ENTERPRISE RISK MANAGEMENT POLICY

1. MEETING MINUTES OF APPROVAL

Agenda Item No. 879 dated 15.08.2022

2. SCOPE

This policy applies Company-wide as a mandatory requirement. In addition, it is recommended that this Policy be implemented in all wholly-owned subsidiaries.

For affiliates and jointly-owned entities, the guidelines in this Policy should be viewed as recommendations for alignment on risk management.

3. PRINCIPLES

  1. Life, in all its forms, must be respected and protected, and the Company's rights, obligations, facilities, processes, information and reputation must be safeguarded against threats arising from intentional or unintentional actions.
  2. Risk management is an integral part of our commitment to act with integrity, in line with our principles and applicable laws and regulations.
  3. Our approach to risk management must be aligned and consistent with our Business Plan and, above all, with our strategic objectives.
  4. Risks must be taken into account in all decision-making, and risk management must be undertaken in an integrated manner, spanning all areas of the Company.
  5. Action in response to identified risks must take into account any long-term and far-reaching consequences of risks, and should be designed to preserve shareholder value and ensure business continuity.

4. GUIDELINES

  4.1. Strengthen risk management as the cornerstone of our Integrity Management Framework.
  4.2. Capture opportunities and proactively address threats affecting our strategic, economic, financial, operational, or compliance objectives.
  4.3. Standardize concepts and methods in identifying, analyzing, assessing, and addressing risks to enhance information reliability and process transparency.

Public

  4.4. Comprehensively manage risks associated with business, management, and supporting processes, keeping exposure at acceptable levels.
  4.5. Align risk management practices with those of our internal controls and internal audit functions, using the Three Lines of Defense approach.
  4.6. Enhance autonomy in risk management and segregate duties between risk takers and monitors.
  4.7. Facilitate a continuous and transparent flow of information to directors, investors, and other stakeholders regarding key risks and their management, while observing information confidentiality levels, policies, and other internal standards on enterprise security.
  4.8. Ensure that employees and contractors (through their contracts) receive continuous risk management training consistent with their responsibilities.
  4.9. Improve our approach to monitoring and reviewing the risk management process as part of an ongoing corporate governance improvement program.
  4.10. Monitor Very High impact risks which, if materialized, could cause significant business disruption, irrespective of their likelihood.

5. TERMS AND DEFINITIONS

  • Top-down approach: Identifying, assessing and monitoring key risks affecting strategic objectives and drivers.
  • Bottom-up approach: Identifying, assessing and monitoring risks affecting processes related to the value chain.
  • Risk analysis: Understanding the nature of a risk and its potential to positively or negatively influence established goals (ISO Guide 73 - adapted).
  • Risk appetite: Amount and type of risk that an organization is willing to incur, in qualitative terms, in pursuing its strategic goals.
  • Internal Audit: Internal audit is an independent and objective exercise, conducted using a systematic and disciplined approach, to evaluate and improve the effectiveness of risk management, control, and governance processes (Institute of Internal Auditors - IIA Brazil - adapted).
  • Risk assessment: Identifying and assessing events which could potentially threaten the achievement of business objectives.
  • Risk catalog: A database consolidating and standardizing the different risk categories and sub-categories.


  • Risk owner: A risk owner is responsible for managing a particular risk within the organization's risk management process and internal control systems, representing the 1st line in the Three Lines of Defense Model.
  • Risk Management Framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization (ISO Guide 73).
  • Event: Occurrence or change of a particular set of circumstances (ISO 31.000/2018).
  • Risk Management: A set of coordinated activities to direct and control an organization or department with regard to risk (ISO - adapted).
  • Crisis management: Managing external and internal communications and top management's response to reverse the impacts of a disaster. This includes establishing metrics to identify crisis situations and the appropriate response (Business Continuity Management (BCM) - adapted).
  • Corporate governance: The system by which companies and other organizations are directed, monitored, and incentivized, including relationships between a company's shareholders, the board of directors, management, oversight and control bodies, and other stakeholders (IBGC Code of Best Corporate Governance Practices - 5th Edition).
  • Risk identification: Risk identification consists of identifying, understanding the external and internal context of, and describing risks that might help or prevent an organization from achieving its objectives (ISO 31.000/2018).
  • Key risk indicator: Used to identify and measure certain events or conditions that are likely to cause a risk event to arise or occur (The Institute of Internal Auditors (IIA Global) - adapted).
  • Impact: Result or effect of an event.
  • Uncertainty: The state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood (ISO Guide 73).
  • Risk matrix: A risk matrix is populated based on the combination of risk likelihood and impact, enabling a comparison to be made between potential risk events so they can be prioritized for treatment.
  • Three Lines of Defense Model: Helps organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management (Institute of Internal Auditors (IIA), 2020).
  • Risk monitoring: Continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected (ISO Guide 73).
  • Objectives: Concise statements about future situations to be achieved. Objectives can relate to different enterprise aspects such as business, safety, the environment and financial performance. Objectives can be classified into different categories, such as strategic, compliance and operational (ISO Guide 73 - adapted).
  • Opportunity: A situation or event that favorably influences established objectives (COSO-ERM).


  • Business Continuity Plan: A plan designed to swiftly resume normal operational activities with minimal disruption after a catastrophic event (The Institute of Internal Auditors (IIA Global) - adapted).
  • Likelihood: The probability that a given event will occur (COSO-ERM).
  • Risk: Effect of uncertainty on objectives (ISO 31.000/2018).
  • Basic risk: Risk arising from Enterprise Risk, identified using criteria defined by the Enterprise Risk owner.
  • Enterprise risk: The key business, operational, cyber, sustainability, financial and regulatory risks that affect activities or established objectives.
  • Severity: The combination of risk likelihood and impact (COSO - ERM 2017 - adapted).
  • Risk tolerance: The amount of risk that an organization, based on its risk appetite, is willing to tolerate to achieve its strategic objectives. It can also be understood as an acceptable range of risk appetite, measured based on key risk indicators.
  • Risk treatment: Following a risk assessment, the appropriate risk treatment is defined, along with how the relevant risks should be monitored and communicated to stakeholders. Risk treatment essentially consists of deciding whether to accept, mitigate, transfer or eliminate a risk. The decision depends primarily on the Company's risk appetite.

6. ROLES AND RESPONSIBILITIES

Scale          | Proposed treatment (Accept/mitigate/transfer/eliminate) | Approval authority                                                   | Informed
---------------|---------------------------------------------------------|----------------------------------------------------------------------|------------------------------------------------------------------------------
Very High      | Executive Board                                         | Board of Directors, preceded by Audit & Risk Committee assessment    | Risk & Financial Committee
High           | Vice President                                          | Executive Board                                                      | Statutory Audit Committee, Board of Directors and Risk & Financial Committee
Medium         | Executive Manager or Officer                            | Vice President                                                       | Executive Board
Low / Very Low | Manager/Coordinator                                     | Executive Manager or Officer                                         | Vice President


  6.1. Board of Directors (BoD)
  • Approve the risk appetite and tolerance proposed by the Executive Board.
  • Systematically oversee risk management.
  • Approve the Company's Corporate Risk Management Policy and Methodology, as well as their subsequent revisions.
  • Approve risks classified as having very high severity, following an assessment conducted by the Risk & Financial Committee.
  6.2. Statutory Audit Committee (SAC)
  • Advise the Board of Directors in establishing global policies on risk management and on any revisions submitted for approval.
  • Evaluate and monitor the Company's risk exposure.
  • Monitor the risk management framework and management's risk management activities against guidelines and policies established by the Board of Directors.
  • Evaluate, monitor, and provide recommendations on corporate risks.


  • Review the corporate risk management methodology for approval by the Board of Directors.
  • Review and monitor the risk tolerance levels proposed by the Executive Board for approval by the Board of Directors.
  • Review the risk appetite statement proposed by the Executive Board for approval by the Board of Directors.
  6.3. Risk & Financial Committee
  • Provide strategic and financial advice to the Board of Directors, including on the assessment and issuance of recommendations regarding risks related to financial management, and other guidelines established in its charter.
  • Evaluate, monitor, and issue recommendations on prospective external risks associated with strategic planning.
  6.4. Internal Audit
  • Systematically evaluate the risk management process and recommend improvements.
  6.5. Executive Board
  • Propose Vibra Energia's risk appetite levels, primarily during but not limited to the development of the Company's strategic plan and business plan.
  • Propose risk tolerance levels and provide opinions on the need for changes/revisions.
  • Facilitate the implementation and continuous monitoring of measures necessary for alignment between risk appetite and Vibra Energia's strategies.
  • Monitor exposure to strategic and operational risks.
  • Review the Enterprise Risk Management Policy, including its subsequent revisions, submitting them for review by the Statutory Audit Committee and approval by the Board of Directors.
  • Validate risk assessments with directors and managers and, to the extent required by the level of authority for risk treatment, inform the Statutory Audit Committee, the Risk and Financial Committee, and the Board of Directors.
  • Assess the impact and likelihood of occurrence of strategic and operational risks as proposed by directors and managers.
  • Develop a draft risk appetite statement and provide recommendations on the need for changes/revisions.


  6.6. The Integrity function responsible for enterprise risk management (ERM)
  • Establish a corporate risk management methodology based on an integrated and systemic vision, enabling continuous risk monitoring across hierarchical levels.
  • Foster integration and capture risk management synergies across different organizational units and across business, management, and corporate services processes.
  • Disseminate knowledge about risk management.
  • Develop, measure, and report on risk tolerance indicators as updated from time to time.
  • Monitor and periodically report to the Executive Board, the Statutory Audit Committee, the Risk
    & Financial Committee, and the Board of Directors on the impact of key risks on Vibra Energia's consolidated results.
  • Evaluate the need for addressing risks exceeding the Company's risk appetite.
  • Where necessary, hold risk owners accountable for any non-conformity to action plans developed by ERM and the Executive Board to address risks.
  • Monitor and report on adherence to risk appetite.
  • Review risk categories (level 1) and business risks (level 2) every two years and/or in the event of any significant changes in the Company's structure and/or a revision of its strategic plan.
  • Develop a corporate risk matrix based on external and internal sources of information, and conduct periodic updates.
  • Analyze, validate, and communicate the list of risks affecting strategic objectives and drivers (top-down approach) and risks affecting processes (bottom-up approach).
  6.7. Those responsible for the overall risk management framework (Vice Presidents)
  • Coordinate, orchestrate and oversee risk management activities within their respective areas of responsibility.
  • Provide inputs to, evaluate, and validate the Company's risk matrix with the support of the organizational unit responsible for enterprise risk management.
  • Provide inputs to, evaluate, and validate risk tolerance definitions and results with the support of the organizational unit responsible for enterprise risk management.
  • Establish and implement Crisis Management Protocols and Business Continuity Plans for risks under their responsibility, especially Very High and High impact (severity) risks and other risks where applicable. These protocols and plans must be regularly and adequately tested, including via simulations.
  6.8. Heads of organizational units (Directors/Managers)


  • Proactively identify risks and manage them as necessary, assess the likelihood of occurrence, and take measures to prevent and minimize risks in line with this policy and other corporate guidelines and standards on risk management, in coordination with the organizational unit responsible for enterprise risk management.
  • Timely provide the organizational unit responsible for enterprise risk management with all necessary information for integrated risk assessment, monitoring and reporting to the Executive Board, the Statutory Audit Committee, the Risk and Financial Committee, and the Board of Directors.
  • Identify and support the development of risk tolerance levels suitable for their operational processes.
  • Furnish data to the organizational unit responsible for enterprise risk management for measuring risk tolerance indicators.
  • Define the treatment for risks not conforming to the Company's risk appetite and meet the deadlines established in action plans.


Disclaimer

Petrobras Distribuidora SA published this content on 29 May 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 29 May 2024 15:07:26 UTC.