Date: 2022-07-29

Hypera Pharma
Public Information

HYPERA S.A. CORPORATE RISK MANAGEMENT POLICY

All rights reserved. The content of this document is intended for internal use only. Its duplication or external disclosure shall follow the classification described in the Information Security Policy.

TABLE OF CONTENTS

PURPOSE
DEFINITIONS/ABBREVIATIONS
APPLICATION
RESPONSIBILITIES
Board of Directors (BoD)
Statutory Audit Committee
Executive Boards and CEO - 1st line
Risk Management Area - 2nd Line
Compliance Area - 2nd Line
Internal Audit Area - 3rd Line
Internal Controls Area - 2nd Line
Managers and employees - 1st Line
5.1 Corporate Risk Management Process
Guidelines for risk management
Methodology applied for risk management
Stages in the risk management process
5.1.3.1 Risk identification
5.1.3.2 Risk analysis and assessment
5.1.3.3 Risk treatment
5.1.3.4 Risk Monitoring - Action Plans and Reporting
Communication and Reports

EXECUTIVE SUMMARY

This document was prepared with the purpose of guiding employees, members of the Board of Directors, of the Fiscal Council, the Statutory and Non-Statutory Executive Boards, as well as any area with technical or advisory functions, created or that may be created by the Company, with regard to guidelines for the management of corporate risks.

1. PURPOSE

The purpose of this Policy is to establish guidelines and responsibilities in the stages of identification, analysis, assessment, treatment and monitoring of corporate risks that may impact the fulfilment of Hypera Pharma's strategic plan, so as to prevent the occurrence of these events and minimize their impact, in accordance with the acceptable exposure limits thus established by the Company.

2. DEFINITIONS/ABBREVIATIONS

Whenever used in this Policy, whether singular or plural, feminine or masculine forms, these capitalized terms shall mean the following:

Risk Appetite: level of risk, composed of qualitative and quantitative criteria, which the Company is willing to accept while pursuing its goals;

Control: measure that maintains and/or modifies the risk;

COSO: Committee of Sponsoring Organizations of the Treadway Commission - non-profit entity created in 1975, in the USA, dedicated to the improvement of financial statements through ethics, effectiveness of internal controls and corporate governance. This entity's recommendations are a reference for Companies' internal controls throughout the world;

Event: occurrence of or change in a specific set of circumstances;

Risk factor: an element which, either individually or in combination with others, has the potential to give rise to a risk;

Risk Guardian: Company employee, generally represented by a member of the Senior Management or the Executive Board, who is responsible for ensuring the risk is managed and treated adequately, in accordance with the established action plans;

IBGC: Brazilian Institute of Corporate Governance;

Policy: means this Corporate Risk Management Policy;

Risk: effect of the uncertainty of events that may hinder the fulfilment of the Company's strategic plan and/or generation of business opportunities. The main risks from which the Company seeks to hedge are highlighted below:

Strategic Risks: risks associated with the Company's strategic decisions in order to reach its business goals.
Financial Risks: risks associated with the organization's financial circumstances. Financial risks may be classified as Market, Credit and Liquidity risks:
  Market Risks: stem from the possibility of losses (or lower gains than initially forecast) as a result of changes in market conditions (interest, exchange and inflation rate fluctuations, among others).
  Credit Risks: reflect the possibility of losses arising from uncertainties regarding the receipt of amounts due by clients and other counterparties with which the Company has financial contracts. They may also represent uncertainties regarding the availability of credit for the payment of the organization's suppliers.
  Liquidity Risks: reflect the possibility of lack of means to fulfill financial obligations as a result of unavailability of funds or the existence of funds without adequate liquidity.
Compliance Risks: risks associated with legal and regulatory sanctions, of financial or reputational loss that the Company may suffer as a result of failure to comply with norms, laws, agreements, regulations, ethics/conduct codes and/or internal policies.
Operating Risks: risks stemming from the lack of consistency and/or failures in process or people management.

Risk Matrix: tool used to carry out the integrated registration of risk management processes, including the mapping process that allows managers to measure, assess and prioritize (order) identified risks;

Nature: essence of the risk.

3. APPLICATION

This Policy applies to all Hypera Pharma's macroprocesses and operations, and it shall be complied with by all employees, Board members, statutory and non-statutory Officers, and all areas with technical and advisory functions.

4. RESPONSIBILITIES

It is the responsibility of the Company, its employees, the members of the Board of Directors, of the Fiscal Council and Statutory and Non-Statutory Officers, as well as any area with technical or advisory functions, created or that may be created by the Company:

To know this Policy and comply with the guidelines established in this document;
Respect the principles of the Company's Code of Ethical Conduct and Anticorruption Policy;
Comply with requirements and/or approval levels contained in the Company's policies and corporate documents.

4.1.1 Board of Directors (BoD)

The Board of Directors, without prejudice to its other legal and statutory duties, as well as other practices provided for in the Brazilian Code of Corporate Governance, is responsible for approving this policy and reviewing this document whenever necessary. This joint body shall also monitor the Company's risk exposure, as well as ensure an effective Ethics and Compliance Program for the Company, and that the Executive Board has tools to recognize, assess and control these risks in order to keep them at acceptable levels, according to the guidelines established by the Company.

4.1.2 Statutory Audit Committee

It is the Statutory Audit Committee's responsibility, as per its regulations, to:

Oversee the quality and integrity of financial statements, compliance with legal, statutory and regulatory norms, adequacy of procedures regarding the Risk Management and Compliance Office and the activities of internal and independent auditors;
Assess, together with independent auditors, the adequacy of risk assessment methods used by the Company's management and their results;
Assess the effectiveness (a) of this Policy; (b) of the risk management and internal controls systems; and (c) of the Company's Compliance program;
Report to the Company's Board of Directors, upon request, the results of this assessment; and
Assess and monitor the Company's Risk exposures, with the possibility of requiring detailed information on policies and procedures.

4.1.3 Executive Boards and CEO - 1st line

For the purposes of this policy, the Executive Board is the body that reports to the CEO and, together with him/her, is responsible for the following:

Defining guidelines, resources and goals that ensure the fulfilment of the entire Risk Management Process;
Identifying the risks that may expose the Company, thus compromising the fulfilment of its strategic plan;
Assessing risk factors and possible consequences for the Company in case these risks become reality;
Approving the risk appetite according to qualitative and quantitative criteria;
Validating risk prioritization to be treated, in accordance with the applied methodology;
Ensuring the implementation of action plans and/or internal controls for treating and managing risks;
Assessing the effectiveness of the Corporate Risk Management Process and internal controls; and
Reporting on the management of these risks (identification, analysis/assessment and treatment) to the Risk Management Area and other governance bodies in the Company.

4.1.4 Risk Management Area - 2nd Line

Leading the Corporate Risk Management process and ensuring that all its stages are fulfilled;
Reinforcing and encouraging communication on the roles and responsibilities of participants of the Corporate Risk Management Process (Employees, Officers, CEO, Committees, among others), besides disseminating the Company's risk culture;
Supporting the various areas in the Company in identifying, analyzing and assessing risks, besides proposing and updating the methodology regarding the process of Corporate Risk Management;
Consolidating the Company's priority risk portfolio and communicating it to the risk guardians, the CEO and the Company's governance bodies;
Helping the executive board in preparing mitigation strategies for identified risks; and
Verifying the effectiveness of action plans that are aimed at treating risks and whether they are being fulfilled, as well as reporting on the monitoring/results to the CEO and the Company's governance bodies.

4.1.5 Compliance Area - 2nd Line

Managing the Company's Ethics and Compliance Program with the mission to disseminate and promote a culture of ethics and integrity;
Encouraging, together with the areas involved, the treatment of integrity risks identified through the Confidential Channel and other tools used by this area.

4.1.6 Internal Audit Area - 3rd Line

The Internal Audit's Executive Department reports to the Statutory Audit Committee and is responsible for:

Preparing the Annual Audit Plan so as to verify the efficacy of internal controls and the effectiveness of the risk management;
Identifying and pointing out risks that may not yet have been mapped out by the organization, by