Risk Management GRI 102-15

Risk and opportunity management is one of the key aspects of our business strategy and is rooted in our corporate guidelines. This focus led to the creation, in 2016, of the Enterprise Risk Management (ERM) Policy. The policy addresses the principal risks in all corporate divisions and operating units and applies to subsidiaries and controlled companies.

The mapped risks fall under five major subjects: Compliance; Business Risks (operational and strategic, including socio-environmental aspects); Internal Controls; Financial Risks; and Governance. The risk matrix is revised annually to keep it aligned with the strategic planning set forth by the company.

Action plans are drawn up for risks classified as high or critical, with deadlines established for their completion. These plans are monitored not only by the division directly responsible for the topic but also by the Risks and Compliance division, the Executive Board, and the Board of Directors, and the involved divisions follow up on risks in this classification in a timely manner.

Detailed information related to the risks we manage can be found in the 20-F, released April 2018 (http://www.nexaresources.com/regulatory-filings).

Business risk management model

Our risk management model is based on the guidelines set forth in the ISO 31000 standard, which defines criteria for each phase of the process:

❯ Establishment of context – From a risk perspective, understand the business model as well as the internal and external environment of the company.
❯ Risk identification – Business areas and risk owners identify events that threaten the achievement of objectives. These events are classified according to magnitude, following the criteria established by the impact rule.
❯ Risk analysis – Collaborative construction of a risk matrix based on the probability of occurrence of risk events and their potential impacts. Risk analysis involves assessing causes, their positive and negative consequences, and the likelihood of their occurring. The matrix, in turn, guides action plans for managing the risks of greatest magnitude and probability of occurrence.
❯ Risk assessment (evaluation) – This step’s purpose is to support decision-making based on the results of risk analysis, including identifying the risks that need treatment and prioritizing implementation.
❯ Risk treatment – Dealing with risks is a cyclical process consisting of evaluating the risk management already carried out, defining and implementing new treatments for risks, and assessing the efficacy of those treatments. Responsibility for treating a risk rests with the appropriate business division and/or operating unit, supported by the “owner” of the risk and the Risk Management division.
❯ Monitoring and review – Risk exposure monitoring is carried out by the Risk Management division and reported to the Executive Board and to the Board of Directors (the highest decision-making bodies). This phase includes monitoring the context, identifying new risks, and updating the risk matrix.

[Figure: Business Risk Management Model]

Risk Management Report

Launched in 2017, this report highlights the key risks mapped out by the company’s operating units and corporate divisions, together with the respective actions being taken to mitigate them. The document is produced quarterly and updated as risks are reappraised. It is intended to support the Risk Management division by providing a broader view of all the initiatives and teams involved in managing business-related risk.

As part of an annual process, all our units and corporate divisions participated in the operational risk assessment cycle. In addition to reassessing and discussing all risks, managers presented a mapping of the most critical risks and the respective mitigation actions being adopted to address them, all based on the criteria established in ISO 31000.