The internal control practices adopted by the Company are aligned with the complexity of its business and activities and are intended to ensure (i) compliance with applicable laws and regulations, and (ii) the quality and integrity of the Company’s financial statements.
The Company has a Risk Management Policy, approved in November 2022, following the COSO ERM methodology. The policy defines guidelines and responsibilities for managing various risks:
- Cyber Risk: Refers to the exploitation of vulnerabilities that may compromise the confidentiality, integrity, and availability of information, impacting personal and sensitive data.
- Compliance Risk: Relates to the risk of legal sanctions, financial losses, or reputational damage due to non-compliance with laws, regulations, and internal policies.
- Credit Risk: Involves the possibility of losses due to uncertainty in receiving payments from customers or financial institutions.
- Business and/or Strategic Risk: Refers to risks associated with the Company’s strategy, influenced by changes in the external and internal environment, affecting value creation and growth.
- Reputational Risk: Arises from negative brand exposure in the media, potentially impacting the Company’s reputation.
- Liquidity Risk: Relates to the inability to conduct transactions in a timely manner or meet financial commitments due to mismatches between assets and liabilities.
- Market Risk: Involves changes in exchange rates, interest rates, and prices that may affect earnings or the value of the Company’s financial assets.
- Operational Risk: Refers to failures in internal processes and personnel management that may prevent the Company from achieving its objectives.
- Technological Risk: Relates to the risk of not keeping up with technological advances, impacting the continuity and growth of operations.
The risk management framework implemented by the Company considers the joint role of corporate governance and management bodies, in accordance with the concept and framework of the widely recognized three-lines model. It should be noted that the informed structures for risk management are not yet operational and will come into effect upon the entry into force of the Participation Agreement in the Novo Mercado, which is conditional upon a public offering of shares by the Company.
Administrative Body: Refers to the Board of Directors. It reports to and is accountable to all stakeholders and is responsible for:
- setting the organization’s direction, defining vision, mission, values, and organizational risk appetite; and
- delegating responsibility for achieving the organization’s objectives to management, along with the necessary resources.
1st Line: Refers to operational management, represented by the executive officers, managers, and other employees involved in the Company’s operations. It reports to the Board and, together with it, is responsible for:
- identifying, assessing, monitoring, and mitigating Risks (treatment) in accordance with the Company’s guidelines;
- implementing action plans and controls; and
- promptly communicating/reporting relevant information related to risk management.
2nd Line: Refers to the Risk and Internal Controls Management and Compliance areas, whose members do not hold dual functions or subordinate roles to directors responsible for operational areas. It reports to the Board of Directors, the Compliance, Risk, and Internal Controls Committee, and is responsible for:
- analyzing, evaluating, and monitoring risks identified by operational management;
- facilitating and monitoring the implementation of risk management practices by operational management (1st line) according to the Company’s Risk Appetite;
- promptly communicating/reporting relevant information related to risk management; and
- assisting in the identification of risks and development of processes and controls.
3rd Line: Refers to the role of Internal Audit in evaluating and supervising the adherence and effectiveness of the Company’s risk management process. It operates independently and objectively, periodically reporting to the Compliance, Risk, and Internal Controls Committee, when established, and at least semiannually to the Board of Directors or as necessary. The Company may seek support from external consulting firms to assist in internal audit tasks, when needed.
The Risk and Internal Controls Management area assists business and operations managers in identifying their risks and evaluating the controls of their processes, using a process mapping methodology with identification of risks and controls, aiming to implement internal controls to mitigate risks. Furthermore, the Risk and Internal Controls Management area will be responsible for defining and monitoring, together with business and operations areas, action plans for implementing or improving controls that did not perform well in tests conducted by Internal Audit. The progress of these actions until their implementation is complete will be reported to the Compliance, Risk, and Internal Controls Committee.
The Internal Audit area, currently in the implementation phase, will be responsible for performing tests on key controls identified to assess control effectiveness. The results will be reported to the areas responsible for control, to the Company’s Management, and to the Compliance, Risk, and Internal Controls Committee.