The risk management activity is highly strategic due to the increasing complexity of products and services and the globalization of the Company's business. The dynamism of the markets leads the Company to constantly seek to improve this activity.

The Company carries out a corporate risk control in an integrated and independent manner, preserving and giving value to a collective decision-making environment, developing and implementing methodologies, models and tools for measurement and control. It promotes the dissemination of the risk culture to all employees, at all hierarchical levels, from the business areas to the Board of Directors.

Scope of Risk Management

The Organization established procedures are based on market practices and ongoing acculturation, to keep risks at acceptable levels.

This management allows for the achievement of strategic objectives, business sustainability, timeliness and effectiveness in resource allocation decisions, in addition to preparing the Organization to face sudden changes in the economic, regulatory or technological scenario.

The scope of the Organization's risk management allows the risks of the Economic-Financial Consolidation^[1] to be managed by the Corporate Risk Management Process. The main risks monitored by the Organization are: solvency, liquidity, credit, market, social and environmental, climate, model, operational, strategy, contagion, cybersecurity, compliance and reputational.

Risk Appetite Statement (RAS)

The risk appetite refers to the types and levels of risks that the Company is willing to accept in the conduct of its business and purposes. The Risk Appetite Statement – RAS is an important instrument to reinforce the risk culture of the Company.

The Risk Appetite Statement is reviewed on annual basis, or whenever necessary, by the Board of Directors and permanently monitored by forums of the Senior Management and business and control areas.

Appetite monitoring is carried out by monitoring the established indicators, through effective control processes, in which managers are informed about risk exposures and the respective use of current limits. Reporting is carried out through an alert system, which facilitates communication and highlights any exceptions that require adjustment measures, permeating all areas of the Organization, supporting Senior Management in assessing whether the results are consistent with the risk appetite.

^[1] Includes the regulatory scope of the Prudential Conglomerate and other Consolidated companies.

Dimensions of Risk Appetite

For the many types of risks, whether measurable or not, the Company established control approaches, observing the main global dimensions: Solvency, Liquidity, Profitability, Credit, Market, Operational, Cyber Security, Social, Environmental, Climate, Reputation, Model and Qualitative Risks.

Risk and Capital Management Structures

The risk and capital management structure are made up of several committees, commissions and areas that support the Board of Directors, the Executive Officer, the Risk Officer and the Board of Executive Officers of the Company in strategic decision making.

Among the governance forums related to the topic, the following stand out:

Risk Management Corporate Process

Corporate Risk and Control Management methodology is aligned with the main international risk management Frameworks, enabling proactive identification, measurement, mitigation, monitoring and reported of risks.

Given the complexity of the products and services offered and the nature of the Organization’s activities, it is necessary to establish a robust risk management structure. In this context, operations are conducted through the Three Lines Model, ensuring that everyone contributes to providing reasonable assurance that the specified objectives will be achieved:

Stress Test Program

The risk management structure has a stress testing program characterized by a set of processes and routines, which include methodologies, documentation and governance, whose main objective is to identify potential vulnerabilities of the institution.

The stress testing program, prospective assessment exercises are carried out on the potential impacts of specific events and circumstances in capital, liquidity, or the value of a particular portfolio of the Organization and are used as a tool for risk management.

Stress tests are forward-looking assessment exercises of the potential impacts of specific events and circumstances on the Organization’s capital, liquidity, or the value of a particular portfolio, and are used as a tool for risk management.

The results of the stress tests serve as inputs for assessing the institution’s capital and liquidity levels, for the preparation of the respective contingency plans, for evaluating capital adequacy, and for the recovery plan.

In the Stress Testing Program, the scenarios and results are validated by COGIRAC, evaluated by the Risk Committee and deliberated by the Board of Directors, which is also responsible for approving the program and the guidelines to be followed.

The Organization manages capital covering the control and business areas, according to the guidelines of the Executive Board and the Board of Directors. Its governance structure is composed of Commissions and Committees, with the Board of Directors as the highest body.

The Organization has a structure dedicated to complying with the determinations of the Central Bank of Brazil related to capital management. In addition, it provides Senior Management with analyses and projections on the availability and need for capital, identifying threats and opportunities that contribute to planning the sufficiency and optimization of capital levels.

Capital Management Corporate Process

The Capital Management provides the conditions required to meet the Company’s strategic goals to support the risks inherent to its activities.

The Organization adopts a three-year forward-looking approach when preparing its capital plan, anticipating needs and establishing contingency procedures and actions for adverse scenarios. This considers possible changes in the regulatory, economic and business conditions in which it operates.

To manage sound capital composition to support the development of its activities and to ensure adequate coverage of risks incurred, the Organization performs a periodic monitoring of capital projections considering a managerial capital margin (buffer), which is added to the minimum regulatory requirements.

The management buffer is in line with the regulatory requirements, observing aspects such as additional impacts generated by stress scenarios, qualitative risks and risks not captured by the regulatory model.

The results from the Organization’s capital projections are submitted to the Senior Management, pursuant to the governance established. In addition, the Company’s regulatory capital sufficiency is monitored by periodically calculating the Basel Ratio, Tier I Ratio and Common Equity Ratio.

Details of Reference Equity (PR), Capital and Liquidity Ratios

The following table presents the main metrics established by prudential regulation (orders financial institutions to comply with requirements to cope with risks associated with their financial activities), such as regulatory capital, leverage ratio and liquidity indicators:

40.2.    Credit risk

Credit risk refers to the possibility of losses associated with the borrower’s or counterparty’s failure to comply with their financial obligations under the terms agreed, as well as the fall in value of loan agreements resulting from deterioration in the borrower’s risk rating, the reduction in gains or remunerations, benefits granted to borrowers in renegotiations, recovery costs and other costs related to the counterparty’s noncompliance with the financial obligations. Additionally, it includes the concentration risk and the country/transfer risk.

Credit risk management in the Company is a continuous and evolving process of mapping, development, assessment and diagnosis through the use of models, instruments and procedures that require a high degree of discipline and control during the analysis of transactions in order to preserve the integrity and autonomy of the processes.

The Company controls the exposure to credit risk which comprises mainly loans and advances, loan commitments, financial guarantees provided, securities and derivatives.

With the objective of not compromising the quality of the portfolio, aspects inherent to credit concession, concentration, guarantee requirements and terms, among others, are observed.

The Company maps the activities that could possibly generate exposure to credit risk, classifying them by their probability and magnitude, identifying their managers and mitigation plans.

Counterparty Credit Risk

The counterparty credit risk to which the Company is exposed includes the possibility of losses due to the non-compliance by counterparties with their obligations relating to the settlement of financial asset trades involving bilateral flows, including the settlement of derivative financial instruments.

The Company exercises control over the replacement cost and potential future exposures from operations where there is counterparty credit risk. Thereby, each counterparty’s exposure referring to this risk is treated in the same way and is part of general credit limits granted by the Company’s to its customers.

In short, the Counterparty Credit Risk management covers the modeling and monitoring (i) of the consumption of the credit limit of the counterparties, (ii) of the portion of the adjustment at fair value of the portfolio of credit derivatives (CVA – Credit Value Adjustment), segregated by counterparty, and (iii) of the respective regulatory and economic capital. The methodology adopted by the Company establishes that the credit exposure of the portfolio to certain counterparty can be calculated based on the Replacement Cost (RC) of its operations in different scenarios of the financial market, which is possible through the Monte Carlo simulation process.

In the context of risk management, the Company conducts studies of projection of capital, for example of the Stress Test of the ICAAP (Evaluation of Capital Adequacy) and TEBU (Bottom-Up Stress Test). These are multidisciplinary programs involving minimally the areas of Business and Economic Departments, of Budget/Result and Risk.

Regarding the forms of mitigating the counterparty credit risk that the Company is exposed to, the most usual is the composition of guarantees as margin deposits and disposal of public securities, which are made by the counterparty with the Company or with other trustees, whose counterparty’s risks are also appropriately evaluated.

Credit-Risk Management Process

The credit risk management process is conducted in a corporation-wide manner. This process involves several areas with specific duties, ensuring an efficient structure. Credit risk measurement and control are conducted in a centralized and independent manner.

Both the governance process and limits are validated by the Integrated Risk and Capital Allocation Management Committee, submitted for approval by the Board of Directors, and reviewed at least once a year.

In Management's view, the credit risk management structure performs a fundamental role in the Organization's second line, actively participating in the process of improving customer risk classification models, periodically monitoring major risks by main default events, level of provisioning in view of expected and unexpected losses.

This structure reviews the internal processes, including the roles and responsibilities and training and requirements, as well as conducts periodic reviews of risk evaluation processes to incorporate new practices and methodologies.

In Management's view, the attributions of the credit risk management structure faithfully follow the compliance precepts defined by the Organization. Integration with other lines occurs continuously and frequently, enabling assertiveness in the identification, measurement and control of credit risk.

Credit Concession

The Company’s strategy is to maintain a wide client base and a diversified credit portfolio, both in terms of products and segments, commensurate with the risks undertaken and appropriate levels of provisioning and concentration.

Under the responsibility of the Credit Area, lending procedures are based on the Company’s credit policy emphasizing the security, quality and liquidity of the lending. The process is guided by the risk management governance and complies with the rules of the Central Bank of Brazil.

The methodologies adopted value business agility and profitability, with targeted and appropriate procedures oriented to the granting of credit transactions and establishment of operating limits.

In the evaluation and classification of customers or economic Organizations, the quantitative (economic and financial indicators) and qualitative (personal data, behaviors and transactional) aspects associated with the customers capacity to honor their obligations are considered.

All business proposals are subject to operational limits, which are included in the Loan Guidelines and Procedures. At branches, the delegation of power to the submission of proposals depends on its size, the total exposure to the Company, the guarantees offered, the level of restriction and their credit risk score/rating. All business proposals are subject to technical analysis and approval of by the Credit Area.

In its turn, the Executive Credit Committees was created to decide, within its authority, on queries about the granting of limits or loans proposed by business areas, previously analyzed and with opinion from the Credit Area. Depending on the financial amount, the proposed operations/limits of this Committee may be submitted to the Board of Directors for deliberation.

Loan proposals pass through an automated system with parameters set to provide information for the analysis, granting and subsequent monitoring of loans, minimizing the risks inherent in the operations.

There are exclusive Credit and Behavior Scoring systems for the assignment of high volume, low principal loans in the Retail segment, meant to provide speed and reliability, while standardizing the procedures for loan analysis and approval.

Business is diversified wide-spread and aimed at individuals and legal entities with a proven payment capacity and solvency, seeking to support them with guarantees that are adequate to the risk assumed, considering the amounts, objectives and the maturities of loan granted.

Credit Risk Rating

The Organization has governance, practices and follow-up process. Among these practices, the Governance of Concessions and Credit Recovery Levels, which, depending on the size of the operation or the total exposure of the counterparty, require approval at the CEO or Board of Directors level. In addition, frequent portfolio monitoring is evaluated, with assessments of its evolution, defaults, provisions, vintage studies, capital, among others.

In addition to the process and governance levels of approval for credit and recovery operations, the risk appetite defined by the Organization is followed by concentration limits of operations for Economic Organization, Economic Activity Sector and Transfer (concentration by countries). Besides concentration indicators, Indicators of the quality of new credits, delinquency levels, problematic assets, economic capital margin, and provision expense for expected losses were also established within the risk appetite framework.

The credit risk assessment methodology, in addition to providing data to establish the minimum parameters for lending and risk management, also enables the definition of special Credit Rules and Procedures according to customer characteristics and size. Thus, the methodology provides the basis not only for the correct pricing of operations, but also for defining the appropriate guarantees.

The methodology used also follows the requirements established by National Monetary Council (CMN) Resolution 4,945/21 and includes analysis of social and environmental risks in projects, aimed at evaluating customers’ compliance with related laws and the Equator Principles, a set of rules that establish the minimum social and environmental criteria, which must be met for lending.

In accordance with its commitment to the continuous improvement of methodologies, the credit risk rating of operations contracted is distributed into homogeneous risk Organizations according to the criteria established by CMN Resolution No. 4,966/21 for the purpose of constituting provisions for expected losses associated with credit risk. In a simplified way, the operations risk ratings are determined according to the credit quality of the economic Organizations/customers defined by the Customer risk Rating, contract guarantees, credit product characteristics, late due behavior, notes/restrictions and the contracted credit face value, among other characteristics of the operation.

The customer risk ratings for economic Organizations are based on parameterized statistical procedures, using quantitative and qualitative information and judgments. Classifications are made by economic Organization and periodically monitored to preserve loan portfolio quality.

With respect to individuals, customer risk ratings are generally defined based also on statistical procedures and analysis of variables that discriminate risk behavior. This is made by applying statistical models for credit assessment.

The customer risk rating is used, in sets with several decision variables, for concession and/or renewal analysis of operations and credit limits, as well as for monitoring the customers' risk profile deterioration.

Control and Monitoring

The credit risk is controlled and monitored by and independent area which calculates the risk of open positions, consolidates the results, and performs the reporting as determined by the existing Governance process.

This area holds monthly meetings with all product and segment executives and officers, with a view to informing them about the evolution of the loan portfolio, delinquency, problematic assets, restructurings, adequacy of provisions for expected credit losses, loan recoveries, losses, portfolio limits and concentrations, regulatory and economic capital allocation, among others.

It also monitors any internal or external event that may cause a significant impact on the Organization’s credit risk, such as mergers, bankruptcies, and crop failures, in addition to monitoring industries in which the company is exposed to significant risks.

Internal Report

Credit risk is monitored on a timely basis in order to maintain the risk levels within the limits established by the Company. Managerial reports on risk control are provided to all levels of business, from branches to Senior Management.

With the objective of highlighting the risk situations, that could result in the customers’ inability to honor its obligations as contracted, the credit risk monitoring area provides daily reports, to the branches, national managers, business segments, as well as the lending and loan recovery areas. This system provides timely information about the loan portfolios and credit bureau information of customers, in addition to enabling comparison of past and current information, highlighting points requiring a more in-depth analysis by managers, such as assets by segment, product, region, risk classification, delinquency and expected and unexpected losses, among others, providing both a macro-level and detailed view of the information, and also enabling a specific loan operation to be viewed.

The information is viewed and delivered via dashboards, allowing queries at several levels such as business segment, divisions, managers, regions, products, employees and customers, and under several aspects (exposure, delinquency, stage, provision, write-off, restriction levels, guarantees, portfolio quality by rating, among others).

Measurement of Credit Risk

Periodically, the Company evaluates the expected credit losses from financial assets by means of quantitative models, considering the historical experience of credit losses of the different types of portfolio (which can vary from 2 to 7 years), the current quality and characteristics of customers, operations, and mitigating factors, according to processes and internal governance.

The actual loss experience has been adjusted to reflect the differences between the economic conditions during the period in which the historical data was collected, current conditions and the vision of the Company about future economic conditions, which are incorporated into the measurement by means of econometric models that capture the current and future effects of estimates of expected losses. The main macroeconomic variables used in this process are the Brazilian interest rates, unemployment rates, inflation rates and economic activity indexes.

The estimate of expected loss of financial assets is divided into three categories (stages):

The significant increase of credit risk is evaluated based on different indicators for classification in stages according to the customers’ profile, the product type and the current payment status, as shown below:

Retail Portfolios:

Wholesale Portfolios:

The expected losses are based on the multiplication of credit risk parameters: Probability of default (PD), Loss due to default (LGD) and Exposure at default (EAD).

The PD parameter refers to the probability of default perceived by the Company regarding the customer, according to the internal models of evaluation, which, in retail, use statistical methodologies based on the characteristics of the customer, such as the internal rating and business segment, and the operation, such as product and guarantee and, in the case of wholesale, they use specialist models based on financial information and qualitative analyses.

The LGD refers to the percentage of loss in relation to exposure in case of default, considering all the efforts of recovery, according to the internal model of evaluation that uses statistical methodologies based on the characteristics of the operation, such as product and guarantee.

Customers with significant exposure have estimates based on individual analyses, which are based on the structure of the operation and expert knowledge, aiming to capture the complexity and the specifics of each operation.

EAD is the exposure (gross book value) of the customer in relation to the Company at the time of estimation of the expected loss. In the case of commitments or financial guarantees provided, the EAD will have the addition of the expected value of the commitments or financial guarantees provided that they will be converted into credit in case of default of the loan or credit rather than the customer.

Credit Risk Exposure

We present below the maximum credit risk exposure of the financial instruments:

Loans and advances to customers

Concentration of credit risk

By Economic Activity Sector

The credit-risk concentration analysis presented below is based on the economic activity sector in which the counterparty operates.

Credit Risk Mitigation

Potential credit losses are mitigated using a variety of types of collateral formally stipulated through legal instruments, such as conditional sales, liens and mortgages, by guarantees such as third-party sureties or guarantees, and also by financial instruments such as credit derivative instruments, or netting arrangements. The efficiency of these instruments is evaluated considering the time to recover and realize an asset given as collateral, its fair value, the guarantors’ counterparty risk and the legal safety of the agreements. The main types of collateral include: term deposits; financial investments and securities; residential and commercial properties; movable properties such as vehicles, aircraft. Additionally, collateral may include commercial bonds such as invoices, checks and credit card bills. Sureties and guarantees may also include bank guarantees.

Credit derivative instruments are bilateral contracts in which one counterparty hedges credit risk on a financial instrument – its risk is transferred to the counterparty selling the hedge. Normally, the latter is remunerated throughout the period of the transaction. In the case default by the borrower, the buying party will receive a payment intended to compensate for the loss in the financial instrument. In this case, the seller receives the underlying asset in exchange for said payment.

The table below shows the fair value of guarantees of loans and advances to customers.

40.3.    Market risk

Market risk is represented by the possibility of financial loss due to fluctuating prices and market interest rates of the Company’s financial instruments, such as your asset and liability transactions that may have mismatched amounts, maturities, currencies and indexes.

Market risk is identified, measured, mitigated, controlled and reported. The Company’s exposure to market risk profile is in line with the guidelines established by the governance process, with limits monitored on a timely basis independently of the business areas.

All transactions that expose the Company to market risk are identified, measured and classified according to probability and magnitude, and the whole process is approved by the governance structure.

In line with the best Corporate Governance practices, with the objective of preserving and strengthening the management of market risk in the Organization, as well as complying with the provisions of Resolution No. 4,557 of the National Monetary Council, the Board of Directors approved the Market Policy, which is reviewed at least annually by the competent Committees and by the Board of Directors, providing the main guidelines for accepting, controlling and managing market risk. In addition to this policy, the Organization has specific rules to regulate the market risk management process, as follows:

Market Risk Management Process

The market risk management process is a corporation wide process, comprising from business areas to the Board of Directors; it involves various areas, each with specific duties in the process. The measurement and control of market risk is conducted in a centralized and independent manner. This process permits that the Company be the first financial institution in the country authorized by the Central Bank of Brazil to use its internal market risk models to calculate regulatory capital requirements since January 2013. This process is also revised at least once a year by the Committees and approved the Board of Directors itself.

Determination of Limits

Proposed market-risk limits of Trading Portfolio are validated by specific Committees and submitted for approval by the Integrated Risk and Capital Allocation Management Committee, and then for approval by the Board of Directors.

Trading Portfolio: it comprises all financial assets at fair value through profit or loss, including derivatives, or used to hedge other instruments in the Trading Portfolio, which have no trading restrictions. Held-for-trading operations are those intended for resale, to obtain benefits from actual or expected price variations, or for arbitrage.

The risks of this portfolio are monitored through:

Banking Portfolio: it comprises operations not classified in the Trading Portfolio, arising from Organization’s other businesses and their respective hedges. Portfolio risks in these cases are monitored by:

Market-Risk Measurement Models

Market risk is measured and controlled using Stress, Value at Risk (VaR) and Sensitivity Analysis methodologies, as well as limits for the Management of Results and Financial Exposure. The use of different methodologies for measuring and evaluating risks is important, as they are always complementary and their combined use allows the capture of different scenarios and situations.

Trading and Regulatory Portfolio

Trading Portfolio risks are mainly controlled by the Stress and VaR methodologies. The Stress methodology quantifies the negative impact of extreme economic shocks and events that are financially unfavorable to the Company’s positions. The analysis uses stress scenarios prepared by the Market Risk area and the Company’s economists based on historical and prospective data for the risk factors in which the Company portfolio.

The methodology adopted to calculate VaR is the Delta-Normal, with a confidence level of 99% and considering the number of days necessary to unwind the existing exposures. The methodology is applied to the Trading and Regulatory Portfolio (Trading Portfolio positions plus Banking Portfolio foreign currency and commodities exposures). It should be noted that for the measurement of all the risk factors of the portfolio of options are applied the historical simulation models and Delta-Gamma-Vega, prevailing the most conservative between the two. A minimum 252-business-day period is adopted to calculate volatilities, correlations and historical returns.

For regulatory purposes, the capital requirements relating to shares held in the Banking Portfolio are determined on a credit risk basis, as per Central Bank of Brazil resolution, i.e., are not included in the market risk calculation.

Risk of Interest Rate in the Banking Portfolio

The measurement and control of the interest-rate risk in the Banking Portfolio area is mainly based on the Economic Value of Equity (EVE) and Net Interest Income (NII) methodologies, which measure the economic impact on the positions and the impact in the Company’s income, respectively, according to scenarios prepared prepared by specialist areas and evaluated by the Organization’s Technical Stress Testing Committee - COTES. These scenarios determine the positive and negative movements of interest rate curves that may affect Company’s investments and capital-raising.

The EVE methodology consists of repricing the portfolio exposed to interest rate risk, taking into account the scenarios of increases or decreases of rates, by calculating the impact on present value and total term of assets and liabilities. The economic value of the portfolio is estimated on the basis of market interest rates on the analysis date and of scenarios projected. Therefore, the difference between the values obtained for the portfolio will be the Delta EVE.

In the case of the NII – Interest Earning Portion, the methodology intends to calculate the Company’s variation in the net interest income (gross margin) due to eventual variations in the interest rate level, that is, the difference between the calculated NII in the base scenario and the calculated NII in the scenarios of increase or decrease of the interest rate will be Delta NII.

For the measurement of interest rate risk in the Banking Portfolio, behavioral premises of the customers are used whenever necessary. As a reference, in the case of deposits and savings, which have no maturity defined, studies for the verification of historical behaviors are carried out as well as the possibility of their maintenance. Through these studies, the stable amount (core portion) as well as the criterion of allocation over the years are calculated.

Financial Instrument Pricing

The Mark-to-Market Commission (CMM) is responsible for approving or submitting fair value models to the Market and Liquidity Risk Commission. The CMM is made up of representatives from the business, back-office and risk areas, with the risk area being responsible for coordinating the Commission and submitting the matters assessed for approval in accordance with the established governance, as appropriate.

Whenever possible, the Bank uses prices and quotes from the securities, commodities and futures exchange and the secondary markets. Failing to find such market references, prices made available by other sources (such as Bloomberg, Reuters and Brokerage Firms) are used. As a last resort, proprietary models are used to price the instruments, which also follow the same CMM approval procedure and are submitted to the Company’s validation and assessment processes.

Fair value criteria are periodically reviewed, according to the governance process, and may vary due to changes in market conditions, creation of new classes of instruments, establishment of new sources of data or development of models considered more appropriate.

Financial instruments to be included in the Trading Portfolio must be approved by the Treasury or Products, Services and Partnerships Executive Committee and have their pricing criteria defined by the CMM.

The following principles for the fair value process are adopted by the Company:

Control and Follow-Up

Market risk is controlled and monitored by an independent area which, on a daily basis, measures the risk of outstanding positions, consolidates results and prepares reports required by the existing governance process.

In addition to daily reports, Trading Portfolio positions are discussed once every fifteen days by the Treasury Executive Committee, in this meetings, results and risks are assessed and strategies are discussed. Both the governance process and the existing thresholds are ratified by the Integrated Risk Management and Capital Allocation Management Committee and submitted to approval of the Board of Directors, which are revised at least once a year.

In the event of a breach of any of these limits, the business unit’s executive management responsible for the position and the COGIRAC are promptly informed of the limit consumption for decision-making purposes. If an increase in the limit and/or an adjustment or maintenance of the positions is required, the Board of Directors is convened to deliberate on the new limit or the revision of the position strategy.

Internal Communication

The market risk area provides daily managerial control reports on the positions to the business areas and Senior Management, in addition to weekly reports and periodic presentations to the Board of Directors.

Reporting is conducted through an alert system, which determines the addressees of risk reports as previously determined risk threshold percentage is reached; therefore, the higher the risk threshold consumption, more Senior Management members receive the reports.

Hedging and Use of Derivatives

In order to standardize the use of financial instruments as hedges of transactions and the use of derivatives by the Treasury area, the Company created specific procedures that were approved by the competent Committees.

The hedge transactions executed by Organization’s Treasury area must necessarily cancel or mitigate risks related to unmatched quantities, terms, currencies or indexes of the positions in the Treasury books, and must use assets and derivatives authorized to be traded in each of their books to:

For derivatives classified in the “hedge accounting” category, there is a monitoring of: (i) strategy effectiveness, through prospective and retrospective effectiveness tests, and (ii) mark-to-market of hedge instruments.

Cash flow Hedge

Bradesco maintains cash flow hedges. See more details in Note 7.

Standardized and “Continuous Use” Derivatives

Company’s Treasury area may use standardized (traded on an exchange) and “continuous use” (traded over the counter) derivatives for the purpose of obtaining income or as hedges. The derivatives classified as “continuous use” are those habitually traded over-the-counter, such as vanilla swaps (interest rates, currencies, Credit Default Swap, among others), forward operations (currencies, for example) and vanilla options (currency, Bovespa Index), among others. Non-standardized derivatives that are not classified as “continuous use” or structured operations cannot be traded without the authorization of the applicable Committee.

Evolution of Exposures

In this section are presented the evolution of financial exposure, the VaR calculated using the internal model and its backtesting and the Stress Analysis.

Financial Exposure – Trading Portfolio (Fair Value)

VaR Internal Model – Trading Portfolio

The 1-day VaR of Trading Portfolio net of tax effects was R$14,814 thousand as of December 31, 2025, with the options risk factor classified in the IGP-M/IPCA rates Organization as the largest share of the Portfolio’s risk.

VaR Internal Model – Regulatory Portfolio

The capital is calculated by the normal delta VaR model based in Regulatory Portfolio, composed by Trading Portfolio and the Foreign Exchange Exposures and the Commodities Exposure of the Banking Portfolio. In addition, the historical simulation and the Delta–Gamma–Vega models of risk are applied to measure all risk factors to an options portfolio, whereby this risk of options is added to the VaR of the portfolio. In this model, risk value is extrapolated to the regulatory horizon^[2] (the highest between 10 days and the horizon of the portfolio) by the ‘square root of time’ method. VaR and Stressed VaR shown below refer to a ten-day horizon and are net of tax effects.

Note: Ten-day horizon VaR net of tax effects.

^[2] The maximum amount between the book’s holding period and ten days, which is the minimum regulatory horizon required by Central Bank of Brazil, is adopted.

To calculate regulatory capital requirement according to the internal model, it is necessary to take into consideration the rules described by Central Bank Circular Letters No. 3,646/13 and No. 3,674/13, such as the use of VaR and Stressed VaR net of tax effects, the average in the last 60 days and its multiplier.

VaR Internal Model – Backtesting

The risk methodology applied is continuously assessed using backtesting techniques, which compare the one-day period VaR with the hypothetical statement of income, obtained from the same positions used in the VaR calculation, and with the effective statement of income, also considering the intraday operations for which VaR was estimated.

The main purpose of backtesting is to monitor, validate and assess the adherence of the VaR model, and the number of exceptions that occurred must be compatible with the number of exceptions accepted by the statistical tests conducted and the confidence level established. Another objective is to improve the models used by the Company, through analyses carried out with different observation periods and confidence levels, both for Total VaR and for each risk factor.

The daily actual and hypothetical results for the last 250 business days did not exceed the respective VaR at the 99% confidence level at any time during the year ended December 31, 2025. Likewise, in September 2025, the daily actual and hypothetical results for the last 250 business days also did not exceed the corresponding VaR for the same confidence level.

According to the document published by the Basel Committee on Banking Supervision, breakouts would be classified as “Bad luck or the markets moved in a way not predicted by the model”, that is, the volatility was significantly higher than the expected and/or correlations were different from those assumed by the model.

Stress Analysis – Trading Portfolio

The Company also assesses on a daily basis the possible impacts on statement of income in stress scenarios considering a holding period of 20 business days, ie, how much prices or interest rates can change in 20 business days based on historical data and prospective scenarios. This metric is monitored with limits established in the governance process. The scenarios are defined for each risk factor and they are represented as a shock or discount factors which are applied to the trading book position, thus, the value calculated represents a possible loss of the trading book in a stress scenario:

Note: Values net of tax effects.

Sensitivity Analysis of Financial Exposures

The sensitivity analysis of the Company’s financial exposures (Trading and Banking Portfolios) is performed on a quarterly basis and carried out based on the scenarios prepared for the respective dates, always taking into consideration market inputs available at the time and scenarios that would adversely impact our positions as shown in the examples below:

Scenario 1: Based on market information (B3, Anbima, etc.), stresses were applied for 1 basis point on the interest rate, being 1.0% variation on prices;

Scenario 2: 25.0% stresses were determined based on market information; and

Scenario 3: 50.0% stresses were determined based on market information.

The results show the impact for each scenario on a static portfolio position. The dynamism of the market and portfolios means that these positions change continuously and do not necessarily reflect the position demonstrated here. In addition, the Company has a continuous market risk management process, which is always searching for ways to mitigate the associated risks, according to the strategy determined by Management. Therefore, in cases of deterioration indicators in a certain position, proactive measures are taken to minimize any potential negative impact, aimed at maximizing the risk/return ratio for the Company.

Sensitivity Analysis – Trading Portfolio

Sensitivity Analysis – Trading and Banking Portfolios

Market Risk - Insurance

In Item 40.6 – Insurance/Underwriting Risk in consolidated financial statements, the sensitivity analysis related to the discount rate applied in calculating the present value of future obligations is presented. The effects of this sensitivity on insurance liabilities are directly linked to the Yield Curve (ETTJ), which fluctuates as a result of interest rates and inflation. In this context, its inclusion in this section would be possible. However, considering that such sensitivity directly affects the measurement of the actuarial liability, its presentation is considered more appropriate in Item 40.6 – Insurance/Underwriting Risk, as that section already includes the other sensitivity analyses related to the liability.

The Liquidity Risk is represented by the possibility of the institution not being able to efficiently meet its obligations, without affecting its daily operations and incurring significant losses, as well as the possibility of the institution to fail to trade a position at market price, due to its larger size as compared to the volume usually traded or in view of any market interruption.

The understanding and monitoring of this risk are crucial to enable the Company to settle operations in a timely manner.

Control and Monitoring

The liquidity risk management of the Company is performed using tools developed on platforms and validated by independent areas of the Company. Among the key metrics and indicators considered in the framework of liquidity risk, are:

Limits were established for the main metrics, which can be strategic (approved up to the level of the Board of Directors) or operational (approved by Executive Committee), based on flags, which trigger different levels of governance according to the percentage of use (consumption) of their respective limits.

Liquidity Risk Mitigation

The governance established for the liquidity risk management includes a series of recommendations to mitigate the risk of liquidity, among the main strategies, are:

Stress Tests

Due to the dynamics and criticality of this theme, the management and control of liquidity risk should happen every day and be based on stress scenarios. In this way, the main metric used for the monitoring of the liquidity risk of the Prudential Conglomerate is the Short-term Liquidity Coverage Ratio (LCR), which measures the adequacy of liquid resources to honor the commitments in the next thirty days considering a scenario of stress. Therefore, the daily management is performed through the stress test.

In addition to the LCR and other metrics of monitoring, simulations of stress scenarios in the long-term are performed, within the integrated stress test program (ICAAP for example), also to evaluate a possible deterioration of liquidity indicators for different time horizons.

Internal communication

Internal communication about liquidity risk, both between areas and between the different layers of internal governance are done through internal reports, committees and the Company's senior management.

Additionally, reports are distributed daily to the areas involved in management and control, as well as to senior management. Several analysis instruments are part of this process and are used to monitor liquidity, such as:

The liquidity risk management process has an alert system, which determines the appropriate level of reporting of risk reports according to the percentage of use of the established limits. Thus, the lower the liquidity ratios, the higher levels of management of the Company receive the reports.

Undiscounted cash flows of financial liabilities and insurance contracts

The table below presents the cash flows payable for non-derivative financial liabilities and insurance contracts, covering the remaining contractual period to maturity as from the date of the consolidated statements of financial position. The values disclosed in this table represent the undiscounted contractual cash flows.

The assets available to meet all the obligations and cover the outstanding commitments include cash and cash equivalents, financial assets, loans and advances. Management may also cover unexpected cash outflows by selling securities and by having access to sources of additional funds, such as asset-backed-markets.

The cash flows that the Company estimates for these instruments may vary significantly from those presented. For example, it is expected that demand deposits of customers will maintain a stable or increasing balance, and it is not expected that these deposits will be withdrawn immediately.

In the Company, liquidity-risk management involves a series of controls, mainly related to the establishment of technical limits, with the ongoing evaluation of the positions assumed and the financial instruments used.

Undiscounted cash flows for derivatives

All the derivatives of the Company are settled at net value, and include:

The table below analyzes the derivative financial liabilities that will be settled at net value, Organizationed based on the period remaining from the reporting date to the respective maturity date. The values disclosed in the table are undiscounted cash flows.

Consolidated statements of financial position by maturities

The tables below show the financial assets and liabilities and insurance contract liabilities of the Organization segregated by maturities used for the management of liquidity risks, in accordance with the remaining contractual maturities on the reporting date:

The tables below show the assets and liabilities of the Company segregated by current and non-current, in accordance with the remaining contractual maturities on the reporting date:

40.5.    Fair value of financial assets and liabilities

The tables below present the composition of the financial assets and liabilities measured at fair value, classified using the hierarchical levels:

Reconciliation of securities and derivative financial instruments measured at fair value on a recurring basis using significant unobservable inputs (Level 3):

The tables below show the gains/(losses) due to changes in fair value and interest income, including the realized and unrealized gains and losses, recorded in the consolidated statement of income for Level 3 assets and liabilities:

Sensitivity analysis for financial assets classified as Level 3

The sensitivity analyses were carried out based on the scenarios prepared for the dates shown, always taking into consideration market inputs available at the time and scenarios that would adversely impact our positions, in accordance with the scenarios below:

Scenario 1: Based on market information (B3, Anbima, etc.), stresses were applied for 1 basis point on the interest rate and 1.0% variation on prices;

Scenario 2: 25.0% stresses were determined based on market information; and

Scenario 3: 50.0% stresses were determined based on market information.

Financial instruments not measured at fair value

The table below summarizes the carrying amounts and the fair values of the financial assets and liabilities that were not presented in the consolidated statements of financial position at their fair value, classified using the hierarchical levels:

40.6.    Insurance/Underwriting risk

Underwriting risk is the risk related to a possible loss event that may occur in the future and for which there is uncertainty over the amount of damages that result from it. The risk arises from an economic situation not matching the Company’s expectations at the time of issuing its underwriting policy with regard to the uncertainties existing both in the definition of actuarial assumptions and in the measurement of compliance cash flows, as well as for pricing and calculating premiums and contributions. In short, it refers to the risk of the frequency or severity of loss events or benefits exceeding the Company’s estimates.

Historical experience shows that the larger the Organization of contracts with similar risks, the lower the variability in cash flows. In that way, the risk management process seeks to diversify insurance operations, aiming to excel at balancing the portfolio, and is based on the Organizationing of risks with similar characteristics in order to reduce the impact of individual risks.

Risk underwriting management is carried out by the Technical Superintendence and the policies of underwriting and acceptance of risks are periodically evaluated.

Uncertainties over estimated future claim payments

Claims are due as they occur, and the Organization must compensate all covered claims that occur during the term of the contract. The estimated cost of claims includes the direct expenses to be incurred in their settlement. Therefore, considering the uncertainties inherent to the process, the final settlement may be different from that initially planned.

Asset and liability management (ALM)

The Company periodically analyzes future cash flows on assets and liabilities held in portfolio ALM – Asset Liability Management. The method used for ALM analysis is to observe the sufficiency or insufficiency of the present value of the stream of assets in relation to the present value of the stream of liabilities, and the duration of assets in relation to that of liabilities. The aim is to verify that the situation of the portfolio of assets and liabilities is balanced in order to honor the Company’s future commitments to its insured persons.

The actuarial assumptions used to generate the flow of liabilities are in line with international actuarial practices and also with the characteristics of the Company’s product portfolio.

Risk management by product

The continuous monitoring the insurance contract portfolio enables us to track and adjust premiums practiced, as well as to assess the need for alterations. Other monitoring tools in use include: (i) sensitivity analysis, and (ii) algorithmic checks and corporate system notifications (underwriting, issuance and claims).

The main risks associated with Non-Life

The risks associated with Non-Life include, among others:

Generally, the Non-Life insurance underwritten by the Company is of short duration. The underwriting strategies and goals are adjusted by management and informed through internal guidelines and practice and procedure manuals.

The main risks inherent to the main Non-Life business lines are summarized as follows:

The main risks associated with life insurance and pension plans

Life insurance and Private Pension Plans are generally long-term in nature and, accordingly, various actuarial assumptions are used to manage and estimate the risks involved, such as: assumptions about returns on investments, longevity, mortality and persistence rates in relation to each business unit. Estimates are based on historical experience and on actuarial expectations.

The risks associated with life insurance and pension plans include:

The main risks associated with health insurance

The risks associated with health insurance include, among others:

For individual health insurance, for which certain provisions are calculated based on expected future cash flows (difference between expected future claims and expected future premiums), there are a number of risks, in addition to those cited above, such as biometric risk, including mortality and longevity experience and the insured’s behavioral risk, which covers persistency experience, as well as interest-rate risk that is managed as a part of market risk.

Risk management of non-life, life insurance and pension plans and health insurance

The Board for Risk Management monitors and evaluates risk exposure and is responsible for the development, implementation and review of policies that cover subscription. The implementation of these policies, the treatment of claims, reinsurance and the constitution of technical provisions of these risks are performed by the Technical Superintendent of Actuary and Statistics. The Technical Superintendent developed mechanisms, such as the analysis of possible accumulations of risks based on monthly reports, which identify, quantify and manage accumulated exposure in order to keep it within the limits defined by internal policies.

For life insurance, pension plans and health insurance, the longevity risk is carefully monitored using the most recent data and tendencies of the environment in which the Company operates. Management monitors exposure to this risk and its capital implications in order to manage possible impacts, as well as the funding that the future business needs. Management adopts assumptions of continuous improvement in the future longevity of the population for the calculation of technical provisions, in order to anticipate and thus be covered by possible impacts generated by the improvement in the life expectancy of the insured/assisted population.

Persistency risk is managed through the frequent management of the Company’s historical experience. Management has also established guidelines for the management of persistency in order to monitor and implement specific initiatives, when necessary, to improve retention of policies.

The risk of elevated expenses is primarily monitored through the evaluation of the profitability of business units and the frequent monitoring of expense levels. Specifically, for life insurance and pension plans, mortality and morbidity risks are mitigated through the assignment of catastrophe reinsurance.

Risk Concentration

The Company operates throughout the national territory, and potential exposures to risk concentration are monitored through management reports where the results of insurance contracts sold by branch are observed. The table below shows the concentration of types of risks insured:

Sensitivity test

The purpose of the sensitivity test is to measure the impacts on the Organization´s results, in the event of isolated, reasonably possible changes in assumptions inherent to the operations that may be affected due to the risk underwriting process and that are considered relevant on the balance sheet date.

As risk factors, the following premises were elected:

Sensitivity test results

The table below shows the impact on the Company's results in insurance liabilities for life insurance with survivorship coverage, pension plans and individual life insurance, considering variations in the risk factor:

The sensitivity tests for Conversion and Income of the Pension product and for Longevity of the Life product were not presented as they resulted in zero impact.

With respect to insurance risk, the table below presents the effects of sensitivity to the discount rate (bottom-up, risk-free rate, illiquidity premium) on insurance liabilities, segregated by line of business. The risk-free rate used to discount the liabilities to present value is the Yield Curve (ETTJ) published by Ambima/SUSEP. The DV01 (Dollar Value of 1 basis point) was selected as the shock factor, as it is a metric widely used in the financial market to measure interest rate risk and facilitates comparisons across different instruments, since it expresses sensitivity in monetary terms. The results of this sensitivity analysis are presented both in statement of income and in Equity; however, the Company has established as an accounting policy that the adjustments arising from changes in interest rates are recognized directly in Equity, reinforcing the consistency and comparability of the consolidated financial statements.

For non-life insurance, collective life and health including dental insurance, the table below shows the impact in expenses with claims on the Organization's statements of income, if there was an increase of 1 percentage point in the accident rate, in the last year of the calculation base date:

The effect of this sensitivity is linear. Considering the loss ratio recorded for the period from October 2024 to September 2025, variations were observed in Non-Life of –1 and +5 percentage points for the lower and upper scenarios, respectively; in Life of –3 and +5 percentage points for the lower and upper scenarios, respectively; and in Health of –2 and +2 percentage points for the lower and upper scenarios, respectively. It should be noted that such variations are continuously monitored.

Limitations of sensitivity analysis

Sensitivity analyses show the effect of a change in certain assumptions while other assumptions remain unchanged.

Sensitivity analyses do not take account of the fact that assets and liabilities are highly managed and controlled. Additionally, the Company’s financial position may vary with any movement occurring in the market. For example, the risk management strategy aims to manage exposure to fluctuations in the market. As investment markets move through various levels, management initiatives may include sales of investments, altered portfolio allocations, and other protective measures.

Other limitations of the sensitivity analyses include the use of hypothetical market movements to show the potential risk, which only represents Management’s view of possible market changes in the near future, which cannot be foreseen with certainty, and they also assume that all interest rates move in the same manner.

Credit risk

Credit risk consists of the possible occur of losses in value of financial assets and reinsurance assets, because of noncompliance, by the counterparty, of its financial obligations according to agreed terms the Company and its subsidiaries, as well as the devaluation of contracts, resulting from the deterioration in the counterparty's risk classification.

This risk may materialize in different ways, among others.

Credit risk management

The Company performs various sensitivity analyses and stress tests as tools for management of financial risks. The results of these analyses are used for risk mitigation and to understand the impact on the results and the shareholders’ equity of the Company in normal conditions and in conditions of stress. These tests take into account historical scenarios and scenarios of market conditions provisioned for future periods, and their results are used in the process of planning and decision making, as well as the identification of specific risks arising on financial assets and liabilities held by the Company. The management of credit risk for reinsurance operations includes monitoring of exposures to credit risk of individual counterparts in relation to credit ratings by risk assessment companies, such as AM Best, Fitch Ratings and Standard & Poor’s and Moody’s. The reinsurers are subject to a process of analysis of credit risk on an ongoing basis to ensure that the goals of the mitigation of credit risk will be achieved.

In that sense, credit risk management in the Company is a continuous and evolving process including the mapping, development, evaluation and diagnosis of existing models, instruments and procedures that requires a high level of discipline and control in the analysis of operations to preserve the integrity and independence of processes. It is a process carried out at the corporate level using structured, independent internal procedures based on proprietary documentation and reports, assessed by the risk management structures of the Company, and based on the gradual deployment of internal models for the determination, measurement and calculation of capital.

Meetings are held quarterly of the Executive Committee for Risk Management of Grupo Bradesco Seguros, of the Executive Committee of Investments and, monthly, of the Internal Meeting of Asset Allocation by the area of Investment Management of Bradesco Seguros S.A. for the deliberative negotiations, possessing the functions, which are necessary for the regulatory/improvement requirement in the processes of management.

Reinsurance policy

No matter how conservative and selective insurers are in the choice of their partners, the purchase of reinsurance presents, naturally embedded in its operation, a credit risk.

The Bradesco Company’s policy for purchasing reinsurance and approval of reinsurers are the responsibility of the Board of Executive Officers, observing to the minimum legal requirements and regulations, some of them aimed at minimizing the credit risk intrinsic to the operation, and considering the shareholders’ equity consistent with amounts transferred.

Another important aspect of managing reinsurance operations is the fact that the Company aims to work within its contractual capacity, thereby avoiding the frequent purchases of coverages in optional agreements and higher exposures to the credit risk.

Practically, all property damage portfolios, except automotive, are hedged by reinsurance which, in most cases, is a combination of proportional and non-proportional plans by risk and/or by event.

Currently, part of the reinsurance contracts (proportional and non-proportional) are transferred to IRB Brasil Resseguros S.A. Some admitted reinsurers participate with lower individual percentages, but all have minimum capital and rating higher than the minimum established by the Brazilian legislation, which, in Management’s judgment, reduces the credit risk.

Exposure to insurance credit risk

Management believes that maximum exposure to credit risk arising from premiums to be paid by insured parties is low, since, in some cases, coverage of claims may be canceled (under Brazilian regulations), if premiums are not paid by the due date. Exposure to credit risk for premium receivables differs between risks yet to be incurred and risks incurred, since there is higher exposure on incurred-risk lines for which coverage is provided in advance of payment of the insurance premium.

The Company is exposed to concentrations of risk with individual reinsurance companies, due to the nature of the reinsurance market and strict layer of reinsurance companies with acceptable loan ratings. The Company manages the exposures of its reinsurance counterparties, limiting the reinsurance companies that may be used, and regularly assessing the default impact of the reinsurance companies.

Operational risk

Operational risk is the possibility of losses resulting from failure, deficiency or inadequacy of internal processes, people and systems, or resulting from fraud or external events, including legal risk and excluding risks arising from strategic decisions and image of the Organization.

Operational risk management

The Organization approaches operational risk management as a process of continuous improvement, aiming to monitor the dynamic evolution of the business and minimize the existence of gaps that could compromise the quality of this management.

The entire Corporate Governance process for operational risk management is monitored quarterly by the executive committees of Grupo Bradesco Seguros, having, among others, the following responsibilities:

Within this scenario, the Organization has mechanisms for evaluating its Internal Controls system to provide reasonable security regarding the achievement of its objectives in order to avoid the possibility of loss caused by non-observance, violation or non-compliance with internal rules and instructions. The internal control environment also contributes to operational risk management, in which the risk map is regularly updated based on self-assessments of risks and controls.

Procedures for Continuous Control and Monitoring

Operational risk is represented by the possibility of losses resulting from external events or failure, deficiency, or inadequacy of internal processes, people, or systems. This definition includes the legal risk associated with inadequacy or deficiency in contracts signed by the Organization, sanctions due to non-compliance with legal provisions and compensation for damages to third parties arising from the activities carried out by the Organization.

Operational Risk Management Process

The Operational Risk Management Policy establishes the principles, guidelines, and responsibilities that ensure the effective identification and management of operational risk, supporting the maintenance of a framework that is appropriate and commensurate with the nature and complexity of the Organization’s activities.

The policy guides the monitoring of risk exposures, defines acceptable loss thresholds, and supports the proper allocation of capital. It also promotes the dissemination of a risk-aware culture among employees and third parties, ensuring that they understand their roles and responsibilities in the identification, assessment, monitoring, control, and mitigation of operational risk, in line with applicable regulatory requirements. Additionally, the policy encompasses mechanisms for assessing risks associated with new products, services, processes, and systems.

Operational risk management is conducted on a corporate basis and involves different areas with specific responsibilities, ensuring an efficient structure that enables the proper assessment of risks and supports managers and Senior Management in the decision-making process. The process comprises stages such as identifying, assessing, and continuously monitoring the operational risks inherent to the Organization’s activities.

The management process also considers the regulatory environment, with its main results and aspects reported periodically to Senior Management and the Regulator. These procedures are supported by an internal control system that is independently certified regarding its effectiveness and execution, ensuring compliance with the Organization’s established risk appetite. Operational loss events are analyzed and discussed with the parties involved, including Senior Management, as they not only represent challenges but also provide insights for the continuous improvement of processes. These analyses contribute to strengthening risk management and enhancing the Organization’s operational resilience.

Operational Risk Measurement Methodology

In compliance with BCB Resolution No. 356/23, the Organization calculates the portion of risk-weighted assets related to Operational Risk using the standardized approach (RWAopad). In addition, it uses internal operational loss data as inputs for determining the economic capital for operational risk based on an internal model. In this context, operational risk events are classified as follows:

Control and Monitoring

Operational risk is measured through a structured and centralized system designed to capture, store, consolidate, and manage operational loss data. This solution supports both quantitative and qualitative analyses, impact assessments, management reporting, and the identification of historical patterns, while also serving as an input for the calculation of economic and regulatory capital.

Additionally, the Organization uses an integrated risk-management solution that documents risk analyses, controls, and mitigating actions that support the management of relevant incidents and the review of scenarios used in internal models, contributing to methodological consistency and the prioritization of mitigation initiatives.

Internal Communication

The preparation and submission of management reports follow the standards established by applicable regulatory requirements and are presented to the Executive Board through risk commissions and committees, as well as to the Board of Directors. These materials consolidate the institutional view of operational risk exposure and support strategic decision-making.

This information is reported monthly and includes the monitoring of the Operational Risk Appetite Indicator (RAS), the comparison of budgeted versus actual operational losses, and the analysis of material incidents, in accordance with the materiality criteria set forth in Article 6 of BCB Normative Instruction No. 33/20.

Additionally, the results of regulatory and economic capital measurements are submitted to the governance bodies. This process reinforces regulatory adherence and supports the integrated assessment of the level of capital required for adequate risk coverage.

Operational Risk Mitigation Strategies

For the mitigation of operational risk, the Organization adopts an integrated set of practices that involves the continuous dissemination of risk culture through training, internal campaigns, and capacity-building initiatives, including for third-party service providers. This process is complemented by the design and implementation of preventive and predictive controls aligned with the mapping and assessment of critical risks associated with areas, processes, and products.

Mitigating actions are conducted in a risk-oriented manner, supporting decision-making. Systematic monitoring of the impacts on the Risk Appetite (RAS) is performed through specialized assessments and root-cause analysis, ensuring an understanding of key drivers and timely corrections.

Additionally, the Organization conducts periodic reviews of management processes, strengthening its ability to prevent and detect incidents. The process of capturing, recording, reconciling, and monitoring operational losses ensures traceability, data accuracy, and compliance with applicable regulatory requirements.

In 2025, the Organization implemented the RBA – Risk-Based Approach with the objective of identifying and prioritizing risks, allowing Risk Areas to focus efforts and resources on the most critical topics/processes requiring greater depth.

This methodology aims to revise the operational model of Compliance/Internal Controls, promoting operational efficiency and predictive and preventive action, increasing staff seniority with a focus on risk management, business, and data analysis for more assertive decision-making, as well as integrating the Business Analytics unit to enable greater coverage, expansion of data-based testing, and more accurate and timely diagnostics.