At Vale, we are committed to proactive and effective risk management to ensure the safety of our employees, partners, communities, and the environment, in line with our values, Code of Conduct, internal policies, and governance rules.

In our operations, we use industry best practices to assess and monitor key risks and opportunities and the effectiveness of our methodologies and tools. We use some of the most important global standards as references, such as ISO 31000, ISO 55000, COSO-ERM and, for operational safety, the Risk Based Process Safety (RBPS) management system. We have adopted the Three Lines of Defense model, which defines the roles and responsibilities for risk management throughout the organization, ensuring integrated governance and the adoption of the risk vision in our key macro processes.

In 2022, we revised our Risk Management Policy to further clarify risk management roles and responsibilities, enhance synergies across our lines of defense, and simplify processes. We also revised our Integrated Risk Map, a list of priority risk topics, and our Management Standard to incorporate new and modified risk management tools, including new business concepts and emerging risks, priority risk topics, and risk appetite definitions.

We foster a proactive risk management culture, guided by transparency and aligned with the company’s objectives, that adds value to the business by optimizing the flow of information needed for decision-making. We provide training for all employees to increase awareness of the benefits and importance of risk management. Additionally, we offer specific training for those responsible for management, enabling them to identify, evaluate and manage risks safely and efficiently.


Process Governance

The Board of Directors is responsible for periodically monitoring risks and their control mechanisms, and for ensuring systematic action through prevention or mitigation measures. The board is supported by the Audit and Risk Advisory Committee in assessing and monitoring the effectiveness and adequacy of the risk management system. Within the Executive Committee, five support committees (Executive Risk Committees) assist in managing risks within their respective areas of operation.
The integrated governance flow is based on the Lines of Defense concept, optimizing the communication flow for decision-making and reinforcing the alignment between strategy, performance, and risk management.

Photographer: Vale's Archive

Three Lines of Defense Model

1st Line:

This line of defense is responsible for identifying, documenting and managing risks, implementing and managing preventive and/or mitigation controls, tracking key performance indicators, and establishing action plans appropriate to the company’s risk appetite. 

2nd Line:

Integrated Risk Management (ERM):
Develop and support the implementation of policies, methodologies and tools for risk management, as well as promote integrated communication and disseminate the Company's risk management culture.

Specialists:
Define methodologies, minimum technical, technological and management standards, as well as risk and asset reliability indicators, to be mandatorily adopted by the 1st Line of Defense.

Monitor adherence to the defined guidelines.

3rd Line:

  • Perform assessments and inspections through the execution of control testing and the investigation of complaints, providing independent assurance, including on the effectiveness of management, risk prevention, internal controls, and compliance, within their respective areas of responsibility.
     
  • Incorporate the Risk Matrix into the development of the Internal Audit Plan.
     
  • Our Audit and Compliance Department is composed of Internal Audit, Corporate Integrity, and the Whistleblowing Channel, operating with full independence from management and reporting directly to the Board of Directors.

Autonomy: the Audit & Compliance function is independent of other executive functions, reporting directly to the Board of Directors. This function is overseen by the Audit & Risk Committee.

ERM Framework

Our risk management framework is structured around three essential pillars—people, processes, and systems—and encompasses the following stages: identification, analysis/treatment, monitoring, and reporting.

Risk Management is the process implemented by Vale across all levels of the organization, with the purpose of preventing the potential materialization and/or minimizing the negative impacts of risk events on the Company’s strategic objectives. It is designed to guide decision-making processes and inform stakeholders through guidelines aligned with Vale’s core value that underpins all its activities—life comes first.




All the company's risks must be mapped, evaluated, and monitored in accordance with governance and risk appetite, whether operational or non-operational, allowing the implementation of appropriate preventive and mitigating actions to achieve our organizational objectives and maximize performance with a focus on safety.

We have a single risk management information system, in which risks must be recorded and approved. The business risks, highlighted in the framework, are those that can impact the achievement of the general objectives of the business and the company's strategy.

Knowledge path for risk management training

We promote a proactive risk management culture that adds value to the organization and supports decision-making, aligned with Vale's institutional objectives.

Communication plays a key role in strengthening the culture of high performance and risk management. Transparent risk reporting is essential to reinforce the confidence of society, regulators, investors, and the market, demonstrating how we identify, evaluate, and treat our main exposures. This transparency has materialized in several mandatory and voluntary reports, such as the Form 20-F, the FRE, the Annual Report, and other governance publications that detail risks, controls and opportunities.

An important milestone in 2025 was the voluntary adoption of the ISSB¹ standards, an international reference for reporting risks and opportunities related to sustainability. With this initiative, Vale became the first mining company in the world and the first Brazilian company to adopt the standard, which will be mandatory in Brazil as of 2027. This decision reinforces our commitment to integrated, responsible risk management in line with global best practices.

Internally, we give visibility to risk management activities and results at all levels of the organization, providing information for decision-making, improving risk management activities and assisting in interaction with stakeholders, which strengthens Vale's Risk Governance model. The communication flow begins at the routine meetings of the 1st Line of Defense, with the participation of risk agents and support from the 2nd Lines, and evolves through the levels of the organization to the risk committees and advisory committees, promoting integrated communication.

Training continues to be a fundamental element in the development of our employees, leaders and risk agents, sustaining and strengthening the Company's risk management culture. We provide an online learning path in our internal learning system, which makes the development of the skills necessary for risk management more agile, accessible and effective. In 2025, we recorded significant progress in adherence to mandatory training for risk owners and control owners. In all, 29,386 people participated in the training programs promoted by Integrated Risk Management, expanding technical maturity and engagement in all lines of defense.
2nd Line of Defense Specialist (2LDE) for operational and geotechnical risks, driving technical excellence and ensuring operations independence.

2nd Line of Defense – Enterprise Risk Management (ERM) coordinating methodology, integration and standardization of risk management among all agents.


Key risks 

 

Our business, operations and performance are subject to various risks and uncertainties that may impact the achievement of our objectives, our reputation, as well as our financial condition and results of operations. Among the risks identified by the Company, we highlight those related to:

  • Geotechnical structures, such as dams, piles and pits;
  • Operations, including Process Safety, Occupational Health and Safety, and Environment;
  • Production, including licenses, concessions, resources, reserves, and mining rights;
  • Cyber Security;
  • Strategy;
  • Financial Management;
  • People, including Culture and Talent Management;
  • Sustainability and Communication, including Climate Change, Communities and Human Rights;
  • Compliance and Institutional Relations, including Legislative and Regulatory Changes.

For details on Risk Factors, see the Form 20-F.

Photographer: Vale's Archive

Emerging Risks

Focused on a more predictive risk analysis, Vale has the practice of identifying and managing not only the risks it faces today (present risks), but also the risks it may potentially face in the future (emerging risks¹). Managing emerging risks helps the Company anticipate possible scenarios while remaining attentive to adaptation as the external environment and strategy change.
Emerging risk management is an already consolidated process at Vale and plays a fundamental role in anticipating threats and strengthening business resilience. Throughout 2025, two semi-annual cycles were conducted in multidisciplinary forums, based on benchmarks, analyses of specialized reports and alignment with the Company's strategic planning. This structured process follows four main steps: identification of potential risks, review of the emerging risks list (watchlist), monitoring through fact sheets and indicators (KRIs), and periodic reporting to Senior Management.
¹ Emerging risks are those that are little known or present new conditions, with potential materialization within up to 5 years and a high degree of uncertainty regarding trend, severity and probability, frequently influenced by external factors.

Emerging risks 

Emerging risks are generally influenced by external factors and are therefore difficult to predict due to the high degree of uncertainty regarding their severity and the likelihood of occurrence.

Every year we update our prioritized list of potential emerging risks, with the involvement of a multidisciplinary team and based on various sources of information, such as market research, benchmarking, specialized reports and our strategic planning. In addition, we strive to identify risk indicators for each emerging risk, with the aim of contributing to the monitoring process.


Examples of emerging risks for Vale’s business:

Major Emerging Risks

Emerging risk: Intensification of extreme weather conditions, impacting operating sites, the production chain and communities

Types: The physical risks resulting from climate change can be classified as acute weather events or long-term chronic changes in weather patterns. Both have significant implications for Vale, due to the potential impact on neighboring communities, loss of biodiversity, reduction in production and damage to assets. These risks are especially worrying when different scenarios occur concurrently or sequentially, such as droughts followed by severe rainfall that can cause heavy flooding. These extreme weather events can also affect our value chain, disrupting the supply chain, outbound logistics and clients’ assets.

Strategies for prevention/mitigation: We have now mapped the potential impacts arising from extreme weather events across 100% of our operations, which allows us to better prepare for and respond to these challenges.

Emerging risk: Growing use of artificial intelligence (AI), which could increase disinformation and negatively impact internal decision-making

Types: The use of biased information in the training of AI systems or the generation of manipulated information (fake news and deepfakes) can generate disinformation about Vale and negatively influence public opinion. The increased use of AI tools internally at Vale increases the risk of creating AI systems with unexpected behavior, due to their training method, the information used in their training or the use of an inappropriate algorithm, which could lead to erroneous internal decision-making by leaders.