At Vale, we are committed proactive and effective risk management to ensure the safety of our employees, partners, communities, and the environment, in line with our values, Code of Conduct, internal policies, and governance rules.  

In our operations, we use industry best practices to assess and monitor key risks and opportunities and the effectiveness of our methodologies and tools.  We use some of the most important global standards as references, such as ISO 31000, ISO 55000, COSO-ERM and, for operational safety, the Risk Based Process Safety (RBPS) operational safety management system. We have adopted the Three Lines of Defense model, which defines the roles and responsibilities for risk management throughout the organization, ensuring integrated governance and the adoption of the risk vision in our key macro processes. ​

 In 2022, we revised our Risk Management Policy to further clarify risk management roles and responsibilities, enhance synergies across our lines of defense, and simplify processes. We also revised our Integrated Risk Map, a list of priority risk topics, and our Management Standard to incorporate new and modified risk management tools, including new business concepts and emerging risks, priority risk topics, and risk appetite definitions​

We foster a proactive risk management culture,  guided by transparency and aligned with the company’s objectives that adds value to the business by optimizing the flow of information needed for the decision-making process.   We provide training for all employees to increase awareness of the benefits and importance of risk management. Additionally we offer specific training for those responsible for management, enabling them to identify, evaluate and manage risks safely and efficiently

Click on the buttons below to navigate the page:

Process governance 

The Board of Directors is responsible for periodically monitoring risks and controls and ensuring that systematic action is taken accordingly, including both preventive and mitigation measures. The Board is advised by an Audit & Risk Committee in assessing and monitoring the effectiveness and adequacy of our risk management system. Within the Executive Committee, five supporting committees (Executive Risk Committees) assist in risk management as applicable to their scope of activity. 

Vale’s integrated governance model is based on the Lines of Defense approach, which helps to optimize communications for decision-making and enhance alignment across strategy, performance and risk management.  

Phtographer: Vale's Archive

The Three Lines of Defense Model  

1st Line 

This line of defense is responsible for identifying, documenting and managing risks, implementing and managing preventive and/or mitigation controls, tracking key performance indicators, and establishing action plans appropriate to the company’s risk appetite. 

2nd Line:

ERM: this function develops and assists in implementing risk management policies, methods and tools, promotes integrated communications, and works to disseminate a risk management culture within the Company. 

Specialists: responsible for developing methods, technical standards, technology, minimum management requirements, and risk and asset reliability indicators used by the 1st Line of Defense, and for monitoring compliance with established guidelines. 

3nd Line:

The Internal Audit is responsible for independently evaluating the effectiveness of internal controls and risk management practices within the Company, while the Whistleblower Channel is responsible for receiving, documenting and investigating whistleblower reports, with whistleblowers kept anonymous and protected from retaliation.  

Governance bodies that are fully independent from the Board of Directors—namely the internal audit and the whistleblowing channel—perform independent assessments and audits as applicable within their mandates, including assessments on the effectiveness of risk management and prevention, internal controls and compliance. 

Autonomy: the Audit & Compliance function is independent of other executive functions, reporting directly to the Board of Directors. This function is overseen by the Audit & Risk Committee.  

Framework ERM

Our risk management framework is structured around three essential pillars - peolple, processes and systems - providing an integrated and effective approach. This model guides all stages of the risk management cycle, from identification and analysis/treatment to monitoring and reporting, ensuring informed decision-making aligned with best governance practices.




All company risks must be mapped, assessed, and monitored according to governance and risk appetite, wether they are operational or non-operational, allowing for the implementation of appropriate preventive and mitigating actions to achieve our organizational objectives and maximize performance with a focus on safety.

We have a single risk management information system, in which risks must be recorded and approved. Business risks, highlighted in the framework, are those that can impact the achievement of overall business objectives and the company's strategy.

Risk Management Culture

Communication plays a fundamental role in strengthening the culture of high performance and risk management. Therefore, in 2024, we improved our analyses and enhanced the quality of risk management reports developed for each Vice Presidency and Executive Risk Committee.

Additionally, we launched the Integrated Risk and Insurance Management Portal, a unique environment that connects the Lines of Defense and enhances internal communication about risk processes. This portal integrates governance, methodology, and key indicators, providing greater transparency and efficiency in decision-making.

Training remains a fundamental element in the development of our employees, leaders, and risk agents. In 2024, we revamped the knowledge track, making it more agile, accessible, and effective for developing the necessary competencies for the integrated risk management process. As a result, approximately 24,000 employees were trained, of wich 3,474 received specific training for risk and control owners.


 

Risk Management Organizational Structure

com.liferay.portal.kernel.util.DateUtil_IW@57489ca9 com.liferay.portal.kernel.util.DateUtil_IW@57489ca9
2nd Line of Defense Specialist (2LDE) for operational and geotechnical risks, driving technical excellence and ensuring operations independence.​

2nd Line of Defense – Enterprise Risk Management (ERM) coordinating methodology, integration and standardization of risk management among all agents​.

Key risks 

 

Our risk management strategy considers the impact on our business of market risk factors (market risk), risks associated with dams, slopes and ore piles collapses (geotechnical risk), risks associated with inadequate or failed internal processes, people, systems or external events (operational risk), risks that may suspend or materially affect the performance of our operations (production planning and continuity risk), risks associated with our business model, ESG, political and regulatory conditions in countries in which we operate (strategic risk), risks associated with social and human rights, climate change (sustainability risk), risks from exposure to legal penalties, fines or reputational losses associated with failure to act in accordance with applicable laws and regulations, internal policies or best practices (compliance risk), risk associated to information security (cyber risk), risk associated to credit from trade receivables, derivative transactions, guarantees, down payment for suppliers and cash investments (financial risk), among others. 

 

Further information on risk factors can be found in our Form 20F report.

Photographer: Vale's Archive

 

We work to continuously refine and enhance our risk management processes for aspects such as dam management and operational safety. Dam safety is a major challenge for the mining industry and especially for Vale, following the Brumadinho dam breach, with growing public concern about the risks associated with mining dams and the sense of insecurity in downstream communities. Since 2019, we have made it our top priority to implement internationally recognized best practices, including the new Global Industry Standard on Tailings Management (GISTM), and have committed to decommission all upstream-raised dams. We also apply the Hazard Identification and Risk Assessment (HIRA) approach in mapping and assessing high-consequence or high-hazard safety risks, defining key performance indicators, and establishing appropriate controls and mitigation plans.

Emerging risks 

Emerging risks are generally influenced by external factors and are therefore difficult to predict due to the high degree of uncertainty regarding their severity and the likelihood of occurrence.

Every year we update our prioritized list of potential emerging risks, with the involvement of a multidisciplinary team and based on various sources of information, such as market research, benchmarking, specialized reports and our strategic planning. In addition, we strive to identify risk indicators for each emerging risk, with the aim of contributing to the monitoring process.

Fotógrafo: xxxx

Examples of emerging risks for Vale’s business:

Major Emerging Risks

Emerging risks Types Strategies for prevention/mitigation
Intensification of extreme weather conditions,
impacting operating sites, the production chain and communities
The physical risks resulting from climate change can be classified as acute weather events or long-term chronic changes in weather patterns. Both have significant
implications for Vale, due to the potential impact on neighboring communities, loss of biodiversity, reduction in production and damage to assets. These risks are especially worrying when different scenarios occur concurrently
or sequentially, such as droughts followed by severe rainfall that can cause heavy flooding. These extreme weather events can also affect our value chain, disrupting the supply chain,
outbound logistics and clients’ assets.
We have now mapped the potential impacts arising from extreme weather events across 100% of our operations, which allows us to better prepare for
and respond to these challenges.
Growing use of artificial intelligence (AI),
which could increase disinformation and
negatively impact internal decision-making

The use of biased information in the training
of AI systems or the generation of manipulated
information (fake news and deepfakes) can
generate disinformation about Vale and
negatively influence public opinion. The increased use of AI tools internally at Vale
increases the risk of creating AI systems with
unexpected behavior, due to their training
method, the information used in their training
or the use of an inappropriate algorithm, which
could lead to erroneous internal decisionmaking by leaders.