Risk management is part of the culture of NH Hotel Group and is integrated across all of the Company’s operations.

Responsibility for Risk Management

The Company’s Board of Directors is responsible for supervision of the risk management system, in accordance with the provisions of article 5 of the Board Regulations. As regulated in article 25 b) paragraph 3 of these Regulations, the Audit and Control Committee provides support to the Board of Directors in the supervision of the effectiveness of internal control, internal audit and risk management systems, including tax risk management.

During the different meetings held in 2019, the principal risks to which the Company is exposed have been controlled and monitored, together with the evolution of these risks in recent years and the main mitigation and response measures.

Furthermore, the duties of the Company’s Management Committee include risk management and control based on risk tolerance, assigning responsibility for the main risks, periodic monitoring of their evolution, identification of mitigating actions and the definition of response plans. For these purposes, the Executive Risk Committee, made up of members of the Management Committee and Senior Executives, provides support to the Management Committee in this supervision, as well as promoting a risk culture in the Company. To this end, the Company has an internal risk management manual that details the principles, processes and controls currently in place.

The Risk Management function, integrated in the Internal Audit department, is responsible for ensuring that the Company’s risk management and control system operates correctly and is linked to the strategic goals. To ensure that there are no conflicts of independence and that the risk management and control system of NH Hotel Group works as planned in the Corporate Risk Management Policy, an independent third party has reviewed its operation annually in the last two years.

To ensure independence, the Risk Management function is independent of the Business Units and, like the Internal Audit department, is functionally dependent on the Audit and Control Committee.

Adapted from the Guide issued by ECIIA/FERMA on the 8th EU Company Law Directive, article 41

  • First line of defence: provided by the functions or Business Units and Corporate Units that own the risks and their management (Operations, Sales, Marketing, etc.).
  • Second line of defence: provided by the functions in charge of oversight of the risks (Risk Management, Compliance, Data Protection, Internal Control, etc.).
  • Third line of defence: provided by the Internal Audit function which provides independent assurance.

The object of the Corporate Risk Management Policy of NH Hotel Group (approved in 2015 by the Board of Directors), and the internal manual developing it, is to define the basic principles and the general framework of action for the identification and control of all kinds of risks that could affect the companies over which NH Hotel Group has effective control, and to assure alignment with the Company’s strategy.

There is also a range of specific policies that complement the Corporate Risk Management Policy, and which are established in relation to certain specific risks:

Risk management model

The NH Hotel Group risk management model has been rolled out both at Group corporate headquarters and in the Business Units. Its object is to identify events that could have a negative impact on the attainment of goals of the Company’s Strategic Plan, with the aim of obtaining the highest possible assurance for shareholders and stakeholders, while protecting the Company’s interests.

The model established for risk management is based on the COSO IV ERM integrated framework of Enterprise Risk Management, is managed through an internal tool and encompasses a range of methodologies, procedures and support tools, as shown below:

In relation to the management of risks in the Company

According to NH risk profile and aligned with the defined strategy

Identification, assessment, prioritization and response to the risks

Monitoring and control of indicators and action plans, in the framework of a continuous improvement model

Regularly to the main governance bodies (Management Committee, Executive Risk Committee, Audit and Control Committee and Board of Directors), with the aid of internal tools


Risk categories and identification, supervision and monitoring process

The Group’s Risk Map is updated every year and approved by the Board of Directors, after being reviewed and validated by the Audit and Control Committee. In 2019 the Company updated its Risk Map through a process in which 37 Senior Executives identified and assessed the main risks faced by the Company. The updated map was approved in July 2019.

For the main risks in the Risk Map, the Audit and Control Committee receives a half-yearly report that details the operation of the risk management and control system and presents conclusions in this regard. To this end, the measurement of key indicators is included, with information as to whether they are within the established tolerance values or whether an adjustment is necessary. The report also includes the implementation status of the previously agreed action plans.

In addition, each of the main risks in the Risk Map is assigned a risk owner, who is a member of the Management Committee. Each risk owner attends the Audit and Control Committee meetings on a regular basis to present the existing or ongoing mitigation measures for their risks, the implementation status of action plans and measurement of key indicators according to the established tolerances.

Every year, when the Risk Map is updated, the Risk Management function undertakes a reassessment of the catalogue of risks, both financial and non-financial. The definitive catalogue is validated with the Senior Executives who participate in the process, as well as the bodies involved in its validation (Management Committee, Executive Risk Committee and Audit and Control Committee) and approval (Board of Directors).

The risks to which NH Hotel Group is exposed are classified into six categories, shown below:

ESG risks

A specific analysis was performed in 2019 to identify the risks (out of the total of 65 risks identified in the Company’s Risk Map) related to ESG (Environmental, Social and Governance) criteria.

As a result, it was determined that 24 out of the 65 risks, 36.9% of the total, are concerned with Environmental, Social and Governance matters. Most of them come under the categories of “Business” and “Strategic” risks.

Risk factors and management and control measures

Emerging risks and new challenges

Emerging risks are risks that are expected to have a significant impact on the Company’s operations and, therefore, on its financial results in the long term (3 to 5 or more years), although in some cases they may have already started to impact NH Hotel Group’s business now.

Accordingly, during the periodic process for the identification, supervision and monitoring of risks, the Company has adequate mechanisms to ensure that emerging risks and new challenges are taken into consideration. Additionally, the internal tool allows risk owners to report at any time any emerging risks or new risks detected, so that the Risk Office can proceed to analyse and consider them.

Technological risks

Cyberattacks, information security, technological innovation

Risks related to social behaviour patterns

Collaborative economy, changing customer preferences, demographic changes

Risks related to climate change

Natural disasters, extreme weather phenomena

Regulatory risks

New General Data Protection Regulation (GDPR), new environmental legislation

Dependence on intermediaries

Especially online travel agencies (OTA) and distributors, and the sophistication of technological booking tools

Certain geopolitical risks

Terrorism, change in economic cycle, political instability and, to a lesser extent, Brexit

Risks deriving from external factors

Pandemics, strikes, both internal (hotel employees) and external (e.g. air traffic controllers)