Risk Management


Enel Brasil and its subsidiaries ("Companies") follow the guidelines of the Risk Management Control System (SCGR) defined at the level of Enel SpA ("Enel Group"), which establishes standards for risk management through respective policies, procedures, systems, etc. These guidelines are applied at different levels within the Companies, covering the processes of identification, analysis, evaluation, treatment, monitoring, and communication of risks that businesses continuously face.

The Risk Control Brazil area is responsible for the Companies' risk management process and holds the ISO 31000:2018 (G31000) International Certification, acting in accordance with the current guidelines of this international standard to manage such risks.

The Companies adopt the Enel Group's risk governance model. This model is based on a series of "pillars" as well as a uniform risk taxonomy, also known as the "Risk Catalog," which facilitates the management and organic representation of risks.



The Risk Governance Model


The Enel Group's risk governance model aligns with the best national and international risk management practices and is founded on the following pillars:


1. Lines of Defense: The model is structured into three lines of defense for risk management, monitoring, and control activities, complying with the principle of segregation of functions in key areas concerning significant risks.


2. Enel Group Risk Committee: This Committee, created at the executive level and chaired by the Executive Director of the Enel Group, is responsible for strategic guidance and supervision of risk management through: i) analysis of main exposures and key risks; ii) adoption of risk policies aiming to identify roles and responsibilities in risk management, monitoring, and control, respecting the principle of organizational separation of areas responsible for operations from those responsible for supervision and risk control; iii) approval of operational limits, authorizing exceptions to these limits when necessary and appropriate due to specific circumstances or needs; and iv) defining actions to mitigate risks.


3. Local Risk Committees: Local risk committees are structured according to the main global business lines and geographical areas of the Enel Group and are chaired by the respective high-level officials, ensuring proper oversight of the most relevant risks at the local level. The coordination of these committees with the Group Risk Committee facilitates timely sharing with the Group's top management of information and strategies for mitigating the most significant exposures, as well as the implementation at the local level of the guidelines and strategies defined at the Group level.


4. Risk Appetite Framework: This constitutes the reference framework for determining the tolerable level of risk. It is an integrated and formalized system of elements that allows for the definition and application of a unified approach to the management, measurement, and control of each risk. The Risk Appetite Framework is summarized in the Risk Appetite Statement, a document that succinctly describes the identified risk strategies and the applicable indicators and/or limits for each risk.


5. Risk Policies: Organizational policies and procedures defined according to specific approval processes involving the business structures directly concerned, specifying the allocation of responsibilities, coordination mechanisms, and main risk control activities.


6. Reporting System: Specific and regular information flows on risk exposures and metrics allow Senior Management and corporate bodies of the Enel Group and its Companies to have an integrated view of the main risk exposures at the global level for each business line or geographical area, both current and future.




Enel Group Risk Catalog


The Companies use the Enel Group's risk catalog, which serves as a reference point for all areas involved in risk management and monitoring processes. The adoption of a common language facilitates the mapping and comprehensive representation of risks, thus allowing the identification of those impacting the processes and functions of the organizational units involved in their management.




Risk Control and Management Policy


The Companies' Risk Control and Management Policy establishes the basic principles and general framework for the control and management of risks that may affect the achievement of business objectives, ensuring that risks are systematically identified, analyzed, evaluated, managed, communicated, and controlled within the established risk levels. This Policy, reviewed and approved annually by the Companies' Board of Directors, represents the set of decisions that determine the acceptable framework for the levels of risk inherent in the business segments in which the Companies operate.

The objectives of the Policy are to establish a model that allows for the control and management of risks, defining the mission and functions of the bodies linked to it, and regulating the model of control and management of these risks. This Policy covers and binds all employees of the Companies, regardless of the nature of the functions of the respective position.

Additionally, the Companies have organizational procedures that comprehensively address risk management, complementing other specific policies established for certain risks in the corporate functions or business lines of the Group, such as the guarantee management policy, commodity risk control policy, credit and counterparty risk control policy, financial risk control policy, hedging policy (exchange rate and interest rate), and climate change policy, among others. These include limits and indicators that are subsequently monitored.