The risks are classified—strategic, operational, financial, regulatory and legal, and reputational—and prioritized through a matrix with nine quadrants, guided by the axes of impact intensity and probability of occurrence.
This risk matrix is reviewed annually and matched with our five-year business plan. This definition is used to prepare action plans and allocate resources for risk control and mitigation.
PERIODIC RISK MATRIX REVIEW PROCESS
Specific to the commercial aspect, our Market Risk Committee constantly analyzes the behavior of the commodities and foreign exchange markets to guide us on the hedging positions and pricing strategy for exports or imports of products. It also studies risks related to the marketing of ethanol and by-products so we can define limits in the risk policies implemented.
As for the operation, risks of downtime in cases of contingencies are avoided by means of the Continuity Plan for Critical Business Processes, a document reviewed annually by managers to forecast scenarios and work plans, which are periodically simulated and whose results are reported to Senior Management.
Since 2017, we have been mapping the main risks and opportunities arising from climate change. The results are added to the company's risk management process and strategic planning.
Regarding risks, we register those related to changes in water dynamics and to a higher occurrence of extreme weather events. Regarding opportunities, on the other hand, space is opened for differentiated public policies and lines of financing, with growing incentives for the production and marketing of low-carbon energy solutions such as biofuels and electricity from alternative sources, products that are part of the company's portfolio.
Due to the relevance of ESG issues, the risks and opportunities related to social and environmental topics follow the same governance as any other relevant risk, are discussed at the same level as the others, and are highlighted in the consolidated risk matrix.
The Audit Committee annually discusses the top-rated risks in all categories. This committee is also responsible for preparing and following up on action plans developed for each risk considered relevant, including the definition of responsible parties and deadlines.
The Internal Audit and Internal Controls Department, which reports to the Audit Committee, is responsible for, among other duties, managing business risks by mapping the risks and action plans to mitigate them. The execution of internal controls and other protection mechanisms is the responsibility of the business areas (1st line of defense), in accordance with internal guidelines.
The sustainability area provides technical support and is responsible for mapping the risks and opportunities related to ESG issues, especially those listed in the Strategic Sustainability Plan. Other areas, such as Environment, Health and Safety, and Operations, are also consulted during the matrix review period to ensure that all relevant risks are mapped and managed.
Another committee involved is the Corporate Social Responsibility Committee (composed of the CEO, vice-presidents, and shareholders), which directly supports the Board of Directors in evaluating and addressing sustainability-related issues.
We also have the following: SIGO, a system that disseminates the HSE Policy and procedures for managing effluents, waste, air emissions, and permits; a tool that monitors and updates the applicable legal requirements; an Environmental Management Plan; a Solid Waste Management Plan; and a Plan for Monitoring the Quality of Surface Water and Liquid Effluents. We also monitor the Environmental Development Indicator and compliance with legal requirements. |GRI 102-11; SASB EM-MD-160.a.1|
More information about the risks and opportunities presented by climate change can be found here. |SASB FB-AG-440a.1.|
In March 2020, some of our systems experienced a momentary interruption due to a criminal act by hackers. Operations, however, were fully restored a few days after the attack, with a limited impact on results. The actions were guided by contingency plans, which allowed us to continue our activities, even if partially, on the same day of the attack.
We accelerated the upgrade of our applications to more modern versions and continued to evolve in the detection of threats and attacks and in the response time and remediation of vulnerabilities. Beyond that, the incident prompted us to take even more stringent measures for information security and data protection. We increased investments in the three pillars that support our Information Security strategy: Processes, People, and Technology, following market frameworks, acquiring new state-of-the-art security products, creating a dedicated structure for cyber defense, and hiring partners who are market leaders in the segment.
We expanded the coverage of our Information Security Policy and added stricter controls to the procedure for using Information Technology (IT) resources, which must be observed in the use of all IT equipment and means of communication and applies to employees and contractors. These guidelines also ensure that the entire team complies with the rules regarding the handling and protection of information and assets.
We also comply with the guidelines of the Internet Regulatory Framework and are moving forward with the adaptation of systems and processes in accordance with legislation related to this topic, such as the Brazilian General Data Protection Law (LGPD) and the EU General Data Protection Regulation (GDPR).
We also invest in training and education on safe behavior. We highlight the launch of online training at Raízen University on the LGPD, mandatory for all employees, as well as the engagement of suppliers who perform activities in critical processes that involve data processing and storage services. This includes collecting information through questionnaires, audits (depending on the supplier's classification), defining action plans, and monitoring to assess continuous improvement.