Risk management is part of the culture of NH Hotel Group and is integrated across all the Company’s operations.


The Company’s Board of Directors is the body responsible for supervising the risk management system, in accordance with the provisions of article 5 of the Board Regulations.

As regulated in article 25 b) paragraph 3 of the Company’s Board Regulations, the Audit and Control Committee provides support to the Board of Directors in the supervision of the effectiveness of internal control, internal audit and risk management systems, including tax risk management. In this regard, as in previous years, in 2020 the Audit and Control Committee has supervised and validated the update of the Risk Map and the correct implementation of the actions plans that contribute to mitigating the main risks totally or partially.

Furthermore, the duties of the Company’s Management Committee include risk management and control based on tolerance to risk, assigning responsibility for the main risks, periodic monitoring of their evolution, identification of mitigating actions and the definition of response plans. For these purposes, the Executive Risk Committee, made up of members of the Management Committee and Senior Executives, provides support to the Management Committee in this supervision, as well as promoting a risk culture in the Company. To this end, the Company has an internal risk management manual that details the principles, processes and controls currently in place.

The Risk Management function, integrated in the Internal Audit department, is responsible for ensuring that the Company’s risk management and control system operates correctly and is linked to the strategic goals.

To ensure that there are no conflicts of independence and that the risk management and control system of NH Hotel Group works as planned in the Corporate Risk Management Policy, an independent third party periodically reviews its operation.

Also, and as guarantee of independence, the Risk Management function is independent of the Business Units and, like the Internal Audit department, is functionally dependent on the Audit and Control Committee.

In line with the above, NH Hotel Group follows the Three Lines model updated in July 2020 by the Institute of Internal Auditors (IIA) on a worldwide level.

  • First line: provided by the functions (Business Units and Corporate Units) that own the risks and their management (Operations, Sales, Marketing, etc.).
  • Second line: provided by the functions in charge of overseeing the risks (Risk Management, Compliance, Data Protection, Internal Control, etc.)
  • Third line: undertaken by the Internal Audit function which provides independent assurance.

The object of the Corporate Risk Management Policy of NH Hotel Group (approved in 2015 by the Board of Directors), and the internal manual developing it, is to define the basic principles and the general framework of action for the identification and control of all kind of risks that could affect the companies over which NH Hotel Group has effective control, and to assure alignment with the Company’s strategy.


The NH Hotel Group’s risk management model, which has been rolled out both in the corporate headquarters and in the Business Units, seeks to identify events that could have a negative impact on the attainment of the goals of the Company’s Strategic Plan, obtaining the highest possible assurance for shareholders and stakeholders, while protecting the Company’s interests and its reputation in the short, medium and long term.

The model established for risk management is based on the COSO ERM 2017 integrated framework of Enterprise Risk Management and encompasses a range of methodologies, procedures and support tools, that allow NH Hotel Group to:

  • Apply suitable governance in relation to risk management in the Company and promote an appropriate risk management culture.
  • Ensure that the objectives defined in the Company are aligned with its strategy and its risk profile.
  • Identify, assess and prioritise the most relevant risks that could affect the attainment of strategic goals. Identify measures to mitigate such risks and establish action plans in line with the Company’s risk tolerance.
  • Monitor periodically the action plans established for the main risks, in the framework of a continuous improvement model.
  • Report periodically to the Company’s main governing bodies on the status of the main risks and the actions plans.


The Group’s Risk Map is updated every year and approved by the Board of Directors, after being reviewed and validated by the Audit and Control Committee. In 2021, the Company has updated its Risk Map through a process in which 28 Senior Executives from all Departments identified and assessed the main risks faced by the Company. The updated map was approved by the Board of Directors at its meeting held on July 28th, 2021.

For the main risks in the Risk Map, the Audit and Control Committee receives periodically a report on the implementation status of the previously agreed action plans.

In addition, each of the main risks in the Risk Map is assigned a risk owner, who is a member of the Management Committee.

Every year, when the Risk Map is updated, the Risk Management function undertakes a reassessment of the catalogue of risks, both financial and non-financial. The definitive catalogue is validated with the Senior Executives who participate in the process, as well as the bodies involved in its validation (Management Committee, Executive Risk Committee and Audit and Control Committee) and approval (Board of Directors). In addition, during the year the risk owners can report/suggest a new risk to the Risk Office if they consider it necessary.

The six categories into which the risks NH Hotel Group is exposed to are classified are shown below:

In line with the COSO methodology, NH uses the concepts of inherent and residual risk. Inherent risk is considered to be the risk that exists without considering the mitigating effect of the controls put in place by the Company. Residual risk, however, does consider the effect of these mitigating controls, and is therefore known as the risk level that persists after applying all the control measures in place in NH.

ESG risks

Of the 78 risks identified in the Company’s risk catalogue, an analysis was performed to identify the risks related to ESG (Environmental, Social and Governance) criteria.

As a result, it was determined that 27 out of the 78 risks, 35% of the total, are concerned with Environmental, Social and Governance matters. Most of them come under the categories of “Business” and “Compliance” risks.




Emerging risks are risks that are expected to have a significant impact on the Company’s operations and, therefore, on its financial results in the long-term future (from 3 to 5 or more years), although in some cases they may have already started to impact NH Hotel Group’s business now.

Accordingly, during the periodic process of supervision and monitoring of risks in the Executive Risk Committee and in the Audit and Control Committee, as well as during the annual risk identification and assessment process, the Company has adequate mechanisms to ensure that emerging risks and new challenges are taken into consideration and given an adequate response. The final result of this analysis is reflected in the corporate Risk Map which is submitted annually to the Board of Directors for approval.

Additionally, risk owners can report at any time any emerging risks or new risks detected, so that the Risk Office can proceed to analyse and consider them.

The emerging risks that the Company has already detected and on the monitoring and analysis, impact assessment and mitigation of which it is working, are described below:


Risks related to social behaviour patterns | Collaborative economy, changing customer preferences, demographic changes

Considering the changes in consumer behaviour (with a shift towards self-service options and apartment and house swaps) and the arrival of new market players whose offers and business models alter the codes of the hotel industry, NH Hotel Group needs to expand its offer to diversify the opportunities proposed to travellers and meet their expectations better, while attracting new guests. If the Group does not detect new consumer behaviour and does not respond quickly by offering suitable experiences to its guests, its market share and level of activity could be adversely affected, with a negative impact on both revenues and net income.

The Group responds to these changes by adapting its products and services to the new generations and new businesses. The Group has an Innovation Committee dedicated to exploring new business and innovation opportunities to strengthen the Group’s experience when it comes to offering specific disruptive solutions to guests and preparing growth in the future.

To take advantage of the growing attractiveness for the market of distinctive brands with a strong personality, which offer an excellent work environment for urban nomads and an ideal meeting place, the Group has also opted to redouble its efforts to expand its nhow brand in one of the fastest-growing segments in the hotel industry, referred to as “lifestyle “.

Technological risks | Cyberattacks, information security, technological innovation

The Group’s business is based on a variety of processes and software that support both employees and guests when their book their stays. Some of these processes and apps depend on complex information systems and IT infrastructure to collect, process and store growing quantities of operational and strategic data which are essential to support the value creation process. These data, which are collected, sorted and processed directly by the Group or by external service providers, may suffer accidental or malicious damage. The Group’s systems could suffer directly or indirectly the consequences of viruses, service refusal or other attacks, hardware or software technical breakdowns, sabotage, intrusion or piracy, that have a negative effect on the availability and integrity of data as well as the confidentiality of such data. These threats may also arise internally due to malicious intent, errors or derived from possible obsolescence of infrastructures. Whatever their origin, any alteration, theft, disclosure or unavailability of the Group’s data could have a negative impact on the attainment of its strategic objectives.

Assuring the security, protection and availability of strategic data is a priority for the Company. The Information Systems Security Department has the task of protecting the entire infrastructure, the IT systems and software needed for the Group’s operations. Its function consists of:

  • Preventing intruder access, viruses and attacks through the administration of all the dedicated system hardware and software security and conducting intrusion tests,
  • Carrying out awareness-raising campaigns and training for employees (for example, alerting on phishing risks).

As far as payment methods are concerned, every year the Company renews its PCI DSS certification, a key factor in the prevention of risks that affect guests’ bank data.

In addition, NH Hotel Group has a business continuity plan to guarantee the continuity of operations and preserve data confidentiality.

Risks related to climate change | Natural disasters, extreme weather phenomena and regulatory

In most of the countries where NH operates, the Group is exposed to the risk of extreme natural events (such as earthquakes, floods, snowfall and cyclones) the frequency and / or gravity of which may be amplified by climate change.

The occurrence of any such event could have a direct or indirect impact on guests and employees, but also on the Group’s business and assets, adversely affecting its activity and compromising its financial situation.

Protecting guests and employees is a priority for the Group. For this reason, permanent or temporary protection measures are implemented as soon as these risks are identified, such as evacuating hotels in accordance with the Group’s procedures. For seismic risks in particular, drills are carried out periodically by the teams in the countries identified (such as Mexico), so that they can respond efficiently in the event of an earthquake.

Furthermore, regulatory changes such as the European Union Green Deal and the Fit for 55 package of measures to adapt European legislation to its climate goals will have an impact for the Company both in terms of investments and in the renovation of hotels or the acquisition of new hotels.

Aware of the effects of climate change, and with the aim of managing operating costs more efficiently, the Group is taking measures to limit the carbon emissions generated by its operations and its entire value chain. More information on NH Hotel Group’s climate strategy can be found in the section NH ROOM4 Planet.

Certain geopolitical risks | Terrorism, change in economic cycle, political uncertainty and, to a lesser extent, Brexit

The evolution of the geopolitical situation exposes the Group to the risk of terrorist attacks, among others, in the countries where NH operates. The occurrence of such events could have a direct or indirect impact on guests, employees, business and assets, and have a negative effect on the attainment of the Company’s strategic objectives. Furthermore, acts of terrorism, political unrest or the outbreak of war would affect tourism and the Group’s business (by causing a fall in the number of guests, closure of hotels and abandoned development projects) in the regions in questions, as well as threatening the safety of employees.

Protecting guests and employees is a priority for the Group. To protect them effectively against the main threats identified, the Group has developed a safety and protection strategy aligned with the severity of the estimated risks.
The strategy is based on organization, a monitoring system and security measures that evolve in line with the evolution of each situation. These measures are designed to guarantee the safety of employees, guests and assets, while also assuring the continuity of operations. In the event of an alert, the internal crisis management system is activated immediately to guarantee the safety of our guests and employees. Damage to property is covered by the Group’s insurance programme.

Risks deriving from external factors | Pandemics, strikes, both internal (hotel personnel) and external (e.g., air traffic controllers)

The Group’s operations may be affected by epidemics in the regions where it welcomes guests or by worldwide epidemics. In the last 24 months, NH Hotel Group, like all the hotel companies in the world, has suffered the consequences of the COVID-19 pandemic which has caused a fall in the hotel occupancy rate and in events due to the health restrictions in place in all countries. Revenues have been negatively affected even though the group has contingency and business continuity plans that partially mitigate the fall in revenue while contributing to assure the health and safety of its guests and employees.