B3 has a strategic target of continual enhancements to corporate governance structure. To this end, it invests in human capital, in infrastructure and in technology solutions for the implementation of best practices regarding internal controls, process management, corporate risk mitigation and financial modeling, compliance, information security and business continuity.
Our Governance model has four lines of defense:
1st line: Business areas
How do these work? These are the principal responsible parties for managing business risk and internal controls to ensure that operational and strategic goals are met.
2nd line: Internal Controls, Compliance and Corporate Risk
How does this work? By guiding and offering assessments on internal controls, risk and compliance, supporting decision-making by the company’s business and management areas. It is steered by the best practices and methodologies adopted in the following processes:
- Corporate governance of processes
Methods established for standardized documentation, analysis and process monitoring, with two main objectives:
- Process management: advisory role to the business areas, for generation of a standardized processes structure to support operations and for compliance with the governance structure (corporate risk, internal controls, Compliance, business continuity and internal audit) of B3 and the regulatory bodies.
- Continuous enhancement of processes: provision of tools that help business managers to construct and analyze process performance and risk indicators, enabling continuous enhancement actions for the processes for which they are responsible.
- Corporate risk management
Encompasses the identification, assessment, treatment, surveillance and communication of strategic, operational, financial and regulatory risks, from two perspectives:
1. Top-down approach: an overview of risks that compromise the Company’s strategic targets.
2. Bottom-up approach: accompanying the main risks through the detailed context of the Company’s operational processes and controls (see the “Process Management” item).
Both perspectives provide a map of the principal events that could compromise the Company’s strategic targets, supplying a mechanism to prioritize these risks, and consequently a tool for directing efforts to mitigate their appearance.
- Assessment of risk management models:
A pre-implementation, independent assessment of the counterparty risk management models that B3 has developed. There is also continuous assessment of the models used in the counterparty risk management activities of the B3 Clearinghouses.
- Macroeconomic monitoring:
Identification and monitoring of possible political, social and economic scenarios, to assess their impact on B3’s operating revenue.
- Supervision of compliance with the applicable legislation and rules:
Monitoring updates to local and international legal and regulatory frameworks and jointly assessing, with the business areas, their impacts on B3’s activities, complying with applicable legal and regulatory changes and continually identifying opportunities to enhance its processes.
- Supervision of the internal controls environment:
Assessment and continuous monitoring of B3’s internal controls system for risk mitigation. Also responsible for Anti-Fraud Program development and application through monitoring the implementation of plans of action for treating failures or for risk mitigation, and through compliance with the Central Bank of Brazil and external auditors.
- Integrity program management:
The B3 integrity program seeks, together with the Legal Department:
i) to constantly disseminate the company’s values and commitments towards combating corruption, widely publicizing its abuse complaint channels and its corporate training on the subject;
ii) to guide managers, employees, interns and business partners towards adopting a proactive posture for the prevention and identification of suspicious behavior, in accordance with local and international best practice.
- Information security:
With activity shared between the Corporate Risk and IT areas, Information Security is a strategic pillar for B3. It resolutely protects assets (people, processes and technology) by defining and adopting security strategies.
Its principal activities are:
- defining security guidelines;
- disseminating a security culture among employees and collaborators;
- providing support for mapping and mitigating threats and for risk measurement and assessment;
- protecting and monitoring technology assets;
- defining security architecture;
- managing the life cycle of accesses.
- Business continuity management:
B3 invests in business continuity strategies and best practices to meet its operational excellence target. It offers a structure that allows the development of organizational resilience and a capacity to respond to unexpected events.
Business continuity management encompasses:
- Impact Analysis: constant review of critical processes and their requirements and of recovery strategies;
- Business Continuity Plan: a combination of structured documents that detail the activities necessary to recover B3’s critical processes and to reduce impacts caused by an interruption;
- Crisis Management Plan: establishes the crisis-management and response structure, backed by the necessary levels of authority and competence for assuring resumed decision-making and effective communication with the parties;
- Tests program: B3 draws up an annual calendar of tests for the business continuity plan’s components. Tests are monitored in loco by the Internal Audit and their results are presented and analyzed by the Company’s governance bodies and by the Regulators.
3rd line: Internal Audit
How does it work? The internal audit monitors, assesses and makes recommendations, seeking to enhance internal controls and the policies and procedures established by management.
Internal audits provide the Board of Directors, Audit Committee and senior management with broad assessments based on the highest level of independence and objectivity within the organization. The internal audit provides assessments on the effectiveness of governance, risk management and internal controls, including how first and second lines of defense achieve risk management and control goals.
To reach the goals, the B3 internal audit adopts the international internal auditing standards as recommended by The Institute of Internal Auditors (The IIA).
4th line: Independent External Audit
How does it work? It reviews financial statements to check that they contain no significant inaccuracies and that they have an appropriate structure. The Central Bank of Brazil and the Securities and Exchange Commission of Brazil (CVM), as regulatory supervision bodies, assess whether the Company has adequate infrastructure for the execution of its systemic activities and for compliance with the prevailing rules.
In addition to environment monitoring via these four lines of defense, the Company’s Board of Directors is assisted in risk management surveillance by the following committees:
How does it work? It monitors and validates the quality of the internal audit and of the independent external audit. It assesses the financial statements of the company and its subsidiaries. It supervises the area responsible for drawing up the statements and for the other attributions foreseen in the corporate bylaws and prevailing regulations. It also assesses the effectiveness and sufficiency of the structure of internal controls and risk management, encompassing legal, tax and labor risks.
Risk and Financial Committee
How does it work? It monitors and assesses the liquidity, credit and systemic risks of the markets in which the company operates (with a strategic and structural focus) and assesses the financial position and capital structure of the company.