Integrity

CODE OF BUSINESS ETHICS

“Our complete commitment to the ethics and integrity of the people who make up Ferrovial has positioned us a benchmark in the market for being a serious company that is commited to its stakeholders” Rafael del Pino, Chairman.

The Ferrovial Code of Business Ethics*, which is applicable to all Group companies, establishes the basic principles and commitments to which said companies and their administrators, managers and employees must adhere.

These principles are embodied in a number of commitments toward stakeholders in Ferrovial’s professional activity and are reflected in policies and procedures aimed at fostering professional performance in accordance with ethics, integrity and compliance with pertinent legislation. Highlights of the regulations include:

The Board of Directors Regulations*; the Internal Conduct Regulations in the Securities Markets*; Compliance Policy*; the Crime Prevention Model; the Anti-Corruption Policy*; the Policy on Control and Risk Management; the Human Rights Policy*, the Health and Safety Policy*; the Corporate Responsibility Policy*; the Competition Policy; the Quality and Environment Policy*; the Procedure for approving and monitoring sponsorship and patronage actions and donations; Corporate Procedure on the Ethical Mailbox; Corporate Procedure on Representation Expenses; due diligence procedure to ensure the ethical integrity of Partners; due diligence procedure to ensure the ethical conduct of Suppliers; due diligence procedure governing the selection, hiring and mobility of Candidates.

All employees adhere to the principles and commitments contained in the Code of Ethics. They commit to comply with it and enforce it upon external collaborators who perform activities on behalf of Ferrovial.

 *Available at www.ferrovial.com

COMPLIANCE MODEL

Ferrovial has a Compliance Model in place that aims to provide a transversal process spanning the entire company for monitoring and controlling compliance risks under the principle of zero tolerance toward criminal acts. This due diligence framework embodies the company’s firm commitment to observing applicable law and to applying the highest ethical standards when going about its business. The management and analysis of how the Model works is the responsibility of the Compliance and Risk Division, whose independence and effectiveness has been reinforced, providing it with new resources and it reports directly to the Audit and Control Committee.

The Compliance Model is described in the Compliance Policy and its main objective is to foster a culture of business ethics across the organization and permeating all decision-making processes in order to shape and guide the conduct and intentions of directors, managers and employees and erect a common and standard framework for monitoring, controlling and managing compliance risks (especially measures to prevent criminal conduct). The policy also develops the different phases of the Compliance Model in place at the company and stipulates the competencies and remit of its governance and management bodies and those of its employees in relation to regulatory compliance.

The phases in which the Compliance Model is structured cover the phases of a continuous improvement cycle:

1. Identification and evaluation of risks.

• Identification of compliance risks based on the company’s activities.
• Assessing risks based on their impact and probability of occurrence.

2. Establishment and update of processes and control tools.

• Identification of the monitoring and control measures implemented to avoid or mitigate the occurrence of risks.
• Periodic evaluation of control measures to detect possible shortfalls or areas of improvement that require specific action plans.

3. Raising awareness and training.

• Training for company employees and executives in the principles and commitments included in the Code of Ethics, in the Compliance Policy and the other policies that support the Model.
• Due diligence of third party collaborators, who must know and share ethics and integrity policies.

4. Detection of and response to possible irregularities.

• Reception, assessment and investigation of detected breaches and application of appropriate corrective and/or disciplinary measures.

5. Supervision of the Model by the Audit and Control Committee.

6. Information to the company’s governing bodies.

• Information on how the Compliance Model works and monitoring the action plans put in place to ensure their continuous improvement.
• The Compliance Model includes a Crime Prevention Model designed to prevent or significantly reduce the risk of committing criminal acts, especially those that would lead to the company being held criminally liable, in accordance with Organic Law 1/2015 reforming the Criminal Code.

7. Verification of the effectiveness of the Compliance Program.

• The Compliance Model includes a Crime Prevention Model designed to prevent or significantly reduce the risk of committing criminal acts, especially those that would lead to the company being held criminally liable, in accordance with Organic Law 1/2015 reforming the Criminal Code.

ANTI-CORRUPTION POLICY

Ferrovial has an Anti-Corruption Policy that governs the behavior of all administrators, managers and employees, and their collaborators, in the development of the business, under the principle of “zero tolerance” with any practice that could be qualified as active or passive corruption or bribery.

The policy requires strict compliance with pertinent anticorruption laws, notably the Spanish Criminal Code (and that of the other jurisdictions in which Ferrovial operates), the US Foreign Corrupt Practices Act and the UK Bribery Act.

TRAINING

Training for employees in the values and principles enshrined in the Code of Ethics and the Compliance Policy is one of the cornerstones of the company’s Compliance Model. During 2019, the online training plan on the Code of Business Ethics and Compliance Policy (Prohibited Behaviors) and the face-to-face course on anticorruption matters continued according to the level of risk exposure of certain groups, including the Management Committee. The training volume of these courses amounted to 4,923 hours, accumulating more than 12,000 hours in the last two years.