Overview

OVERVIEW

C&A is committed to maintaining high standards of corporate governance, based on principles that favor transparency, fairness of shareholder treatment, accountability and corporate responsibility.

The Company continually seeks to improve its corporate governance structure and improve its internal controls. Among the actions taken so far, we can highlight: (i) adequacy of compliance and risk management structures and processes; (ii) formalization of corporate policies and operating procedures; (iii) improvement of the integrity and anti-corruption policies and procedures; and (v) existence of a whistleblowing channel.

ADHERENCE TO MARKET REGULATIONS

As a publicly traded company, C&A is regulated by Brazilian Corporate Law, and regulations issued by CVM and B3 S.A., which define that every publicly held company must report certain periodic information, including annual and quarterly information and the quarterly management and independent auditors’ reports.

These regulations also oblige C&A to file at CVM the shareholders meetings agreements and calling notices, as well as the minutes of these meetings.

C&A has also opted to follow B3 S.A.’s Novo Mercado Rules by voluntarily subjecting itself to stricter Corporate Governance rules than those defined in the Brazilian law, by committing, for example, to:

  • Issue only common shares;
  • Keep at least 25% of the capital stock as free float (shares trading in the market that may not be held by the controlling shareholder);
  • Establish an Audit Committee;
  • Approve the internal regulations of the Board of Directors and its advisory committees;
  • Implement internal controls, risk management and compliance functions in the Company, among others.

DETAILS OF THE STRUCTURE

C&A’s Corporate Governance structure underwent by some adjustments in 2019, as part of its IPO preparation process, and is currently organized as follows:

The Company has taken all necessary measures, including the establishment of leadership positions, to ensure the appropriate segregation of duties between the areas within the Corporate Risk & Compliance Management, which includes the Internal Audit area.

Below we detail the objective and main activities of functions of our Corporate Governance structure.

RISK MANAGEMENT

The Risk Management department seeks to evaluate and monitor the strategic, technological, operational, financial and regulatory risks to which the company is exposed, providing a mechanism for prioritizing these risks and, consequently, a resource to direct efforts to mitigate their materialization. Among its main activities we highlight:

  • Ensure constant vigilance of the Company’s risk environment, reporting new risks to the Audit and Risk Management Committee, when necessary;
  • Anticipate and plan for possible failures, as well as maintain a practical and relevant safety margin;
  • Encourage the Company’s leadership to have a risk management culture;
  • Report risk management activities to the Audit and Risk Management Committee;
  • Make decisions about risk evaluation results, specific responses to new risks and changes in the planning of risk mitigation plans;
  • Continuously seek improvements in the risk management process; and
  • Oversee any necessary risk training and awareness programs.

INFORMATION SECURITY, IDENTITY MANAGEMENT AND DATA PRIVACY

The department’s main objective is to evaluate and monitor the internal control environment in order to protect the information and technological assets. Among its activities we highlight:

  • Define the Company’s security guidelines, respecting data protection laws and regulations;
  • Disseminate a security culture to employees, third parties and business partners;
  • Support the security threat mapping and mitigation, as well as assess and measure technological risks;
  • Protect and monitor the technology assets and the brand;
  • Define a security architecture;
  • Manage the access lifecycle;
  • Manage data lifecycle and ensure compliance with the local General Data Protection Act (“Lei Geral de Proteção de Dados”).

CORPORATE COMPLIANCE & INTERNAL CONTROLS

The department has two main objectives: (a) ensuring compliance with relevant obligations through a Compliance Program, raising awareness on the areas involved and verifying compliance with relevant legal, regulatory, contractual, governance and internal obligations; and (b) ensure that risk responses, as defined by the Company, are being applied in its internal control environment, either by improving existing controls or through new controls. Among its main activities we highlight:

  • Being the guardian of policies and procedures, in addition to the Risk and Control Matrix;
  • Periodically assess the effectiveness of internal controls and the compliance with relevant obligations;
  • Apply checklists and / or self-assessment questionnaires to evaluate processes;
  • Liaise with third party and certification auditors, and with internal and external auditors;
  • Monitor the implementation of audit action plans;
  • Evaluate the contacts received in the whistleblowing channel, conduct internal investigations and report the result of the internal investigations to the Internal Ethics Committee;
  • Define the procedures for hiring and monitoring third parties;
  • Conduct training on integrity issues, as well as continuous monitoring of integrity actions.

INTERNAL AUDIT

The department aims to provide to the Audit and Risk Management Committee an independent and objective assessment of the quality and the effectiveness of the Company’s governance, risk management and internal control processes, suggesting recommendations for improvements. Among its activities, the following stand out:

  • Audit processes to identify risks, vulnerabilities and opportunities for improvement throughout a business process, with assessment of the control design and / or with test to ensure control execution;
  • Verify that business processes follow internal policies and procedures, as well as specific regulations and laws;
  • Perform comprehensive testing and advise on the compliance level of the activity; and
  • Identify new risks, vulnerabilities, and opportunities for improvement by evaluating and testing improvements to implemented controls.

Internal Audit is a hybrid function, mixing internal team with an independent company, registered with CVM. The supervision of the function is the sole and exclusive responsibility of the Audit and Risk Management Committee.

INTERNAL ETHICS COMMITTEE

This important structure aims to (i) apply and monitor the Company’s integrity program, as well as suggest adjustments, when necessary; (ii) periodically review the integrity risks associated to the Company; (iii) establish the Company Whistleblowing Channel (“Canal Aberto”) and ensure its proper functioning; (iv) evaluate cases of violation to the Code of Ethics and recommend appropriate measures regarding the cases that effectively characterize a violation; (v) ensure compliance with the principles and guidelines contained in the Code of Ethics; (vi) revise, whenever necessary, the Code of Ethics, forwarding any suggestions for additions and / or amendments for approval by the Board of Directors; and (vii) decide on questions related to the Code of Ethics interpretation.