Date: 2022-07-29
All rights reserved. The content of this document is intended for internal use only. Its duplication or external disclosure
TABLE OF CONTENTS
PURPOSE
DEFINITIONS/ABBREVIATIONS
APPLICATION
RESPONSIBILITIES
Board of Directors (BoD)
Statutory Audit Committee
Executive Boards and CEO - 1st line
Risk Management Area - 2nd Line
Compliance Area - 2nd Line
Internal Audit Area - 3rd Line
Internal Controls Area - 2nd Line
Managers and employees - 1st Line
5. GUIDELINES
5.1 Corporate Risk Management Process
Guidelines for risk management
Methodology applied for risk management
Stages in the risk management process
5.1.3.1 Risk identification
5.1.3.2 Risk analysis and assessment
5.1.3.3 Risk treatment
5.1.3.4 Risk Monitoring - Action Plans and Reporting
Communication and Reports
5.2 Adjustments to the Operating Structure
5.3 Penalties
5.4 Approval
6. ATTACHMENTS
7. OMISSIONS
EXECUTIVE SUMMARY
This document was prepared with the purpose of guiding employees, members of the Board of Directors, of the Fiscal Council, the Statutory and Non-Statutory Executive Boards, as well as any area with technical or advisory functions, created or that may be created by the Company, with regard to guidelines for the management of corporate risks.
1. PURPOSE
The purpose of this Policy is to establish guidelines and responsibilities in the stages of identification, analysis, assessment, treatment and monitoring of corporate risks that may impact the fulfilment of Hypera Pharma's strategic plan, so as to prevent the occurrence of these events and minimize their impact, in accordance with the acceptable exposure limits thus established by the Company.
2. DEFINITIONS/ABBREVIATIONS
Whenever used in this Policy, whether singular or plural, feminine or masculine forms, these capitalized terms shall mean the following:
Risk Appetite: level of risk, composed of qualitative and quantitative criteria, which the Company is willing to accept while pursuing its goals;
Company or Hypera Pharma: Hypera S.A.;
Control: measure that maintains and/or modifies the risk;
COSO: Committee of Sponsoring Organizations of the Treadway Commission - non-profit entity created in 1975, in the USA, dedicated to the improvement of financial statements through ethics, effectiveness of internal controls and corporate governance. This entity's recommendations are a reference for Companies' internal controls throughout the world;
Event: occurrence of or change in a specific set of circumstances;
Risk factor: an element which, either individually or in combination with others, has the potential to give rise to a risk;
Risk Guardian: Company employee, generally represented by a member of the Senior Management or the Executive Board, who is responsible for ensuring the risk is managed and treated adequately, in accordance with the established action plans;
IBGC: Brazilian Institute of Corporate Governance;
Policy: means this Corporate Risk Management Policy;
Risk: effect of the uncertainty of events that may hinder the fulfilment of the Company's strategic plan and/or generation of business opportunities.
The main risks against which the Company seeks to hedge are highlighted below:
Strategic Risks: risks associated with the Company's strategic decisions in order to reach its business goals.
Financial Risks: risks associated with the organization's financial circumstances. Financial risks may be classified as Market, Credit and Liquidity risks:
Market Risks: stem from the possibility of losses (or lower gains than initially forecast) as a result of changes in market conditions (interest, exchange and inflation rate fluctuations, among others).
Credit Risks: reflect the possibility of losses arising from uncertainties regarding the receipt of amounts due by clients and other counterparties with which the Company has financial contracts. They may also represent uncertainties regarding the availability of credit for the payment of the organization's suppliers.
Liquidity Risks: reflect the possibility of lack of means to fulfill financial obligations as a result of unavailability of funds or the existence of funds without adequate liquidity.
Compliance Risks: risks associated with legal and regulatory sanctions, or with financial or reputational loss, that the Company may suffer as a result of failure to comply with norms, laws, agreements, regulations, ethics/conduct codes and/or internal policies.
Operating Risks: risks stemming from the lack of consistency and/or failures in process or people management.
Risk Matrix: tool used to carry out the integrated registration of risk management processes, including the mapping process that allows managers to measure, assess and prioritize (order) identified risks;
Nature: essence of the risk.
3. APPLICATION
This Policy applies to all Hypera Pharma's macroprocesses and operations, and it shall be complied with by all employees, Board members, statutory and non-statutory Officers, and all areas with technical and advisory functions.
4. RESPONSIBILITIES
It is the responsibility of the Company, its employees, the members of the Board of Directors, of the Fiscal Council and Statutory and Non-Statutory Officers, as well as any area with technical or advisory functions, created or that may be created by the Company:
To know this Policy and comply with the guidelines established in this document;
To respect the principles of the Company's Code of Ethical Conduct and Anticorruption Policy;
To comply with requirements and/or approval levels contained in the Company's policies and corporate documents.
4.1.1 Board of Directors (BoD)
The Board of Directors, without prejudice to its other legal and statutory duties, as well as other practices provided for in the Brazilian Code of Corporate Governance, is responsible for approving this policy and reviewing this document whenever necessary.
This joint body shall also monitor the Company's risk exposure, as well as ensure an effective Ethics and Compliance Program for the Company, and that the Executive Board has tools to recognize, assess and control these risks in order to keep them at acceptable levels, according to the guidelines established by the Company.
4.1.2 Statutory Audit Committee
It is the Statutory Audit Committee's responsibility, as per its regulations, to:
Oversee the quality and integrity of financial statements, compliance with legal, statutory and regulatory norms, adequacy of procedures regarding the Risk Management and Compliance Office and the activities of internal and independent auditors;
Assess, together with independent auditors, the adequacy of risk assessment methods used by the Company's management and their results;
Assess the effectiveness (a) of this Policy; (b) of the risk management and internal controls systems; and (c) of the Company's Compliance program;
Report to the Company's Board of Directors, upon request, the results of this assessment; and
Assess and monitor the Company's Risk exposures, with the possibility of requiring detailed information on policies and procedures.
4.1.3 Executive Boards and CEO - 1st line
For the purposes of this policy, the Executive Board is the body that reports to the CEO and, together with him/her, is responsible for the following:
Defining guidelines, resources and goals that ensure the fulfilment of the entire Risk Management Process;
Identifying the risks that may expose the Company, thus compromising the fulfilment of its strategic plan;
Assessing risk factors and possible consequences for the Company in case these risks become reality;
Approving the risk appetite according to qualitative and quantitative criteria;
Validating risk prioritization to be treated, in accordance with the applied methodology;
Ensuring the implementation of action plans and/or internal controls for treating and managing risks;
Assessing the effectiveness of the Corporate Risk Management Process and internal controls; and
Reporting on the management of these risks (identification, analysis/assessment and treatment) to the Risk Management Area and other governance bodies in the Company.
4.1.4 Risk Management Area - 2nd Line
Leading the Corporate Risk Management process and ensuring that all its stages are fulfilled;
Reinforcing and encouraging communication on the roles and responsibilities of participants of the Corporate Risk Management Process (Employees, Officers, CEO, Committees, among others), besides disseminating the Company's risk culture;
Supporting the various areas in the Company in identifying, analyzing and assessing risks, besides proposing and updating the methodology regarding the process of Corporate Risk Management;
Consolidating the Company's priority risk portfolio and communicating it to the risk guardians, the CEO and the Company's governance bodies;
Helping the executive board in preparing mitigation strategies for identified risks; and
Verifying the effectiveness of action plans that are aimed at treating risks and whether they are being fulfilled, as well as reporting on the monitoring/results to the CEO and the Company's governance bodies.
4.1.5 Compliance Area - 2nd Line
Managing the Company's Ethics and Compliance Program with the mission to disseminate and promote a culture of ethics and integrity;
Encouraging, together with the areas involved, the treatment of integrity risks identified through the Confidential Channel and other tools used by this area.
4.1.6 Internal Audit Area - 3rd Line
The Internal Audit's Executive Department reports to the Statutory Audit Committee and is responsible for:
Preparing the Annual Audit Plan so as to verify the efficacy of internal controls and the effectiveness of the risk management;
Identifying and pointing out risks that may not yet have been mapped out by the organization, by means of independent assessments of the internal control environment;
Reporting on the results of independent assessments in the internal controls environment to the Executive Board, the Board of Directors and the Advisory Committees, as well as to external assessment providers (independent auditors and other regulating bodies) whenever requested;
Supporting the business areas in planning mitigation actions and monitoring the implementation of action plans;
Carrying out special assignments upon request by the Statutory Audit Committee.
4.1.7 Internal Control Area - 2nd Line
The Internal Controls' Executive Department reports to the Statutory Audit Committee and is responsible for:
Advising officers when establishing guidelines related to the strengthening of the Company's control environment and the adoption of models and guides for good market practices;
Providing complementary expertise on senior management's decisions, helping achieve the Company's strategic goals;
Supporting the business areas in the monitoring and questioning regarding effective risk management, improvement of processes, structuring of controls, implementation of action plans, policies, norms and internal procedures, aiming to mitigate risks and ensure compliance with laws and regulations and assess the efficacy of internal controls;
Reporting the results obtained in the internal controls environment to the Executive Board, the Board of Directors and the Advisory Committees, as well as to external assessment providers (independent auditors and other regulatory bodies) whenever requested.
4.1.8 Managers and employees - 1st Line
They play the role of leading and carrying out actions to achieve the Company's goals, engaging in continuous dialogue with the other agents, reporting planned and fulfilled results, as well as the risks involved. They establish adequate structures and processes for the management of operations, risks and their respective internal controls, and are thus also responsible for ensuring compliance with internal policies and with legal, regulatory and integrity norms.
5. GUIDELINES
5.1 Corporate Risk Management Process
5.1.1 Guidelines for risk management
Corporate risk management at Hypera Pharma is committed to the creation of value, with the spirit of protection of assets, promoting support in the decision-making process, so as to ensure business continuity.
This support is constantly improved through the dissemination of the risk culture, the optimization of processes, the efficient allocation of resources and the regular identification of threats and opportunities.
The Corporate Risk Management process at Hypera Pharma aims to identify and analyze the risks that may impact the fulfilment of Hypera Pharma's strategic plan, helping the managers responsible for handling them to establish action/control plans for the treatment, monitoring and communication of those risks, in order to prevent their occurrence or minimize their impact, as well as to contribute to the improvement of corporate governance at Hypera Pharma.
This process is based on ISO 31000:2018 - Risk Management Principles and Guidelines, on rules established by COSO, and good corporate governance practices recommended by IBGC.