Corporate Risk Management and Internal Controls

Review History

 

Version 1 (Date of Review: 04/20/2017): Document created. This policy replaces the former policy PLT_007 Management of Corporate Risks.

Version 2 (Date of Review: 02/20/2019): Title changed from “Integrated Management of Corporate Risks, Internal Controls and Compliance” to “Management of Corporate Risks and Internal Controls”; updating the entire content of the policy in compliance with Cielo’s current practices.

Version 3 (Date of Review: 23/01/2020): Including Servinet Serviços Ltda, Aliança Pagamentos e Participações Ltda, and Stelo S.A within the scope of this Policy. Including Guidelines 1.4 for Internal Controls, 3.5 and 3.6 for Operational Risk, 5.1 and 5.2 for Strategic Risk, 6.1 and 6.2 for Reputation Risk. Including Item 8 on money laundering risk and financing of terrorism and Item 9 on compliance risk. Proofreading Guidelines 1.1, 1.3, 1.5, 2.1, 2.3, 2.4, 2.5, 3.1, 3.5, 3.6, 4.1, 4.2, 5.6 and 6.4. Proofreading the Item Responsibilities.

 

I. Purpose

Establishing the main guidelines regarding the management of corporate risks and internal controls, in compliance with the applicable regulations and good market practices.

II. Scope

All members of the Management (officers, members of the Board of Directors and members of the Advisory Committees), members of the Fiscal Council and employees of the companies Cielo S.A., Servinet Serviços Ltda., Aliança Pagamentos e Participações Ltda. and Stelo S.A., hereinafter (“Cielo” or “Company”).
All of the Company’s Subsidiaries must establish their directives based on the guidance provided in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.
Regarding the Affiliated Companies, the Company’s representatives working in the Management of Affiliated Companies should make efforts to set their directives based on the guidance provided for in this Policy, considering the specific needs and legal and regulatory aspects to which they are subject.

III. Guidelines

1. Regarding the management of internal controls, Cielo:

1.1. Has an internal method based on models and guides to good market practices (“method”) that provides information to identify, evaluate, respond to, monitor and report the state of its control environment to the Executive Board, to the Board of Directors through the Risk Committee and to the regulatory bodies, as appropriate.

1.2. Aligns the structure of internal controls to its purposes, internal regulations, business strategies, complexity and risks of the operations carried out.

1.3. Prioritizes the identification, assessment and mitigation of operational risk in processes based on qualitative and/or quantitative criteria, which consider aspects related to image, regulatory requirements, financial impact, impact on clients and operational impacts.

1.4. Focuses on organizing its structure in a manner compatible with its activities, ensuring the necessary segregations to mitigate any conflicts in the conduct of business.

1.5. Continuously assesses the risks in the control environment with regard to their impact and the vulnerability of the control environment, so that risks can be prioritized for treatment, promoting an effective internal controls system.

1.6. Manages the occurrences of risk and addresses mitigating and/or corrective action plans for the risks identified.

2. Regarding the business continuity and crisis management, Cielo:

2.1. Has a method that provides information to identify, assess, respond to, monitor and report events of business discontinuity and crises to the Executive Board, the Board of Directors through the Risk Committee and the regulatory bodies, as the case may be.

2.2. Identifies internal and external threats that may compromise the continuity of the Company’s operations, as well as potential impacts on the operation deriving from the materialization of these threats.

2.3. Has contingency plans and mechanisms to ensure the continuity of payment services provided.

2.4. Has a crisis management and response structure, supported by adequate levels of authority and competence, which ensure effective and timely communication to stakeholders, including the Central Bank of Brazil (BACEN), when there is an indication of relevance for such, in compliance with the current regulations and with the internal rules (NRM_105 Crisis Management).

2.5. Implements and maintains an evolving Business Continuity Management process, focused on keeping its critical activities at an acceptable service level during recovery from unavailability, while monitoring and protecting its image and the resulting reputational risk, according to the internal rule (NRM_034 Management of the Business Continuity).

2.6. Holds training sessions, tests, and analyses that ensure the maintenance and good operation of the business continuity plans.

3. Regarding the management of operational risks, Cielo:

3.1. Has a method that provides information to identify, assess, respond to, monitor and report events of operational risk to the Executive Board, the Board of Directors through the Risk Committee and the regulatory bodies, as the case may be.

3.2. Identifies and assesses the operational risks in products, services, systems, and processes, and keeps an updated list of main operational risks to which the Company is exposed.

3.3. Has a database of operational losses incorporating the main attributes of the loss events, according to objective and transparent criteria.

3.4. Manages the operational risk by monitoring the limits established and the evolution of operational losses focused on addressing action plans to adjust the control environment and reduce the company’s exposure to such risk.

3.5. Monitors risks related to Information Technology and, among others, applies assessment questionnaires, which are based on decision criteria regarding the outsourced data processing and storage and cloud computing services, to select its suppliers, in compliance with the guidelines established in the Procurement Policy and in line with the regulations in force.

3.6. Evaluates, manages and monitors the operational risk arising from outsourced data processing and storage and from cloud computing services that are relevant to its regular operation.

4. Regarding the management of social and environmental risks, Cielo:

4.1. Has a method that provides information to identify, assess, respond to, monitor and report events of social and environmental risks to the Executive Board, the Board of Directors through the Risk Committee and the regulatory bodies, as the case may be.

4.2. Identifies and assesses social and environmental risks in products, services, systems, and processes.

4.3. Manages the social and environmental aspects and impacts of its processes and operations, seeking to:

4.3.1. Reduce water and electric energy consumption;

4.3.2. Properly manage waste;

4.3.3. Help build a low-carbon economy through a climate governance strategy based on four areas of activity:

  • Assessing the impact, which includes preparing the greenhouse gas inventory and the risks and opportunities deriving from climate change;
  • Reducing emissions;
  • Offsetting emissions; and
  • Articulating and committing to transparency.

4.3.4. Contribute to society’s development through investment in social projects.

4.3.5. Promote relations based on ethics and respect for human rights, valuing diversity and rejecting any type of discrimination.

4.3.6. Ratify, contract and evaluate key suppliers, considering social and environmental aspects that may represent potential risks to Cielo and its clients.

5. Regarding the management of strategic risks, Cielo:

5.1. Has a method that provides information to identify, assess, respond to, monitor and report strategic risks to the Executive Board, the Board of Directors, the Risk Committee and the regulatory bodies, as the case may be.

5.2. Identifies and assesses strategic risks in products, services, systems, and processes.

5.3. Carries out strategic planning cycles every three (3) years and reviews the previously planned cycle annually.

5.4. Carries out market research focused on identifying changes and movements in the market, as well as any inadequacies in Cielo’s value proposition.

5.5. Assesses the market trends for the operating segments, the powers & duties required to implement the strategy and the initiatives to be developed to comply with the plan.

5.6. Identifies, measures, monitors, and reports emerging business risks and opportunities that may affect the fulfillment of its strategy, and monitors the progress of strategic initiatives weekly with the main stakeholders.

6. Concerning the management of reputation risks, Cielo:

6.1. Has a method that provides information to identify, assess, respond to, monitor and report the main image promoters and detractors to the Executive Board, the Board of Directors through the Risk Committee and the regulatory bodies, as the case may be.

6.2. Identifies and assesses reputation risks in products, services, systems, and processes.

6.3. Has a strategy to disseminate information, including the communication flow with stakeholders, describing the actions necessary according to the institutional impact identified.

6.4. Continuously monitors its image and its reputation risk through a tracking survey of its brand and through mentions and posts on social networks, in the press and on specialized websites.

6.5. Conducts a reputation survey with its stakeholders.

7. Regarding the management of financial risks, Cielo:

7.1. Has a revised and updated Credit, Liquidity and Market Risk Management Policy, which establishes the guidelines, roles, and responsibilities to manage these risks.

8. Regarding the management of the risk of Money Laundering and Financing of Terrorism (LD/FT), Cielo:

8.1. Has a revised and updated Policy to Prevent Money Laundering and Financing of Terrorism, which establishes the guidelines, roles, and responsibilities to manage these risks.

9. Concerning the management of Compliance risks, Cielo:

9.1. Has a revised and updated Compliance Policy, which establishes the guidelines, roles, and responsibilities to manage these risks.

IV. Management of Consequences

Employees, suppliers and other stakeholders who observe any deviation from the guidelines of this Policy may report it through the Ethics Channel (www.canaldeetica.com.br/cielo or 0800 775 0808), anonymously if they so wish. Internally, non-compliance with this Policy will lead to actions under the management of consequences, which may range from guidance on how to remedy or at least minimize any issues created, to the dismissal for just cause of those responsible.

V. Responsibilities

Cielo adopts the concept of three (3) lines of defense to operate its Corporate Risk and Internal Controls management structure, in order to ensure compliance with the guidelines defined.

1st Line of Defense: Represented by all business areas and support managers, who must ensure effective risk management within the scope of their direct organizational responsibilities.

2nd Line of Defense: Represented by the Risk, Compliance and Prevention Board, which works on a consulting and independent basis with the business and support areas, assessing and reporting on risk management, compliance, business continuity management, crisis management and the control environment to Cielo’s Executive Board and Board of Directors, through the Risk Committee. The activities of the 2nd line of defense are separate and independent from the activities and management of the business and support areas and from Internal Audit.

3rd Line of Defense: Represented by Internal Audit, whose purpose is to provide independent opinions to the Board of Directors, through the Audit Committee, on the risk management process, the effectiveness of internal controls and corporate governance.

  • Board of Directors:
    • Approves the guidelines, strategies and risk management policies;
    • Approves the limits and risk levels established in the Risk Appetite Statement;
    • Authorizes, when necessary, exceptions to strategies, guidelines, policies and risk levels defined in the Risk Appetite Statement;
    • Resolves on undertaking risks with high or very high impact;
    • Ensures that the compensation structure adopted by Cielo does not interfere with the independence of the areas’ work and fosters behaviors compatible with the risk appetite levels considered acceptable by Cielo;
    • Ensures proper and sufficient funds to carry out the risk management activities;
    • Promotes the dissemination of the risk management culture at Cielo.
  • Executive Board:
    • Ensures Cielo’s compliance with strategies, guidelines and risk management policies, as well as with the limits and risk levels set forth in the Risk Appetite Statement;
    • Resolves on undertaking risks with high or very high impact;
    • Ensures proper and sufficient funds to carry out the risk management activities;
    • Promotes the dissemination of the risk management culture at Cielo.
  • Risk, Compliance and Prevention Board:
    • Monitors compliance with the guidelines set forth herein, reviews and updates the policy to reflect any changes in Cielo’s guidance and clarifies any doubts regarding its content and application;
    • Promotes the development, implementation, and performance of the risk management structure, including its improvement;
    • Identifies and assesses risks in Cielo’s products, services, systems, and processes;
    • Maintains an updated list of the main risks to which Cielo is exposed, and continuously evaluates and monitors these risks in terms of impact and probability, to allow their prioritization when addressing such risks;
    • Monitors the operational losses incurred, and certifies the sufficiency and effectiveness of the internal controls, considering the internal regulatory and strategic purposes;
    • Supports the Business and Support Areas in developing compensatory and/or final action plans to respond to the identified risks, and monitors these plans, including those originated by the Audit and Regulators;
    • Manages Business Continuity and Crisis;
    • Ensures the governance of Risk Management, Internal Controls, and Business Continuity Management, periodically reporting to the competent bodies;
    • Supports the strategic decision-making process with information on risks, the internal control environment and business continuity;
    • Carries out the risk assessment process in controlled companies;
    • Articulates and translates the Risk Appetite, making it relevant for the business and support areas through tolerance limits and indicators;
    • Monitors compliance with the Risk Appetite and reports to the Executive Board and the Board of Directors, through the Risk Committee;
    • Disseminates the culture of Risk Management, Internal Controls, Compliance and Business Continuity at Cielo, through a training program for employees.
  • Sustainability Management:
    • Identifies social and environmental risks incurred by Cielo, considering the goals adopted in the corporate sustainability program;
    • Supports and participates in the strategic decision-making process regarding the management of social and environmental risks;
    • Ensures the governance of social and environmental management by periodically reporting to the competent bodies.
  • Strategic Planning Board:
    • Supports and participates in the strategic decision-making process related to strategy management;
    • Ensures the governance of strategy monitoring by periodically reporting to the competent bodies.
  • Marketing Board:
    • Monitors social media and identifies potential detractors of the image of Cielo and its monitored subsidiaries;
    • Supports and participates in the strategic decision-making process related to image management;
    • Ensures the governance of image management by periodically reporting to the competent bodies.

VI. Additional Documents

VII. Concepts and Acronyms

  • Control Environment: Set of controls representing a given risk.
  • Central Bank of Brazil (BACEN): Body responsible for disciplining the incorporation, operation, and inspection of payment institutions, as well as the discontinuity of their services.
  • Internal Controls: Policies, rules, procedures, methods and mechanisms created with the goal to provide a reasonable degree of confidence in the effectiveness and efficiency of operations, financial reporting, and compliance with regulatory requirements, as well as achieving the business purposes, preventing or detecting and correcting undesirable events.
  • Business Continuity: Activity integrated with risk management, which uses business impact analysis (BIA) as a guide to mitigate discontinuity risks. It provides a framework for developing organizational resilience, making it possible to identify in advance and respond to impacts caused by the interruption of Cielo’s main processes.
  • Risk Appetite Statement (RAS): Document that formalizes the levels of risk that Cielo tolerates in order to achieve its strategic and business purposes.
  • Risk: Possibility of events occurring that hinder the fulfillment of Cielo’s strategy and purposes.
  • Operational Risk: Possibility of losses resulting from the following events: a) failure to protect and secure sensitive data related to both the credentials of end-users and other information exchanged for the purpose of making payment transactions; b) failure to identify and authenticate the end-user; c) failure to authorize payment transactions; d) internal fraud; e) external fraud; f) labor demands and poor safety in the workplace; g) inadequate practices regarding end-users, payment products, and services; h) damage to physical assets owned or used by the institution; i) occurrences that lead to the interruption of the payment institution’s activities or the discontinuity of the payment services; j) failures in information technology systems, processes or infrastructure; and k) failures to execute, comply with deadlines and manage the activities involved in payment transactions. Operational risk includes the legal risk related to the inadequacy or deficiency in agreements signed by the payment institution, sanctions due to a non-compliance with legal provisions and compensation for damages to third parties resulting from activities involved in payment transactions.
  • Social and Environmental Risk: Possibility of financial, operational and image losses resulting from social and environmental damage, such as pollution, damage to human health, security, transparency, impacts on communities, threats to biodiversity, among others.
  • Strategic Risk: Risk arising from adverse changes in the business environment or the use of inadequate assumptions in the decision-making process.
  • Reputation Risk: Risk arising from the negative perception of Cielo by customers, counterparties, shareholders, investors or regulators.
  • Financial Risks: Risk category that includes Credit, Liquidity and Market risks, established in the Credit, Liquidity, and Market Risk Management Policy.
  • Stakeholders: Cielo’s interested parties, namely: employees, the Executive Board, investors, members of the Board of Directors, customers, regulators, suppliers, and society. The stakeholders involved may vary depending on the level of confidentiality of the information shared.
  • Affiliated Companies: Companies in which the Company has significant influence, pursuant to Article 243, Paragraphs 4 and 5 of the Brazilian Corporation Law: (i) there is significant influence when the Company holds or exercises the power to participate in the decisions of a company’s financial or operating policies, without, however, controlling it; and (ii) significant influence will be presumed when the Company owns twenty percent (20%) or more of the voting capital of the said company, without controlling it.
  • Subsidiaries: Companies in which the Company, directly or indirectly, holds rights as partner or shareholder which permanently guarantee to the Company the preponderance in business resolutions and the power to elect the majority of the members of the Management, pursuant to Article 243, Paragraph 2 of the Brazilian Corporation Law.
  • Risk Occurrence: Incident or event related to failures in processes, systems or people that occurred at Cielo, with negative impacts (direct or indirect) for the operation, such as financial, reputational, regulatory, safety, environmental, labor and continuity impacts.

VIII. General Provisions

Cielo’s Board of Directors is responsible for changing this Policy whenever necessary.

This Policy shall take effect on the date of its approval by the Board of Directors and revokes any rules and procedures contrary thereto.