Risk Management

Risk is the effect of uncertainty on organizational objectives, manifested in many ways and potentially impacting all dimensions of the business. Business risk management focuses on the relevant potential risks that, if any, could impact people, communities, the environment, operational continuity, reputation and the achievement of the company's overall business objectives.
Vale has an integrated Risk Management Governance flow, based on the concept of Lines of Defense, which represents how periodic reviews are performed. The objective is to ensure the alignment between strategic decisions, performance, definition and monitoring of risk tolerance limits approved by the Company's Board of Directors, upon recommendation of the Executive Vice Presidencies.
Risk management governance in our company is evolving to strengthen the safety of people and operations.

Lines of Defense

Risk Governance

A very relevant step for our governance was to open the Risk Executive Committee in six executives committees with different scopes of activity, one of them entirely dedicated to geotechnical risk management.
We also fortified our defense line model with the new Executive Vice President Technical, which has a work plan in place.
In our dam assessments and management, we are implementing a very high level of rigor, with the most conservative methods.

1st Line of Defense

Composed of the executors of the Company's operational and business processes, being responsible for registering the risks identified in the entire chain of the operating model; for managing risks; for implementing the risk management controls and their respective action plans.
It is formed by the owners of the risks, that is, those directly responsible for keeping the risks within the tolerance limits defined at Vale; by the owners of controls, responsible for the implementation of prevention and mitigation controls, which are assigned to them by the owner of the risks; and by the executors of the processes in the operational, commercial, project, support and administrative areas.

Risk owners primarily responsible

Operate and maintain the integrity and reliability of assets, developing and implementing the performance of assets, both in operations, projects, support and administrative activities.
Immediately stop the operation of the asset(s) in the case of critical deviation(s) or in cases of total unavailability of the critical control elements that move the risk to the risk priority “Mandatory Risk Level Reduction” level;
Proactively implement and execute any mitigation or elimination actions that they deems necessary, whether for the transfer, sharing or rejection of risks of the “Mandatory Risk Level Reduction” level;
Manage risks directly, identifying, assessing, treating, preventing and monitoring risks in an integrated manner;
Continuously assess the applicability of the risk themes of the Integrated Risk Map to the activities and geographies under their responsibility;
Monitor risk compliance in order to comply with external regulations, internal policies and standards;
In the event of risks that present threats of materialization, the risk owner must immediately and proactively adopt the preventive and mitigating actions that they deem appropriate, without the need to obtain prior authorizations;
Subsequently, if any support or ratification by levels higher than that observed in practice is necessary, the request must be sent to the corresponding body or position, according to the response governance established in the Strategy and Governance in Response to Risks Tables;
Establish and implement Crisis Management protocols and Business Continuity plans for the risks under their responsibility, classified as of Very Critical and Critical severity; 
For risks, whenever applicable, with Very Critical and Critical impacts, simulated tests should be carried out in order to verify the efficiency and effectiveness of the Crisis Management protocols. The periodicity of the simulations must be defined by the 1st line of defense according to the criticality, observing local rules and specificities of the legislation and, according to internal normative documents, always following the most restrictive period;
Meet the guidelines, technical and minimum management standards defined by the 2nd Line of Defense;
Periodically monitor the risk management indicators in order to manage the effectiveness of the controls and plans associated with the risks under their responsibility;
Evaluate corrective action plans, proposals for continuous improvement of controls and/or implementation of new controls suggested by control owners, aiming at the continuous improvement of risk management.

Control owners primarily responsible

Manage the prevention and mitigation controls assigned to them, always ensuring the accuracy and timeliness of the information and security of the process, in accordance with the applicable legislation, internal policies and standards, and seek the correction of the controls, in case of detection of any deficiency;
Perform or review the control tests, respecting the frequency defined in the control
Inform the risk owner in case of deficiencies found in control verification tests, which may have an impact on risk prevention or mitigation, especially in the case of critical controls.

2nd Line of Defense (Enterprise Risk Management (ERM)) 

Main responsibilities

Develop and implement policies, methodologies, processes and infrastructure for integrated risk management;
Support the work of the 1st Line of Defense, providing training and methodological instrumentation in the Business Risk Management model;
Support and promote the exchange of knowledge and information, in order to disseminate the culture of management and risk prevention in the organization;
Support and monitor compliance with the business risk governance model;
Support external disclosure of official information regarding business risk management;
Consolidate the deliberations of the Business Risk Executive Committees for submission to the Executive Vice Presidencies, as well as monitor the conclusion of the recommendations, and the 2nd Specialist Defense Line are responsible for evaluating their technical effectiveness, when applicable.
The management of operational risk, which is the responsibility of the Executive Vice President Technical, corresponds to the performance as 2nd Specialist Defense Line on potential risks with impacts on the People dimension, and also on the potential geotechnical risks.

Check the responsibilities of the Executive Vice President Technical

Act as a technical axis in the definition of standards and standards for the management of Occupational Safety, industrial and geotechnics processes;
Act as a regulator and inspector in the management process of critical assets;
Maintain the integrated management system that ensures uniformity in the application of standards and good operational management practices.
Monitor and present the risks of operational processes with a level of Critical severity, in the forums indicated by the Operational Excellence and Risk Committee.
In addition to the responsibilities described above, the areas of the Executive Vice President Technical have all the responsibilities assigned to the 2nd Specialist Defense Lines.
In addition to the Executive Vice President Technical, which is the 2nd Line of Defense for Operational Risks, there are areas such as the Environment, Corporate Integrity, Social and Human Rights, not exhaustively, which should also act as the 2nd Specialist Line of Defense of the respective potential risks. All these ones have the following attributions:
Define methodologies, minimum technical, technological and management standards, risk and asset reliability indicators to be mandatorily adopted by the 1st Line of Defense;
Define methodology and technical criteria for the selection of critical control elements;
Perform independent checks (evaluation of effectiveness) of critical controls, related to relevant potential risks, performed by the 1st Line of Defense. In the exercise of their duties, if any deviation in the existing controls and barriers for risks with very high and high criticality is identified, it has the power to define immediate actions to be implemented by the 1st Line of Defense. In this case, they are able to take the decision to stop the operation of the assets, when applicable;
Act as support to the 1st Line of Defense, through the assessment of the concepts adopted, checking if the risks have mapped controls and if the barriers implemented are the best in each situation related to relevant potential risks;
Support in the identification of risks, the need to implement additional controls and non-conformities of existing controls and issue recommendations, provide technical support in the implementation of the model and standards for the management and prevention of risks and assets;
Evaluate the application of standards and indicators by the operational, commercial, project, support and administrative areas (1st Line of Defense), with independence and transparency;
List potential relevant risks in the specific Executive Committees, in case preventive action deliberations are required that require additional support.
The definition of which areas of the organization will act as the 2nd Specialist Defense Line is delegated to Vale's Executive Vice Presidencies.

3rd Line of Defense

The 3rd line of defense is made up of Internal Audit and the Whistleblower Channel, which are part of the Compliance Department, which also manages the Corporate Integrity area (2nd line of defense Specialist). The Compliance Department is totally independent from management, as it is an area that reports to Vale's Board of Directors and is supervised by the Audit Committee, which was installed in March 2020, with the election of its members and approval of its internal regulations. After the statutory reform of April 30, 2020, its composition and attributions started to be regulated in Vale's Bylaws, in order to comply with the rules of the Audit Committee regulated by CVM and the Novo Mercado Regulation, as well as the rules of Audit Committee applicable to Brazilian companies with ADRs listed on the American market).
The Internal Audit and the Whistleblower Channel carry out, subject to their respective areas of expertise, evaluations, inspections, through the execution of control tests and investigation of complaints, providing exempt assurance, including on the effectiveness of risk management and prevention, internal controls and compliance.

Internal Audit

Independent assessment of risk management, processes and internal controls, and compliance with internal laws and regulations, according to the annual work plan approved by the Board of Directors;
Consulting and advisory services provided that they are intended to add value and improve the governance, risk management and control processes, without the internal auditor assuming responsibility inherent to the duties of the process owners and the 1st and 2nd Lines of Defense;
Communication to responsible managers and competent governance bodies about exposure to significant risks and deficiencies in control.

Whistleblower Channel

Availability of a communication channel on violations of the Code of Conduct, which guarantees the anonymity of the whistleblower, ensuring control of the complaints received and their respective investigation;
Verification of all complaints received, preparing reports used to justify the consequences measures, among other adjustments in the company's internal processes and controls;
Systematic accountability on the progress of the complaints channel, its results and information, to the main governance bodies of the company, including the Conduct and Integrity Committee, the Audit Committee and the Board of Directors.
Risk management organizational structure
Key risks are periodically monitored, as well as the effectiveness of their key prevention/mitigation controls and the implementation of their treatment strategies. As such, Vale seeks to have a clear view of its main risks, acting on them in a systematic manner through the adoption of protection or mitigation measures.
To this end, the Company has an operational structure to check and monitor the policy and internal controls, with the Board of Directors being the body responsible for approving the Vale risk policies.
The Board of Directors is supported by advisory committees that, in general, are responsible for monitoring the scope of action and the effectiveness of the risk management of the business by the Board of Executive Officers, aligned with the guidelines set out by Vale's Board of Directors. Permanently, they are: the Financial Committee, Sustainability Committee, Operational Excellence Committee and Risks, People, Compensation and Governance Committee, the Audit Committee, Nomination Committee and Innovation Committee.
In order to fully understand the responsibilities of our Lines of Defense, click here and access our Policy.

Emerging Risks

In 2022, we defined an ongoing process for mapping and monitoring emerging risks that included the following stages:
  • Establishment of an Emerging Risk Intelligence Group (ERIG) composed of a multidisciplinary team with professionals from the most diverse areas of the company;
  • Periodic discussions of the ERIG based on market research, specialized reports on risk management, and other technical consultation sources;
  • Preparation of a collaborative tool for formalization and periodic updating of the emerging risks mapped, containing detailed description of the risk, mitigation and monitoring actions, a source for tracking trend and monitoring indicators; and
  • Presentation of the list of priority emerging risks to senior management.

We keep an updated list of these risks, validated with top management, and below are some examples:  
  • Transition risks for a low carbon economy
  • Geopolitical Tensions and International Sanction

Transition risks for a low carbon economy

 Risk Priority: High
  • Risks related to product substitution due to new technologies and/or processes
  • Changes in supply and demand , specifically for low carbon products;
  • Changes in policies, including carbon tax;
  • Climate-related litigations and reputational impacts;

Root cause

Transition risks are related to aspects:
  • Technological - substitution of products and/or processes by more efficient and/or current technologies;
  • Market - changes in supply and demand as a result of alternative products;
  • Regulatory and Legal - changes in public policies to restrict emissions or require adaptation to the effects of climate change imposing costs on emitters. Litigation due to non-compliance with policies to mitigate climate-related impacts;
  • Reputational - perception of consumers and investors about the company's adherence to the transition to a low carbon economy.


Potencial impacts:

  • Advent or discontinuity of some products in our portfolio;
  • Price increases or decreases due to changes in consumption behavior, impacting demand;
  • Increase in adaptation costs due to changes in consumption and/or changes in environmental legislation;
  • Increase / decrease in revenue due to changes in the demand for low carbon products; 
  • Negative impact on market value, credit rating and company reputation;  
  • Cost increase due to carbon taxation;
  • Reputational impact caused by commitments made and not fulfilled.


The main tools and initiatives that address these challenges are:

- Monitoring process of regulatory and policy trends related to the decarbonization theme on a global scale, using the technical precepts present in the Task Force on Climate-Related Financial Disclosures (TCFD) as a guideline;

- Emission reduction initiatives: 


  • Energy Efficiency Program and transition to renewable energy;

  • PowerShift Program - substitution of diesel by electricity and/or other non-fossil or lower intensity energy sources in mining and transportation activities;  

  • Increased participation of bioenergy as a transition fuel for our operations; 

- Monitoring of scope 1, 2 and 3 emissions with standardized metrics;

- Management of decarbonization initiatives, through Mac curve tools - Marginal Abatement Cost Curve, using the internal carbon price as a reference, to order and prioritize emission reduction projects;

- Participation in forums and discussion groups, promoting engagement with relevant stakeholders, aiming for excellence in the management of the theme;

- Transparency with stakeholders, through the annual publication of reports such as the Integrated Report, TCFD, and third-party questionnaires such as CDP and CA100+;

- Development of products and technologies that support decarbonization (e.g., iron ore pellets with near-zero CO2 for blast furnaces; premium products (>68% Fe) for the EAF (Electric Arc Furnace)  production route; partnerships for the use of technology to support the acceleration of the transition of blast furnaces to production routes with less CO2).


In 2020, the company conducted an analysis of the business resilience to climate change scenarios, based on International Energy Agency (IEA) scenarios, as suggested by the TCFD. 

Under a variety of climate change scenarios, Vale's EBITDA performs in a range of 90% to 140% regarding to the base case used in our strategic planning. This resilience is the result of a flexible portfolio, that can be adapted to different market conditions and that has a strategic positioning well aligned with the trends of transition to a low carbon economy. Our commodities will be at the forefront of the challenges and opportunities presented by the climate crisis. This analysis will be updated in 2023.

With governments adopting increasingly ambitious climate measures, the probability of implementing climate protectionism instruments increases. In the coming years, several carbon pricing mechanisms are likely to come into effect, in particular the EU's Carbon Border Adjustment Mechanism (CBAM); the inclusion of the steel industry in China's Emissions Trading Scheme (ETS); an own mechanism in Brazil, and potential tariff incentives based on the Green Steel Club that will include US-EU carbon intensity metrics.

Geopolitical Tensions and International Sanctions

 Risk Priority: High
Geopolitical Tensions could lead to a protectionist approach, disruption of international trade flows, extreme pricing, high volatility in the markets, with particular impact on the energy  sector, increased regulatory and contractual uncertainty. It may also lead to a cooling off of the international Sanctions scenario by imposing new restrictions on selling or purchasing products, or conducting business with specific countries, companies and individuals, bringing impacts to our productive chain.

Root cause​

The most common causes of geopolitical tensions are related to historical context, ethnic-religious rivalries, disputes over economically valuable natural resources, and territorial disputes.

Polarization creates uncertainties for the business and diplomatic environment, between key countries for the global mining industry, requiring continuous monitoring.


Potencial impacts:
  • Escalation of economic sanctions, including export banning, breaks in payment chains, reserves freezing, among others;
  • Possible global recession;​​
  • Increase of inflationary pressure on prices and costs;​
  • Reduction in international trade;​​
  • Supply chain disruptions;​
  • Possible increase in cyber attacks.​


Several measures have been adopted by Vale in recent years to prevent or mitigate the risk impacts, among them are:

  • Strengthening of the sanctions department;
  • Sanctions policy for group companies​​;
  • Daily monitoring of the sanction status;​​
  • Compliance Program;​​
  • Sanctions clauses in contracts;​​
  • Training and constant monitoring;​
  • Development of more automated control solutions and due diligence;
  • Intensification of market risks monitoring, especially freight, bunker and diesel, important components of the cost of the sold products;
  • Counterparties monitoring, which may be affected by lack of raw materials, sanctions or other potential crisis outcomes​;
  • ​Intensification of cyber risk controls;
  • Scenario analysis and economic modeling, as part of the strategic planning cycle, from the perspective of geopolitical trends affecting value chains;
  • Continuous monitoring of the political and geopolitical environments in which we operate, as well as of our main markets and closer relationships with governments and customers.


Geopolitical contexts have the potential to impact key markets, operations, and investments. Uncertainties in the business environment derived from geopolitical tensions may impact the company in several ways, such as the ability to sell/deliver products and restrictions on jurisdictions where the company can operate, maintain or establish new partnerships and/or supply chains.

Epidemics and Pandemics​

Risk Priority: High

Collective manifestation of a disease that quickly spreads, by direct or indirect contagion, until reaching a large number of people in a given territory (e.g. COVID-19, Ebola, Avian Influenza)​

Root cause​

Presence of viruses, bacteria and protozoa, carried by vectors or not, and that spread quickly reaching a large number of people, aggravated by the absence of control and mitigation measures and sanitary / public health deficiency.​



  • Death as outcome (increase in incidents, public and private health system overload);​
  • Possibility of chronic, permanent and disabling sequelae arising from SARS-COV-2 infection, especially in severe cases;​
  • Sanitary disruption of the operation (deterioration in relations with supervisory agencies);​
  • Increase in medical absenteeism;​​
  • Increased spending on supplementary health;​​
  • Loss of productivity;​​​
  • Partial or total disruption of activities​

Prevention / Mitigation​

In controlling of an infectious disease epidemic, it is important that cases are reported to the public health agency so that measures can be taken to prevent the spread of the disease to other locations.

  1. Strategies that can be adopted to contain an epidemic or pandemic are:
    • Self-assessment of signs and symptoms related to the disease;​​
    • Sanitary education;​​
    • Use of mechanical protection barriers (masks and physical distancing);​​
    • Identification and tracking of contacts; ​​
    • Segregation of groups at increased risk of greater potential for a death outcome (pregnant and immunosuppressed);​
    • Deployment of remote work where possible and appropriate;​
    • Restriction of domestic and international travels;​
    • Creation of an epidemiological barrier with the request for a complete vaccination certificate, as essential condition for access to the operations for own employees and third parties.​
  2. Humanitarian support actions in countries where Vale operates (community support):
    • Donation of medical supplies (e.g. diagnostic tests, health PPE);​
    • Installation and maintenance of temporary field hospitals in the most affected regions;​
    • Implementation of remote laboratories for molecular diagnosis of infectious diseases.


The distinctive character of epidemics lies in their collective and singular manifestation: collective as a phenomenon that affects groups of individuals causing changes in the "way of life” and singular as a unique occurrence in the unit of time and space.

​Based on information discussed at the World Economic Forum , Infectious Diseases (ID) and survival crisis lead the rank of predicted risks, ahead of other threats such as cybersecurity flaws. Infectious Diseases will represent a critical threat to the world for years to come. As an example, we can mention the COVID-19 Pandemic, which continues to cause devastation with a growing increase in the number of lives lost and impacting very strongly world economies.

Taking into account the emergence of new strains of SARS-COV-2, mainly the Omicron variant, with its infectious capacity 3-4 times greater than its predecessor, but with less offensive power (80% lower), it will directly reflect on the overcrowding of primary health care units, impacting on the lack of medical supplies, in addition to causing, according to the current literature, a possible impact of up to 20% on medical absenteeism for companies.​

Cyber Risks​

Risk Priority: High

Vale's businesses are heavily dependent on technological systems for the operations. In this way, cyber events or attacks can have a significant impact on the business. The cyber risk management discipline deals with situations where the availability, integrity and confidentiality of information and operational technology systems can be compromised.

Root cause​

The growth of cyber threat scenarios has been spread in the world and in 2020 the amount of ransomware attacks has grown significantly. The ever-evolving risks come from a variety of actors in this context, such as “nation-state”, cyber criminals, hacktivists and “insiders”, each with different motivations.​

It is noted that these cyber criminals have applied more aggressive techniques and continue - and sometimes increase - their activities in times of crisis as in the case of the COVID-19 pandemic.


  • Business disruption, generating financial loss or damage to security;​​
  • Loss of intellectual property,​​​
  • Negative impact on the company's market value, credit rating and reputation;​​
  • Lawsuits and fines, including criminal offences.

Prevention / Mitigation​

Diverse measures are taken to manage this risk in order to protect, detect and respond to cyber events, including information security policies and standards, security protection technologies, threat detection and monitoring, as well as periodic cyber incident simulations to test response and recovery plans.​

We have been sustained our investments in order to continually evolve our cyber defenses within the risk tolerance levels for enterprise systems layers.​

As for the layers of industrial systems and operational technologies, we significantly increased investments in order to improve the efficiency of cybersecurity controls in a way that is compatible with the threats aggravation in this area.

​​​We constantly maintain initiatives to strengthen the information security awareness culture in the organization. Encouraging vigilance among the employees and associates, we run a recurring training program covering topics such as email phishing, information classification, and other information security best practices.


We experience threats to the security of our technology systems, but none of them impacted our business in 2021.

Exposure to cyber risks is expected to increase due to our increasing dependence on technology as well as the increasing sophistication and frequency of cyber attacks.

Our cyber risk management committee assists the executive committee to continually oversee the progress of the Information Security program, as well as the effectiveness of our cyber security controls framework. Additionally, the audit committee and other advisory committees assist the board of directors to ensure that the internal controls are robust and sufficient to manage the information security in the company within the limits of tolerance for cyber risk.

Climate Change​

Risk Priority: High

Increased sense of urgency to address challenges that threaten not just the mining sector, but the entire society. Low carbon mining is one of our priorities for the coming years.

Root cause​

Physical events are considered chronic, such as the increase in the average temperature of the atmosphere, droughts, fires, strong winds, atmospheric discharges, sea level rise and changes in rainfall patterns and/or acute problems, such as extreme weather and maritime conditions.

​​​Transition events are related to changes in public policies to restrict emissions, climate-related litigation, demand changes for products and services, and the replacement of products due to new technologies and processes.


  • Interruption of operational activities, generating financial loss or damage to safety; ​​
  • Cost increase for infrastructure adaptation;​
  • Cost increase due to carbon taxing;​
  • Revenue increase/decrease due to demand changes for low carbon products; ​
  • Negative impact on the company's market value, credit rating and reputation; ​
  • Impact on the company's image;

Prevention / Mitigation​

The main tools used in face of these challenges are:

  • Recover and protect 500 thousand hectares of forests by 2030;​
  • Replacement of diesel with electrical energy in mining and transport activities, including trucks and trains;​
  • Global self-sufficiency in electrical energy through renewable sources by 2030;​
  • Energy Efficiency Program;​​
  • Use of Autonomous Trucks;​
  • Powershift Program (100% electric yard locomotive);​
  • Partnerships with major mining companies in the world market – The Charge On Challenge (complete electrification of surface mining vehicles - https://chargeoninnovation.com/);​
  • Target of reducing emissions by 33% for scopes 1 and 2 by 2030, and neutrality by 2050;​
  • Incentive to the development of low carbon projects;​
  • Emissions monitoring for the scopes 1, 2 and 3 with standardized metrics.


In 2020, the company carried out a resilience analysis of its portfolio to climate change scenarios, based on the National Energy Agency (AIE) scenarios. In the challenging context of decarbonization, our commodities will be at the forefront of the challenges and opportunities presented by the climate crisis.

​Also in 2020, it was developed the Vale Climate Forecast, a methodology that promotes the physical resilience of our operations to climate changes. The methodology makes it possible to identify potential operational and financial impacts due to climate variables, such as changes in rainfall patterns and temperature variation for all the company's operations.

Russia-Ukraine War​

Risk Priority: Very High

Escalation of the conflict could lead to disruption of international trade flows, extreme pricing, high volatility in the markets, with particular impact on the energy sector, increased regulatory and contractual uncertainty, and geopolitical tensions around the world.

Root cause​

Geopolitical tension between Russia and Ukraine, a NATO partner, has been increasing in recent years. And in Feb/22, Russia started a military operation inside Ukraine, leading to several negative impacts - direct and indirect - on several countries and affecting the world economy.



  • Escalation of economic sanctions, including export banning, disconnection of the swift in Russia, reserves freezing, among others;​
  • Possible global recession;​​
  • Increase of inflationary pressure on prices and costs;​
  • Reduction in international trade;​​
  • Supply chain disruptions;​
  • Possible increase in cyber attacks

Prevention / Mitigation​

Several measures have been adopted by Vale in recent years and others have been reinforced by the conflict, among them are:

  1. Creation and strengthening of the sanctions department:
    • Sanctions policy for group companies;​
    • Daily monitoring of the sanction status;​​​
    • Compliance Program;​​​
    • Sanctions clauses in contracts;​
    • Training and constant monitoring;​​
    • Development of more automated control solutions and due diligence.
  2. ​Monitoring of market risks, especially freight, bunker and diesel, important components of the cost of the sold products.
  3. Actions being taken to mitigate the effects of the conflict.:​
    • Monitoring of counterparties around the world, especially in Europe, which may be affected by lack of raw materials, sanctions or other crisis outcomes;​
    • Adjustments in our logistics chain.
  4. Intensification of cyber risk controls


Vale created a multidisciplinary committee, before the conflict beginning, to assess the possible impacts on the company, as well as possible prevention or mitigation actions.​​

The impact of the conflict on commodity markets is expected to be severe, since Russia is a major producer of several raw materials, such as 40% of the gas consumed by Europe, as well as an important oil supplier to the continent. This scenario may lead to the temporary paralyzation of operations of some stakeholders.​

​The medium-term impacts, such as a possible increase in other geopolitical tensions, are still uncertain. Asia is currently our main consumer market and any impact on its economy could have consequences for the company's results.

Read Also


Follow the progress of our reparation efforts

Read more

Board of Directors and Leadership

Meet our top leaders

Read more