GENERAL CORPORATE RISK MANAGEMENT POLICY

Neoenergia's Board of Directors is responsible for approving, updating and supervising corporate policies, which include those related to corporate governance and compliance with regulations, risks and sustainable development.

Among the risk policies, the General Corporate Risk Management Policy ("Policy") identifies the main risks of the group and organizes the internal control systems and adequate information, as well as their monitoring.

1. Object

The objective of the Policy is to establish the basic principles and the general framework for the control and management of risks of all types to which the Neoenergia group is exposed.

This Policy is developed and complemented by specific risk policies related to certain risks, corporate functions and group businesses.

2. Application

The General Corporate Risk Management Policy applies to all companies in the group, and must be reproduced by its subsidiaries, observing their respective bylaws and applicable legislation.

In subsidiary companies in which it is not a controlling shareholder, Neoenergia group recommends the promotion of principles, guidelines and risk limits consistent with its General Corporate Risk Management Policy, in addition to maintaining adequate information channels to ensure knowledge and monitoring of risks.

3. Risk Factors - Definitions

In general, a risk is considered to be any threat whereby an event, action or omission could prevent the group from reaching its objectives and successfully executing its strategies.

The risk factors to which the group is exposed are, in general, those listed below:

  1. Governance risk: The Neoenergia group should pursue the achievement of corporate objectives and sustainable maximization of its long-term economic value in accordance with its corporate interest, culture and corporate vision, taking into account the legitimate public or private interest that permeates all business activities, particularly among different stakeholders, such as the communities and territories where the Company operates, its subsidiaries and its workforce.
  2. Market risks: understood as the exposure of the group's results and assets to changes in prices and other market variables, such as, for example, adverse movements in energy prices in the short and long term and the effects of other factors and risks that impact energy prices, such as: (i) changes in key business variables such as demand and supply, hydrology, entry or delay of new projects in the energy matrix, strategy of the other agents; (ii) changes in the current regulation or in its interpretation; (iii) extra cost caused by changes in volume or price in open positions due to technological failures, human error or any other operational cause, exchange rates, interest rates, price indexes, prices of commodities, energy prices, CO2 emission rights and values of financial assets, among others.
  3. Credit risk: defined as the possibility of non-compliance with financial and contractual obligations of counterparties, including the risk of bankruptcy and replacement cost, such as default or 'non-performance', resulting in an economic or financial loss for the group. Counterparties can be end customers, counterparties in the financial or energy markets, partners, suppliers, financial entities and insurance companies, among others.
  4. Business risks: established as the uncertainty regarding the behavior of key variables intrinsic to the group's businesses, such as the balance of supply/demand for electricity, hydrology and the strategy of other agents.
  5. Regulatory and political risks: risks coming from the creation or change of the rules issued by regulatory agencies on which the electric sector bases its operations, such as changes in the level of control of regulated activities and supply conditions, or also relating to environmental regulation or tax, including risks of political change that may affect legal certainty and the legal framework applicable to business in each jurisdiction, nationalization or expropriation of assets, cancellation of licenses, partial or total contractual breach and legal risk of fraud.
  6. Operational, technological, environmental, social and legal risks: the risks related to the occurrence of economic or financial losses, direct or indirect, resulting from external events or inadequate internal processes, including those arising from:
    • technological failures, human errors and technological obsolescence;
    • cybersecurity and information systems;
    • climate change and pandemics;
    • fraud and corruption; and
    • tax litigation, arbitration and contingencies.

In relation to cybersecurity risks - arising from unauthorized access, misuse or disclosure, degradation, alteration, modification or destruction of information or of Neoenergia group's information and communication systems and services, including possible acts of terrorism, in particular, caused by the accessibility of third parties to them - it is important to mention that, on 09/18/2020, the General Data Protection Law 13.709/18, approved on 08/14/2018, came into force, except that fines apply from 2021, with the objective of ensuring the right to privacy and protection of personal data of individuals and companies. The Law regulates a number of aspects: among them, it establishes the cases in which data may be collected and processed, sets out the rights of data subjects, details special conditions for sensitive data and segments, and imposes sanctions in case of violations.

  7. Reputational risks: potential negative impact on Neoenergia group value due to conduct, behavior and positioning of the company that diverge from the expectations created by the various interest groups, as defined in Politics of Relationship with Interest Groups, including behaviors or conduct related to corruption.

Given the multidimensional nature of the risks, the taxonomy defined in the system includes additional classification variables for better monitoring, control and reporting of them, through monitoring tools. In these additional categories, we highlight:

  • Classification of risks into structural, current ("Hot Topics") and emerging, with the latter being understood as possible new threats, with an uncertain impact and indefinite probability, but with an upward trend and the possibility of becoming relevant to the group.
  • Inclusion of secondary risk factors, such as financial, environmental, social, governance ("ESG"), those related to fraud and corruption, tax, health and safety, cybersecurity and those related to third parties.

4. Basic principles

Neoenergia is subject to several risks of the different businesses in the energy market and the activities it develops, which can prevent it from reaching its objectives and successfully executing its strategies.

The Board of Directors of Neoenergia, aware of the importance of this aspect, undertakes to develop all its capabilities so that the relevant risks of all activities and businesses of the Neoenergia group are properly identified, measured, managed and controlled, in addition to establishing, through this Policy, the mechanisms and basic principles for an adequate risk-opportunity management, with a level of risk that allows:

  1. to achieve the group's strategic objectives with controlled volatility, using risk management as a strategic tool to support decision making;
  2. to provide maximum level of security and guarantees to shareholders;
  3. to defend the interests of shareholders, customers and other stakeholders;
  4. to contribute to the fulfillment of the Sustainable Development Goals (SDGs) approved by the United Nations, with emphasis on the seventh (Clean and Accessible Energy) and the thirteenth (Action Against Global Climate Change);
  5. to protect the results and reputation of the Neoenergia group;

  6. to ensure corporate stability and financial strength in a sustainable manner over time;
  7. to spread the risk culture among Neoenergia group employees, through communication and training.

In order to maintain the commitment expressed in the basic principles, the Board of Directors counts on the collaboration of the Audit Committee and the Executive Board, supported by the supervision of the Risk Management Superintendence, which, as an advisory body, supervises and reports on the adherence of controls and the management of significant risks, together with the Internal Audit and the Superintendence of Internal Controls of Neoenergia.

All risk control and mitigation actions must comply with the following basic principles:

  1. To integrate the risk-opportunity view in the management of the group, through the definition of the strategy and the risk appetite, as well as incorporating this variable in the strategic and operational decisions;
  2. To segregate, at the operational level, the functions between the risk-taking areas and the areas responsible for their analysis, control and supervision, ensuring an adequate level of independence;
  3. To guarantee the correct use of risk mitigation instruments and their registration in accordance with the requirements of the applicable rules and regulations;
  4. To inform regulatory bodies and main external interest groups, in a transparent manner, on the risks faced by the group and on the functioning of the risk management systems, maintaining adequate channels to favor communication;
  5. To secure the proper compliance with corporate governance standards through a Governance and Sustainability System and the updating and continuous improvement of this system, observing and implementing the best market practices in relation to transparency and good governance; and
  6. To act permanently under the terms of the law and the Governance and Sustainability System of the Neoenergia group and, in particular, in accordance with the values and standards of conduct reflected in the code of ethics and in the group's integrity policies, with the "zero tolerance" principle for illicit acts and situations of fraud, according to the Anti-Corruption Policy.

5. Integrated Risk Control and Management Model

The General Corporate Risk Management Policy and its basic principles are implemented through an integrated risk control and management model, supported by the Risk Committee and based on an adequate definition and establishment of functions and responsibilities at different levels (operational and control), and on procedures, methodologies and support tools appropriate to the different stages and activities of the model, which include:

  1. The establishment of a structure of policies, guidelines, limits and risk indicators, as well as the respective mechanisms for their approval and development, reviewing and establishing the risk appetite assumed annually in a qualitative and quantitative manner, in accordance with the objectives established in the multi-annual plan and annual budgets.
  2. The continuous identification of relevant risks and threats, taking into account their possible impact on corporate objectives and results (including contingency liabilities and other risks off the balance sheet);
  3. The analysis of these risks, both in each of the businesses or corporate functions, as well as in a consolidated way in the Neoenergia group;
  4. The measurement and control of risks following procedures and standards that are homogeneous and common to the group;
  5. The analysis of the risks associated with new investments, as an essential element in decision making, assessing their risk-return, including the risks of integrality of assets and associated with climate change.
  6. The maintenance of a system of internal controls to comply with policies, guidelines and limits, through appropriate procedures and systems, including the contingency plans necessary to mitigate the impact of the materialization of risks.
  7. The continuous assessment of the suitability and efficiency of the application of a system of best practices and recommendations in relation to risks, for its eventual incorporation into the management model; and
  8. The audit of the integrated risk control and management model by the Internal Audit Superintendence.

6. Risk Limits and Policies

The General Corporate Risk Management Policy is developed and complemented by corporate risk policies and by specific risk policies for the group's businesses, also approved by the Board of Directors:

  • Corporate risk policies:
    • Financial Risk Policy
    • Credit Risk Policy
    • Operational Risk Policy in Market Transactions
    • Energy Market Risk Policy
    • Insurance Policy
    • Purchasing Policy
    • Investment Policy

This is an excerpt of the original content.

Disclaimer

COELBA - Companhia de Eletricidade do Estado da Bahia published this content on 18 May 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 25 May 2021 18:26:02 UTC.