Risk Management Governance Policy

Review History

Version: Date of Review: History: 
1 04/19/2018 Document Elaboration.
06/10/2019 In compliance with the Company’s Standard of Normative Instruments, the policy was reviewed, according to the rules set forth in said standard, and no changes were identified in the content. In this regard, the Board of Executive Officers acknowledged the review and since this policy was not amended, there is no need to submit it to the Board of Directors.

I. Purpose

Set forth the main guidelines relating to the risk management and assets governance process, in compliance with applicable rules and good market practices.

II. Scope

All Management (Statutory Officers, members of the Board of Directors, Fiscal Council, advisory committees of the Board of Directors) and employees of Cielo S.A.

III. Guidelines

1. Concerning risk management and assets governance, Cielo:

1.1. adopts structure and risk management processes compatible with the nature of Cielo’s activities and complexity of products and services offered.

1.2. relies on a methodology recognized by the Company based on the best market practices addressing the demands of regulatory and inspection agencies and encompasses the phases of identification, assessment, measurement, answer, monitoring and risk reporting.

1.3. ensures an independent risk management, considering the definition of duties and responsibilities, dividing the first, second and third lines of defense.

1.4. continuously assesses the risks as to the aspects of impact and vulnerability of the control environment, so that to allow its prioritization for treatment purposes.

1.5. monitors the changes in the regulatory environment, ensuring the conformity of products and processes with regulators and brands requirements and prevailing internal rules.

1.6. disseminates a culture of Risk Management, Internal Controls, and Compliance at Cielo.

1.7. adopts a governance model in risk management which envisages two decision-making bodies, the Board of Executive Officers and the Board of Directors, which are respectively advised by forums and committees, according to the following structure:

Board of Directors – Risk Committee/Audit Committee
Board of Executive Officers – Risk Forum/Regulatory Forum/Products and Services Forum

IV. Exceptions

The exceptions, where applicable, shall be treated by Board of Executive Officers and/or Board of Directors, observing their competencies.

V. Outcome Management

Employees, suppliers or other stakeholders who notice any deviations to the guidelines of this Policy may report the fact to the Ethics Channel (www.canaldeetica.com.br/cielo or 0800 775 0808), anonymously or not. Internally, the failure to comply with the determinations hereof shall result in outcome management actions which may vary from a guidance on how to annul or at least, minimize eventual problems created to defaulters’ dismissal with cause.

VI. Responsibilities

  • Board of Directors:
    • Approve the strategies, guidelines and risk management policies.
    • Approve the limits and risk levels laid down in the Risk Appetite Statement.
    • Ensure adequate and sufficient resources to perform the risk management activities.
    • Authorize, when necessary, an exception to strategies, guidelines, policies, and levels of risk appetite established in the Risk Appetite Statement.
    • Ensure that the remuneration structure adopted by Cielo does not interfere in the independent activity of areas and stimulates behavior compatible with the risk appetite levels considered acceptable by Cielo.
  • Risk Committee:
    • Propose to the Board of Directors, at least, yearly, recommendations on the risk management strategies, guidelines and policies.
    • Assess the limits and levels set forth in the Risk Appetite Statement.
    • Monitor Cielo’s adhesion to the risk management strategies and policies.
  • Audit Committee:
    • Independently, autonomously and impartially assess the quality and effectiveness of systems, internal control processes and risk management at Cielo.
  • Board of Executive Officers:
    • Ensure Cielo’s adhesion to the risk management strategies, guidelines, and policies, as well as risk limits and levels set forth in the Risk Appetite Statement.
    • Ensure proper and sufficient resources to carry out the risk management activities.
    • Deliberate on action plans which will respond to high risks and exceptions.
    • Promote the dissemination of a Risk Management Culture.
  • Risk Forum:
    • Assess and propose to the Board of Executive Officers recommendations on the risk management policies and methodologies, limits, and levels of the Risk Appetite Statement.
    • Monitor the risk limits and indexes and oversee the implementation of action plans to conform Cielo’s risk management strategies, guidelines, and policies.
    • Assess and propose methodologies and specific actions and respond to the risks identified.
  • Regulatory Forum:
    • Assess the risks and impacts deriving from the changes in regulatory environment.
    • Assess action plans for Cielo’s conformity with regulatory requirements.
    • Monitor the evolution of action plans and assess the effectiveness of improvement actions implemented.
  • Products and Services Forum:
    • Assess the risks and impacts on new products and services, as well as alterations or discontinuance of current products and services.
    • Resolve on the approval of products and services posing risks, average and low impacts and submit for the Board of Executive Officers’ deliberation, with its opinion, on the approval of products and services with high risks and impacts.
    • Oversee and monitor the observance of the references and/or constraints identified in the opinions of areas concerning the implementation of Cielo’s products and services.
  • Risk Management and Compliance Executive Board:
    • Oversee the development, the implementation and the performance of risk management structure, including its improvement.
    • Monitor the Company’s exposure, considering the limits set out in the Risk Appetite Statement, the strategic objectives, internal and regulatory rules.
    • Ensure an adequate training of risk management unit’s members on the policies, processes, reports, systems and risk management structure models, notwithstanding developed by third parties.
    • Subsidize and participate in the strategic decision-making process referring to the risk management.

VII. Additional Documentation

  • Circular No. 3.681/2013 issued by the Brazilian Central Bank.
  • Resolution No. 2.554/1998 issued by the Brazilian Central Bank.
  • Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management.
  • Brazilian Institute of Corporate Governance (IBGC) – Corporate Risk Management: Governance and Strategy Evolution.
  • PLT_019 Corporate Risk, Internal Controls, and Compliance Integrated Management
  • PLT_020 Credit and Liquidity Risk Management

VIII. Concepts and Acronyms

  • Audit Committee: Decision-making advisory committee of Cielo’s Board of Directors, referring to the independent assessment of the internal controls process and risk management composed of one independent board member (member of Cielo’s Board of Directors); one representative of Banco do Brasil; one representative of Banco Bradesco, all of them with specific technical expertise to act in referred committee.
  • Risk Committee: Decision-making, statutory, advisory committee of Cielo’s Board of Directors referring to the risk management aspects composed of one independent board member (member of Cielo’s Board of Directors); one representative of Banco do Brasil; one representative of Banco Bradesco and other invitees.
  • Board of Directors (BD): Cielo’s joint decision-making body composed of, at least, seven (7) and, at most, eleven (11) members, at least, two (2) board members or twenty percent (20%), whichever is higher, shall be classified as independent board members.
  • Board of Executive Officers (BEO): Cielo’s execution body, which reports to the Board of Directors, in charge of implementing the risk management strategy and guidelines defined by the Board of Directors composed of one chief executive officer, one investor relations officers and up to six (6) officers without a specific designation.
  • Risk Forum: an advisory body of the Board of Executive Officers referring to risk management aspects composed of one representative of the Risk and Compliance Executive Board; one representative of the controllership executive board; one representative of the prevention and safety executive board; one representative of the treasury management.
  • Products and Services Forum: the Advisory body of Cielo’s Board of Executive Officers referring to the assessment of risks and impacts on products and services composed of Vice President of Products and Businesses; Risk and Compliance Officer; Legal and Institutional Relations Officer; Prevention and Safety Officer; Controllership Officer.
  • Regulatory Forum: the Advisory body of Cielo’s Board of Executive Officers and Risk Committee referring to the regulatory compliance aspects composed of one representative of the legal executive board and one representative of the Risk and Compliance Executive Board.
  • Risk Management: Practices and procedures allowing to identify, assess, measure, answer, monitor and report the financial and non-financial risks of the Organization. In addition, it encompasses the practices and procedures relating to internal controls, business continuity, crisis management and compliance.

IX. Miscellaneous

It shall be incumbent upon Cielo’s Board of Directors to amend this Policy whenever necessary.

This Policy takes effect on the date of its approval by the Board of Directors and revokes any contrary rules and procedures.