Operating and business continuity: the BME Group has a comprehensive IT Contingency Plan in place (capable of
dealing with the most complex situations) to guarantee the continuity of its IT services. There is a back-up centre
where copies are automatically generated to guarantee the availability of all information in the event of an emer-
gency. The Company carries out tests to guarantee the correct functioning of its contingency plan.
Segregation of duties: the development and operation of the financial IT systems is carried out by a large group
of professionals with clearly differentiated and segregated functions. The staff of the business unit in question are
responsible for defining the requirements and final validation tests before any system is rolled out. The rest of the
duties fall to different persons within the IT area:
• The project leaders carry out functional analyses and manage the development projects, developmental and
operational management and integration tests.
• The development teams are in charge of technological design, construction and tests, always adhering to
the development methodologies defined by the Group. Access to information to resolve incidences must be
formally requested and authorised internally.
The IT systems contain user profiles based on the roles of each of the people that require access to them. Staff compe-
tent in every application or environment manage these requests and permissions and verify that incompatible
permission is not assigned.
Management of changes: the BME Group has established mechanisms and policies to ensure that possible failures in
the service, caused by updates or changes to the IT systems, are avoided. There are change and monitoring commit-
tees which ensure that the established management procedures for changes are complied with. These include secu-
rity measures aimed at mitigating risks. All changes to the systems are carried out by controlled staff and the changes
identified and upgrades indexed to production environments.
Incident management: the policies and procedures in this matter are in place to resolve incidents in the shortest time
possible. There are incident communication channels and registration tools in place. Efficient incident management
is achieved by correctly prioritising and following-up incidents according to importance, reducing communication
times and, finally, determining problems and identifying suggestions for improvement.
Incident monitoring and improvement plans are reported periodically to the pertinent committees and are aimed at
monitoring the service provided.
3.3. Internal control policies and procedures for overseeing the management of outsourced activities, and of the
appraisal, calculation or valuation services commissioned from independent experts, when these may materially
affect the financial statements.
BME has in place Procedures for managing outsourced activities which stipulate that the need to outsource activities
must be based on the existence of sufficient reasons or legal provisions which justify this need in order for the BME
Group to attain its goals or meet legal arrangements. To proceed with the subcontracting/outsourcing, a minimum of
two and a maximum of three suppliers shall be considered, in so far as this is possible.
In all cases, the outsourcing of activities and subcontracting to third parties shall be carried out through service
contracts between the supplier and the relevant BME Group company, clearly indicating the service to be provided
and the means to be used to provide these services. According to the nature or an assessment of the risks identified,
the department responsible for subcontracting/outsourcing shall notify suppliers that the service provision contract
will include clauses stating that the staff at the contracted company must comply with BME Group regulations.
Before services can be subcontracted/outsourced, the department responsible for the subcontracting/outsourcing
must send the offer and the conclusions of the preliminary risk study to the Legal Department.
The list of BME Group suppliers is revised and, if applicable, updated each year. Likewise, the controls in place at the
suppliers are monitored.
In order to appraise, calculate or value the services commissioned from independent experts when these may materi-
ally affect the financial statements, the Group has in place a system to assess the competence, ability, credentials and
independence of all independent experts, prior to their selection. When monitoring this appraisal, BME verifies the
reasonableness of the assumptions used by the expert, as well as the completeness of the data and the methods used.
4.- Information and communication.
The entity should state whether it has at least the following components in place, specifying their main characteristics:
4.1. A specific function in charge of defining and maintaining accounting policies (accounting policies area or
department) and settling doubts or disputes over their interpretation, which is in regular communication with
the team in charge of operations.
The responsibility for defining, interpreting and settling doubts or disputes regarding the accounting criteria and
policies of the BME Group, among other functions, falls to the Finance Department.
To this end, the BME Group has a Procedures and Criteria manual which describes the accounting treatment of the
different types of transactions which may materially affect financial information. This Procedures and Criteria manual
is updated periodically to include any legislative amendments as well as new transaction types which may require
new criteria and accounting policies to be established. Once updated, this procedures manual is made available to all
BME Group employees.
Appendix to the Annual Corporate Governance Report
In compliance with the Sustainable Economy Law
Report 2012
1...,206,207,208,209,210,211,212,213,214,215 217,218,219,220,221,222