Business Risk Management Policy

This policy, approved by the Petrobras Board of Directors (Minutes CA 1.412, item 4, Agenda No. 53, 26-06-2015), is systematically applied to Petrobras Organizational Units and, in compliance with the corporate procedures, to its subsidiaries and affiliates, taking into account the peculiarities of each and the laws of each country.

It is also applicable, on an indicative basis, to enterprises that are controlled jointly and to joint and related operations, according to the corporate governance model of Petrobras.


1. Life must be respected in all its diversity and the rights, liabilities, facilities, processes, information, reputation and the image of Petrobras secured against threats arising from intentional or unintentional actions.

2. Risk management is part of Petrobras' commitment to act ethically and in compliance with legal and regulatory requirements in the countries where it operates.

3. Risk management must be aligned and consistent with Petrobras' Strategic Plan.

4. The risks should be considered in all decisions, and the management of those risks should be carried out in an integrated manner, taking advantage of the benefits of diversification.

5. The response actions should consider the possible cumulative, long-term and far-reaching effects of the risks, and should be prioritized according to value creation or maintenance for shareholders.


1. To strengthen the risk management philosophy as part of the corporate culture of Petrobras.

2. To take advantage of opportunities and anticipate the threats to our strategic, economic, financial, operational or compliance objectives.

3. To promote the uniformity of concepts and the integration of methodologies used in the identification, analysis, evaluation and treatment of risks in order to improve the reliability of information and transparency of the whole process.

4. To manage, in a proactive and comprehensive manner, the risks associated with business, management and support processes in order to keep them at a tolerable level of exposure.

5. To undertake risk management actions that contribute to efficacy, efficiency, effectiveness and economy.

6. To align risk management actions with the actions of the organizational units responsible for internal control, compliance and internal audit of Petrobras.

7. To ensure autonomy in the risk management process and segregation of duties between risk-takers and those responsible for monitoring it.

8. To ensure that managers, investors and other stakeholders receive a continuous, transparent and timely flow of information associated with the main risks and their management process at Petrobras, provided they comply with the degree of information confidentiality as well as with the corporate procedures, policies, guidelines and other internal rules of business and information security.

9. To ensure that employees and service providers (through contracts) receive risk management training that is adequate to their responsibilities.

10. To assure monitoring and critical analysis of risk management itself, as part of an ongoing process of improving corporate governance.


1. The Board of Directors of Petrobras

1.1. To approve Petrobras' risk appetite proposed by the Executive Board.

1.2. To systematically monitor risk management.

2. Petrobras' Audit Committee

2.1. To advise the Board of Directors in establishing global policies related to risk management.

3. Executive Board of Petrobras

3.1. To propose Petrobras' risk appetite, mainly, but not only, at the moment that its strategic objectives are defined.

3.2. To decide on necessary measures to ensure alignment between risk appetite and the execution of Petrobras' strategies.

4. Petrobras' Internal Audit

4.1. To systematically assess the risk management process and to recommend improvements.

5. Organizational Unit responsible for Corporate Management of Business Risk

5.1. To identify, prioritize, monitor and report periodically to the Executive Board, the Audit Committee and the Board of Directors the effect of the main risks on Petrobras' integrated results.

5.2. To promote the integration and capture the synergy of risk management actions among all organizational units, as well as among the other business, support and management processes.

5.3. To set the corporate risk management methodology, guided by an integrated and systemic view that allows continuous environment risk monitoring at all levels of the organization.

5.4. To disseminate knowledge on risk management.

6. Organizational Unit responsible for Specific Risk Management

6.1. To coordinate, promote, monitor and guide the risk management activities in their area.

6.2. To disseminate knowledge in the management of specific risks.

6.3. To determine the risk tolerance associated with the specific objectives defined for their area.

6.4. To support managers in developing and implementing the necessary measures to ensure the alignment of exposure to tolerable levels of risk.

7. Organizational Unit Holder (Manager)

7.1. To manage risks and to ensure the response actions under their responsibility.

7.2. To report in a timely manner to the designated manager any risk and information that may affect the activities and processes under the responsibility of a third party.