Integrated Corporate Risk Management
Copel’s corporate risk management is a permanent activity and is directly related to sustainable growth, the Company’s profitability and the creation of value for its shareholders, being monitored by senior management.
This process makes it possible to identify threats and opportunities, connects them to the business strategy and objectives, and contributes significantly to decision making and maximizing results.
The risk management and internal control methodology adopted by Copel has basic structures and standards that are established references on the topic, incorporating the guidelines defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Code of Best Corporate Governance Practices from the Brazilian Institute of Corporate Governance (IBGC).
The result of this work is a consolidated matrix of the main risks and opportunities, cataloged and periodically reviewed, which makes it possible to accurately map each situation and create prevention measures to deal with various unwanted events or establish strategies to exploit opportunities.
The risk assessment process uses several criteria to establish quantification standards, considering, among other parameters, capital expenditure (CAPEX) and operational expenditure (OPEX), in addition to other qualitative and quantitative techniques.
The risk matrix is prepared according to each object of study (strategic, operational and new business risks) using SAP’s GRC Risk Management system as technological support, which allows the centralization of data, providing a global view of all risks, history of modifications, traceability of changes, Monte Carlo simulation for quantitative risks, among other features.
Risk Management, therefore, strengthens the Corporate Governance process, as it increases security in achieving objectives, promotes greater transparency for interested parties and improves the Company’s internal control environment.
It also contributes to generating and preserving value for Copel, minimizing losses through the identification of opportunities and news, improving operational effectiveness and efficiency and reinforcing crisis and incident management. Furthermore, risk management at Copel complies with international standards and relevant legal and regulatory requirements.
Risk Management Governance at Copel
The duties and guidelines inherent to Risk Management at Copel are present in the Company’s Bylaws, in the Internal Regulations of the responsible collegiate bodies, in Copel Organization Standards (NOCs), Corporate Policies (NPCs), in addition to Copel Administrative Standards (NACs).
As defined in the Bylaws, the Board of Directors (CAD) is responsible for monitoring the effectiveness of the risk management system, with the support of the Statutory Audit Committee (CAE).
The Audit Committee is an independent, permanent advisory body to the CAD, whose responsibilities, duties, competencies and attributions are established in specific internal regulations, in accordance with the laws and regulations of Brazil and the United States.
The CAE’s functions include auditing, supervising and inspecting internal controls, risk and compliance management, as well as accounting and financial reporting processes and the activities of independent internal and external auditors. The CAE is responsible for evaluating the effectiveness of the risk management process, reviewing the Integrated Corporate Risk Management Policy and analyzing the risk portfolio and resulting mitigation plans on a quarterly basis.
Copel’s Integrated Corporate Risk Management Policy (NPC 0104) defines the principles and guidelines relating to the corporate risk management process integrated with the strategy and performance to be observed and applied in the Company.
The risk management function at Copel, therefore, is structurally independent from the business lines, including to ensure systematic and integral monitoring, which generates greater security for all interested parties.
The Integrated Corporate Risk Management activity at Copel is linked to the Deputy Directorate of Governance, Risk and Compliance (DRC), in accordance with the Internal Regulations of the Directorates. DRC coordinates activities related to compliance, corporate risk management and internal controls within the scope of Copel (Holding), its wholly-owned subsidiaries, controlled companies and affiliates.
The regular review of the company’s risk exposure occurs several times a year, through quarterly reports to the CAE and semi-annual reports to the CAD, as established in the Integrated Corporate Risk Management Policy.
The Risk Management process at Copel follows the 3-line Model recommended by The Institute of Internal Auditors (IIA), with roles and responsibilities distributed across different management levels.
The Risk Management process is audited annually with the aim of evaluating the effectiveness of the work. The results are reported to the collegiate bodies: Meeting Board (Redir), CAE, CAD and Fiscal Council. If any complications are identified, notes (PTAs) are made and action measures are defined to mitigate the audit findings.
Copel also has an external audit, currently carried out by PricewaterhouseCoopers Auditores Independentes (PWC), which works to verify the Company’s various processes during the year, including risk management. The results are reported to the Statutory Audit Committee and the Board of Directors. If any deficiency is identified, the flow follows the governance established in accordance with statutory attributions and the risk policy, transparency is provided in disclosures to the market, and action measures are established to mitigate the notes.
Integrated Corporate Risk Management Policy
Copel’s crisis management process is aligned with the Company’s strategy and supports decision-making in the face of possible contingencies that may cause reputational, operational, financial and strategic risks, in order to maintain the integrity and availability of its assets, as well as to mitigate and remedy negative impacts.
Copel has an Integrated Corporate Risk Management Policy that covers corporate areas, its wholly-owned and controlled subsidiaries, which has been in force since 2009. Furthermore, the Policy is recommended for its jointly controlled companies, associated companies and other corporate interests of Copel. The guidelines of this policy are based on Copel’s values, its Code of Conduct and the guidelines issued by COSO – Committee of Sponsoring Organizations of the Treadway Commission. The last review took place in 2020 and was approved at the 208th Ordinary Meeting of the Board of Directors, on 11/12/2020, after the favorable recommendation of the 2421st Board Meeting – Redir, on 11/05/2020, and the 226th Meeting of the Statutory Audit Committee, of 06.11.2020.
Publicly available, Copel’s Risk Management Policy provides for the integration of risk management with the definition of strategies and performance monitoring, the formal establishment of roles and responsibilities, the constitution and maintenance of adequate infrastructure, the definition of a common methodology for the entire company, and the declaration of risk appetite.
Additionally, the Policy provides instruments for adequately monitoring risks and protecting the Company’s value, highlighting:
- Practices for incident reporting and control;
- Monitoring the adequacy and effectiveness of risk responses, the accuracy and completeness of disclosures and the timely correction of deficiencies;
- Periodic reports to the Statutory Audit Committee and the Board of Directors.
The focus of crisis situation management is on agile, effective and articulated assistance with other government entities and society, in possible emergencies that may directly affect people, the environment and the Company’s operations.
Risk Appetite
The risk appetite is established based on the goals of the Company’s Strategic Planning, aligned with the objectives of each Copel business.
To establish the level of risk appetite, Copel considers the following aspects as priority indicators:
- Act according to the highest ethical and compliance standards;
- Ensure that activities or practices adopted are aligned with ESG practices with an emphasis on climate change and socio-environmental aspects;
- Ensure that workplace safety is strictly observed in all Copel operations;
- Ensure the constant improvement of the level of cybersecurity of Information Technology and Operation Technology;
- Do not operate in segments that are not related to its main activity; and
- Invest in businesses that adhere to the Investment Policy and Strategic Planning, having as foundations and pillars: decarbonization, integration with scale, capital discipline and innovation.
Risk Management Culture
To promote a strong and effective risk management culture throughout the organization, Copel adopts a series of strategic measures.
The analysis of the risks to which the Company is exposed is one of the pillars of Copel’s Integrity Program and the results obtained offer an adequate basis that contributes to decision-making. Risks are present in everyone’s daily activities, so there is a need to be aware to identify them and act quickly.
Copel’s Integrity Program, in the Communication and Training pillar, develops and contributes to strengthening the Corporate Governance process, increases security in achieving objectives, promotes greater transparency for interested parties and improves the Company’s internal control environment.
As a way of reinforcing the risk management culture, the variable remuneration of all managers and employees is linked to the internal controls indicator, which covers financial risks and which, in the case of material deficiencies, can represent up to a 10% reduction in the value of the Performance Award Program (PPD).
Risk Management Education
Top administration
Copel has a training program with an annual agenda, the objective of which is to expand and update the knowledge on risk management of members of Senior Management, including the Board of Directors and the Statutory Audit Committee.
The most recent training took place in July 2024 and was offered to all advisors, directors and some other executives, with 88% of the target audience participating. The content remains available to everyone and includes:
- Contextualization of methodology and the importance of risk management;
- Integration of Risk Management with Strategy and Performance;
- Trends in Risk Management for the Electricity Sector in Brazil and around the world.
Employees and interns
For the workforce, under the terms of the Code of Conduct, it is mandatory to participate in training on risk management and integrity principles.
The 2024 Cycle Integrity Program – Risk Attention Campaign is available to all company employees and interns, and aims to strengthen the risk management culture within Copel, since concern about risk must be present in each person’s day-to-day. To date, 76% of employees have completed the current cycle.
Activities, products and services
In developing its activities, products and services, whether for generation, transmission, distribution or sale of energy, Copel establishes criteria in internal standards that guide the execution of activities for the main processes in the value chain. Risk assessment is incorporated into the process description. The Internal Standard that deals with Process Management establishes that the identification and management of process risks is the responsibility of process managers.
These works are supported by the Department responsible for establishing the rules of the corporate risk management process integrated with the strategy and operational performance to be observed and applied in the Company.
Emerging Risks
Following the Corporate Risk Policy guidelines, new and emerging risks should be identified so that management can implement responses in a timely manner. These risks should be escalated to the Board of Directors for knowledge and potential action.
Sensitivity Analysis and Stress Testing
In risk assessments for new businesses, whether acquisitions, mergers or divestitures intended by Copel, the risk analysis includes the Monte Carlo statistical simulation, which is based on massive random sampling to obtain numerical results of financial impacts, which are grouped into confidence scenarios.
Concerning the management of financial risks, sensitivity analyses are developed for the exchange rate risk, sensitivity analysis of the operations with derivative financial instruments, and sensitivity analysis of the interest rate risk and monetary variations. Sensitivity analysis is also performed on the operations of purchase and sale of energy.
Supply Chain Risk Management
In compliance with the law, and in order to guide and establish responsibilities for the responsible areas in the Company and for suppliers, in every contracting process the need to prepare a matrix of risks and responsibilities is evaluated, which considers, in addition to strategic aspects related to the purpose of the contract, aspects of social and environmental responsibility, provided for in Copel’s Sustainability Policy, Environmental Policy, Human Rights Policy and other corporate policies.
The results obtained with the application of the Risks and Responsibilities Matrix serve as guidance for the identification of the major points of attention in the execution of the contract and the severity of the materialization of the incidents.
Among the risks related to the supply chain, the following stand out: violation of human rights; accidents with employees; precarious installations and working conditions; and accidents or damages to the population.
Especially in the economic-social dimension, there are risks related to Copel’s economic-financial dependence, legal obligations, tax, social and labor charges, and salaries and additional payments.
The risks related to the environment involve non-compliance with environmental legislation, inadequate origin of inputs and deficiency in waste treatment. Copel seeks to mitigate these risks by determining strict contracting rules, reaffirming its commitment to sustainable development.