Risk Management - GRI Summary

In addition to being part of B3’s level 2 corporate governance and integrating the portfolio of the Corporate Sustainability Index (ISE) based on economic efficiency, environmental balance, social justice and corporate governance, the assessment of the internal control environment aims to carry out the main internal control practices and evaluate the degree of efficiency of such controls, indicating imperfections and the measures adopted to correct them.

Board of Directors:

  • Approve the Risk Management Policy;
  • Define, support and disseminate the risk management culture;
  • Approve the prioritized risks for monitoring by the Company; and
  • Deliberate on any matter submitted thereto or, if deemed necessary, on risks and possible action plans.

Audit and Related Parties Committee:

  • Evaluate the Company’s risk exposure control mechanisms; the Committee may request information about policies and procedures related to the topic.

Boards:

  • Disseminate and promote the risk management culture;
  • Monitor, based on the information reported periodically by the Risk Committee, the risk management of the Company and its subsidiaries, ensuring its appropriate functioning and taking any necessary measures for its improvement;
  • Validate the risks reported to Risk Management and Internal Controls by their respective Business areas;
  • Ensure the existence of material and human resources at adequate levels, which allow effective compliance with this Risk Management Policy and procedures as a whole in their respective Business areas;
  • Assist the Risk Commission in handling risks; and
  • Assist the respective Business areas in executing action plans, as well as in the implementation of any recommendations or measures related to risk management.

Risk Commission:

  • Recommend the Risk Management Policy to the Board of Directors and, in this context, establish the internal procedures used by the Company and its subsidiaries in risk management;
  • Assess and monitor the most relevant risks reported by Risk Management and Internal Controls, as well as their respective action plans;
  • Validate the action plans proposed by the Business areas and the Boards, after validation by Risk Management and Internal Controls; and
  • Report periodically, or whenever deemed necessary, to the Executive Board and the Board of Directors the relevant information related to the risk management of the Company and its Subsidiaries.

Risk Management and Internal Controls:

  • Propose the Risk Management Policy and its updates;
  • Identify, monitor and periodically control risks, including with regard to the implementation of action plans;
  • Report the risks and their respective action plans to the Risk Commission;
  • Assist the Business areas and boards in the design and implementation of internal controls or risk management indicators;
  • Conduct a critical analysis of the action plans defined by the business areas to mitigate risks; and
  • Provide training and a communication plan related to risk management.

Business Areas:

  • Monitor the risks related to their activities and communicate to the Risk and Internal Controls Department, through the manager in charge, any change in their business processes that may give rise to new risks or alter the status of those previously identified;
  • Assist the Risk and Internal Controls Department in identifying risks;
  • Assist the Risk Committee (or Commission) in handling risks;
  • Execute the action plans;
  • Establish appropriate controls and/or indicators to manage the risks; and
  • Ensure that the recommendations of the Risk and Internal Controls Department, the Risk Committee (or Commission) and the respective boards are effectively followed and that any deviations from the Risk Management Policy and the internal procedures applicable to risk management are promptly identified and reported.

Updated and verified on: 06/26/2023