Compliance and ethics management in the DIA Group

Compliance and ethics management in the DIA Group

(102-16)

DIA’s compliance model is made up of a closely linked set of rules, procedures, and managers, split into three organisational levels:

1. A demanding regulatory level in terms of Good Governance: This level includes the statutes and regulations of the company’s governance bodies.
2. A procedural level to provide internal control and legal security: This level is made up of the above-mentioned risk management system, a regulatory roadmap that is updated annually, and the internal control system relating to financial information (SCIIF).
3. A cultural level for the prevention and detection of illicit conduct, or conduct that is not in accordance with the company’s values. The DIA Group’s Code of Ethics, the crime prevention model, and the anti-fraud programme are all involved in the aim of creating and disseminating among DIA employees a professional and ethical culture in which the company’s values are aligned with employees’ behaviour.

DIA compliance model

CORPORATE GOVERNANCE	INTERNAL CONTROL AND LEGAL SECURITY	FRAUD PREVENTION AND DETECTION
OBJETIVES	OBJETIVES	OBJETIVES
To have a strict regulatory body in the area of Good Governance UGA, CdA and RIQ Statutes and Regula- tions Issue of AGC, IAR and Relevant Facts Control of Securities and Treasury Stock operations and Privileged Information Adoption of company agreements in accordance with the Law Control and coordination of Subsidiarles Design of a framework for the delegation of safe powers (centralization of powers, joint signature and financial restríctions) (centralization of powers, joint signature and financial restríctions)	To have an internal control system and rísk management that ensures an adequate control environment Risk Management Control System Implementation of Regulations Internal Control (SCIIF + operations) Corporate and Local Insurance Program- mer Provide legal certainty to the company in business trade Regulatory Map Contractual Control (standard model) Data Protection (Consultation Office)	To embody a culture of compliance through an ethical model for employees Code of Ethics Críme Prevention Model (Spain) Anti-Fraud and Anti-Corruption Programmer To have channels for the detection of bad conduct Ethical Channel Forensic actions (DD in compliance in M&A)
AREAS RESPONSIBLE FOR SUPERVISION AND CONTROL
Secretary of the Board Legal Counsel and Compliance Department	Internal Audit Financial Department Legal Counsel and Compliance Department	Ethics Committees Legal Counsel and Compliance

DIA Compliance Structure

The DIA Group’s Code of Ethics represents the foundation of the company’s corporate values (Efficiency, Initiative, Respect, Team, and Customer), and is one of the main instruments with which to promote this ethical culture, as it formalises the patterns of behaviour that are to be followed by all the people who take part in the company’s activity. As with the other rules defined by the Company, the Code of Ethics is mandatory in all the countries in which the company is present, and applies to all of its employees.

The company has a Corporate Ethics Committee at group level and an Ethics Committee in each of the countries in which it operates. These Committees are involved in managing the company’s Code of Ethics and hold the following responsibilities:

• Disseminate the values in the Code of Ethics and make them easy to understand.
• Ensure for the proper running of the Ethics Channel that was set up to help implement the Code of Ethics.
• Analyse and reply to all communication received through the Ethics Channel, whether related to queries related to interpretation or complaints, in accordance with the applicable regulations, both internal and external.
• Prepare quarterly reports related to compliance and performance, which are submitted to the Audit Commission of the Board of Directors as a consolidated report, on an annual basis.

100% of DIA’s employees have received training related to the content of the Code of Ethics (205-2). The Ethics Channel allows employees to ask questions and report incidents anonymously, by email or postal address, although those who identify themselves benefit from an absolute guarantee of confidentiality and non-retaliation. Suppliers, franchisees, and contractors, who have also been proactively informed about the Ethics Code, can also use this communication channel with the Ethics Committee, and have the same guarantees as any other employee (102-17).

Of the 79 reports, 68 were made by employees (86%), 3 by suppliers (4%) and the other 8 (10%) were anonymous.

At 31 December, 57 reports were resolved and 22 are still under investigation. Of the reports settled, 36 were shelved due to insufficient evidence (63%); 13 were resolved with training actions for the reported parties (23%); 5 resulted in disciplinary dismissals (9%); and the last three (5%) were resolved when disciplinary measures to temporarily suspend the reported party were applied.

Regarding the consultations, 28 were made by employees (93%), 1 by suppliers (3%) and 1 by franchisees (3%).

At 31 December, 24 reports were resolved and 6 are still under investigation. Of the consultations settled, 14 of the doubts were directly resolved by the Ethics Committee (59%); 8 were submitted to the Human Resources Department so that it directly resolved the employees' doubts (33%); and 2 were submitted to the management department and the issue raised by the sender was clarified or solved (8%).

In order to strengthen the Code of Ethics, the DIA Group has developed and implemented a crime prevention model with the aim of establishing the most appropriate internal procedures and control policies to prevent illegal acts from taking place. This model is integrated into the “Regulatory roadmap” which identifies and details all the regulation applicable to DIA, with a special focus on the key legislation in the main supply-chain processes. The risk of crimes being committed is evaluated by each of the departments, and each region has a person responsible for crime prevention who reports to the Ethics Committee and to the DIA Group’s Regulatory Compliance Director.

In turn, the company has a specific anti-fraud programme, which has been implemented in all the jurisdictions in which the company operates, in accordance with a risk matrix developed for each region. Accordingly, a fraud prevention manager has been designated in each country, and this person is also responsible for crime prevention.

During 2017, a case of corruption was detected within the Group, and led to an employee being dismissed. In total, in the current reporting period, there are two lawsuits of this type ongoing (205-3).