RISK MANAGEMENT POLICY

1. OBJECTIVE

Establish corporate guidelines for risk management, scope, definitions and organizational structure.

Designate the business areas responsible for identifying and promoting appropriate conduct and behaviors, in order to prevent and minimize risk to Gerdau.

2. SCOPE

This Policy applies to all Gerdau Entities, Business Divisions and Operations.

It covers all known risk factors monitored by the company's management team, described in section 4 and in the Reference Form (a document published on the Gerdau website and filed with the Brazilian Securities and Exchange Commission, CVM). Those risks are grouped as strategic, operational, regulatory, financial, political, technological, and environmental.

3. DEFINITIONS

  1. Risks are factors or events that can cause impact and exposure not aligned with Gerdau's business objectives.
  2. Strategic risks are those that impact the business' goals and success.
  3. Operational risks are related to occurrences resulting in loss due to the inadequacy or failure of internal processes, persons or systems directly related to company operations.
  4. Regulatory risk is related to the company's ability to monitor, interpret, act on, and anticipate laws and regulations in the markets in which it operates.
  5. Financial risk is related to economic performance, and is linked to corporate finances such as profitability, indebtedness, return, liquidity, indices, etc.
  6. Political risk is related to activities, decisions, events or political-economic conditions that can significantly affect the profitability and exposure of the company.
  7. Technological risk is related to cyber attacks, data leakage, and misuse of the systems that support administrative and operational processes.
  8. Environmental risk is related to the exposure of the company's operations that have impacts on the environment, either through the extraction of natural resources or through the effect of production processes on natural systems.
  9. Corruption risk is related to noncompliance with legal requirements or with company policies, procedures and guidelines, resulting from illegal internal or external behaviors.
  10. Reputational risk: damage to the company's reputation following an adverse event, even if the company is not found guilty.
  11. Risk Committee: corporate committee of the company, comprised of the CEO and the managers of the main areas responsible for risk analysis (Audit, Compliance, Financial, ICC/IG, Tax, Accounting, Legal, etc.).
  12. Ethics Channel: company tool available on the internet and intranet, used to report ethical complaints and concerns or to raise questions related to risk management.

  13. Fiscal Council: independent supervisory committee comprised of members of the Board of Directors and Operational Directors and Officers. Its members are elected at the General Shareholders' Meeting and are independent advisors who perform certain functions in alignment with the company's Audit Committee.

4. GUIDELINES

4.1 Risk Identification and Treatment:

  1. The Gerdau Risk Management structure is decentralized in order to benefit from the technical management knowledge and professional experience of each area. Process Managers should identify and resolve risks that may affect or impact the company's objectives.
  2. When a risk has a relevant probability or impact, it is the Process Managers' responsibility to identify controls to mitigate and monitor the risk, its impact and the mitigation process, and to report all matters to their managers, to upper levels as appropriate, and to the areas impacted.
  3. Risks should be identified and evaluated considering the probability of occurrence and the impact on the company's business and image, as well as on compliance with the laws of the jurisdictions where the company conducts business. Mitigation actions must be compatible with the degree of exposure to such risk(s).
  4. For operational risks, the balance between control cost and risk exposure must be established under the Three Lines Model:
  • 1st line: control-environment measures embedded in routine activities: procedures, approval limits, automatic blocks, access restrictions, reconciliations, etc. All processes exposed to operational risks, whether of financial loss, fraud or impact on the company's image, must comply with the company's Guidelines when defining procedures, process responsibility and accountability.
  • 2nd line: management, monitoring, process analysis, internal control management, and accountability activities. The second line is composed of the process managers who monitor their own risks and of the support areas acting to improve the control environment:
    o The Internal Controls Area should analyze the environment, processes and risks, evaluate changes, and conduct assessments in accordance with the Sarbanes-Oxley Act (SOX).
    o The Compliance Area must ensure and maintain the integrity and compliance of the company's activities, limiting risk exposure, upholding the company's ethical guidelines and complying with anti-corruption laws, regulations and practices. The Compliance Area is responsible for conducting trainings that disseminate the company's Code of Ethics and Conduct and Guidelines to company employees and third parties (where applicable), as well as for monitoring and maintaining records, Ethics Channel reporting, and any evaluations.
  • 3rd line: internal and/or external audits of all processes. Internal Audit is responsible for defining the annual plans, based on risk mapping and analysis, the results of audits performed, Sarbanes-Oxley Act certification test results, interview data and documentation collected with the Board of Directors, historical risks at each location, and information received from Process Managers.

  5. The company provides an anonymous and confidential Whistleblower Channel, available to all employees and third parties, through which complaints are filed and controlled by the Corporate Compliance area and handled by the appropriate area(s), with all significant occurrences reported to the Board.
  6. Risks must be assessed within the processes and the assigned area, with supporting documentation identifying the company's exposure. Managers are responsible for evaluating internal or external risks which can or will represent loss, impact to the company's image, strategic business plans and operations, and/or economic sustainability.

4.1.6.1 Main risks to be considered:

  1. Economic: Economic Crisis / slowdown, Cyclical demand
  2. Political: Government policies; Social risks; changes in laws and regulations
  3. Financial: Inflation; Interest rate; Credit risk; Exchange Rate Variation; Capital management (relation between financial debts and equity); Liquidity Risk; Exposure of the capital market; Financial cost of capital
  4. Strategy: Mergers, acquisitions, divestitures; new business; market and competitors; trade barriers; confidentiality of information
  5. Reputation: Communication; Image; Relationship with the community
  6. Environmental: environmental legislation; environmental liabilities; relationship with community
  7. Operational and Technological: Supply risks; Energy; Equipment and productive capacity; Costs management; Information and Control Systems
  8. Human Resources: Succession and retention; Culture and Organizational Climate; Trade union movements
  9. Regulatory: Adherence to Laws and Regulations; Ethics and Compliance.
  7. It is the responsibility of each area within the company's business operations, divisions and locations to identify and monitor any potential risk exposure; identify potential scenarios and monitor external information which can create a risk; implement KPIs; hire technical analysts (when necessary); identify discrepancies and the causes of a risk; map the organizational climate to eliminate risk exposure; and enforce the company's policies, procedures and governance structure.
  8. Process Managers are responsible for assessing any and all risks using tools such as SWOT planning, budget tracking, results analysis and future scenario assessments.
  9. In all new business evaluations, divestments of an operation, relevant changes in routines or objectives, and revisions of plans, the responsible manager must evaluate the impacts and identify any present or future risk.

5. ORGANIZATIONAL STRUCTURE IN RISK MANAGEMENT

5.1 Risk Committee

The Risk Committee must periodically evaluate risk indicators and the status of SOX internal control evaluations, perform audits, evaluate Ethics Channel complaints, monitor and identify relevant Compliance topics across all areas, and identify risks to the company's image, information security risks, legal contingencies, and any other risks reported to it.

5.2 Fiscal Council (Audit Committee)

Independent supervisory committee, performing the specific functions of the Audit Committee described in Article 13 of the Company's Bylaws, as well as monitoring the responsibilities and the work performed by the internal and external auditors and the SOX results, and, when appropriate, supporting risk management.

5.3 Operational Committee

Committees that support the processes of the various areas within the company, responsible for evaluating the company's results and reviewing risk causes, variations and future scenario perspectives based on internal and external variables. Examples are: Business Operations Committee, Strategy and Sustainability Committee, Credit Committee, Compensation Committee, Industrial Committee, etc.

This policy was reviewed and approved at a meeting of the company's Board on March 30th, 2021.

Disclaimer

Gerdau SA published this content on 30 March 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 06 April 2021 20:01:01 UTC.