Companhia Brasileira de Distribuição Netherlands B : Risk Management Policy
1. PURPOSE
Establishing principles, concepts, guidelines, and responsibilities in the Risk Management of Companhia Brasileira de Distribuição and its subsidiaries that are not publicly traded companies (collectively, "GPA") regarding the identification, review, and assessment of risks that may affect their strategic goals and the effective creation and protection of value for GPA.
Defining, starting from the inherent risks, the exposure control and monitoring mechanisms, and incorporating the risk vision into strategic decision-making in compliance with the applicable legal requirements, best practices and market methodologies.
2. SCOPE
Applicable to all macro processes and business operations of Companhia Brasileira de Distribuição and its subsidiaries that are not publicly traded companies.
3. TERMS, EXPRESSIONS, AND DEFINITIONS
Risk Appetite: the degree of risk the Company is willing to accept, according to the risk/return ratio, in order to achieve its goals within the limits set by senior management.
Capacity: the resources available for the Company to meet its strategic plan, such as financial capital resources, technologies, processes and people, among others.
COAUD: Company's Audit Committee.
COMEX: Company's Executive Committee.
Company: Companhia Brasileira de Distribuição.
Risk Consequences: aggravating factors in the outcomes and impacts of an Event that could positively or negatively affect the Company's ability to achieve its goals.
DIREX: Company's Board of Officers.
Event: an occurrence or set of occurrences whose impact can affect GPA's results, whether positively or negatively.
Risk Management: a set of coordinated and structured activities aiming at aligning the Risk Appetite with the strategic decision-making cycle in order to optimize the results set forth in the strategic planning and the effective creation and protection of GPA's value.
GPA: Companhia Brasileira de Distribuição and its subsidiaries that are not publicly traded companies.
Impact: the aggravating factors or consequences if the risk materializes, categorized as Financial or Reputational.
Key Performance Indicator (KPI): metrics used to measure and monitor process performance and results, which can also be used for risk monitoring.
Probability: the likelihood that a Risk materializes; it can be expressed qualitatively, quantitatively, or as a frequency.
Risk: factors and/or events that may have negative impacts, compromising the Company's ability to achieve its strategic goals and the effective creation and protection of GPA's value.
Inherent Risk: the degree of risk intrinsic to the operation of the business or activity, without considering the effect of controls and direct actions able to reduce its exposure; also called gross risk.
Prioritized Risks: a list of risks deliberately set by Senior Management, describing exposure levels that may produce high impacts on the business and whose management should be prioritized in a structured manner.
Residual Risk: the degree of risk remaining after all controls and actions identified to reduce exposure are taken into account.
Tolerance: the limits of acceptable variation in performance relative to the achievement of business goals.
4. RESPONSIBLE AREAS, ROLES AND RESPONSIBILITIES
All interested parties within the context and life cycle of the Risk Management process, with their corresponding responsibilities, are described below:
Board of Directors
∙ Establishing general Risk guidelines aligned with the business context and the strategic planning cycle;
∙ Establishing acceptable Risk Appetite limits under GPA's Capacity and Tolerance;
∙ Evaluating, deliberating on, and approving the strategic and Prioritized Risk matrix aligned with the Risk Appetite;
∙ Influencing and sponsoring the monitoring of Priority Risks within the management forums;
∙ Influencing and sponsoring the risk culture within GPA;
∙ Assessing annually the sufficiency of the structure and budget of the Internal Auditors for the performance of their duties;
∙ Revising and approving the general definitions of Risk Management strategies;
∙ Approving the risk policy, its evolution and future reviews.
COAUD
∙ Following the activities of the Internal Auditors and of GPA's internal controls area;
∙ Evaluating and monitoring GPA's Risk exposure;
∙ Proposing, to the eligible forums, definitions and guidelines that will compose the Risk Management model within GPA;
∙ Monitoring and supporting the Risk Management process in defining Priority Risks aligned with the business context and the Board of Directors' guidelines;
∙ Supervising Risk Management activities, ensuring compliance with applicable laws and with GPA's policies, rules and internal procedures;
∙ Evaluating and monitoring the Priority Risks found by the reviews of the Risk Management areas, reporting them to the Board of Directors and assisting it in assessing action plans and recommendations;
∙ Evaluating, approving, and monitoring how Prioritized Risks are addressed and monitored;
∙ Evaluating, approving and recommending to the administration the correction or improvement of GPA's internal policies;
∙ Evaluating the Company's quarterly information, interim statements and financial statements.
Human Resources and Corporate Governance Committee / Sustainability and Diversity Committee
∙ Preparing the planning and ensuring that Risk Management is actually put into operation, considering all dimensions of the structure set, encompassing GPA's strategic, tactical, and operational activities;
∙ Assisting the Board of Directors in applying the Risk Management methodology in GPA;
∙ Supporting the Board of Directors in defining both the Risk Appetite and GPA's priority risks;
∙ Supporting GPA in reviewing and approving the Risk Management strategy;
∙ Assisting the Audit Committee and the Board of Directors on risk exposure levels;
∙ Assessing the effectiveness of GPA's Risk Management process;
∙ Identifying the risks arising from GPA's strategic and policy changes, subject to approval by the Board of Directors.
COMEX/DIREX
∙ Promoting the integration of risk culture in GPA and in its management and strategic planning cycles;
∙ Ensuring the implementation of an efficient Risk Management model aligned with business purposes and goals, applying the general guidelines set by the Board of Directors to assign the acceptable Risk Appetite level for GPA;
∙ Monitoring all managed Risks to ensure the effectiveness of control measures;
∙ Taking part in GPA's validation rituals and risk prioritization;
∙ Following up KPIs and Priority Risk mitigation strategies;
∙ Assessing and monitoring how business risks are addressed, in line with the performance of the strategic planning;
∙ Assessing, on a timely basis, the effectiveness and applicability of the risk policy guidelines;
∙ Assessing and supporting the suitability of the structure for the management process, considering human, financial and technological resources.
Risk Management Director
∙ Setting and improving the Risk Management methodology, which shall be integrated and aligned with the value chain across the entire GPA;
∙ Managing GPA's Risk Management process cycle, covering all business units;
∙ Ensuring the information flow within all business units is aligned with the concepts, methodology, and deadlines set for each Risk Management cycle;
∙ Supporting business units in the risk identification, assessment, treatment, and monitoring cycle to assist them in reducing risk exposure levels;
∙ Managing the Prioritized Risk matrix, reporting its status and exposure levels to the key management forums;
∙ Supporting business areas in identifying and assessing the impact of Risks;
∙ Following up the implementation of action plans by the responsible area and reporting possible delays and/or increases in Risk to GPA.
Risk Owner
∙ Identifying, ranking, and managing the Risks of the corresponding areas according to the mitigation strategies, together with the Risk Management area;
∙ Appointing the professional who will act as facilitator for Risk Management with the Risk Management area;
∙ Ensuring the implementation of action plans and the monitoring of KPIs;
∙ Having technical knowledge of the processes in which the Risks are embedded.
Person in charge
∙ Being responsible for updating the mapping information and Risk treatment of his/her business unit;
∙ Keeping information updated in a timely manner, respecting the planning calendar of the Risk Management cycle;
∙ Monitoring the status of action plans with those responsible for implementing control measures.
Internal Auditors
∙ Measuring the quality and effectiveness of the Company's processes related to Risk Management, control and governance;
∙ Identifying and pointing out opportunities for improving Internal Control and Risk Management processes;
∙ Auditing information and controls connected to the KPIs developed and monitored by the functional areas;
∙ Reporting periodically to COAUD and to the audited areas the results of independent, unbiased, and timely assessments of the effectiveness of Risk Management in GPA.
Associates
∙ Ensuring that Risk Management is put into operation, taking part in the process of identification, assessment and measurement, and implementing preventive and corrective actions;
∙ Taking part in training sessions that allow the conscious dissemination of the Risk Management culture.
External Auditors
∙ Assessing the quality of the internal controls used to prepare the financial statements, and reporting to GPA any weaknesses found in those controls.
Table 1: Roles and Responsibilities
5. SPECIFIC GUIDELINES
Our general guidelines express our commitment to GPA's value proposition, aligned with our code of ethics and conduct, so that we can create a Risk Management culture that reaches all our associates.
Risk Management is part of GPA's Audit and Corporate Governance process and is an integral part of the decision-making process, contributing to the performance of its strategy. Risks are identified and addressed to ensure compliance with the goals set out in the strategic planning.
For that purpose, the Risk Management structure relies on the joint action of the corporate governance and management areas, according to the concept of the four lines of defense described in Table 2 below:
1st line
This line is composed of Operations Management, represented by the boards of executive officers, managers, and other associates of the business units that operate in day-to-day operations and tasks. They must manage performance and the Risks taken in compliance with the policy. They implement controls and action plans, and report information connected to Risk Management in a timely manner.
2nd line
This line is composed of the control and supporting functions, represented by the Risk Management Director, who may require the advice of the internal areas of GPA responsible for Compliance matters, Internal Controls and Information Security. They should guide, monitor, and assess adherence to all standards and policies set, in addition to supporting the first line of defense in achieving GPA's purposes. They should facilitate, disseminate, and monitor Risk Management practices and assist in identifying Risks according to the set Risk Appetite.
3rd line
This line is in charge of the assurance functions, represented by Internal Audit, which is responsible for conducting audits or reviews of Risk Management and Internal Control practices, as well as of governance effectiveness, identifying problems and opportunities for improvement with independence, objectivity, and authority for its recommendations.
4th line
This line represents the functions of the Independent External Audit, an entity whose mission is the evaluation of the quality of the internal controls used to prepare the financial statements. This line also represents a line of defense, since the Independent External Audit has to report to the Company any deficiencies it finds in such internal controls.
Table 2: Lines of Defense
