Corporate Risk Management and Internal Controls
History: This policy replaces the former policy PLT_007 Corporate Risk Management. The title was altered from “Integrated management of corporate risks, internal controls and compliance” to “Corporate Risk Management and Internal Controls”, and the policy’s full content was updated in conformity with the Company’s current practices.
To set forth the main guidelines relating to corporate risk management and internal controls, in compliance with applicable rules and good market practices.
All Management (Statutory Officers, members of the Board of Directors, Fiscal Council, advisory committees of the Board of Directors) and employees of Cielo S.A. Subsidiaries, associated companies and investees are expected to define their own directions from these guidelines, considering the specific needs and the legal and regulatory aspects to which they are subject.
1. Concerning internal controls management, Cielo:
1.1. Has a methodology which provides the means to identify, assess, respond to, monitor and report on the status of the Company’s controls environment.
1.2. Aligns the internal controls structure with objectives set out by the Company, the business strategies and internal rules.
1.3. Prioritizes the identification, assessment and mitigation of operational risk in the processes posing the greatest potential for financial consequences (losses) for the Company, based on qualitative and/or quantitative criteria.
1.4. Continuously assesses the operational risks in terms of impact and vulnerability of the controls environment, so as to allow their prioritization for treatment, promoting an effective internal controls system.
1.5. Manages the occurrences of risk and addresses mitigating and/or corrective action plans for the risks identified.
1.6. Ensures the preparation of reports on the internal controls environment, to be analyzed and approved at least half-yearly by the Board of Directors.
2. Concerning business continuity and crisis management, Cielo:
2.1. Has a methodology which provides the means to identify, assess, respond to, monitor, report on and manage business discontinuity and crisis events.
2.2. Identifies internal and external threats which may compromise the continuity of the Company’s operations, as well as the potential impacts on the operation deriving from the materialization of these threats.
2.3. Maintains contingency plans and mechanisms which ensure the continuity of the payment services rendered.
2.4. Maintains a crisis management response structure, supported by adequate levels of authority and competence, which ensures effective communication with stakeholders.
2.5. Implements and maintains an evolving Business Continuity Management process, aimed at ensuring that the Company keeps its critical activities at an acceptable level of operation during recovery from an unavailability, protecting its image.
2.6. Conducts training, tests and analyses which ensure the maintenance and good operation of business continuity plans.
3. Concerning operational risk management, Cielo:
3.1. Has a methodology which provides the means to identify, measure, monitor, control, mitigate and manage operational risk.
3.2. Identifies and assesses the operational risks in products, services, systems and processes, and keeps an updated list of the main operational risks to which the Company is exposed.
3.3. Maintains a register of operational loss data incorporating the main attributes of loss events, according to objective and transparent criteria.
3.4. Manages operational risk by monitoring the established limits and the evolution of operational losses, in order to define action plans that adjust the controls environment and reduce the Company’s exposure to such risk.
4. Concerning the social and environmental risk management, Cielo:
4.1. Identifies, classifies, assesses, monitors, mitigates and controls the main social and environmental risks of its products, processes and operations.
4.2. Assesses and manages potential social and environmental impacts, by adopting economic, social and environmental criteria when creating new products or revising existing ones.
4.3. Manages the social and environmental aspects and impacts of its processes and operations, seeking:
4.3.1. To reduce water and electricity consumption;
4.3.2. To properly manage waste;
4.3.3. To collaborate in building a low-carbon economy through a climate governance strategy based on four areas of activity:
• Impact assessment, which includes the preparation of a greenhouse gas (GEE) inventory and the identification of risks and opportunities deriving from climate change;
• Emission reduction;
• Emissions compensation; and
• Articulation and commitment to transparency.
4.3.4. To contribute to the society’s development by means of investment in social projects.
4.3.5. To promote relations based on ethics and respect for human rights, valuing diversity and repudiating any type of discrimination.
4.3.6. To qualify, contract and evaluate critical suppliers, considering social and environmental aspects which may represent potential risks to Cielo and its clients.
5. Concerning strategic risk management, Cielo:
5.1. Conducts strategic planning cycles every three (3) years and revises the previously planned cycle yearly.
5.2. Carries out market research aimed at identifying changes and movements in the market, as well as possible inadequacies in Cielo’s value proposition.
5.3. Assesses the market trends for the operating segments, the competencies required to execute the strategy and the initiatives to be developed in order to deliver the plan.
5.4. Identifies, measures, monitors, reports, controls and mitigates the emerging business risks which may affect the execution of the Company’s strategy, and monitors weekly the progress of strategic initiatives with the main stakeholders.
6. Concerning image risk management, Cielo:
6.1. Identifies, assesses, measures, monitors, reports, controls and mitigates the internal factors posing risk to the Company’s image, identifying the major image promoters and detractors.
6.2. Has an information dissemination strategy which sets out the flow of communication with stakeholders and describes the actions required according to the institutional impact identified.
6.3. Continuously monitors reputation risk by means of brand tracking research and by monitoring references to and publications about the Company in social networks and the press.
6.4. Conducts reputation research with the Company’s stakeholders.
7. Concerning financial risk management, Cielo:
7.1. Keeps the Credit, Liquidity and Market Risk Management Policy revised and updated; it sets forth the guidelines, roles and responsibilities for managing these risks.
Exceptions, where applicable, shall be handled by the Board of Executive Officers and/or the Board of Directors, observing their competencies as defined in the Risk Management Governance Policy.
V. Outcome Management
Employees, suppliers or other stakeholders who notice any deviation from the guidelines of this Policy may report the fact to the Ethics Channel (www.canaldeetica.com.br/cielo or 0800 775 0808), anonymously or not. Internally, failure to comply with the provisions hereof shall result in outcome management actions, which may range from guidance on how to reverse or at least minimize any problems created, up to the dismissal of offenders with cause.
Cielo adopts the concept of three (3) lines of defense to operate its Corporate Risk and Internal Controls management structure, so as to ensure compliance with the guidelines defined.
- 1st line of defense: It is represented by all business areas and support managers, who shall ensure effective risk management within the scope of their direct organizational responsibilities.
- 2nd line of defense: It is represented by the Risk Management & Compliance Executive Board, which acts on a consulting and independent basis with the business and support areas, assessing and reporting on risk management, compliance, business continuity management, crisis management and the controls environment to Cielo’s chief executive officer and Risk Committee. Second line of defense activities are separate and independent from the activities and management of the business and support areas and from Internal Audit.
- 3rd line of defense: It is represented by the Internal Audit and aims at providing independent opinions to the senior management, by means of the Audit Committee, on the risk management process, the effectiveness of internal controls and corporate governance.
- Board of Directors:
– Approve the guidelines, strategies and risk management policies.
– Approve the limits and risk levels established in the Risk Appetite Statement.
– Ensure proper and sufficient funds to carry out the risk management activities.
– Authorize, when necessary, exceptions to strategies, guidelines, policies and risk levels defined in the Risk Appetite Statement.
– Ensure that the compensation structure adopted by the Company does not interfere with the independence of the areas’ performance and fosters behavior compatible with the risk appetite levels considered acceptable by Cielo.
– Promote the dissemination of a risk management culture at the Company.
- Board of Executive Officers:
– Ensure the Company’s adherence to the strategies, guidelines and risk management policies, as well as to the limits and risk levels set forth in the Risk Appetite Statement.
– Deliberate on action plans to respond to high risks and exceptions.
– Ensure appropriate and sufficient resources to carry out risk management activities.
– Promote the dissemination of Risk Management Culture.
- Risk Management and Compliance Executive Board:
– Promote the development, the implementation and the performance of risk management structure, including its improvement.
– Identify and assess the operational risks in the Company’s products, services, systems and processes, and keep an updated list of the main operational risks to which the Company is exposed.
– Continuously assess the operational risks in terms of impact and vulnerability of the controls environment, so as to allow their prioritization for treatment, promoting an effective internal controls system.
– Monitor the exposure to operational risk and the operational losses incurred, and certify the sufficiency and effectiveness of internal controls, considering the strategic objectives and the internal and regulatory rules.
– Support the Business and Support Areas in the development of mitigating and/or corrective action plans to respond to the risks identified.
– Monitor the mitigating and/or corrective action plans, including those originated by Audit and Regulators.
– Manage Business Continuity and Crisis Management.
– Ensure the governance of operational risk management, internal controls and business continuity management matters, by means of periodic reporting to the appropriate bodies.
– Provide input to and take part in the strategic decision-making process relating to risk management.
– Conduct the risk assessment process in subsidiaries and associated companies.
– Disseminate a culture of Risk Management, Internal Controls and Compliance at the Company, by maintaining an employee qualification program.
- Sustainability Management:
– Continuously identify, assess and monitor the social and environmental risk incurred by the Company.
– Provide input to and take part in the strategic decision-making process relating to social and environmental risk management.
– Ensure social and environmental risk management governance by means of periodic reporting to the appropriate bodies.
- Strategic Planning Executive Board:
– Continuously identify, assess and monitor the Company’s emerging and strategic risks.
– Provide input to and take part in the strategic decision-making process relating to strategic and emerging risk management.
– Ensure strategic risk management governance by means of periodic reporting to the appropriate bodies.
- Marketing Executive Board:
– Continuously identify, assess and monitor the image risk incurred by the Company.
– Provide input to and take part in the strategic decision-making process relating to image risk management.
– Ensure image risk management governance by means of periodic reporting to the appropriate bodies.
VII. Additional Documentation
- Circular No. 3.681/13 issued by the Brazilian Central Bank.
- CMN Resolution No. 2554/98
- COSO ERM – Integrated Framework
- COBIT – ITGI – Control Objectives for Information and Related Technology
- Risk Management Governance Policy
- Sustainability Policy
- Credit, Liquidity and Market Risk Management Policy
- Compliance Policy
- In-house rules continuously improved, approved by appropriate authorities and available to all employees.
VIII. Concepts and Acronyms
- Controls environment: It consists of a set of representative controls for a certain risk.
- Brazilian Central Bank (BACEN): Body in charge of regulating the establishment, operation and supervision of payment institutions, as well as the discontinuance of the services rendered.
- Internal Controls: Policies, rules, procedures, methods and mechanisms created to ensure a reasonable level of confidence in the effectiveness and efficiency of operations and financial reporting and in compliance with regulatory requirements, in addition to achieving business objectives and preventing, or detecting and correcting, undesirable events.
- Business Continuity: Activity integrated with risk management, which uses the business impact analysis (BIA) tool as a driver to mitigate discontinuity risks. It provides a structure for developing organizational resilience, capable of identifying in advance and responding to the impacts caused by the interruption of Cielo’s main processes.
- Risk Appetite Statement (RAS): Document which formalizes the risk levels and the Company’s capacity to bear risk, with a view to achieving its strategic and business objectives.
- Risk: Possibility of events occurring and jeopardizing the execution of the Company’s strategy and objectives.
- Operational Risk: Possible losses due to the following events: a) failures in the protection and security of sensitive data relating both to end users’ credentials and to other information exchanged for the purpose of making payment transactions; b) failures in the identification and authentication of the end user; c) failures in the authorization of payment transactions; d) internal fraud; e) external fraud; f) labor claims and poor workplace safety; g) improper practices relating to end users, payment products and services; h) damage to physical assets owned or used by the institution; i) occurrences which cause the interruption of the payment institution’s activities or the discontinuance of the payment services rendered; j) failures in systems, processes or information technology infrastructure; and k) failures in the execution, deadline compliance and management of the activities involved in payment arrangements. Operational risk includes the legal risk associated with inadequacy or deficiency in contracts signed by payment institutions, sanctions due to failure to comply with legal provisions, and indemnification for damages to third parties resulting from the activities involved in the payment arrangement.
- Social and Environmental Risk: Eventual financial, operational and image losses deriving from social and environmental damages, such as pollution, damages to human health, safety, transparency, impacts on communities, threats to biodiversity, amongst others.
- Strategic Risk: Risk deriving from adverse changes in the business environment or the use of inappropriate assumptions in the decision-making process.
- Image Risk: Risk deriving from a negative perception of the Company by clients, counterparties, shareholders, investors or regulators.
- Financial Risks: Risk category which encompasses Credit, Liquidity and Market Risks, as defined in the Credit, Liquidity and Market Risk Management Policy.
- Stakeholders: They represent the company’s interested parties, namely, employees, the Board of Executive Officers, investors, members of the Board of Directors, clients, regulators, suppliers and society. Stakeholders involved may vary according to the level of confidentiality of shared information.
- Occurrence of Risks: Incident or event occurring at the Company and relating to failures in processes, systems or people, with direct or indirect negative impacts on the operation, such as financial, reputational, regulatory, safety, environmental, labor and continuity impacts.
It shall be incumbent upon Cielo’s Board of Directors to amend this Policy whenever necessary.
This Policy takes effect on the date of its approval by the Board of Directors and revokes any contrary rules and procedures.