Investors

Corporate risk management policy

CORPORATE RISK MANAGEMENT POLICY

1. Purpose

1.1. This policy establishes the guidelines, principles, and responsibilities for the Corporate Risk Management of Romi S.A. (“Company”) and conceptualizes, defines, and formalizes the activities of those responsible for this policy.

2. Scope

2.1. This policy applies to all organizational levels of the Company that participate in the Risk Management process, directly or indirectly.

3. Principles

3.1. Preservation of value to shareholders in risk management

3.1.1. The Company is committed to the management of corporate risks to create and preserve its value to shareholders, adopting procedures and tools to identify, analyze, evaluate, and address threats to the company, and, with this good practice, it allows for the identification of business opportunities.

3.2. Promote transparency and communication

3.2.1. Risk management allows the organization to maintain management’s focus on matters that are really important, promoting visibility of the scenario the company is in, allowing the risk appetite to be aligned in decision-making that will be extremely important for the organization’s perpetuity.

3.3. Assist in the continuous development of corporate governance standards

3.3.1. The adoption of the best corporate governance practices, with regard to risk management and anti-fraud and anti-corruption policies and practices, is committed to acting ethically and in compliance with legal and regulatory requirements, improving corporate governance standards, improving reputation in the market, being a differential in generating value for the business.

4. Guidelines

4.1. To establish Risk management as part of the Company’s corporate culture.

4.2. To associate risk management with the Company’s Strategic Plan, anticipating threats that may affect strategic, financial, operational, or compliance goals.

4.3. To align corporate risk management among the company’s lines of defense, covering the managers of the business areas, those responsible for internal controls, Compliance, Internal Audit, the Board of Directors, and its advisory Committees.

4.4. To ensure autonomy and segregation of roles in risk management, distinguishing risk-takers and those responsible for monitoring them.

4.5. To care for transparency and accountability to all stakeholders in the Company, providing the conclusion that the risk management processes are working effectively and that the main risks are being managed to an acceptable exposure limit.

5. Responsibilities

5.1. Board of Directors

5.1.1. Deliberate on the strategic issues of the risk management process, such as the acceptable risk exposure limit, monitor the risks with the support of the committees, approve the policies and procedures related to risk management.

5.2. Risk and Audit Committee

5.2.1. Assist the Board of Directors in supervising risk management activities, ensuring that the guidelines are followed.

5.2.2. Periodically review the Corporate Risk Matrix, deciding on the necessary measures to ensure alignment between risk appetite and strategy execution.

5.3. Executive Board

5.3.1. Commit to risk management, allocating the necessary resources to the process and approving specific rules for compliance with the guidelines and the risk management process.

5.3.2. Decide on strategic decisions considering the risk analysis reported by the Risk and Audit Committee.

5.4. Internal Audit and Risk Management

5.4.1. Provide the Board of Directors, the Risk and Audit Committee, and the Executive Board with independent, impartial, and timely assessments on the effectiveness of risk management and governance processes, the adequacy of controls, and compliance with the rules and regulations associated with the company’s operations.

5.4.2. Define the corporate risk management methodology with an integrated and systemic view that enables continuous risk monitoring.

5.4.3. Consolidate, evaluate, monitor, and communicate the company’s (strategic, financial, operational and Compliance) risks to the Risk and Audit Committee and the Board of Directors;

5.4.4. Ensure maintenance and annual review of the risk management policy.

5.4.5. Evaluate and recommend risk mitigation strategies, supporting business areas.

6. Approval

This Policy was approved by the Company’s Board of Directors at a meeting held on December 10, 2019, and will become valid on March 2, 2020, for an indefinite period, until a resolution to the contrary is approved, which can be found on the company’s website: https://www.romi.com.