Risk management GRI 102-15, 103-1, 103-2, 103-3

We treat risk and opportunity management as a significant point in our business strategy and the topic is ingrained in our corporate guidelines. Since 2016, we have followed the Enterprise Risk Management Policy (ERM), which addresses the main risks in all corporate areas and operating units and is applied to subsidiaries and controlled companies.

The mapped risks fall into four major topics: Compliance; Business Risks (operational and strategic, including socioenvironmental aspects); Internal Controls; and Financial Risks. The risk matrix is reviewed annually to ensure it is always aligned with our strategic plans.

For risks considered critical and high, we draw up action plans with deadlines established for completion. Our risk monitoring actions involve, in addition to the area directly responsible for the topic, the Risks, Internal Controls and Compliance team, the Executive Board members responsible for the area and the Board of Directors. For risks below this classification, monitoring is conducted at opportune moments by the areas involved. The details of the risks we manage can be found in the 20-F form, submitted to the New York Stock Exchange and accessible at https://ir.nexaresources.com/regulatory-filings.

Quarterly report

In 2017, we introduced the Risk Management Report, which each quarter presents the main factors mapped in the operating units and corporate areas and the respective actions that are being taken to mitigate them. This resource aims to provide a broader view of all the initiatives and teams involved in managing business-related risks.

As part of the annual process, all our units and corporate areas participated in the operational risk assessment cycle. In addition to the reassessment and discussion of all risks, the managers presented the most critical risk surveys and the respective mitigation actions being adopted, based on the criteria established in ISO 31000, which defines benchmarks for different phases of management (contextualization, identification, analysis, monitoring and review, treatment and evaluation).

At the end of 2018, we concluded the implementation of the BWise tool for systematization and efficiency gains in the risk assessment and monitoring process. In 2019, we will conduct training and migration rounds to bring the full business risk management activity onto this platform.

Business risk management model