C&A is committed to maintaining high standards of corporate governance, based on principles that promote transparency, equal treatment of shareholders, accountability and corporate responsibility.

The Company continuously seeks to improve its Corporate Governance structure and internal controls. The initiatives undertaken for that purpose include (i) adjustment of compliance and risk management structures and processes; (ii) introduction of corporate policies and operating procedures; (iii) improvement of integrity and anti-corruption policies and procedures; and (v) existence of compliance hotlines.


In 2019, when C&A went public and began trading its shares on the Brazilian stock exchange, it became regulated by Brazilian Corporate Law and regulations issued by the CVM and B3 S.A., which mandate the reporting of certain periodic information, including annual and quarterly information and the quarterly reports prepared by management and the independent auditors.

C&A also opted to follow the Novo Mercado Regulations of B3 S.A., voluntarily committing to comply with stricter corporate governance rules than those required by Brazilian legislation, as described below:

  • It has issued only common shares and maintains at least 25% of its capital stock in free float;
  • It has created a Board of Directors and an Audit and Risk Management Committee;
  • It has prepared and approved mandatory corporate documents, which are duly published on its Investor Relations website;
  • It has established the Corporate Governance management area, which reports to the Audit and Risk Management Committee; and
  • It has established a Governance Secretariat to support the Board of Directors, its advisory committees and the Executive Board.


C&A’s corporate governance structure was adapted in 2019 to comply with all the new requirements. Below you will find the purposes and main activities of the new structures:



We have established the Corporate Governance management area, which reports to the Audit and Risk Management Committee and is organized into four (4) pillars, as detailed below. The Company has taken all necessary measures to ensure appropriate independence and segregation of duties among the pillars.


The increasingly competitive, rigorous, digital and regulated business environment exposes the Company to various risks, and effective management of these risks is a differential that increases confidence in business plans and strategies. C&A believes that managing the risks (strategic, technological, operational, financial and regulatory) to which the Company is exposed is an important tool to prioritize efforts designed to prevent them from materializing. The main activities under this pillar include:

  • Defining the Company’s Corporate Governance guidelines, in line with best practices, standards and regulations in force.
  • Encouraging leadership to have a culture of governance and risk management;
  • Ensuring constant monitoring of its risk environment, reporting new risks to the Audit and Risk Management Committee when necessary;
  • Making decisions about risks, specific responses to new risks and changes in risk mitigation plans;
  • Safeguarding Policies and Procedures, in addition to the Risk and Control Matrixes of its processes;
  • Periodically evaluating adherence to internal controls and compliance with relevant obligations;
  • Monitoring changes in the internal control environment, providing an insight into the risks involved; and
  • Disseminating the culture of governance, risk and internal controls to employees and business partners, overseeing any necessary training and awareness programs.


The evolving and chaotic cyber world poses daily security and privacy challenges to all companies, and C&A keeps up with these trends and invests in the continuous improvement of its processes and tools, always respecting the laws and regulations in force. The activities of this pillar include:

  • Defining the Company’s information security, data privacy and identity management guidelines, in line with best practices and current security and data protection rules and regulations – including LGPD (Lei Geral de Proteção de Dados – General Data Protection Act), PCI (Payment Card Industry Data Security Standard) and ISO (International Organization for Standardization);
  • Helping identify and mitigate threats, as well as assess and measure technological risks;
  • Protecting and monitoring technology assets and the brand;
  • Responding to cyber security incidents, fraud and crisis management;
  • Defining a security architecture;
  • Managing the life cycle of data and accesses; and
  • Disseminating the culture of governance, security and privacy to employees and business partners, overseeing any necessary training and awareness programs.

The Security & Privacy pillar is also an essential part of C&A’s digital evolution process, being a partner in this journey.


The trend in the global competitive scenario is for organizations to build a management structure capable of earning trust through reputation. In this sense, integrity programs are designed to establish good corporate governance, having all the necessary characteristics to prevent abuse, fraud and corruption within companies.

At C&A, this pillar has two major pillars: (a) ensure compliance with relevant obligations, raising awareness of the involved areas and verifying compliance with relevant legal, regulatory, contractual, governance and internal obligations; and (b) ensure that the responses to risks defined by the Company are being applied in its internal control environment, either by improving existing controls or by creating new controls. The main activities under this pillar include:

  • Defining the Company’s Integrity Program, in line with best practices, rules and regulations in force;
  • Monitoring adherence of policies to relevant legal, regulatory, contractual and governance obligations;
  • Managing the Company’s compliance hotlines;
  • Investigating the complaints received by the compliance hotlines and submitted directly to the team, in addition to any deviations from indicators, reporting the result of the investigations to the Internal Ethics Committee and the Audit and Risk Management Committee; and
  • Disseminating the culture of compliance and ethics to employees and business partners, in addition to continuously monitoring integrity initiatives.


C&A’s Internal Audit is a hybrid function that combines a dedicated internal team and an independent company duly registered with the CVM. This function is the sole and exclusive responsibility of the Audit and Risk Management Committee and aims to provide an independent and objective evaluation of the quality and effectiveness of the Company’s governance processes, risk management and internal control environment. Its activities include:

  • Auditing processes to identify risks, vulnerabilities and opportunities for improvement throughout a business process, evaluating the design of controls and/or testing to ensure the execution of controls;
  • Checking whether business processes follow internal policies and procedures, as well as specific regulations and laws;
  • Performing comprehensive tests and issuing an opinion on the level of compliance of the activity; and
  • Identifying new risks, vulnerabilities and opportunities for improvement by evaluating and testing improvements in implemented controls.


It is imperative that Management (Directors, Committee Members and Executive Officers) have a clear understanding of the responsibilities inherent in their positions, that the governance guidelines and the code of conduct be aligned and that the information flow quickly and accurately between them. Thus, C&A’s Governance Secretariat is responsible for directly supporting all activities related to the functioning of the governance system, acting with autonomy and impartiality in its interactions with governance bodies and when proposing and/or implementing processes to promote best corporate governance practices.


The Internal Ethics Committee is an important body whose purpose is:

  • To monitor adherence to the Company’s integrity program and suggest adjustments when necessary;
  • To periodically assess integrity risks associated with the Company;
  • To ensure the correct functioning of compliance hotlines;
  • To evaluate the result of investigations of possible violations and recommend appropriate measures for violation incidents;
  • To review the Code of Ethics and related policies whenever necessary, submitting any suggested inclusions and/or changes to the Board of Directors for approval; and
  • To resolve doubts about the interpretation of the text of the Code of Ethics.