Itaú Unibanco S A : 4Q 21 Risk and capital management Pillar 3 Fourth quarter of 2021 - Form 6-K

4Q
21
Risk and capital management Pillar 3
Fourth quarter of 2021

Contents
Objective 1
Key indicators 1
Prudential Metrics and Risk Management 2
KM1: Key metrics at consolidated level 2
OVA: Bank risk management approach 3
Scope and main characteristics of risk management 3
Risk and Capital Governance 4
Risk Appetite 5
Risk Culture 5
Stress Testing 6
Recovery Plan 7
Capital Adequacy Assessment 8
Capital Adequacy 8
OV1: Overview of risk-weighted assets (RWA)
Links between financial statements and regulatory exposures
LIA: Explanations of differences between accounting and regulatory exposure amounts
LI1: Differences between accounting and regulatory scopes of consolidation and mapping of financial statement categories with regulatory risk categories
LI2: Main sources of differences between regulatory exposure amounts and carrying values in financial statements
9
10
10
11
12
PV1: Prudent valuation adjustments (PVA) 12
Institutions that comprise the Financial Statement of Itaú Unibanco Holding 13
Non Consolidated Institutions 17
Material Entities 17
Composition of Capital 18
CCA: Main features of regulatory capital instuments 18
CC1: Composition of regulatory capital 19
CC2: Reconciliation of regulatory capital to balance sheet 21
Macroprudential Indicators 22
CCyB1: Geographical distribution of credit risk exposures considered in the calculation of the 22
Countercyclical Capital Buffer
GSIB1: Disclosure of G-SIB indicators 22
Leverage Ratio 22
LR1: Summary comparison of accounting assets vs leverage ratio exposure measure (RA) 23
LR2: Leverage ratio common disclosure 23
Liquidity Ratios 24
LIQA: Liquidity Risk Management Information 24
Framework and Treatment 24
LIQ1: Liquidity Coverage Ratio (LCR) 25
LIQ2: Net Stable Funding Ratio (NSFR) 26
Credit Risk 27
CRA: Qualitative information on credit risk management 27
CR1: Credit Quality of Assets 28
CR2: Changes in Stock of defaulted loans and debts securities 29
CRB: Additional disclosure related to the credit quality of assets Credit risk mitigation 29
Exposure by industry 30
Exposure by remaining maturity 30
Overdue exposures 31
Exposure by geographical area in Brazil and by country 31
Largest debtors exposures 32
Restructured exposures 32

CRC: Qualitative disclosure related to Credit Risk Mitigation techniques 32
CR3: Credit Risk mitigation techniques - overview 33
CR4: Standardized Approach - Credit Risk exposure and credit risk mitigation effects 34
CR5: Standardized Approach - exposures by asset classes and risk weights 34
Counterparty Credit Risk (CCR) 34
CCRA: Qualitative disclosure related to CCR 34
CCR1: Analysis of CCR exposures by approach 35
CCR3: Standardized approach - CCR exposures by regulatory portfolio and risk weights 35
CCR5: Composition of collateral for CCR exposures 36
CCR6: CCR associated with credit derivatives exposures 36
CCR8: CCR associated with Exposures to central counterparties 37
Securitization Exposures 37
SECA: Qualitative disclosure requirements related to securitisation exposures 37
SEC1: Securitisation exposures in the banking book 38
SEC2: Securitisation exposures in the trading book 38
SEC3: Securitisation exposures in the banking book and associated regulatory capital requirements - 38
bank acting as originator or as sponsor
SEC4: Securitisation exposures in the banking book and associated capital requirements - bank acting 38
as investor
Market Risk 39
MRA: Qualitative disclosure requirements related to market risk 39
MR1: Market risk under standardized approach 41
MRB: Qualitative disclosures on market risk in the Internal Models Approach (IMA) 41
MR2: RWA flow statements of market risk exposures under an IMA 44
Exposures subject to market risk 44
MR3: IMA values for trading portfolios 44
MR4: Comparison of VaR estimates with gains/losses 45
Backtesting 45
Total Exposure associated with Derivatives 46
IRRBB 46
IRRBBA: IRRBB risk management objectives and policies 46
Framework and Treatment 47
IRRBB1 - Quantitative information on IRRBB 49
Other Risks 49
Insurance products, pension plans and premium bonds risks 49
Social and Environmental Risk 50
Model Risk 51
Regulatory or Compliance Risk 51
Reputational Risk 51
Country Risk 53
Business and Strategy Risk 53
Contagion Risk 54
Operational Risk 54
Crisis Management and Business Continuity 55
Independent Validation of Risk Models 56
Glossary of Acronyms 57
Glossary of Regulations 62

Risk and Capital Management-Pillar 3
Objective
This document presents Itaú Unibanco Holding S.A. (Itaú Unibanco) information required by the Central Bank of Brazil (BACEN) through Resolution BCB nº 54 and subsequent amendments, which addresses the disclosure of information on risks and capital management, the comparison between accounting and prudential information, the liquidity and market risk indicators, the calculation of risk-weighted assets (RWA), the calculation of the Total Capital ("Patrimônio de Referência"-PR), and the compensation of management members. 1
The referred Resolution brought several amendments in the disclosure format of the Pillar 3 information, besides changes in the scope and frequency of the information disclosed. All these amendments, implemented by the Central Bank, aim the convergence of the Brazilian financial regulation to the recommendations of the Basel Committee, seeking to harmonize the information disclosed by financial institutions at an international level, and taking into account the structural conditions of the Brazilian economy.
The disclosure policy of the Risk and Capital Management Report presents the guidelines and responsibilities of the areas involved in its preparation, as well as the description of the information that must be disclosed and the integrity endorsement and approval governance, as established by the article 56 of the Resolution nº. 4,557.
Key indicators
Itaú Unibanco's risk and capital management focuses on maintaining the ins titution in line with the risk strategy approved by the Board of Directors. The key indicators based on the Prudential Consolidation, on December 31, 2021, are summarized below.
1 Compensation of management members data is reported annually.

Itaú Unibanco

1
Risk and Capital Management-Pillar 3
Prudential Metrics and Risk Management
Itaú Unibanco invests in robust and company -wide risk management processes to serve as a basis for its strategic decisions intended to ensure business sustainability.
The key prudential metrics related to regulatory capital and information on the bank's integrated risk management are presented below.
KM1: Key metrics at consolidated level
In order to ensure the soundness of Itaú Unibanco and the availability of capital to support business growth, Itaú Unibanco maintains capital levels above the minimum requirements, as demonstrated by the Common Equity Tier I, Additional Tier I Capital and Total CapitaI ratios.
On December 31, 2021, the Total Capital (PR) reached R$ 169,797 million, R$ 149,912 million of Tier I and R$ 19,885 million of Tier II.
Itaú Unibanco

Risk and Capital Management-Pillar 3
The Basel Ratio reached 14.7% on December 31, 2021, remaining at the September 30, 2021 level. In this period, the increase in the result of the period was offset by the growth of the loan portfolio.
Besides, Itaú Unibanco has a R$ 77,490 million capital excess in relation to its minimum required Total Capital. It corresponds to 6,7 pp above the minimum requirement (8%) and higher than the Capital Buffer requirement of 3.0% (R$ 34,615 million). Considering the Capital Buffers, the capital excess would be 3,7 pp.
The fixed assets ratio shows the commitment percentage of adjusted Referential Equity with the adjusted permanent assets. Itaú Unibanco falls within the maximum limit of 50% of adjusted PR, established by BACEN. At December 31, 2021, fixed assets ratio reached 16.9%, showing a surplus of R$ 56,280 million.
OVA - Bank risk management approach
Scope and main characteristics of risk management
To undertake and manage risks is one of the activities of Itaú Unibanco. For this reason, the institution must have clearly established risk management objectives. In this context, the risk appetite defines the nature and the level of risks acceptable for the institution, while the risk culture guides the attitudes required to manage them. Itaú Unibanco invests in robust risk management processes, that are the basis for its strategic decisions to ensure business sustainability and maximize shareholder value creation.
These processes are in line with the guidelines of the Board of Directors and Executives who, through corporate bodies, define the institution's global objectives, which are then translated into targets and thresholds for the business units that manage risks. Control and capital management units, in turn, support Itaú Unibanco's management through the processes of analysis and monitoring of capital and risk.
The principles that provide the risk management and the risk appetite foundations, as well as guidelines regarding the actions taken by Itaú Unibanco's employees in their daily routines are as follows:
• Sustainability and customer satisfaction: the vision of Itaú Unibanco is to be a leading bank in sustainable
performance and customer satisfaction. For this reason, the institution is concerned about creating shared values for employees, customers, shareholders and society to ensure the longevity of the business. Itaú Unibanco is concerned about doing business that is good for customers and for the institution;
• Risk culture: the institution's risk culture goes beyond policies, procedures and processes. It strengths the individual and collective responsibility of all employees to manage and mitigate risks consciously, respecting the ethic way of doing business. The risk culture is described in the item "Risk Culture";
• Risk Pricing: Itaú Unibanco operates and assumes risks in business that it knows and understands, avoids the ones that are unknown or that do not provide competitive advantages, and carefully assesses risk-return ratios;
• Diversification: the institution has low appetite for volatility in its results. Accordingly, it operates with a diversified base of customers, products and business, seeking risk diversification and giving priority to low-risk transactions;
• Operational excellence: Itaú Unibanco intends to provide agility, as well as a robust and stable inf rastructure, in order to offer high quality services;
Itaú Unibanco

Risk and Capital Management-Pillar 3
• Ethics and respect for regulations: at Itaú Unibanco, ethics is non-negotiable. For this reason, the institution promotes an institutional environment of integrity, educating its employees to cultivate ethical relationships and businesses, as well as respecting the norms, and therefore looking after the institution's reputation.
Since August, 2017, the Resolution CMN 4,557 came into force, which established the structure of risk and capital management. The resolution highlights are the implementation of a continuous and integrated risk management framework; the requirements for the definition of the Risk Appetite Statement (RAS) and the stress test program; the establishment of a Risk Committee; the indication, before BACEN, of the Chief Risk Officer (CRO); and the CRO's roles, responsibilities and independence requirements.
Risk and Capital Governance
The Board of Directors is the main body responsible for establishing the guidelines, policies and authority levels regarding risk and capital management. In turn, the Risk and Capital Management Committee (CGRC) provides support to the Board of Directors in the performance of their duties relating to risk and capital management. At the executive level, corporate bodies headed by Itaú Unibanco's Chief Executive Officer (CEO) are established to manage risks and capital. Their decisions are overseen by the CGRC.
Additionally, the Itaú Unibanco Holding has corporate bodies that perform delegated duties in the risk and capital management, under the responsibility of CRO (Chief Risk Officer).
To support this structure, the Risk Area is structured with specialized departments. The objective is to provide independent and centralized management of the institution's risks and capital, and to ensure the accordance with the established rules and procedures.
Itaú Unibanco's risk management organizational structure complies with Brazilian and international regulations in place and is aligned with the market's best practices, including governance for identifying emerging risks, which are those with medium and long-term impact potentially material about the business.
Responsibilities for risk management at Itaú Unibanco are structured according to the concept of three lines of defense, namely:
• in the first line of defense, the business and corporate support areas manage risks they give rise to, by identifying, assessing, controlling and reporting such risks;
• in the second line of defense, an independent unit provides central control, so as to ensure that Itaú Unibanco's
risk is managed according to the risk appetite and established policies and procedures. This centralized control provides the Board and executives with a global overview of Itaú Unibanco's exposure, to ensure correct and timely corporate decisions;
• in the third line of defense, internal audit provides an independent assessment of the institution's activities, so that senior management can see that controls are adequate, risk management is effective and institutional standards and regulatory requirements are being complied with.
Itaú Unibanco uses robust automated systems for full compliance with capital regulations, as well as for measuring risks in accordance with the regulatory determinations and models in place. It also monitors adherence to the qualitative and quantitative regulators' minimum capital and risk management requirements.
Itaú Unibanco

Risk and Capital Management-Pillar 3
Risk Appetite
Itaú Unibanco has a risk appetite policy, which was established and approved by the Board of Directors and guides the institution's business strategy. The bank's risk appetite is grounded on the following declaration of the Board of
Directors:
"We are a universal bank, operating predominantly in Latin America. Supported by our risk culture, we operate based on rigorous ethical and regulatory compliance standards, seeking high and growing results, with low volatility, by means of the long-lasting relationship with clients, correctly pricing risks, well-distributed fund-raising and proper use of capital."
Based on this declaration, the bank established five dimensions, each of which comprising a set of metrics associated with the key risks involved, combining complementary measurements and seeking a comprehensive view of its exposure:
• Capitalization: establishes that Itaú Unibanco should have sufficient capital to protect itself against a serious recession or stress events without the need to adjust its capital structure und er adverse circumstances. It is monitored by following up the bank's capital ratios, in usual or stress situations, and the institution's debt issue ratings.
• Liquidity: establishes that the institution's liquidity should be able to support long stress periods. It is monitored by following up on liquidity ratios.
• Composition of results: establishes that business will mainly focus on Latin America, where Itaú Unibanco will have a diversified range of customers and products, with low appetite for results volatility and high risk. This dimension includes business and profitability, as well as market and credit risks aspects. The metrics monitored by the bank seek to ensure, by means of exposure concentration limits such as, for example, industry sectors, quality of counterparties, countries and geographic regions and risk factors, a suitable composition of the bank's portfolios, aiming at low volatility
of results and business sustainability.
• Operational risk: focuses on controlling operational risk events that may adversely impact the bank's business strategy and operations. This control is carried out by monitoring key operational risk events and incurred losses.
• Reputation: deals with risks that may impact brand value and the institution's reputation before its customers, employees, regulators, investors and the general public. In this dimension, risks are monitored by following up on customers' satisfaction or dissatisfaction, media exposure and observation of the institution's conduct.
The Board of Directors is responsible for approving risk appetite guidelines and limits, performing its activities with the support of the Risk and Capital Management Committee (CGRC) and the Chief Risk Officer (CRO).
Metrics are regularly monitored and must comply with the limits defined. The monitoring is reported to the risk commissions and to the Board of Directors, guiding the use of preventive measures to ensure that exposures are within the limits provided and in line with the bank's strategy.
Risk Culture
Aiming at strengthening its values and aligning the behavior of its employees with risk management guidelines, the institution adopts several initiatives to disseminate and strengthen its Risk Culture, which is based on four principles: conscious risk taking, discussions and actions on the institution's risks, and each and everyone's responsibility for risk management.
Itaú Unibanco

Risk and Capital Management-Pillar 3
Chart 1-Risk Culture
Besides the risk management policies, procedures and processes, the institution promotes its Risk Culture by emphasizing a behavior that helps people of all company levels to undertake and manage risks in a conscious way. By disseminating these principles, the institution fosters the understanding and the open discussion about risks, so that they are kept within the risk appetite levels established and each employee individually, regardless of their position, area or duties, may also assume responsibility for managing the risks of the business.
Itaú Unibanco also makes some channels available for communication of operating failures, internal or external fraud, conflicts at the workplace, or cases that may result in inconveniences and/or losses for the institution or its customers. All employees or third parties are responsible for informing any problems immediately, as soon as they become aware of the situation.
Stress Testing
The stress test is a process of simulating extreme economic and market conditions on Itaú Unibanco's results, liquidity and capital. The institution has been carrying out this test in order to assess its solvency in plausible scenarios of crisis, as well as to identify areas that are more susceptible to the impact of stress that may be the subject of risk mitigation.
For the purposes of the test, the economic research area estimates macroeconomic variables for each stress scenario. The elaboration of stress scenarios considers the qualitative analysis of the Brazilian and the global conjuncture, historical and hypothetical elements, short and long term risks, among other aspects, as defined in CMN Resolution 4,557.
In this process, the main potential risks to the economy are assessed based on the judgment of the bank's team of economists, endorsed by the Chief Economist of Itaú Unibanco and approved by the Board of Directors. Projections for the macroeconomic variables (such as GDP, the basic interest rate and inflation) and for variables in the credit market (such as raisings, lending, rates of default, margins and charges) used are based on exogenous shocks or through use of models validated by an independent area.
Then, the stress scenarios adopted are used to influence the budgeted result and balance sheet. In addition to the scenario analysis methodology, sensitivity analysis and the Reverse Stress Test are also used.
Itaú Unibanco

Risk and Capital Management-Pillar 3
Itaú Unibanco uses the simulations to manage its portfolio risks, considering Brazil (segregated into wholesale and retail) and External Units, from which the risk-weighted assets and the capital and liquidity ratios are derived.
The stress test is also an integral part of the ICAAP (Internal Capital Adequacy Process), the main purpose of which is to assess whether, even in severely adverse situations, the institution would have adequate levels of capital and liquidity, without any impact on the development of its activities.
This information enables potential offenders to the business to be identified and provides support for the strategic decisions of the Board of Directors, the budgeting and risk management process, as well as serving as an input for the institution's risk appetite metrics.
Recovery Plan
In response to the latest international crises, the Central Bank issued the Resolution No. 4,502, which requires the development of a Recovery Plan for the financial institutions that are classified in the Segment 1, with a total exposure of more than 10% of Gross Domestic Product (GDP). This plan aims to reestablish adequate levels of capital and liquidity, above the regulatory requirements, through appropriate strategies in the event of severe stress shocks of a systemic or idiosyncratic nature. Accordingly, each institution would be able to preserve its financial feasibility and, at the same time, mitigate the impact on the National Financial System.
Itaú Unibanco has a Recovery Plan that contemplates the entire Conglomerate, including foreign subsidiaries, and contains the description of the following items:
I. Critical functions rendered by Itaú Unibanco to the market, activities that, if abruptly interrupted, could impact the National Financial System (SFN) and the functioning of the real economy;
II. Institution's essential services: activities, operations or services which discontinuity could compromise the bank's viability;
III. Monthly monitoring program, establishing critical levels for a set of indicators, with a view to risk monitoring and eventual trigger for the execution of the Recovery Plan;
IV. Stress scenarios, contemplating events that may threaten the busines s continuity and the viability of the institution, including reverse tests, which seek to identify remote risk scenarios, contributing to an increase of the management sensitivity;
V. Recovery strategies in response to different stress scenarios, including the main risks and barriers, as well as the mitigators of the latter and the procedures for the operationalization of each strategy;
VI. Communication plan with stakeholders, seeking its timely execution with the market, regulators and ot her
stakeholders;
VII. Governance mechanisms necessary for the coordination and execution of the Recovery Plan, such as the
definition of the director responsible for the exercise at Itaú Unibanco.
This plan is reviewed annually and is subjected to the approval of the Board of Directors.
With this practice, Itaú Unibanco has been able to continuously demonstrate, that even in severe scenarios, with remote probability of occurrence, it has strategies capable of generating sufficient resources to ensure the sustainable maintenance of critical activities and essential services, without losses to customers, to the financial system and to other participants in the markets in which it operates.
Itaú Unibanco

Risk and Capital Management-Pillar 3
Itaú Unibanco ensures the exercise maintenance to guarantee that strategies remain up-to-date and viable in the face of organizational, competitive or systemic changes.
Capital Adequacy Assessment
For its capital adequacy assessment process, the annual Itaú Unibanco's procedure is as follows:
Identification of material risks and assessment of the need for additional capital;
Preparation of the capital plan, both in normality and stress situations;
Internal assessment of capital adequacy;
Structuring of capital contingency and recovery plans;
Preparation of management and regulatory reports.
By adopting a prospective stance regarding capital management, Itaú Unibanco implemented its capital management structure and its ICAAP in order to comply with National Monetary Council (CMN) Resolution 4,557, BACEN Circular 3,846 and BACEN Circular Letter 3,907.
The result of the last ICAAP, which includes stress tests - dated as of December 2020 - showed that, in addition to having enough capital to face all material risks, Itaú Unibanco has a significant buffer, thus ensuring the soundness of its equity position.
Capital Adequacy
Itaú Unibanco, through the ICAAP process, assesses the adequacy of its capital to face the incurred risks, composed by regulatory capital for credit, market and operational risks and by the necessary capital to face other risks. In order to ensure the soundness and the availability of Itaú Unibanco's capital to support business growth, the Total Capital levels were maintained above the minimum requirements.
Itaú Unibanco
8

Risk and Capital Management-Pillar 3
OV1 - Overview of risk-weighted assets (RWA)
According to CMN Resolution 4,193 and subsequent amendments, for assessing the minimum capital requirements, the RWA must be calculated by adding the following risk exposures:
RWA = RWACPAD + RWAMINT + RWAOPAD
• RWACPAD = portion related to exposures to credit risk, calculated using standardized approach;
• RWAMINT = portion related to the market risk capital requirement, made up of the maximum between the internal model and 80% of the standardized model, and regulated by BACEN Circulars 3,646 and 3,674;
• RWAOPAD = portion related to the operational risk capital requirement, calculated using standardized approach.
The higher amount of credit risk-weighted assets (RWACPAD) was mainly due to the increase in loan portfolio in the period.
Itaú Unibanco
9

Risk and Capital Management-Pillar 3
Links between financial statements and regulatory exposures
LIA: Explanations of differences between accounting and regulatory exposure amounts
The main difference between the accounting carrying value and the amounts considered for regulatory purposes is the non-consolidation of non-financial companies (especially Insurance, Pension Plan and Capitalization companies) in the regulatory consolidated, a difference that also impacts the elimination of related parties transactions.
Within the regulatory scope, the procedures for assessing the need for prudent valuation adjustments (PVAs) arising from the pricing of financial instruments, as well as the description of the systems and controls used to ensure its reliability are described below.
The pricing methodology for the financial instruments subject to Resolution No. 4,277, of October 31st, 2013, conducted by an independent area from the business areas, considers, in addition to benchmarks, the risks listed in the closeout uncertainty, market concentration, early termination, model risk, investing and funding costs, unearned credit spread and others.
The fair value measurement at Itaú Unibanco follows the principles enclosed in the main regulatory bodies, such as CVM and BACEN. The institution follows the best practices in terms of pricing policies, procedures and methodologies and is committed to secure the pricing of financial instruments in its balance sheet with prices quoted and disclosed by the market, and in the impossibility of doing so, expends its best efforts to estimate which would be the fair price at which financial assets would be effectively traded, maximizing the use of relevant observable data and, under specific conditions, these instruments can be valued on a model basis. In all of these situations, the organization has control over its pricing methods and model risk management.
The process of independent price verification (IPV) follows the guidelines included in Resolution No. 4,277, with daily verification of prices and market inputs, which is performed by a team independent from the pricing team. This process is also subject to an independent evaluation by the internal control, internal audit and external audit teams.
The institution has a hybrid model for assessing the need for prudent valuation adjustments with two components. The first component is a timely assessment model that assesses new products, operations and risk factors traded and verifies the compliance and liability with any components of the existing prudent valuation adjustments. The second is a periodic assessment that aims to analyze the existing prudent valuation adjustments in relation to adequate pricing. The process and methodology are evaluated periodically and independently by internal controls and internal audit.
In the line Other Differences of the table LI2, are reported the transactions subject to credit risk and counterparty credit risk, which are not accounted for in the balance sheet or in the off-balance sheet amounts.
Itaú Unibanco
10

Risk and Capital Management-Pillar 3
LI1: Differences between accounting and regulatory scopes of consolidation and mapping of financial statement categories with regulatory risk categories
Itaú Unibanco
11
R$ million, at the end of the eeriod 1213112021
Carrying values of items:
Carrying values
Carrying values Not subject to
as reported in
under scope of Subject to
Subjectto
Subject to the Subject to the
capital
published
regulatory credit risk
counterparty
securitisation market risk
requirements or
financial consolidation credit risk subjectto statements frameworX framework framework framework deduction from
capital
Assets
Current assets and Long-term receivables 2,136,498 1,907,804 1,545,801 321,856 10,265 215,267 27,428
Cash 44,512 44 ,373 44,373 9,310
Interbank investments 243,916 241,601 75,460 166,141 15,635
Securities and derivative financial instruments 706,306 485,672 403,084 68,708 10,265 30,984 1,161
Interbank accounts 160,354 160,354 149,064 11,290
lnterbranch accounts 369 369 369
Loan, lease and other credit operations 774,927 775,796 768,312 62,487 7,484
Other receivables 202,661 196,373 102,242 87,007 96,851 7,124
Deferred tax assets 56,065 49,019 7,046
Sundry 140,308 53,223 87,007 96,851 78
Other assets 3,453 3,266 3,266
Permanent assets 29,521 46,744 28,711 18,033
Investments 6,676 25,018 22,681 2,337
Real estate 6,417 5,937 5,937
Goodwill and Intangible assets 16,428 15,789 93 15,696
Goodwill 2,608 2,808
Intangible assets 13,088 13,088
Other 93 93
Total assets 2,166,019 1,954,548 1,574,512 321 ,856 10,265 21 5,267 45,461
Liabilities
Current and Long-term Liabilities 2,007,337 1,795,858 297,785 227,484 1,498,073
Deposits 850,372 860,024 55,494 860,024
Deposits received under securities repurc hase 271 ,051 271,104 255,922 14 15,182
agreements
Funds from acceptances and issuance of securities 143,138 143,138 16,931 143,138
Interbank accounts 64,307 64 ,307 64,307
lnterbranch accounts 8,992 8,995 144 8,995
Borrowings and onlending 97,005 97,005 10,495 97,005
Derivative financial instruments 63,969 63,974 41 ,883 774 22,111
Technical provision for insurance, pension plan and 217,558
capitalization
Provisions 16,240 15,869 15,869
Allowance for financial guarantees provided and loan
4,784 4 ,784 4,784
commitments
Other l iabilities 269,921 266,658 143,632 266,658
Deferred tax liabilities 2,511 2,511
Sundry 264,147 143,632 264,147
Deferred income 3,106 3,178 3,178
Total liabilities 2,010,443 1,799,036 297,785 227,484 1,501 ,251

Risk and Capital Management-Pillar 3
LI2: Main sources of differences between regulatory exposure amounts and carrying values in financial statements
PV1: Prudent valuation adjustments (PVA)
Itaú Unibanco
12

Risk and Capital Management-Pillar 3
Institutions that comprise the Financial Statements of Itaú Unibanco Holding
The lists below provide the institutions that comprise the financial statements and the Prudential Consolidation of Itaú Unibanco Holding S.A..
Itaú Unibanco
13

Risk and Capital Management-Pillar 3
Itaú Unibanco
14

Risk and Capital Management-Pillar 3
Institutions that comprise the Financial Statements of Itaú Unibanco Holding
Itaú Unibanco
15

Risk and Capital Management-Pillar 3
Itaú Unibanco
16

Risk and Capital Management-Pillar 3
The institutions presented in the tables above represent the total scope of companies of Itaú Unibanco Holding.
Non Consolidated Institutions
Material entities
Total assets, stockholders' equity, country and the activities of the material entities, including those subject to the risk weight for the purpose of capital requirements are as follows:
Itaú Unibanco
17

Risk and Capital Management-Pillar 3
Composition of Capital
CCA: Main features of regulatory capital instruments
The authorized regulatory capital instruments may be extinguished according to the criteria established in Resolution nº 4,192 in articles 17, item XV, or 20, item X, such as non-compliance with the minimum regulatory ratios, decree of temporary special administration regime or intervention, application of public resources or upon the Central Bank of Brazil determination. Should any criteria for the extinction of subordinated instruments be triggered, the area responsible for Itaú Unibanco's Capital management will activate the areas involved to execute the following action plan:
• The treasury, through the payment agent of the subordinated instruments or straight through the central
depository, will notify its holders and take actions to ensure that Itaú Unibanco's trading desks cease to trade such instruments;
• The operational and accounting areas will carry out the necessary procedures for the proper treatment of the extinction; and
• The Investor Relations area will communicate the market of the extinction of the subordinated instruments.
The table CCA-Main features of regulatory capital instruments, is available at www.itau.com.br/investor-relations, section "Results and Reports", "Regulatory Reports", "Pillar 3".
Itaú Unibanco
18

Risk and Capital Management-Pillar 3
CC1-Composition of regulatory capital
Itaú Unibanco
19

Risk and Capital Management-Pillar 3
Itaú Unibanco
20

Risk and Capital Management-Pillar 3
CC2: Reconciliation of regulatory capital to balance sheet
Itaú Unibanco
21

Risk and Capital Management-Pillar 3
Macroprudential Indicators
CCyB1: Geographical distribution of credit risk exposures considered in the calculation of the Countercyclical Capital Buffer
The following table details the geographic distribution of credit risk exposures considered in the calculation of the Countercyclical Capital Buffer, according to Circular 3,769 of 29 October 2015:
GSIB1: Disclosure of G-SIB indicators
The GSIB1 table, disclosure of global systemically important bank (G-SIB) indicators, will be available on the website www.itau.com.br/investor-relations, section "Reports", "Pillar 3 and Global Systemically Important Banks", within the period stipulated by BCB Resolution 54/20.
Leverage Ratio
The Leverage Ratio is defined as the ratio between Tier I Capital and Total Exposure, calculated according to BACEN Circular 3,748. The ratio is intended to be a simple measure of non-risk-sensitive leverage, and so it does not take into account risk weights or risk mitigation.
As required by BACEN Circular Letter 3,706, Itaú Unibanco monthly reports to BACEN the Leverage Ratio, which minimum requirement is of 3%.
The following information is based on the methodology and standard format introduced by BACEN Circular 3,748.
Itaú Unibanco
22

Risk and Capital Management-Pillar 3
LR1: Summary comparison of accounting assets vs leverage ratio exposure measure (RA)
LR2: Leverage ratio common disclosure
Itaú Unibanco
23

Risk and Capital Management-Pillar 3
Liquidity Ratios
LIQA: Liquidity Risk Management Information
Framework and Treatment
Liquidity risk is defined as the likelihood of the institution not being able to effectively honor its expected and unexpected obligations, current and future, including those from guarantees commitment, without affecting its daily operations or incurring in significant losses.
In line with the fundraising strategy, Itaú Unibanco has diversified and stable sources of funding available, monitored through concentration and maturity indicators, in order to mitigate liquidity risks, in accordance with the institution's risk appetite.
The governance of the liquidity risk management is based on advisory boards, subordinated to the Board of Directors or the executive structure of Itaú Unibanco. Such boards establish the institution's risk appetites, define the limits related to the liquidity control and monitor the liquidity indicators.
The control of the liquidity risk is carried out by an area that is independent of the business areas, responsible for defining the composition of the reserve, estimating the cash flow and the exposure to liquidity risk in different time horizons and monitoring short and long term liquidity indicators (LCR and NSFR respectively). In addition, it proposes minimum limits to absorb losses in stress scenarios for each country where Itaú Unibanco operates and reports any non-compliance to the competent authorities. All activities are subject to verification by the independent validation, internal controls and audit departments.
Additionally, and pursuant to the requirements of Resolution 4,557, BACEN Circular 3,749 and Circular 3,869, the Liquidity Risk Statement (DRL-LCR) and the Long Term Liquidity Statement (DLP-NSFR) are monthly sent to BACEN. Finally, the following items are periodically prepared and submitted to senior management for monitoring and decision support:
• Stress of liquidity indicators based on macroeconomic scenarios, simulation of reverse stress based on risk appetite, and projection of the main liquidity indicators to support decisions;
• Contingency and recovery plans for crisis situations, with actions that provide for a gradation according to the level of criticality determined by the easiness of implementation, taking into account the characteristics of the local market in which it operates, seeking a rapid restoration of liquidity indicators;
• Reports and graphs that describe risk positions;
• Concentration indicators of funding providers and time.
The document that details the liquidity risk control institutional policy is on the Investor Relations website https://www.itau.com.br/investor-relations,section "Itaú Unibanco", under "Corporate Governance", "Rules and Policies, Reports".
Itaú Unibanco
24

Risk and Capital Management-Pillar 3
LIQ1: Liquidity Coverage Ratio (LCR)
Itaú Unibanco has High Quality Liquidity Assets (HQLA) that amounted to R$ 307.3 billion on average for the quarter, mainly composed of Sovereign Securities, Central Bank Reserves and Cash. Net Cash Outflows amounted to R$ 193.1 billion on average for the quarter, which are mostly comprised of Retail Funding, Wholesale, Additional Requirements, Contractual and Contingent Obligations, offset by Cash inflows from loans and other Cash inflows.
The table shows that the average LCR in the quarter is 159.1%, above the limit of 100% and therefore the institution has high quality liquidity resources comfortably available to support the losses in the standardized stress scenario for the LCR.
Itaú Unibanco
25

Risk and Capital Management-Pillar 3
LIQ2: Net Stable Funding Ratio (NSFR)
Itaú Unibanco has an Available Stable Funding (ASF) amounted to R$ 1,017.0 billion in the 4 quarter, mainly composed of Capital, Retail Funding and Wholesale. In addition, the Required Stable Funding (RSF) amounted to R$ 839.8 billion
Itaú Unibanco
26

Risk and Capital Management-Pillar 3
in the 4 quarter, which is mostly composed of loans and financing granted to wholesale, retail, central economies and central bank operations.
The table shows that the NSFR at the end of the quarter is 121.1%, above the limit of 100%, and therefore the institution has Available Stable Funding to support the Required Stable Funding comfortably in the long -term, according to the metric.
Credit Risk
CRA: Qualitative information on credit risk management
Itaú Unibanco defines credit risk as the risk of loss associated with: failure by a borrower, issuer or counterparty to fulfill their respective financial obligations as defined in the contracts; value loss of credit agreements resulting from deterioration of the borrower's, issuer's or counterparty's credit rating; reduction of profits or income; benefits granted upon subsequent renegotiations; or debt recovery costs.
The management of credit risk is intended to preserve the quality of the loan portfolio at levels compatible with the institution's risk appetite for each market segment in which Itaú Unibanco operates. The governance of credit risk is managed through corporate bodies, which report to the Board of Directors or to the Itaú Unibanco executive structure. Such corporate bodies act primarily by assessing the competitive market conditions, setting the credit limits for the institution, reviewing control practices and policies, and approving these actions at the respective authority levels. The risk communication and reporting process, including disclosure of institutional and supplementary policies on credit risk management, are also function of this structure. Itaú Unibanco manages the credit risk to which it is exposed during the entire credit cycle, from before approval, during the monitoring process and up to the collection or recovery phase, with the periodic monitoring of troubled assets, which are defined as:
• Overdue Transactions for more than 90 days;
• Restructured Operations for Troubled Assets;
• Counterparties that present inability to pay, whether by legal measures, bankruptcy, loss, among others;
• Significant deterioration in credit quality, which can be identified by deterioration in internal rating metrics, guarantees honored, overdue exposure, among others.
Additionally, if it is identified that a CNPJ may contaminate the counterparties, they may be marked as Troubled Assets.
The monitoring contains information on significant exposures, including recovery history and prospects, as well as restructuring information. These analyzes are generated monthly for executives and quarterly for the Board of Directors through the Risk and Capital Management Committee (CGRC).
There is a credit risk management and control structure, centralized and independent of the business units which defines operational limits, risk mitigation mechanisms and processes, and instruments to measure, monitor and control the credit risk inherent to all products, portfolio concentrations and impacts to potential changes in the economic environment. Such structure is subjected to internal and external auditing processes. The credit's portfolio, policies and strategies are continuously monitored so as to ensure compliance with the rules and laws in effect in each country. The key assignments of the business units are (i) monitoring of the portfolios under their responsibility, (ii) granting of credit, taking into account current approval levels, market conditions, the macroeconomic prospects and changes in markets and products, and (iii) credit risk management aimed at making the business sustainable.
Itaú Unibanco
27

Risk and Capital Management-Pillar 3
Itaú Unibanco's credit policy is based on internal factors, such as: client rating criteria, performance and evolution of the portfolio, default levels, return rates and allocated economic capital, among others; and also take into account external factors such as: interest rates, market default indicators, inflation and changes in consumption, among others.
With respect to individuals, small and medium companies, retail public, the credit ratings are assigned based on statistical application (in the early stages of relationship with a customer) and behavior score (used for customers with whom Itaú Unibanco already has a relationship) models.
For wholesale public, the classification is based on information such as the counterparty's economic and financial situation, its cash-generating capacity, and the business group to which it belongs, the current and prospective situation of the economic sector in which it operates. Credit proposals are analyzed on a case-by-case basis through the approval governance. The concentrations are monitored continuously for economic sectors and largest debtors, allowing preventive measures to be taken to avoid the violation of the established limits.
Itaú Unibanco also strictly controls credit exposure to clients and counterparties, acting to reverse occasional limit breaches. In this sense, contractual covenants may be used, such as the right to demand early payment or require additional collateral.
To measure credit risk, Itaú Unibanco takes into account the probability of default by the borrower, issuer or counterparty, the estimated amount of exposure in the event of default, past losses from default and concentration of borrowers. Quantifying these risk components is part of the lending process, portfolio management and definition of limits.
The models used by Itaú Unibanco are independently validated, to ensure that the databases used in constructing the models are complete and accurate, and that the method of estimating parameters is adequate.
Itaú Unibanco also has a specific structure and processes aimed at ensuring that other aspects of credit risk, such as country risk, are managed and controlled, described in the item "Other Risks".
In compliance with CMN Resolution 4,557, the document "Public Access Report-Credit Risk," which describes the guidelines established in the institutional ruling on credit risk control, can be viewed on the website www.itau.com.br/investor-relations, section "Itaú Unibanco", under "Corporate Governance", "Rules and Policies", "Reports".
CR1: Credit Quality of Asset
Itaú Unibanco
28

Risk and Capital Management-Pillar 3
CR2: Changes in Stock of defaulted loans and debts securities
CRB: Additional disclosure related to the credit quality of assets
The tables below contain additional disclosure related to the credit quality exposures reported in the table CR1. Where is informed breakdown of exposures by geographical area, industry and defaulted exposures. In addition, the total exposures by residual maturity by delay range, the total of restructured exposures and the percentage of the ten and one hundred largest exposures are reported.
Itaú Unibanco
29

Risk and Capital Management-Pillar 3
Exposure by industry
Exposure by remaining maturity
Itaú Unibanco
30

Risk and Capital Management-Pillar 3
Overdue exposures
Exposure by geographical area in Brazil and by country
Itaú Unibanco
31

Risk and Capital Management-Pillar 3
Largest debtors exposures
Restructured exposures
CRC: Qualitative disclosure related to Credit Risk Mitigation techniques
Itaú Unibanco uses guarantees to increase its recovery capacity in operations subject to credit risk. The guarantees used can be financial, credit derivatives, fiduciary, real, legal structures with mitigation power and offsetting agreements. For these guarantees to be considered as credit risk mitigating instruments, it is necessary that they comply with the requirements and determinations of the that regulate them, whether internal or external, and that they are legally enforceable (effective), enforceable and regularly evaluated.
The information regarding the possible concentration associated with the mitigation of credit risk considers these different mitigating instruments, segregating by type and by provider. For reasons of confidentiality, the institution determines the non-disclosure of information beyond the classification of the type of guarantor, but ensuring adherence to the general requirements.
• Financial Guarantees: the borrower or third party highlights a financial asset (deposits, bonds, shares, shares of low-risk equity, among others), in such a way as to guarantee the creditor's reimbursement in case of default.
• Fiduciary Guarantees and credit derivatives: a third party assumes the responsibility for fulfilling the obligation contracted by the debtor, which falls on the general equity of that third party. Avals, sureties and CDS are examples of these guarantees.
Fiduciary guarantees are segregated into the following providers: Legal Entities; Multilateral Development Entities (EMD); Financial Institutions, Sovereigns, National Treasury or Central Bank.
Itaú Unibanco also uses credit derivatives to mitigate the credit risk of its securities portfolios. These instruments are priced based on models that use the fair price of market variables, such as credit spreads, recovery rates, correlations and interest rates. They are also segregated into: Legal Entities; Multilateral Development Entities (EMD); Financial Institutions and Sovereigns.
Itaú Unibanco
32

Risk and Capital Management-Pillar 3
• Real Guarantees: the borrower himself or a third party highlights an asset or a set of assets, movable or immovable, in such a way as to guarantee the reimbursement of the creditor in case of default. Examples of instruments and assets: mortgages on real estate, pledge of goods, fiduciary sale of real estate, vehicles, machinery and equipment. These guarantees are segregated by type: financial collateral, bilateral contracts and assets.
• Clearing and Settlement of Obligations Agreement and legal structures with mitigating power : the clearing agreement aims to reduce the risk of credit exposure of one party to the other, resulting from transactions entered into between them, so that, in case of maturity, after offsetting, the net amount owed by the debtor to the creditor is identified. It is commonly used in derivative transactions, but it can also cover other types of financial transactions.
In legal structures with mitigation power and compensation agreements, mitigation is based on methodologies established and approved by the business units responsible for credit risk management and by the centralized credit risk control area.
Such methodologies consider factors related to the legal enforceability of the guarantees, the costs necessary for such and the expected value in the execution, taking into account the volatility and liquidity of the market.
To control the mitigating instruments, there is periodic monitoring that monitors the level of compliance with the use of each instrument when compared to internal measurement policies, even including corrective action plans when there is noncompliance, analyzing concentration, types, providers, formalization. The parameters used are: HE (Haircut of execution) which evaluates the probability of success in executing the guarantee, HV (Volatility Haircut) represents the liquidity of the collateral being offered, and LMM (Maximum Mitigation Limit) which is the mitigation ceiling for real guarantees.
CR3: Credit Risk mitigation techniques-overview(1)
Increase in credit concession mainly observed in the lines of companies and in retail, in credit card. In debt securities the main variation comes from the reduction in exposures to central governments partially offset by the growth in private securities.
Itaú Unibanco
33

Risk and Capital Management-Pillar 3
CR4: Standardized Approach - Credit Risk exposure and credit risk mitigation effects
CR5: Standardized Approach - exposures by asset classes and risk weights
The increase in the total exposure in tables CR4 and CR5 occurred mainly in the in the corporates and retail exposures and was partially offset by the reduction in exposures linked to governments and central banks.
Counterparty Credit Risk (CCR)
CCRA: Qualitative disclosure related to CCR
Counterparty credit risk is the possibility of noncompliance with obligations related to the settlement of transactions that involve the trading of financial assets with a bilateral risk. It encompasses derivative financial instruments, settlement pending transactions, securities lending and repurchase transactions.
Itaú Unibanco has well-defined rules for calculating its managerial and regulatory exposure to this risk, and the models developed are used both for the governance of consumption of limits and management of counterparties sub-limits, as well as for the allocation of capital, respectively.
Itaú Unibanco
34

Risk and Capital Management-Pillar 3
The managerial volatility of the potential credit risk (PCR) of derivatives (interpreted as the amount of potential financial exposure that an operation can reach until its maturity) and the volatility of repurchase agreements and foreign exchange transactions are monitored periodically to maintain the exposure at levels considered acceptable by the institution's management.
The risk may be mitigated by the use of margin call, initial margin or other mitigating instrument.
Currently, Itaú Unibanco does not have impact in the amount of collateral that the bank would be required to provide given a credit rating downgrade. The regulatory exposures of counterparty credit risk are presented as follows.
CCR1: Analysis of CCR exposures by approach
CCR3: Standardised approach - CCR exposures by regulatory portfolio and risk weights
In the tables CCR1 and CCR3 there was a decrease in the exposure of repo operations mainly in central governments and central banks and in financial institutions and others authorized by the Central Bank of Brazil.
Itaú Unibanco
35

Risk and Capital Management-Pillar 3
CCR5: Composition of collateral for CCR exposures
CCR6: CCR associated with credit derivatives exposures
Itaú Unibanco
36

Risk and Capital Management-Pillar 3
CCR8: CCR associated with Exposures to central counterparties
Decrease in non-segregated initial margin.
Securitisation Exposures
SECA: Qualitative disclosure requirements related to securitisation exposures
Currently, Itaú Unibanco coordinates and distributes issues of securitized securities in the capital market with or without a firm placement guarantee. In case of exercising the firm guarantee, the bank will assume the risk as an investor in the operation.
Itaú Unibanco does not act as a sponsoring counterpart of any specific purpose company with the objective of operating in the securitisation market, nor does it manage entities that acquire securities issued or originated by their own.
In relation to accounting, it should be noted that (i) assets representing third-party securitisations are accounted for as well as other assets owned by the Bank, according to the brazilian accounting standards; and (ii) securitisation credits originating from Itaú Unibanco's own portfolio remain accounted for in cases of credit assignment with co-obligation.
In 2021, Itaú Unibanco did not carry out the sale of credit assets without substantial risk retention and did not assign exposures with substantial risk retention, which have been honored, repurchased or written off as loss.
Itaú Unibanco
37

Risk and Capital Management-Pillar 3
SEC1: Securitisation exposures in the banking book
SEC2: Securitisation exposures in the trading book
In Itaú Unibanco's current securitization portfolio, there are no exposures to be reported in table SEC2.
SEC3: Securitisation exposures in the banking book and associated regulatory capital requirements - bank acting as originator or as sponsor
In Itaú Unibanco's current securitization portfolio, there are no exposures to be reported in table SEC3.
SEC4: Securitisation exposures in the banking book and associated capital requirements-bank acting as investor
Itaú Unibanco
38

Risk and Capital Management-Pillar 3
Market Risk
MRA: Qualitative disclosure requirements related to market risk
Market risk is the possibility of losses resulting from fluctuations in the market values of positions held by a financial institution, including the risk of operations subject to variations in foreign exchange rates, interest rates, equity and commodity prices, as set forth by CMN. Price Indexes are also treated as a risk factor group.
The institutional policy for market risk is in compliance with Resolution 4,557 and establishes the management structure and market risk control, which has the function of:
• Provide visibility and comfort for all senior management levels that market risks assumed must be in line with Itaú Unibanco risk-return objectives;
• Provide a disciplined and well informed dialogue on the overall market risk profile and its evolution over time;
• Increase transparency as to how the business works to optimize results;
• Provide early warning mechanisms to facilitate effective risk management, without obstructing the business objectives; and
• Monitoring and avoiding the concentration of risks.
Market risk is controlled by an area independent of the business units, which is responsible for the daily activities: (i) measuring and assessing risk, (ii) monitoring stress scenarios, limits and alerts, (iii) applying, analyzing and stress testing scenarios, (iv) reporting risk to the individuals responsible in the business units, in compliance with Itaú Unibanco´s governance, (v) monitoring the measures needed to adjust positions and/or risk levels to make them viable, and (vi) supporting the secure launch of new financial products.
The market risk management framework categorizes transactions as part of either the Trading Book or the Baking Book, in accordance with general criteria established by CMN Resolution 4,557 and BACEN Circular 3,354. Trading Book is composed of all trades with financial and commodity instruments (including derivatives) undertaken with the intention of trading. Banking Book is predominantly characterized by portfolios originated from the banking business and operations related to balance sheet management, are intended to be either held to maturity, or sold in the medium and in the long term.
The market risk management is based on the following key metrics:
• Value at Risk (VaR): a statistical metric that quantifies the maximum potential economic loss expected in normal market conditions, considering a defined holding period and confidence interval;
• Losses in Stress Scenarios (Stress Testing): a simulation technique to evaluate the impact, in the assets, liabilities and derivatives of the portfolio, of various risk factors in extreme market situations (based on prospective and historic scenarios);
• Stop Loss: metrics that trigger a management review of positions, if the accumulated losses in a given period reach specified levels;
• Concentration: cumulative exposure of certain financial instrument or risk factor calculated at market value ("MtM-Mark to Market"); and
Itaú Unibanco
39

Risk and Capital Management-Pillar 3
• Stressed VaR: statistical metric derived from VaR calculation, aimed at capturing the biggest risk in simulations of the current trading portfolio, taking into consideration the observable returns in historical scenarios of extreme volatility.
In addition to the risk metrics described above, sensitivity and loss control measures are also analyzed. They include:
• Gap Analysis: accumulated exposure of the cash flows by risk factor, which are marked -to-market and positioned by settlement dates;
• Sensitivity (DV01 - Delta Variation Risk): impact on the market value of cash flows when a 1 basis point change is applied to current interest rates or on the index rates; and
• Sensitivities to Various Risk Factors (Greeks): partial derivatives of a portfolio of options on the prices of the underlying assets, implied volatilities, interest rates and time.
In an attempt to fit the transactions into the defined limits, Itaú Unibanco hedges its client transactions and proprietary positions, including investments overseas. Derivatives are the most commonly used instruments for carrying out these hedging activities, and can be characterized as either accounting or economic hedge, both of which are governed by institutional regulations at Itaú Unibanco.
The structure of limits and alerts is in alignment with the board of directors' guidelines, being reviewed and approved on an annual basis. This structure extends to specific limits and is aimed at improving the process of risk monitoring and understanding as well as preventing risk concentration. Limits and alerts are calibrat ed based on projections of future balance sheets, stockholders' equity, liquidity, complexity and market volatility, as well as the Itaú Unibanco's risk appetite.
The consumption of market risk limits is monitored and disclosed daily through exposure and sensitivity maps. The market risk area analyzes and controls the adherence of these exposures to limits and alerts and reports them timely to the Treasury desks and other structures foreseen in the governance.
Itaú Unibanco uses proprietary systems to measure the consolidated market risk. The processing of these systems takes place in an access-controlled environment, being highly available, which has data safekeeping and recovery processes, and counts on an infrastructure to ensure the continuity of business in contingency (disaster recovery) situations.
Itaú Unibanco
40

Risk and Capital Management-Pillar 3
MR1: Market risk under standardized approach
The variations observed in the Market Risk-Weighted Assets were not significant.
MRB: Qualitative disclosures on market risk in the Internal Models Approach (IMA)
In the internal models approach, the stressed VaR and VaR models are used. These models are applied to operations in the Trading Book and Banking Book. For the Trading Book, the risk factors considered are: interest rates, inflation rates, exchange rates, stocks and commodities. For the Banking Book, exchange rates and commodities are considered. The VaR and stressed VaR models are used in the companies of the Prudential Conglomerate that are presented in the following table:
Itaú Unibanco
41

Risk and Capital Management-Pillar 3
Itaú Unibanco
42

Risk and Capital Management-Pillar 3
Itaú Unibanco, for regulatory purposes, uses the historical simulation methodology to calculate the VaR and Stressed VaR. This methodology uses the returns observed in the past to calculate the gains and losses of a portfolio over time, with a 99% confidence interval and a holding period of at least 10 days. On December 31, 2021, VaR represented 56% of the capital requirement, while the stressed VaR represented 44%. The same methodology is used for management purposes, that is, there are no differences between the managerial and regulatory models.
In relation to the VaR model, the historical returns are daily updated. Itaú Unibanco uses in its VaR model both the unweighted approach, in which historical data have the same weight, and the weighted by the volatility of returns. For the calculation of volatilities, the Exponentially Weighted Moving Average method is used. The Historical VaR methodology with 10-day maintenance periods assumes that the expected distribution for possible losses and gains for the portfolio can be estimated from the historical behavior of the returns of the market risk factors to which this portfolio is exposed. The returns observed in the past are applied to current operations, generating a distribution of probability of losses and simulated gains that are used to estimate the Historical VaR, according to the 99% confidence level and using a historical period of 1,000 days. Losses and gains from linear operations are calculated by multiplying mark-to-market by returns, while non-linear operations are recalculated using historical returns. The returns used in simulating the movements of risk factors are relative.
Regarding the Stressed VaR model, the calculation is performed for a time horizon of 10 working days, considering the 99% confidence level and simple returns in the historical period of one year. The historical stress period is periodically calculated for the period since 2004 and can be revised whenever deemed necessary. This can occur when the composition of Itaú Unibanco's portfolios changes significantly, when changes are observed in the results of the simulation of historical returns or when a new market crisis occurs. Losses and gains from linear operations are calculated by multiplying mark to market by returns, while non-linear operations are recalculated using historical returns.
In addition to the use of VaR, Itaú Unibanco carries out daily risk analysis in extreme scenarios through a diversified framework of stress tests, in order to capture potential significant losses in extreme market situations. The scenarios are based on historical, prospective crises and predetermined shocks in risk factors. One factor that has a great influence on the results of the tests, for example, is the correlation between the assets and the respective risk factors, and this effect is simulated in several ways in the various scenarios tested.
In order to identify its greatest risks and assist in the decision-making of treasury and senior management, the results of stress tests are assessed by risk factors, as well as on a consolidated basis.
The effectiveness of the VaR model is proven by backtesting techniques, by comparing hypothetical and actual daily losses and gains, with the estimated daily VaR, according to BACEN Circular 3,646. The number of exceptions to the established VaR limits must be compatible, within an acceptable statistical margin, with three different confidence intervals (99%, 97.5% and 95%), in three different historical windows (250, 500 and 750 working days). This includes nine different samples, therefore ensuring the statistical quality of the historical VaR hypothesis.
Itaú Unibanco has a set of processes, which are periodically executed by the internal control teams, whose objective is to independently replicate the metrics that influence market risk capital by internal models. In addition to the results of the periodic processes, Itaú Unibanco assesses the process of measuring time horizons by risk factors and the estimate of the stress period for calculating the stressed VaR. The validation of the internal model includes several topics considered essential for the critical analysis of the model, such as, the evaluation of the model's limitations, the adequacy of the parameters used in the volatility estimate and the comprehensiveness and reliability of the input data.
Itaú Unibanco
43

Risk and Capital Management-Pillar 3
MR2: RWA flow statements of market risk exposures under an IMA
Exposures subject to market risk
The following table presents the exposures subject to market risk in the internal models approach, for calculating the capital requirement.
The decrease in RWAMINT compared to the previous quarter was mainly due to the reduction in the risk levels of the positions held by Itaú Unibanco.
MR3: IMA values for trading portfolios
The following table presents the VaR and stressed VaR values determined by the internal market risk models.
VaR increased in relation to the previous quarter due to increased volatility in interest rates. Stressed VaR decreased compared to the previus quarter duo to the lower level of risk in equities.
Itaú Unibanco
44

Risk and Capital Management-Pillar 3
MR4: Comparison of VaR estimates with gains/losses
Backtesting
The effectiveness of the VaR model is validated by backtesting techniques, comparing daily hypothetical and actual results with the estimated daily VaR. The daily VaR is calculated over a one-day maintenance horizon, according to the 99% confidence level and using a historical period of 1,000 days. The percentage of capital requirement associated with this model is 100%.
The backtesting analysis presented below considers the ranges suggested by the Basel Committee on Banking Supervision (BCBS). The ranges are divided into:
• Green (0 to 4 exceptions): backtesting results that do not suggest any problem with the quality or accuracy of the adopted models;
• Yellow (5 to 9 exceptions): intermediate range group, which indicates an early warning monitoring and may indicate the need to review the model; and
• Red (10 or more exceptions): need for improvement actions.
The following chart shows the comparison between VaR and actual and hypothetical results:
The exceptions in relation to the hypothetical results occurred on 10/19/2021 and 10/21/2021, in the amo unts of R$ 37,7 and R$ 7,9 million, respectively. These excesses were caused by the increased level of local interest market volatility.
In relation to the actual results, the exceptions also ocurred on 10/19/2021 and 10/21/2021, in the amounts of R$ 23,2 and R$ 3,5 million, respectively. These excesses were caused by the increased level of local interest market volatility.
The actual results do not include fees, brokerage fees and commissions. There are no profit reserves.
Itaú Unibanco
45

Risk and Capital Management-Pillar 3
Total Exposure associated with Derivatives
The main purpose of the derivative positions is to manage risks in the Trading Book and in the Banking Book in the corresponding risk factors.
Derivatives: Trading and Banking
IRRBBA: IRRBB risk management objectives and policies
BACEN's (Central Bank of Brazil) Circular 3,876, published in January 2018, states on methodologies and procedures for evaluation of the capital adequacy, held to cover interest rates risk from instruments held in the banking book.
For the purposes of this Circular, are defined:
• â^†EVE (Delta Economic Value of Equity) is defined as the difference between the present value of the sum of
repricing flows of instruments subject to IRRBB in a base scenario, and the present value of the sum of repricing flows of the same instruments in an interest-rate shocked scenario;
• â^†NII (Delta Net Interest Income) is defined as the difference between the result of financial intermediation of instruments subject to IRRBB in a base scenario, and the result of financial intermediation of the same instruments in an interest-rate shocked scenario.
The sensibility analysis introduced here are just a static evaluation of the portfolio interest rate exposure, and, therefore, don´t consider the dynamic management of the treasury desk and risk control areas, which hold the responsibility for measures to mitigate risk under an adverse situation, minimizing significant losses. Moreover, it is highlighted, though, the results presented do not translate into accountable or economic results for certain, because this analysis has, only, an interest rate risk disclosure purpose and to demonstrate the principle protection actions, considering the instruments fair value, apart from any accounting practices adopted by Itaú Unibanco.
The institution uses an internal model to measure â^†EVE and â^†NII. â^†EVE results do not represent immediate impact in the stockholders' equity. Meanwhile, â^†NII results indicate potential volatility in the projected interest rates results.
In compliance with the circular 3,876, the following demonstrates qualitative and quantitative details of risk management for IRRBB in Itaú Unibanco.
Framework and Treatment
Interest rate risk in the banking book refers to the potential risk of impact on capital sufficiency and/or on the results of financial intermediation due to adverse movements in interest rates, taking into account the principal flows of instruments held in the banking book.
Itaú Unibanco
46

Risk and Capital Management-Pillar 3
The main point of assets and liabilities management is to maximize the risk-return ratio of positions held in the banking book, taking into account the economic value of these assets/liabilities and the impact on actual and future bank's results.
The interest rate risk managing on transactions held in the banking book occurs within the governance and hierarchy of decision-making bodies and under a limits structure and alerts approved specifically for these purpose, which is sensitive due to different levels and classes of market risk.
The management structure of IRRBB has it owns risk policies and controls intended to ensure adherence to the bank's risk appetite. The IRRBB framework has granular management limits for several other risk metrics and consolidated limits for â^†EVE and â^†NII results, besides the limits associated with stress tests.
The asset and liability management unit is responsible for managing timing mismatches between asset and liability flows, and minimizes interest rate risk by through strategies as economic hedge and accounting hedge.
All the models associated with IRRBB have a robust independent validation process and are approved by a CTAM (Technical Model Assessment Commission). In addition, all the models and processes are assessed by internal audit.
The interest rate risk framework in the banking book uses management measurements that are calculated daily for limit control. The â^†EVE and â^†NII metrics are calculated according to the risk appetite limits and the other risk metrics in terms of management risk limits.
In the process of managing interest rate risk of the banking book, transactions subject to automatic options are calculated according to internal market models which split the products, as far as possible, into linear and non -linear payoffs. The linear payoffs are treated similarly to any other instruments without options, and for non-linear payoffs an additional value is computed and added on the â^†EVE and â^†NII metrics.
In general terms, transactions subject to behavioral options are classified as deposits with no contractual maturity date defined or products subject to early repayment. Non-maturity deposits are classified according to their nature and stability to guarantee compliance with regulatory limits. A survival analysis model treats the products subject to pre-payment, using the historical dataset to calibrate its parameters. The instruments flows with homogeneous characteristics are adjusted by specific models to reflect, in the most appropriate way, the repricing flows of the instruments.
The banking book consists of asset and liability transactions originating in different commercial channels (retail and wholesale) of Itaú Unibanco. The market risk exposures inherent in the banking book consists of various risk factors, which are primary components of the market in price formation.
IRRBB also includes hedging transactions intended to minimize risks deriving from strong fluctuations of market risk factors and their accounting asymmetries.
Market risk generated from structural mismatches is managed by a variety of financial instruments, such as exchange-traded and over-the-counter derivatives. In some cases, operations using derivative financial instruments can be classified as accounting hedges, depending on their risk and cash flow characteristics. In these cases, the supporting documentation is analyzed to enable the effectiveness of the hedge and other changes in the accounting process to be continuously monitored. The accounting and administrative procedures for hedging are defined in BACEN Circular 3,082.
The IRRBB model includes a series of premises:
• â^†EVE and â^†NII are measured on the basis of the cash flows of the banking book instruments, broken down into their risk factors to isolate the effect of the interest rate and the spread components;
Itaú Unibanco
47

Risk and Capital Management-Pillar 3
• For non-maturity deposits, the models are classified according to their nature and stability and distributed over time considering the regulatory limits;
• The institution uses survival analysis models to handle credit transactions subject to prepayment, and empirical models for transactions subject to early redemption;
• The medium-term repricing attributed to non-maturity deposits is defined as 1.71 years;
• The maximum-term repricing attributed to non-maturity deposits is defined as 30.00 years.
The article 16 of the BCB Resolution 54 defines the need to publish â^†EVE and â^†NII, using the standard shock scenarios described in article 11 of the BACEN Circular 3,876.
The table below are presented the main results due the change in the interest rates over the banking book in the standardized scenarios. It is important to note that, following the normative rules, the potential losses are represented by positive values and potential gains by negative values (between parentheses).
• Parallel Up: increasing in the short-term and in the long-term interest rates;
• Parallel Down: decreasing in the short-term and in the long-term interest rates;
• Short-term increase: increasing in the short-term interest rates;
• Short-term reduction: decreasing in the short-term interest rates;
• Steepener: decreasing in the short-term interest rates and increasing the in the long-term interest rates;
• Flattener: increasing in the short-term interest rates and decreasing the in the long-term interest rates.
Itaú Unibanco
48

Risk and Capital Management-Pillar 3
IRRBB1 - Quantitative information on IRRBB
Potential Loss of Instruments Classified in the Banking Book arising from Interest Rate Variation Scenarios (1)
(Losses are represented by positive values, while gains are represented by negative values between parentheses)
For the outlier test, the maximum variation of the â^†EVE, with standardized shocks was R$ 10,406 million as of December
31, 2021, corresponding to a potential loss of 6.94% of Tier I, which is less than 15%-percentage that defines the institution as outlier (according to Art. 44 of Circular 3,876).
The â^†NII, with internal shocks, for a horizon of a year, has maximum loss of R$ 1,724 million in the Parallel High
Scenario.
Other Risks
Insurance products, pension plans and premium bonds risks
Products that compose portfolios of insurance companies of Itaú Unibanco are related to life and elementary insurance, as well as pension plans and premium bonds. The main risks inherent in these products are described below and their definitions are given in their respective chapters.
• Underwriting Risk: possibility of losses arising from insurance products, pension plans and premium bonds that go against institution's expectations, directly or indirectly associated with technical and act uarial bases used for calculating premiums, contributions and technical provisions;
• Market Risk;
• Credit Risk;
• Operational risk;
Itaú Unibanco
49

Risk and Capital Management-Pillar 3
• Liquidity risk.
In line with domestic and international best practices, Itaú Unibanco has a risk management structure which ensures that risks resulting from insurance, pension and special savings products are properly assessed and reported to the relevant forums.
The process of risk management for insurance, pensions and premium bond plans is independent and focus on the special nature of each risk.
The aim of Itaú Unibanco is to ensure that assets serving as collateral for long-term products, with guaranteed minimum returns, are managed according to the characteristics of the liabilities, so that they are actuarially balanced and solvent over the long term.
Social and Environmental Risk
Itaú Unibanco understands social and environmental risk as the risk of potential losses due to exposure to social and environmental events arising from the performance of its activities, according to CMN Resolution 4,327/14.
The Social and Environmental Responsibility and Sustainability Policy (PRSA) establishes the guidelines, strategies and main principles for social and environmental management, starting from institutional issues, and addressing, through specific procedures, the most relevant risks to the institution's operation.
Mitigation actions on social and environmental risk are carried out through the mapping of processes, risks and controls, the monitoring of new regulations on the subject, and the listing of occurrences in internal databases. In addition to identification, the stages of prioritization, risk response, monitoring and reporting of the assessed risks complement the management of this risk at Itaú Unibanco.
The management of this risk is carried out by the first line of defense, business areas that manage it in their daily activities, following the PRSA guidelines, manuals and specific procedures supplemented by the specialized assessment of the dedicated teams of Corporate Compliance, Modeling and Credit Risk and Legal and Institutional department, which work integrated in the management of all the dimensions of Social and Environmental Risk linked to the Conglomerate activities. Business units also have the governance for the approval of new products and services, which includes the social and environmental risk assessment, that ensures the compliance in the new products and processes employed by the institution, as well as with specific social and environmental processes applicable to the institution's own operation (equity, branch infrastructure and technology), suppliers, credit, investments and key subsidiaries. The second line of defense, in turn, is represented by Modeling and Credit Risk, Int ernal Controls, as well as Compliance, through the Social and Environmental Risk Management, which supports and ensures the governance of the activities of the first line. The third line of defense, composed of Internal Audit, acts independently, carrying out the mapping and assessment of the risk's management, controls and governance.
The Social and Environmental Risk Governance also includes the Social and Environmental Risk Committee, which is primarily responsible for debating and deciding on institutional and strategic issues, as well as deciding on products, operations, services, among others, that involve Social and Environmental Risk, including Climate Risk.
Itaú Unibanco constantly seeks to evolve in the management of social and environmental risk, always attentive to the challenges demands of society. Therefore, among other actions, Itaú Unibanco has assumed and incorporated into Itaú
Unibanco's internal processes a number of national and international voluntary commitments and pacts aimed at integrating social, environmental and governance aspects into Itaú Unibanco business. The main ones are the Principles for Responsible Investment (PRI), the Charter for Human Rights - Ethos, the Equator Principles (EP), the Global Pact, the Carbon Disclosure Project (CDP), the Brazilian GHG Protocol Program, the Pacto Nacional para Erradicação do Trabalho Escravo (National Pact for Eradicating Slave Labor), the Task Force on Climate-Related
Itaú Unibanco
50

Risk and Capital Management-Pillar 3
Financial Disclosures (TCFD), among others. Itaú Unibanco efforts to increase the knowledge of the assessment of the social and environmental criteria have been recognized as models in Brazil and abroad, as shown by the recurring presence of the institution in the major sustainability indexes abroad, such as the Dow Jones Sustainability Index, and recently, in Sustainability Index Euronext Vigeo - Emerging 70, and in Brazil, for example in the Corporate Sustainability Index, as well as the numerous prizes which Itaú Unibanco has been awarded.
Model Risk
The model risk arises from the incorrect development or maintenance of models, such as mistaken assumptions, and inappropriate use or application of the model.
The use of models can lead to decisions that are more accurate and therefore it is a major practice in the institution. The models have supported strategic decisions in several contexts, such as credit approval, pricing, volatility curve estimation, calculation of capital, among others.
Due to the increasing use of models, driven by the application of new technologies and the expansion of data use, Itaú Unibanco has improved its governance in relation to its development, implantation, use and monitoring, through the definition of guidelines, policies and procedures aimed at assuring the quality and mitigation of the associated risks.
The performance of the areas responsible for models is evaluated by the Operational Risk and Internal Audit teams to ensure adherence to such policies. The opportunities for improvement found during these assessments are duly addressed with action plans, which are followed up by the 3 lines of defense and by senior management until their conclusion.
Regulatory or Compliance Risk
Regulatory or Compliance risk is the risk associated with any nature, financial losses or damage to reputation, arising from non-compliance with external or internal standards, commitments to regulators, or other commitments undertaken voluntarily by adhering codes of self -regulation, methods or codes of conduct related to the activities of the Conglomerate.
This risk is managed through a structured process aimed at identifying changes in the regulatory environment, analyzing their impacts on the departments of the institution and monitoring the actions directed at adherence to the regulatory requirements and other commitments mentioned above.
This structured process includes the following actions: (i) to understand the changes in the regulatory environment; (ii) to monitor regulatory trends; (iii) to care for the relationship between the institution and the regulator, self-regulatory bodies and the representation entity; (iv) to monitor action plans on regulatory or self -regulatory compliance; (v) to coordinate a program to comply with significant norms, such as Integrity and Ethics; and (vi) to report regulatory issues in Operational and Compliance Risk forums, according to the structure of committees established in internal policies.
Reputational Risk
Itaú Unibanco understands reputational risk as the risk arising from internal practices and/or external factors that may generate a negative perception of Itaú Unibanco by customers, employees, shareholders, investors, regulatory bodies, government, suppliers, the press and the society in general. It can impact the bank's reputation, the value of its brand and/or result in financial losses. Besides, this can affect the maintenance of existing business relationships, access to
Itaú Unibanco
51

Risk and Capital Management-Pillar 3
sources of fundraising, the attraction of new business and talent to compose the company's staff or even the license to operate.
The institution believes that its reputation is extremely important for achieving its long-term goals, which is why it seeks the alignment of the speech, the action and the ethical and transparent practice, essential to raise the confidence of
Itaú Unibanco's stakeholders. Itaú Unibanco's reputation depends on its strategy (vision, culture and skills) and derives from direct or indirect experience of the relationship between Itaú Unibanco and its stakeholders.
Since the reputational risk directly or indirectly permeates all operations and processes of the institution, Itaú Unibanco's governance is structured in a way to ensure that potential risks are identified, analyzed and managed still in the initial phases of its operations and analysis of new products, including the use of new technologies.
The treatment given to reputational risk is structured by means of many processes and internal initiatives, which, in turn, are supported by internal policies, and their main purpose is to provide mechanisms for the moni toring, management, control and mitigation of the main reputational risks. Among them are (i) risk appetite statement; (ii) process for the prevention and fight against unlawful acts; (iii) crisis management process and business continuity; (iv) processes and guidelines of the governmental and institutional relations; (v) corporate communication process; (vi) brand management process; (vii) ombudsman offices initiatives and commitment to customer satisfaction; and (vii) ethics guidelines and prevention of corruption.
Financial institutions play a key role in preventing and fighting illegal acts, in particular money laundering, terrorist financing and fraud, in which the challenge is to identify and suppress increasingly sophisticated operations that seek to conceal the origin, location, disposition, ownership and movement of goods and money derived, directly or indirectly, from illegal activities. Itaú Unibanco has introduced a corporate policy in order to prevent its involvement in illegal acts and to protect its reputation and image towards employees, clients, strategic partners, suppliers, service providers, regulators and society, through a governance structure based on transparency, strict compliance with rules and regulations, including BACEN Circular 3,978/20 among others, and cooperation with police and judicial authorities. It also seeks a continuously alignment with local and international best practices for preventing and fighting against illegal acts, through investing and training eligible employees.
In compliance with the guidelines of this corporate policy, Itaú Unibanco established a program to prevent and fight against illegal acts based on the following pillars:
• Policies and Procedures;
• Client Identification Process;
• Know Your Customer (KYC) Process;
• Know Your Partner (KYP) Process;
• Know Your Supplier (KYS) Process;
• Know Your Employee (KYE) Process;
• Assessment of New Products and Services;
• Compliance with Sanctions;
• Monitoring, Selection and Analysis of Suspicious Operations or Situations;
Itaú Unibanco
52

Risk and Capital Management-Pillar 3
•
•
Reporting Suspicious Transactions to the Regulatory Bodies; and
Training.
This program applies to the entire institution, including subsidiaries and affiliates in Brazil and abroad. The preventing and combating unlawful acts governance is carried out by the Board of Directors, Audit Committee, Operational Risk Committee, Risk and Capital Management Commitee and Anti-Money Laundering Committees. The document that presents the guidelines established in the corporate program to prevent and combat unlawful acts may be seen on the www.itau.com.br/investor-relations, section Itaú Unibanco, under Corporate Governance, Rules and Policies, Policies, Corporate Policy for Prevention and Fight Against Illegal Acts.
In addition, Itaú Unibanco has been developing various data analysis models to improve customer risk classification, transaction monitoring and KYC methodology to provide greater accuracy in its analysis and to decrease false-positives. Itaú Unibanco has also been innovating its modeling solutions using new methods based on machine learning techniques to identify potentially suspicious activities.
Moreover, Itaú Unibanco is committed to protecting corporate information and ensuring client and general public privacy in any transactions. To this end, it has a Corporate Information Security Policy and Cyber Secutity and has a monitoring process and a control structure that covers technology, business areas and international units, ad hering to principal regulatory bodies and external audits, and best market practices and certifications. Additionally, a Security Operation
Center (SOC) that works 24/7 contributes to the cyber security of Itaú Unibanco's electronic channels and IT infrastructure, to the monitoring of operations and thus the minimization of the risk of a security incident.
The Corporate Information Security and Cyber Security Policy can be viewed on the website www.itau.com.br/investor-relations, section Itaú Unibanco, under Corporate Governance, Rules and Policies, Policies, Corporate Policy on Information Security and Cyber Security.
Country Risk
The country risk is the risk of losses related to non-compliance with obligations in connection with borrowers, issuers, counterparties or guarantors, as a result of political-economic and social events or actions taken by the government of the country.
Itaú Unibanco has a specific structure for the management and control of country risk, consisting of corporate bodies and dedicated teams, with responsibilities defined in policies. The institution has a structured and consistent procedure, including: (i) establishment of country ratings; (ii) determination of limits for countries; (iii) monitoring the use of limit s.
Business and Strategy Risk
Business and strategy risk is the risk of a negative impact on the results or capital as a consequence of a faulty strategic planning, the making of adverse strategic decisions, the inability of Itaú Unibanco to implement the proper strategic plans and/or changes in its business environment.
Itaú Unibanco has implemented many mechanisms that ensure that both the business and the strategic decision -making processes follow proper governance standards, have the active participation of executives and the Board of Directors, are based on market, macroeconomic and risk information and are aimed at optimizing the risk -return ratio. Decision-making and the definition of business and strategy guidelines, count on the full engagement of t he Board of Directors, primarily through the Strategy Committee, and of the executives, through the Executive Committee. In order to handle risk adequately, Itaú Unibanco has governance and processes to involve the Risk Area in business and strategy
Itaú Unibanco
53

Risk and Capital Management-Pillar 3
decisions, so as to ensure that risk is managed and decisions are sustainable in the long term. They are: (i) qualifications and incentives of board members and executives; (ii) budget process; (iii) product assessment; (iv) evaluation and prospecting of proprietary mergers and acquisitions; and (v) a risk appetite framework which, for example, restricts the concentration of credit and exposure to specific and material risks.
Contagion Risk
Contagion Risk is the possibility of losses occurring for entities that are part of the Prudential Conglomerate as a result of financial support to unconsolidated entities, in a stressful situation, in the absence or in addition to the obligations provided for in the contract.
Itaú Unibanco has a structure for risk management and control, a dedicated team and a policy that defines roles and responsibilities. This structure covers (i) the identification of entities in relation to the potential generation of contagion risk, (ii) the assessment of risks in relationships, (iii) the monitoring, control and mitigation of contagion risk, (iv) the assessment of impact on capital and liquidity and (v) reports.
It is part of the scope of contagion risk governance: Related Party audiences, mainly composed of controllers, controlled and related entities (as defined in Res. 4,693 / 18), foundations, investments in non-consolidated entities, suppliers of critical products and services, assigness, buyers and sellers of relevant assets, third parties with products distributed by Itaú Unibanco and third parties to whom Itaú Unibanco distributes products, besides all the analysis of the international Units.
Operational Risk
Operational risk is defined as the possibility of losses arising from failure, deficiency or inadequacy of internal process, people or systems or from external events that affect the achievement of strategic, tactical or operational objectives. It includes legal risk associated with inadequacy or deficiency in contracts signed by the institution, as well as penalties due to noncompliance with laws and punitive damages to third parties arising from the activities undertaken by the institution.
Itaú Unibanco internally classifies its risk events in:
• Internal fraud;
• External fraud;
• Labor claims and deficient security in the workplace;
• Inadequate practices related to clients, products and services;
• Damages to own physical assets or assets in use by Itaú Unibanco;
• Interruption of Itaú Unibanco's activities;
• Failures in information technology (IT) systems, processes or infrastructure;
• Failures in the performance, compliance with deadlines and management of activities at Itaú Unibanco.
Itaú Unibanco
54

Risk and Capital Management-Pillar 3
Operational risk management includes conduct risk, which is subject to mitigating procedures to assess product design and incentive models. The inspection area is responsible for fraud prevention. Irrespective of their origin, specific cases may be handled by risk committees and integrity and ethics committees. Itaú Unibanco has a governance process that is structured through forums and corporate bodies composed of senior management, which report to the Board of Directors, with well-defined roles and responsibilities in order to segregate the business and management and control activities, ensuring independence between the areas and, consequently, well-balanced decisions with respect to risks. This is reflected in the risk management process carried out on a decentralized basis under the responsibility of the business areas and by a centralized control carried out by the internal control, compliance and operational risk department, by means of methodologies, training courses, certification and monitoring of the control environment in an independent way.
The managers of the executive areas use corporate methods constructed and made available by the Operational Risk and Corporate Compliance and Money Laundering Prevention Areas. Among the methodologies and tools used are the self -evaluation and the map of the institution's prioritized risks, the approval of processes, products, the monitoring of key risk indicators and the database of operational losses, guaranteeing a single conceptual basis for managing processes, risks, projects and new products and services.
Within the governance of the risk management process, regularly, the consolidated reports on risk monitoring, controls, action plans and operational losses are presented to the business area executives.
In line with CMN Resolution 4,557, the document "Public Report - Integrated Management of Operational Risk /Internal Controls/Compliance", summarized version of the institutional operational risk management policy can be found on the website www.itau.com.br/investor-relations, section Itaú Unibanco, under Corporate Governance, Rules and Policies, Reports.
Crisis Management and Business Continuity
Itaú Unibanco's Business Continuity Program's purpose is to protect its employees, ensure the continuity of the critical functions of its business lines and sustain both the stability of the markets in which it operates and the confidence of its customers and strategic partners in its provision of services and products.
It establishes the Business Continuity Plan (BCP), which consists of modular procedures that are available for use in the event of incidents. The descriptions/characteristics of the existing plans are:
• Disaster Recovery: it aims to ensure the availability and integrity of Information Technology resources and communication in the event of a failure in the primary Data Center to maintain the processing of critical systems;
• Workplace Contingency: alternative facilities to perform the activities in the event the administrative buildings become unavailable;
• Operational Contingency: alternatives to carry out critical processes whether they are systemic, procedural or emergency responses.
In order to keep the continuity solutions aligned with the business requirements (processes, minimum resources, legal requirements, etc) the Program applies the following tools to assess the institution:
• Business Impact Analysis (BIA): evaluates the criticality and resumption requirement of the processes that support the delivery of products and services.
Itaú Unibanco
55

Risk and Capital Management-Pillar 3
• Threats and Vulnerabilities Analysis (AVA): identification of threats near to Itaú Unibanco's buildings.
Considering the dependence that some processes have on third -party services, the Business Continuity Program conducts an assessment of the risk of unavailability of services provided with a view to resilience to threats of interruption.
The institution has a Crisis Management Program, which is aimed at managing business interruption events, natural disasters, impacts of an environmental, social, and infrastructure/operational (including information technology) or of any other nature that jeopardize the image and reputation and/or viability of Itaú Unibanco's processes with its employees, clients, strategic partners and regulators, with timely and integrated responses.
The Program establishes a frequent flow of acculturation with the company's senior management, as well as a constant analysis of high-impact scenarios and events to establish response plans in line with current threats. To assess efficiency and identify points for improvement in crisis response plans, tests are carried out at least once a year.
Independent Validation of Risk Models
Itaú Unibanco validates the processes and risk models independently. This is done by a department which is separate from the business and risk control areas, to ensure that its assessments are independent.
The validation method, defined in an internal policy, meets regulatory requirements such as those of BACEN Circulars 3,646 and 3,674 and Resolutions 2,682 and 4,557. The validation stages include:
• Verification of mathematical and theoretical development of the models;
• Qualitative and quantitative analysis of the models, including the variables, construction of an independent calculator and the use of appropriate technical;
• When applicable, comparison with alternative models and international benchmarks;
• Historical Backtesting of the model;
• The correct implementation of the models in the systems used.
Additionally, the validation area assesses the stress testing program.
The performance of the independent validation area and the validation of the processes and models are assessed by Internal Audit and reported to the specific senior management committees. Action plans are prepared to address opportunities identified during the independent validation process, and are monitored by the 3 lines of defense and by senior management until the conclusion.
Itaú Unibanco
56

Risk and Capital Management-Pillar 3
Glossary of Acronyms
A
• ASF - Available Stable Funding
• AT1 - Additional Tier 1 Capital
• AVA - Avaliação de Vulnerabilidade e Ameaças(Threats and Vulnerabilities Analysis)
B
• BACEN-Banco Central do Brasil (Central Bank of Brazil)
• BCB-Banco Central do Brasil (Central Bank of Brazil)
• BCP - Business Continuity Plan
• BCBS-Basel Committee on Banking Supervision
• BIA - Business Impact Analysis
• BIS - Bank for International Settlements
C
• CCF - Credit Conversion Factor
• CCP - Non-Qualified Central Counterparty
• CCR - Counterparty Credit Risk
• CDP - Carbon Disclosure Project
• CEM-Current Exposure Method
• CEO-Chief Executive Officer
• CET 1-Common Equity Tier I
• CGRC-Comitê de Gestão de Risco e Capital (Risk and Capital Management Committee)
• CMN-Conselho Monetário Nacional (National Monetary Council)
• Comef-Comitê de Estabilidade Financeira (Financial Stability Committee)
• CRI - Real State Receivables Certificate
Itaú Unibanco
57

Risk and Capital Management-Pillar 3
• CRM - Credit Risk Mitigation
• CRO-Chief Risk Officer
• CTAM - Comissão Técnica de Avaliação de Modelos (Technical Model Assessment Commission)
• CVA-Credit Valuation Adjustment
• CVM-Comissão de Valores Mobiliários (Brazilian Securities and Exchange Commission)
D
• DLP-Long- Term Liquidity Statement
• DRL-Liquidity Risk Statement
• D-SIB-Domestic Systemically Important Banks
• DV-Delta Variation
E
• EAD - Exposure at Default
• ECL - Expected Credit Losses
• EMD - Entidades Multilaterais de Desenvolvimento (Multilateral Development Entities)
• EP - Equator Principles
• EVE - Economic Value of Equity
F
• FIDC - Credit Rights Investment Funds
• FCC-Credit Conversion Credit
• FPR-Fator de Ponderação de Risco(Weighting Factor)
G
• GAP-Gap Analysis
• GDP-Gross Domestic Product
• GHG - Greenhouse Gas Protocol
Itaú Unibanco
58

Risk and Capital Management-Pillar 3
• Greeks - Sensitivities to Various Risk Factors
• G-SIB - Global Systemically Important Banks
H
• HE - Haircut of Execution
• HQLA - High Quality Liquid Assets
• HV - Volatility Haircut
I
• ICAAP - Internal Capital Adequacy Assessment Process
• IMA - Internal Models Approach
• IPV - Independent Price Verification
• IRRBB - Interest Rate Risk in the Banking Book
• IT - Information Technology
K
• KYC - Know your Customer
• KYP - Know your Partner
• KYS - Know your Supplier
• KYE - Know your Employee
L
• LCR - Liquidity Coverage Ratio
• LMM-Limite de Mitigação Máxima (Maximum Mitigation Limit)
M
•
N
•
MtM-Mark to Market
NII - Net Interest Income
Itaú Unibanco
59

Risk and Capital Management-Pillar 3
• NSFR - Net Stable Funding Ratio
O
• OTC - Over-the-Counter
P
• PR - Patrimônio de Referência (Total Capital)
• PRI - Principles for Responsible Investments
• PRSA - Política de Sustentabilidade e Responsabilidade Socioambiental (The Social and Environmental Responsability and Sustainability Policy)
• PCR - Potential Credit Risk
• PVA - Prudent Valuation Adjustments
Q
• QCCP - Qualified Central Counterparties
R
• RA - Leverage Ratio
• RAS-Risk Appetite Statement
• RSF - Required Stable Funding
• RWA- Risk Weighted Assets
• RWACPAD-Portion relating to exposures to credit risk
• RWACPrNB-amount of risk-weighted assets corresponding to credit risk exposures to the non-banking private sector, calculated for jurisdictions whose ACCPi is different from zero
• RWAMINT-Portion relating to exposures to market risk, using internal appro ach
• RWAMPAD-Portion relating to exposures to market risk, calculated using standard approach
• RWAOPAD-Portion relating to the calculation of operational risk capital requirements
S
• SA - Joint-Stock Company
Itaú Unibanco
60

Risk and Capital Management-Pillar 3
• SA-CCR - Standardised Approach to Counterparty Credit Risk
• SFN - Sistema Financeiro Nacional(National Financial System)
• SFT - Securities Financing Transactions
• SOC - Security Operation Center
T
• TCFD - Task Force on Climate-Related Financial Disclosures
• TLAC - Total Loss-Absorbing Capacity
• TVM-Títulos de valores mobiliários(Securities)
V
• VaR-Value at Risk
Itaú Unibanco
61

Risk and Capital Management-Pillar 3
Glossary of Regulations
BACEN Circular No. 3,354, of June 27th, 2007
BACEN Circular No. 3,644, of March 4th, 2013
BACEN Circular No. 3,646, of March 04th, 2013
BACEN Circular No. 3,674, of October 31st, 2013
BACEN Circular No. 3,748, of February 26th, 2015
BACEN Circular No. 3,749, of March 05th, 2015
BACEN Circular No. 3,751 of March 19th, 2015
BACEN Circular No. 3,769, of October 29th, 2015
BACEN Circular No. 3,809, of August 25th, 2016
BACEN Circular No. 3,846, of September 13rd, 2017
BACEN Circular No. 3,869, of December 19th, 2017
BACEN Circular Letter No. 3,706 of May 05th, 2015
BACEN Circular Letter No. 3,907 of September 10th, 2018
BACEN Circular Letter No. 4,068 of July 7th, 2020
BACEN Circular Letter No. 3,876 of January 31st, 2018
BACEN Circular Letter No. 3,082 of January 30th, 2012
BACEN Circular Letter No. 3,978 of January 23rd, 2020
BACEN Communication No. 37.942, of November 18th, 2021
BCB Resolution No. 54, of December 16th, 2020
CMN Resolution No. 2,682, of December 22nd, 1999
CMN Resolution No. 4,192, of March 1st, 2013
CMN Resolution No. 4,193, of March 1st, 2013
Itaú Unibanco
62

Risk and Capital Management-Pillar 3
CMN Resolution No. 4,327, of April 25th, 2014
CMN Resolution No. 4,502, of June 30th, 2016
CMN Resolution No. 4,557, of February 23rd, 2017
CMN Resolution No. 4,589, of June 29th, 2017
CMN Resolution No. 4,693, of October 29th, 2018
CMN Resolution No. 4,783, of March 6th, 2020
Itaú Unibanco
63