require an assessment of the criminal risks of all those activities undertaken by companies to avoid the criminal liabilities of companies that may exist and may, in turn, be proved. The aforementioned activities include growth projects. The possible risk of assuming criminal liability for those companies that become owners after a conversion, merger, take-over or split-up should also be added the aforementioned risks. Accordingly, it is very important to have conducted a criminal risk assessment before approving a growth project or investment. Due diligence enables the making of informed decisions, leveraging the quality and quantity of information available and ensuring that it is systematically used to deliberate thoughtfully about the issue and its related costs, risks and benefits. 3.2. Responsibilities Abertis Compliance Function Doing due diligence on the prevention of criminal risks in operations that involve an increase in business scope when led by the Corporate Development Area in accordance with the Abertis Group Growth and Investment Policy. Local Compliance Function Doing due diligence on the prevention of criminal risks in operations that involve an increase in business scope when led by the Business Unit and supervised by the Corporate Development Area in accordance with the Abertis Group Growth and Investment Policy. Corporate Development Area (CDA) Reporting to the Abertis Compliance Function concerning any proposal approved by it under the Abertis Group Growth and Investment Policy. Business Units When the operations are led by Business Units, these must report to their respective Compliance Functions on the aforementioned project proposals. Chief Compliance Officer Making recommendations, if so required with own or hired resources, where appropriate, regardless of whether the Corporate Development Area or Business Unit is leading the project. Page 3 of 5
Submitting recommendations to the Corporate Development Area to have them taken into account by governing bodies in their decision making. Reporting on their conclusions to the Abertis Audit and Control Committee as part of the monitoring to regulate Group compliance activity. Local Compliance Officer Making recommendations, if so required with own or hired resources, as befits each case. Submitting recommendations to the Business Unit and the Chief Compliance Officer. 3.3. Assessing criminal risks A business scope growth project can involve the simple acquisition of a new business either with or without joint venture involvement. A criminal risk analysis must be conducted on the new business, and where appropriate, on the potential partner. If criminal risks are detected and the project is approved by the respective Group Abertis company governing bodies, the Compliance functions affected by the project, as well as the Corporate Compliance function, must study action plans to mitigate them. Accordingly, the Chief Compliance Officer and the Local Compliance Officer, where appropriate, must take into account whether the business to be acquired and/or its future/potential partners have at least the following in place when assessing the criminal risks involved: A compliance structure. A criminal risk analysis. Internal criminal prevention standards. A compliance standards communication and rollout process. Training in compliance matters. Reporting channels. Moreover, a small-scale investigation must be carried out into reputational aspects. Page 4 of 5
4. Archive All related supporting documentation must be filed by the Compliance function for at least 10 years in electronic format whenever possible. Whatever the case, the archive must ensure the integrity and proper reading of data. Furthermore, the archive must also be conserved adequately, easily located and traceable. 5. Referenced documents Abertis Group Growth and Investment Policy 6. Record of changes See Date Changes Sections modified 1.0 13/02/2018 Initial draft of document All Compliance Due Diligence_v1 Date of publication: 13/02/2018 Approved by: Corporate Secretary and Corporate Managing Director Page 5 of 5