Risk Management Policy DCA 034/2019 Rev.: 03-31/07/2019 POL-0009-G PUBLIC

Support Vale's Executive Board in monitoring operational, geotechnical, strategic, financial, cyber and compliance risks, and issue preventive recommendations regarding potential risks presented at the meetings of these committees.
Recommend reviews of risk management principles and tools, aimed at continuous process improvement.
Evaluate and suggest, when necessary, changes to the business risk management strategy for subsequent approval by the Executive Board.
Provide the Executive Board with a consolidated macro view of the Vale System's potential risk exposure in the Operational, Strategic, Financial, Cyber or Compliance dimensions, as appropriate, and assist in the development of the Multi-Annual Risk Management Plan.
Propose, when necessary, consequence management for any non-compliance with action plans recommended by these committees and by the Executive Board regarding risks.

Vale's Executive Board
Monitor business risk management systematically.
Promote the culture of business risk management in the organization and the empowerment of the 1st and 2nd Lines of Defense.
Support the organization, including the risk owner (1st Line of Defense) and the 2nd Line of Defense, with human, financial or any other kind of resources, through decisions under their authority, in order to reduce or eliminate risks at the unacceptable level and to ensure that risks at the continuous monitoring level have effective controls and action plans.
Annually propose to the Board of Directors the Multi-Annual Risk Management Plan, including the consolidated requirement for sustaining investments and other resources necessary to mitigate potential risks.

1st Line of Defense
Consists of the risk owners, who are directly responsible for keeping risks within the tolerance limits defined by Vale, and the process executors of the operational, commercial, project, support and administrative areas. They hold primary responsibility for and directly manage the risks, identifying, evaluating, treating, preventing and monitoring them in an integrated way.

Responsibilities of the 1st Line of Defense:
Implement and execute effective preventive and mitigation controls, ensure the appropriate definition and execution of action plans, and establish corrective actions for the continuous improvement of risk management.
Continuously assess the applicability of the risks in the Integrated Risk Map to the activities and geographies under their responsibility.
Recommend adjustments to the Integrated Risk Map when they consider it necessary, and ensure that risks are recorded when they do not fit the existing risks presented in the map.
Ensure compliance with external regulations, policies and internal standards.
Operate and maintain the integrity and reliability of assets; develop, implement and ensure the performance of assets in operations, projects, support and administrative activities.
Immediately stop the operation of the asset(s) in case of critical deviations, or in the event of partial or complete unavailability of critical control elements that move the risk to the unacceptable level.
Proactively implement and execute any mitigation or elimination actions they consider necessary to transfer, share or reject risks at the unacceptable level.
Ensure, for risks at the continuous monitoring level, the effectiveness of controls and the timeliness of action plans.
When they consider it necessary, request additional support to push forward the preventive treatment of risks under their responsibility, and submit the request to the Business Risks Executive Committee(s) for proper addressing.
In the event of imminent risks, the 1st Line of Defense must immediately and proactively take the corrective actions they consider appropriate, with no need to obtain prior authorization. Subsequently, if any support above the established authority limits is required, they should submit the request directly to the Executive Board. In the event that the imminent risk is also at the unacceptable level, the 1st Line of Defense must assume higher authority limits to approve emergency measures. Subsequently, such measures, if adopted, shall be submitted for ratification by the competent authority.
Establish and implement Crisis Management protocols and Business Continuity plans for the risk events under their responsibility that are classified with severity Very Critical and Critical, and for other risks whenever applicable. For risks

- 3 of 5 -