BRF S.A. Companhia Aberta de Capital Autorizado CNPJ 01.838.723/0001-27
Versão Inglês / English Version
1 | OBJECTIVE
This Corporate Policy of Enterprise Risk Management (Policy) aims to establish the guidelines and responsibilities of the Risk Management process, guiding the Company in the identification, evaluation, treatment and communication of the Risks which are intrinsic to the business, as part of the decision process, in order to generate and protect value for BRF.
2 | APPLICABILITY
This document applies to BRF S.A. and all of its subsidiaries, in Brazil and abroad ("BRF" or "Company").
3 | ROLES AND RESPONSIBILITIES
3.1 | BOARD OF DIRECTORS
The Board of Directors has a fundamental role in the development of the Risk Management culture in the Company, as well as in the implementation of a robust process of integrated Risk Management. The Administration Council must:
(i) Approve the draft of the Corporate Policy of Enterprise Risk Management submitted by COMEX for its deliberation and recommended by the Advice Committee;
(ii) Provide orientation regarding the Company's Corporate Policy of Enterprise Risk Management;
(iii) Approve the Risk appetite and its adjustments, when applicable, suggested by COMEX and recommended by the Finance and Risk Management Committee (CFGR); and
(iv) Monitor the main Company Risks reported by COMEX and CFGR.
Política Corporativa/Corporate Policy: 02.4.003 | Data Publicação/Issue Date: 14/01/2020 | Edição nº/Revision: 0
3.2 | FINANCE AND RISK MANAGEMENT COMMITTEE (CFGR)
The Finance and Risk Management Committee (CFGR) is directly connected to the Administration Council and, in the Risk Management process, is responsible, as established in its Internal Regimen, for:
(i) Recommending to the Administration Council the Corporate Policy of Enterprise Risk Management and requiring adjustments, when necessary;
(ii) Recommending to the Administration Council the Company's Risk exposure limits (Risk competence), requiring adjustments, when applicable;
(iii) Reporting to the Administration Council the exceptions to the Company's Risk Management guidelines presented/discussed in CFGR;
(iv) Recommending, from the Risk Management perspective, the long-term strategic plan, the annual plan and the Company's goals, whenever presented to CFGR;
(v) Monitoring the main Company Risks (financial, operational, strategic and/or regulatory) presented to CFGR and reporting the relevant themes to the Board of Directors;
(vi) Recommending the treatment for the Company's main Risks presented to CFGR, considering the options "Accept", "Mitigate", "Share" or "Eliminate/Avoid";
(vii) Recommending evaluations of specific Risks to the Risk Management Director;
(viii) Issuing recommendations on the annual plan and corresponding budget for Enterprise Risk Management together with the Risk Management Director; and
(ix) Monitoring the execution of the annual plan and budget approved by the Administration Council, as well as the fulfillment of the orientations defined by the Board of Directors regarding the Company's Corporate Policy of Enterprise Risk Management.
3.3 | AUDIT AND INTEGRITY COMMITTEE (CAI)
The Audit and Integrity Committee is directly connected to the Administration Council and, in the Risk Management process, is responsible, as established in its Internal Regimen, for:
(i) Discussing with the Company's administration the policies and procedures for Risk evaluation and management;
(ii) Evaluating and monitoring the Company's Risk exposures, requiring detailed information on the policies and procedures related to the managers' compensation, the use of the Company's assets and the expenses incurred by the Company;
(iii) Analyzing and giving its opinion on the guidelines and the Policy of Enterprise Risk Management, including the degree of willingness and tolerance for assuming Risks, the selection and re-evaluation of strategic Risks and the monitoring of action plans for Risk mitigation and control; and
(iv) Being informed of the annual planning of the Risk Management Director's work, the processes to be mapped, the results of Risk identification and measurement, the biannual report on Risk Management activities and the Company's Risk mitigation program.
3.4 | EXECUTIVE COMMITTEE (COMEX)
BRF's Executive Committee must act directly in Enterprise Risk Management, and it is responsible for:
(i) Elaborate the draft of the Corporate Policy of Enterprise Risk Management, for further submission to the deliberation of the Board of Directors, which must observe the minimum requirements established by the Regulation of the New Market, by the Brazilian Code for Enterprise Governance and by other current, applicable regulations, according to the competence defined in BRF's Bylaws;
(ii) Sponsor the application of the Corporate Policy of Enterprise Risk Management, promoting the Risk Management culture in the Company;
(iii) Based on the general guidelines established by the Administration Council, submit the exposure limits (Risk Appetite) for its approval;
(iv) Evaluate the Risks and define which treatment will be given (Accept, Mitigate, Share or Eliminate/Avoid), taking actions to mitigate and minimize them;
(v) Suggest to the Administration Council the acceptance of Risks with Very High or High exposure, and approve the acceptance of Risks with Medium exposure;
(vi) Establish and monitor the Internal Controls system, considering guidelines and monitoring mechanisms aligned with the levels of Risk appetite and tolerance;
(vii) Validate and promote the integration of Risk Management with the management and planning cycles;
(viii) Guarantee the implementation of an efficient Risk Management model, aligned with the business and operational goals, and supervise its evolution;
(ix) Monitor the indicators and mitigation strategies for priority Risks, considering the Risk analysis in the decision-making process;
(x) Evaluate, at least annually, the effectiveness of this Policy and of the Risk Management system, and report the evaluation to the Administration Council; and
(xi) Guarantee the adequacy of the structure (human and financial resources and systems) dedicated to BRF's Risk Management process and Internal Controls system.
3.5 | MANAGEMENT COMMITTEE
The Management Committee must act continuously in the Risk Management process, and it is responsible for:
(i) Monitor the Risks and Internal Controls Director Plan, aiming to guarantee the maintenance of the Risk Management and Internal Controls practices;
(ii) Supervise possible deviations from the Plan and structure the actions necessary to correct those deviations;
(iii) Discuss the priority Risks, recommending to COMEX the assessment of relevant themes; and
(iv) Monitor the evolution of the relevant action plans for the mitigation of Risks with Very High exposure, supervising possible deviations.
3.6 | RISK OWNER (1ST LINE OF DEFENSE)
The Risk Owner is the employee responsible for and with authority to manage the Risk. At BRF, the Vice-Presidents and their direct reports are the owners of the Risks managed by their respective areas, and they are responsible for:
(i) Sponsor the application and dissemination of the Corporate Policy of Enterprise Risk Management, engaging their teams in the Risk Management process;
(ii) Identify preventively and monitor systematically the Risks inherent to the business;
(iii) Report timely to COMEX and to the Risk Management Director every Risk event, factor or situation which may impact BRF's operations and goals;
(iv) Manage the Risks related to the activities, responsibilities and goals of their respective areas, at the level of each macroprocess and/or operation, in order to verify the effectiveness of the existing controls;
(v) Identify and mobilize the Focal Points in their teams, who will support the Risk Management Director in the analysis and monitoring of the identified Risks;
(vi) Define and implement mitigators and monitor the corrective and/or preventive actions;
(vii) Together with the Risk Management Director, define Internal Controls for the processes of their respective areas;
(viii) Implement and monitor the Key Indicators for Risk Management; and
(ix) Guarantee the interface with the other business areas and the Risk Management Director, aligning when necessary for the effective management of shared Risks.
3.7 | FOCAL POINT (1ST LINE OF DEFENSE)
The employee designated by the Risk Owners to be the contact person for the Risk Management Director's team is considered the Focal Point, and is responsible for:
(i) Support the Risk Management Director in the analysis and continuous monitoring of the identified Risks;
(ii) Centralize the demands of the Risk Management Director, mobilizing resources from the team for the collection of information, data and indicators, according to the defined mitigation strategies;
(iii) Monitor the implementation and evolution of the corrective and/or preventive actions for the mitigation of the mapped Risks, as well as the key indicators;
(iv) Support the Risk Management Director in the periodic re-evaluation of the status of the Risks and of the ongoing mitigation actions, supporting information consolidation; and
(v) Report internally and to the Risk Owners the updated information related to the Risk Management process.
3.8 | EMPLOYEES (1ST LINE OF DEFENSE)
The employees must:
(i) Actively engage in the communication and training which allow the conscious dissemination of the Company's Risk Management;
(ii) Report to their leaders and/or to the Risk Management Director events or factors which may present a Risk to BRF (except in cases of complaint, in which the guidelines in BRF's Transparency Handbook should be followed);
(iii) Whenever involved in the Risk Management process, support the analysis of the identified Risks, helping with the collection of information, data and indicators, according to the mitigation strategies established; and
(iv) Ensure the operationalization of Risk Management, taking part in the identification, evaluation and measurement process for Risk mitigation.
3.9 | GLOBAL RISK MANAGEMENT DEPARTMENT (2ND LINE OF DEFENSE)
The Risk Management Director must act continuously in the Risk Management process, and is responsible for:
(i) Establish the methodology, guidelines and process for the Company's Enterprise Risk Management, as well as revisit them whenever applicable;
(ii) Coordinate the Risk Management process, considering the standards to be applied and their frequency for the identification, evaluation, treatment, monitoring and communication of the Risks intrinsic to the business;
(iii) Together with the business areas, analyze the identified Risks, helping the areas understand the Risk factors, the definition of indicators and the action plans;
(iv) Continuously monitor the evolution of the Risks, considering the information collected from the business areas;
(v) Consolidate the evaluation of BRF's Risk Management process and Internal Controls system and report it periodically to COMEX, to the Advice Committee of the Administration Council and to the Administration Council itself;
(vi) Support and train the business areas (1st line of defense) to manage their own Risks, providing methodology for the review or development of tools and indicators which may make the management more effective; and
(vii) Spread the importance of Risk Management at BRF and the inherent responsibility of the people involved in the process, through training and communication.
3.10 | GLOBAL INTERNAL AUDIT DEPARTMENT (3RD LINE OF DEFENSE)
The Internal Audit must evaluate, independently, impartially and in a timely manner, the effectiveness of the Risk Management and governance processes, the adequacy of the Internal Controls and the compliance with the rules and regulations associated with the Company's operations.
4 | GUIDELINES
Risk Management is a process built to identify, respond to and monitor events which can significantly affect the Company's strategic goals. In addition, the Risk Management model applied at BRF follows the best market practices, according to the COSO and ISO 31000:2018 guidelines, and aims to (figure 1):
(i) Disseminate and reinforce the Risk culture in the Company;
(ii) Enhance the identification and analysis of opportunities and threats;
(iii) Prevent or minimize losses, guiding the definition and prioritization of mitigating actions;
(iv) Support resource allocation decisions in the Company, enhancing the Internal Controls environment;
(v) Guarantee a trustworthy database for decision making and planning;
(vi) Reinforce the internal communication flows and make them more efficient, assuring that BRF's Corporate Governance is followed and continuously improved;
(vii) Enhance the information reported to the market, guaranteeing transparency and increasing the trust of the stakeholders;
(viii) Incorporate the best practices of Risk Management and attend to legal requirements and regulations, standardizing concepts and practices.
Figure 1 – Goals of Risk Management
To establish the culture of Integrated Risk Management, besides the implementation of the process presented below, continuous communication about the theme is fundamental, involving all employees and encouraging frequent and robust discussion about Risk Management. The figure illustrating the correlation between the lines of defense is shown below (figure 2):
Figure 2 – Lines of Defense and Integrated Risk Management
The Risk Management structure in the Company considers the joint action of the corporate governance and management bodies, according to the concept of the 3 (three) lines of defense:
1st Line of Defense: Refers to the operational management, represented by the directors, managers and employees working in the Company's operations. Along with COMEX, it is responsible for:
• Identifying, evaluating, monitoring and mitigating Risks (treatment) according to this Policy's guidelines;
• Implementing action plans and controls;
• Communicating/reporting, in a timely manner, relevant information related to Risk Management.
2nd Line of Defense: Refers to the control departments in the Company, comprising Risk Management, Internal Controls and Compliance. It reports to COMEX, with autonomy to inform the Board of Directors and its Advice Committees of any items that might expose the Company. It is responsible for:
• Analyzing, evaluating and monitoring the Risk practices identified by the operational management;
• Promoting and monitoring the implementation of Risk Management practices by the operational and financial management (1st line of defense), according to the Company's Risk appetite;
• Communicating/reporting, in a timely manner, relevant information related to Risk Management;
• Helping in the identification of Risks and in the development of processes and controls.
3rd Line of Defense: Refers to the actions of Internal Audit in evaluating and supervising the adherence to and effectiveness of the Risk Management process in the Company. It acts independently and objectively, reporting to the Audit and Integrity Committee (CAI), the body which advises the Board of Directors on themes related to Risks and Internal Controls.
Risks are identified and evaluated according to their likelihood of occurrence and their impact on the business, considering the possible impact on the reputation and image of the Company. The steps of BRF's Risk Management process are described below:
4.1 | CONTEXT ESTABLISHMENT
Context establishment consists of understanding the business strategy and premises in order to identify the Risks inherent to all types of activities performed by BRF.
4.2 | RISK IDENTIFICATION
The Risk identification step consists of understanding, recognizing and registering the Risks and Risk factors (which can be classified as financial, operational, strategic or regulatory and/or reputational and image) to which BRF is exposed, considering the existing mitigators and the actions necessary to mitigate them, when applicable. The goal of this step is to identify events which may affect BRF's strategic plan, considering quantitative and qualitative aspects.
4.3 | RISK ANALYSIS AND EVALUATION
The evaluation of an identified Risk is the result of the analysis of the Risk factors captured, in combination with its possible impact and likelihood. This evaluation enables the creation of a Risk map for BRF, providing a prioritization mechanism for those Risks and, consequently, direction to minimize the relevant Risks.
4.4 | RISK TREATMENT
After Risk identification, the treatment is defined according to the options below:
• Accept: Consists of not defining an action or additional control for the Risk (NOT RECOMMENDED), while maintaining the monitoring process on it;
• Mitigate: Consists of defining actions or controls which reduce the likelihood or impact in case the Risk materializes;
• Share: Consists of sharing the Risk with other corporations which will financially assume part or all of the loss (e.g. an insurer) or be held responsible for the processes or activities at Risk (e.g. third-party companies) and, consequently, for their impacts;
• Eliminate/Avoid: Consists of abandoning or not becoming involved in a Risk situation.
The Risk treatment must follow the guidelines approved by the Administration Council, which define the exposure limits (Risk Appetite), according to ANNEX A. The metrics for the evaluation of impact, likelihood and Risk exposure will be detailed in a specific internal document.
4.5 | MONITORING AND REPORT
The identified Risks and Internal Controls in BRF must be monitored, re-evaluated and reported to the suitable forums by the Risk Owners, allowing the evolution of the Risk Management process in the Company.
It is worth highlighting that, for the financial Risks (Market, Counterparty and Liquidity), the Company uses the Financial Risk Management Policy (available on BRF's website).
5 | REFERENCE DOCUMENTS
- BRF's Bylaws.
- Advisory Committees to the Board of Directors' Internal Regulations.
- Audit and Integrity Committee's Internal Regulations.
- BRF's Transparency Guide.
- Policy of Financial Risk Management.
- COSO ERM and ISO 31.000:2018 Guidelines.
6 | FINAL PROVISIONS
This document is valid as from the date of its issue and may be modified at any time, at the Company's discretion.
Individuals violating these rules will be subject to the applicable legal/disciplinary measures, to be determined by the competent BRF administrators.
It will be incumbent upon the editor area to clarify any possible doubts and to establish the procedures required for the implementation, checking and dissemination of the rules mentioned in this document.
7 | APPROVALS
RESPONSIBLE | AREA
ELABORATOR | Global Risk Management Department
REVIEWER | COMEX and Advisory Committees to the Board of Directors
APPROVER | Board of Directors
GLOSSARY
Action Plan: Proposal to enhance or correct deviations and identified Risk factors, in order to reduce the likelihood of materialization and the impact of the Risk to a limit acceptable to the Company.
Board: Collegiate body of the Company, formed by the Statutory Directors elected by the Board of Directors, with competence defined in the constitutive acts of the Company in the BRF Group.
COSO (Committee of Sponsoring Organizations of the Treadway Commission): Organization acclaimed worldwide for providing guidelines related to critical aspects of enterprise governance, business ethics, Internal Controls, enterprise Risk management and fraud deterrence.
Executive Committee – COMEX: Collegiate body of the Company formed by the members of the Board of Officers, as well as the other non-statutory Vice-Presidents of the Company.
Financial Risk: Possible events related to broad cash flow management, to the activities of raising and applying funds in the financial market, and to financial losses due to fraud, mistakes, catastrophes, bad planning, among others.
Inherent Risk: The Risk existing before treatment, as to its likelihood and impact.
Internal Controls: Policies, norms, procedures, activities and mechanisms developed in order to assure that the business goals are reached, to prevent, detect and correct undesirable events, to ensure conformity with laws and regulations and to promote reliability for shareholders, investors and other stakeholders.
ISO 31.000:2018: Standard created to establish the standardization of Risk Management among companies, as well as the best practices and approaches to its deployment.
Key Risk Indicators: Metrics used to evaluate how the Risk behaves. They provide alerts related to the exposure or to the potential for future loss, and are used to evaluate the adherence and evolution of the Risk Management activities in the Company.
Lines of Defense: Departments responsible for the protection of the Company, as stated below:
First Line of Defense: Refers to the operational management, represented by the directors, managers and employees working in the Company's operations.
Second Line of Defense: Refers to the control departments in the Company, comprising Risk Management, Internal Controls and Compliance.
Third Line of Defense: Refers to the actions of Internal Audit in evaluating and supervising the adherence to and effectiveness of the Risk Management process in the Company. It acts independently and objectively.
Operational Risk: Possible events due to inadequate or deficient internal processes, errors, fraud or failures in BRF's operation, as well as external events which cause losses to the normal activities or damage to its physical assets. They include operational effectiveness and efficiency, productive base performance, modernity of the facilities, technology maturity and strategic vision, quality and organization of human resources and management instruments, among others.
Regulation Risk: Possible events related to non-compliance with the legislation and/or regulations applicable to the business.
Reputation and Image Risk: Possible event, usually caused by other Risks, which can negatively impact the reputation or credibility of BRF and its brands.
Residual Risk: The Risk remaining after the Company's Board has taken actions to reduce its likelihood of occurrence and to mitigate its impact.
Risk: Possibility of an event occurring and negatively impacting the achievement of the Company's strategic goals.
Risk Appetite: Degree of Risk which the Company is willing to take or accept in the pursuit of its strategic goals and value creation.
Risk Exposure: Risk classification evaluated according to its likelihood and impact (Risk exposure can be Low, Medium, High or Very High).
Risk Factor: Situations and/or circumstances which can increase the likelihood of a Risk occurring.
Risk File: Standard document used to formalize identified Risks.
Risk Management: Coordinated activities to direct and control a Company with regard to Risks (ISO 31.000:2018, 3.2).
Risk Map: Document that contains the main Risks of BRF, in a determined period of analysis, considering their possible impact and the likelihood of their materialization.
Risk Owner: Employee responsible for and with authority to manage the Risk (ISO GUIDE 73:2009, 3.5.1.4).
Risk Tolerance: Acceptable deviation from the levels of Risk Appetite pre-established by the Company.
Stakeholders: Person, group of people or organization which can affect, be affected by or perceive themselves to be affected by a Company's decision or activity. The Stakeholders are essential elements of the business strategic planning.