Risk Management

Risk management is an integral part of CAIXA Cartões’s activities and is perceived as a competitive advantage and the main means to preserve the Company’s solvency, liquidity, and profitability.

CAIXA Cartões’s risk management structure is separated from the other Company’s units and is in accordance with the prevailing legislation, appropriate to the nature and complexity of its business and the best corporate governance practices.

The Company adopts a model with three lines of defense when managing risks. The first line of defense identifies, assesses and controls risks, being composed of operational and internal controls. The managers taking the business risks are responsible for managing them and for implementing corrective measures in faulty processes and controls. The second line of defense consists of the Company’s risk management, internal control and compliance areas, which are responsible for monitoring and contributing to implementing effective risk management practices. The second line of defense is also in charge of monitoring compliance risks. The third line of defense is performed by the internal audit, which is responsible for providing the

Company’s governance bodies with objective and independent assessment of the effectiveness of internal controls, risk management and governance. Deficiencies identified by the second and/or the third lines of defense may lead to the creation of action plans, so that the areas in charge can implement controls/mitigators.

Caixa Cartões performs actions to disseminate and maintain a culture of risks, information security, internal controls, and compliance and integrity, fostering employee commitment to the adequate management of risks within their scope of operation.

The Company has a Risk Management and Information Security Policy, as well as a Risk Appetite Statement (RAS), which are adequate to its needs.

The Risk Management and Information Security Policy and the RAS are revised at least annually, so they are adequate to the nature, complexity and level of risk exposure, as well as compatible with strategic objectives. They classify the risks to which the Company is exposed and set the maximum risk limits it is willing to take, according to each risk composing the four following groups:

  • Strategic Risks: consist of contagion, strategy, image, reputational and socio-environmental risks;
  • Financial Risks: consist of capital, credit, liquidity and market risks;
  • Operational Risks: consist of own operational and cybersecurity risks;
  • Regulatory Risks: consist of compliance or legal risks.
a. The following guidelines are applied to Strategic Risks:
  • Seeking profit compatible with the scope, risk profile and business complexity, taking into account economic and socio-environmental aspects;
  • Monitoring investments and interests, so as to ensure return on invested capital and mitigate the risk of contagion;
  • Monitoring events menacing brand value and stakeholder credibility;
  • Seeking to increase the relevance of CAIXA Cartões products and services (proportional to results) when making CAIXA’s performance evaluation;
  • Carrying out all transactions at costs and conditions compatible with the market (also applies to transactions conducted together with the Parent Company CAIXA), including those relating to the use of CAIXA desks;
  • Identifying trends and disruptions that could foster competitive advantage and improve market positioning and long-term performance for the Company;
  • Seeking to minimize or neutralize negative socio-environmental impacts related to the Company’s processes.
b. The following guidelines are applied to Financial Risks:
  • Prioritizing capital generation through profit arising from its operations;
  • Making decisions to ensure the necessary capital while maintaining performance in accordance with the strategy, complexity and risk profile;
  • Implementing governance, processes, models, technology and assessment of scenarios that support the effective management of financial risks, especially relating to the market and capital.
c. The following guidelines are applied to Operational Risks:
  • Identifying, handling and controlling operational risks related to people, processes, systems and external events that could significantly affect the results;
  • Establishing contingency plans for critical transactions, mitigating financial, operational and image losses;
  • Identifying everyone that is part of the Company as risk managers and highlight their roles and responsibilities to the lines of defense;
  • Classifying, storing and allowing access to information in accordance with the established level of secrecy and the current rules;
  • Seeking to eliminate stimuli for conflicts of interest across processes and decision-making;
  • Pursuing innovation, automation, intelligence and best market practices, with a focus on the mitigation of cybersecurity risks, obsolete processes and the reduction of operating costs, so as to strengthen the business and maintain a good reputation before stakeholders.
d. The following guidelines are applied to Regulatory Risks:
  • Disallowing noncompliance with internal or external rules;
  • Disallowing any corruption practices, while working to ban and combat them;
  • Contracting suppliers observing the highest standards of transparency, integrity and legality, ensuring that they are aware of the code of ethics and the whistleblowing channel;
  • Prioritizing collective decision-making, through Committees, Commissions and Boards, respecting authority limits.

The Company has a Risk Management Methodology (RMM) based on the best market practices and approved by the Board of Directors. The RMM is applied to the Company’s processes and consists of a supplementary dimension cycle with procedures to identify, assess, mitigate, monitor and report risks.

CAIXA Cartões has a Crisis Management and Business Continuity Program to guarantee – through the established plans – that the Company’s critical processes, if disrupted, will adequately function until the situation is normalized.

All the Company’s processes are assessed and classified according to their criticality, aiming for the business continuity, with the following key impacts taken into account:

  • Image and Reputation: arising out of the likelihood of the institution losing credibility before society, potentially leading it to lose market share, have its profitability reduced, or its value dropped;
  • Financial: arising out of potential losses because the Company could not honor liabilities until maturity, being subject to sanctions by virtue of noncompliance with legal or regulatory provisions, or indemnification for damages caused to third parties;
  • Regulatory: arising out of potential losses due to sanctions resulting from noncompliance with legal or regulatory provisions requiring the continuity of processes;
  • Interdependence: correlation or dependence on internal or external agents’ processes;
  • Information Technology and Communication: arising out of the likelihood of losses resulting from a failure to adequately provide infrastructure (information technology and communication).

The classification is broken down into 4 (four) possible groups:

  • D0: Highly critical processes, which, if disrupted, have to be resumed on the same day;
  • D1: Highly critical processes, which, if disrupted, have to be resumed in up to one business day;
  • D5: Critical processes that can be disrupted in up to five business days;
  • D21: Non-critical processes that can be disrupted in up to one month (21 business days), without causing irreparable damage.

Based on the Business Continuity Program, the Company’s critical activities were mapped and business continuity plans were created. These activities and plans were then subject to testing and assessment of effectiveness, aiming for the continuity of the Company’s critical activities in the event of disruptions.

Information security and personal data protection guidelines contained in Law 13,709/20218 – the Brazilian General Data Protection Law (LGPD) – are part of the Risk Management and Information Security Policy of Caixa Cartões Holding S.A.

As soon as the LGPD came into force, CAIXA Cartões initiated an adjustment program to adjust the Company to the legal provisions of said law and ensure the rights of the personal data subjects that may be processed by the Company.

CAIXA Cartões’s Adjustment Program currently consists of two phases – the first was prepared and put in place with the engagement of all Company units. The following activities were performed

  • Holding of meetings with representatives and employees of each Company unit, providing subsidies and methodology support;
  • Dissemination of specific guidelines;
  • Disclosure of events and supporting materials;
  • Discussions and clarification of practical concepts;
  • Constant monitoring of ongoing actions.

Phase I, which consisted of diagnosis, identification of gaps and preparation of action plans to adjust CAIXA Cartões to the LGPD, was concluded.

The Program is currently in Phase 2 – Implementation, which consists of establishing a communication channel, defining the Data Protection Officer (DPO), and maintaining liaison with the Parent Company to define actions relating to shared systems, acculturation, monitoring of control measures, and the roles of the personal data subjects and the Data Protection Officer.

Said actions aim to ensure CAIXA Cartões’s compliance with the LGPD and show the Company’s commitment to privacy and personal data protection.

Information about risk management, internal controls and compliance is provided periodically and reported to Senior Management, allowing it to assess the impacts on the company and to adopt timely actions in order to maintain the risk exposure limits at accepted levels.

Powered by MZ