Corporate risk management is an integral part of our corporate governance practices.
Its overall objective is to build and maintain a structure capable of providing material information to senior management to support decision-making, creating and protecting the company’s value.
The risk management process enables risks to the business’s objectives to be managed effectively, making it possible to influence and align strategy and performance in all areas of the company.
In 2016 Cemig’s corporate risk management activity was subordinated to the office of the CEO. In 2019, a separate senior management unit, Compliance, Corporate Risks and Internal Controls, was created, bringing the processes of risk management and internal controls together under a single administration – still reporting directly to the CEO. This change underlines the intention to increase the synergy between these processes, and the independence from other processes – so as to supply senior management with independent information for decision-making, preserving the value of the company.
The guidelines adopted for the process comply with the structures and standards of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and with ISO 31000. Their objective is to state explicitly the set of principles applicable to the company’s business, guiding the activities of planning, identification, analysis, and monitoring and treatment of data, including the communication of corporate risks.
Annually, the Executive Board and the Board of Directors approve the ‘Top Risks’ corporate risk matrix, which includes a list of compliance risks for the year.
Each Chief Officer’s Department has responsibility for monitoring and managing the Company’s exposure to these risks as they relate to execution of strategy and scenarios, and also risks of conflicts of interest, fraud and corruption. The Chief Officers report on this monitoring periodically to senior management.
The matrix of internal controls is also revised and approved annually. The Risk Management and Internal Controls Unit tests and monitors the controls, and reports on them periodically to the Board of Directors, the Audit Board, and the Audit Committee.
To further strengthen our governance and risk management discussions, in June 2022 we created the Risk Committee, an advisory body linked to the Board of Directors that is in charge of analyzing compliance with requirements imposed by regulatory and inspection bodies; defining top risks and monitoring risk treatment; identifying and measuring action plans to mitigate and control identified risks; and assessing risk tolerance limits to which the Company is exposed.
The controls linked to mitigation of risks associated with preparation and publication of the financial statements are a part of Cemig’s Risks and Internal Controls Matrix. The financial statements are issued in accordance with Section 404 of the Sarbanes-Oxley Law and the rules of the US Public Company Accounting Oversight Board (PCAOB), and are included as part of the annual 20-F Report filed with the US Securities and Exchange Commission (SEC).
For more details on Cemig’s Corporate Risk Management Policy, see: Cemig Corporate Risk Management Policy – NO-02.19.