We permanently monitor our business environment, seeking to reflect our concerns, as well as those of investors and the market in general, in the risk management process.
Currently, our risk management model is based on the ISO 31000 standard and the COSO 2013 and COSO ERM frameworks. This model aims to align risk management with organizational strategies, initiatives and structures, as well as meeting industry requirements and those of regulatory and supervisory bodies.
The main goal of the risk management process is to prevent the materialization of events that could have a negative impact on our strategic objectives.
We have a Risk Management Policy, applicable to any and all risks to which the company may be exposed. The policy determines the role and responsibilities of each manager in the process, incorporating a vision of risks into strategic decision-making, in compliance with applicable regulations and best practices.
In order to achieve the Policy's objectives, the risk management process is divided into the following stages:

| Risk identification
|
| Risk assessment
|

| Risk treatment
|

| Risk monitoring
|

| Risk communication
|
The Executive Board Office and the Board of Directors, through the Audit and Risks Committee, are responsible for assessing the effectiveness of the entire risk management process.
Risk matrix
The new matrix is structured around the Business, Financial and ESG pillars. The ESG pillar identifies environmental, social and governance risks, including issues such as climate change, human rights, diversity, tax, health and safety, information security and fraud.
All the risks in our matrix are dealt with by implementing action plans based on the technical recommendations of the Risk Management and Internal Controls areas, in partnership with the business managers, always considering the risk appetite defined by the Board of Directors.
This corporate risk management process is related to the strategic guidelines of sustainable growth, profitability and value creation, as it enables the preventive identification of threats to business objectives and risk-based decision-making.