OBJECTIVE

Brasil Group, to promote the management of potential (or involved) risks in EDP's business and that may impact the Company and the stakeholders with whom we interact.

PURPOSES AND PRINCIPLES

Risk management within the EDP Brasil environment aims to align the risk appetite assumed with the company's strategic objectives, to guarantee the achievement of results.

Risk management at the EDP Brasil Group considers the following principles:

  • Risk management as everyone's responsibility, from the Board of Directors to the individual employee. Risk, risk appetite and risk tolerance are key points in decision making for the execution of business activities, functions and processes;
  • The ability to manage risks as a lever for the value of assets, projects and business opportunities, in addition to safeguarding human lives, the environment, the well-being of employees and reinforcing innovation;
  • The transmission of trust in the business to shareholders, employees, customers, suppliers and the communities where the Company operates;
  • The assessment of risks and opportunities for generating value in the short, medium and long term considers the direct and indirect economic, social and environmental impacts of the operations;
  • The constant evolution and improvement to ensure compliance with the best international risk management practices;
  • Identification of efficient mitigators to ensure alignment of the Company's strategy.

1.1. Lines of Defense

The risk management model adopted by EDP is based on the concept of three lines of defense, in which each agent in the organization has a specific role within the risk management process:

1st Line: Operates in operational risk management in the day-to-day routine, identifying, analyzing, evaluating, treating and controlling risks. It is responsible for the mapped risks and reports directly to the company's senior management. It is made up of the company's employees and business areas.

2nd Line: Consisting of the Risk and Control areas within the organization, its function is to provide guidance and methodological support to the company's employees, in addition to ensuring the management and control of the risks mapped by the 1st line of defense.

3rd Line: Represented by the company's Internal Audit. It provides independent assessments of the company's risk methodology, bringing greater strength to the risk management system.

1.2. Compliance Risk

Corporate risk management is based on the best governance models, such as COSO and ISO 31000.

  • We have adopted a structure dedicated to corporate risk management with the objective of identifying, evaluating, controlling, treating and monitoring the risks associated with the companies described in the scope of this policy;
  • We identify and assess the risks associated with the organization's internal processes, identifying failures and deficiencies that may generate financial impacts materialized in losses, to mitigate and control risks, providing instruments for analysis and decision-making;
  • We classify risk events considering their probability of occurrence and financial impact;
  • We continuously monitor the risk management process, evaluating proposals for improvements;
  • We establish rules and procedures for risk management, respecting cost-benefit ratios, including those associated with activities provided by third parties;
  • According to pre-established criteria, the methodology allows the contracting of insurance to cover risks;
  • We maintain a risk and loss base, observing its scope, consistency, integrity and reliability;
  • We periodically prepare risk scenarios to assess exposure to external events;
  • We periodically review and evaluate the model used in risk management, through quality and precision tests, carried out by a separate or outsourced area, based on the best market practices;
  • We keep up-to-date documentation regarding risk management and senior management decisions related to risk management;
  • We periodically make public disclosure of information to the market to allow investors and other interested parties to verify how risks are managed;
  • We disseminate a risk management culture through awareness and training programs.