Risk management Policy

1. Purpose and Scope of the Risk Management Policy

The risk management policy should document all relevant aspects of risk management within MAHLE Metal Leve S/A (MAHLE) to ensure a common understanding among the MAHLE Management Board (executive officers), the risk committee, the risk management organization and all relevant managers and employees who are affected by risk management.

The main contents are to describe, explain and document:

  • all relevant definitions regarding risk management in general
  • the risk strategy and risk policy principles
  • relevant legal requirements
  • the scope of the related legal and management entities
  • the risk management process including risk reporting and risk controlling
  • the risk management organization at MAHLE
  • the key risk figures like maximum risk exposure, single risk tolerance, risk impact, risk likelihood and risk value

The policy is valid for MAHLE and for all companies in which MAHLE holds the majority stake, directly or indirectly. All employees of these companies and their boards must adhere to this manual and must ensure its implementation. Furthermore, it is applicable to foreign companies of MAHLE, provided that MAHLE holds a direct or indirect majority of voting rights. If a direct application of the regulation is not possible due to deviating country-specific legal regulations, then adequate regulations must be specified and documented by the foreign company controlled by MAHLE.

The rules are adapted to MAHLE’s risk level in order to fulfill the CVM (Comissão de Valores Mobiliários) requirements.

2. Definition of Risk and Risk Management

Within this policy, risk is defined as any internal or external development that jeopardizes the achievement of the goals and objectives of MAHLE. Risk can be of a strategic nature (“Are we doing the right things?”) as well as of an operative nature (“Are we doing things in the right way?”). More precisely, risk is the possible negative deviation from the planned/budgeted profit within the business planning process of MAHLE.

Risk management is the process of systematically identifying and controlling threats that might impact the company’s goals. This process needs to be consistently applied across all sections of MAHLE (see scope chapter 1) and it should be cost effective and proportionate to the risks being managed.

3. Risk Strategy and Risk Policy Principles

The MAHLE risk strategy determines that risks should only be taken to increase the enterprise value, while risks that would endanger the continued existence of the company are to be avoided. To comply with this risk strategy, risk-related actions should be in line with the following risk policy principles for MAHLE itself, including all the subsidiary companies (see scope, chapter 1) and all employees:

  • The corporate goals and the entrepreneurial activities are target- and future-oriented, with strict observance of the legal framework and ethical principles.
  • If opportunities arise both within the framework of the business and the market as well as in accordance with the corporate targets, MAHLE will take advantage of these opportunities. The risks related to this topic will be recognized systematically and reduced to a minimum by strategies and measures of the risk management organization considering the possible profitability. In this context even a conscious decision to take a risk is part of management decisions.
  • In conclusion it can be said that risk management always has to deal with different levels of risks in order to increase and protect the enterprise value. In the following chart the addressed risk assessment is illustrated as an example:

Chart 1: Comprehensive view of risks

  • An important element of MAHLE’s risk strategy is to keep its business activities focused on the core business of products for, for example, the automotive, industrial and service markets. That implies, for example, that MAHLE uses financial market instruments like derivatives only to balance risks from its core business (e.g. exchange rate risks) but not with the objective of making speculative profits.
  • The control of the occurring risks at MAHLE can be summarized in the following strategies (the list includes the main elements but is not to be seen as complete):
    • Avoidance of risks:
      • Violation of any law or regulation
      • Endangering the future existence of the company
      • Negative effect on the reputation
      • Endangering profit
      • Adverse influence on the safety of all stakeholders
    • Limitation / Mitigation of risks: This refers to risks which could not be prevented. Therefore MAHLE defines additional mitigating control measures for the respective risk in order to make sure the impact is lowered to acceptable levels, e.g.:
      • Exchange and interest rates
      • Develop backup solutions for single suppliers
      • For most of the existing business risks mitigation measures and controls have to be defined
    • Transfer or partial transfer of risks, e.g. to insurance:
      • Product liability and recall issues due to quality problems
      • Fire, flood, explosion, earthquake, tornados and other severe damages
      • Production interruption and consequential damages
      • Fraud or negligent behavior of management
      • Theft
      or to third parties through contractual regulations (e.g. supplier warranty agreements)
    • Compensation of risks: This occurs when the risk impact is offset by the benefits involved. For example, an obsolete technology is replaced by a new technology whose advantages compensate for the investments made.
    • Acceptance of risks: This is a “control” as well in case the costs to avoid or mitigate risks are not in an appropriate relation to the risk impacts, e.g. there would only be the possibility for the segregation of duty by increasing staff but the risk impact of the possible fraudulent activity would be much lower than personnel costs. The acceptance of risks must be supported by a calculation shared with and validated by the respective risk experts (see attachment 1).
    • For many risks, these responses to risks may be applied in combination.
  • Further principles regarding risk management at MAHLE are:
    • Risk management is aligned with and embedded within MAHLE’s strategy and its divisions. It focuses on identifying and managing risks in all business units.
    • Key roles and responsibilities for the company-wide coordination as well as the control of the risk management system including the determination of duties are clearly defined and communicated within the organization.
    • A common risk definition is used consistently throughout MAHLE.
    • Governing bodies, as for instance the management board or board of directors, have appropriate transparency and insight into the organization’s risk management practices to perform their responsibilities.
    • MAHLE managers at all levels are responsible for implementing and executing risk management within their responsible areas. Furthermore, the managers are responsible for the operational and daily risk management within their function.
    • The company-wide risk management policy should interact with other management systems (e.g. Internal Controls systems).
    • The operational structure for all sub-areas of the risk management system, especially the risk identification, risk control, communication and monitoring, is determined and documented within the present policy.
    • The common risk management policy and related policy are used throughout the organization to manage risks.

4. Legal Requirements

MAHLE Metal Leve S/A (MAHLE) is listed on the Highest Corporate Governance Level named “Novo Mercado” at the B3 stock exchange in São Paulo.

Therefore the specific regulations of the Securities Commission of Brazil (CVM, currently CVM 552) are relevant for the company and its subsidiaries.

According to the aforementioned regulations, MAHLE has to describe the following main topics within the disclosure of the Reference Form to the commission, at least on an annual basis:

  • The existing risk management policy and the governance body that approved it.
  • Describe, quantitatively and qualitatively, the main market risks, including the exchange and interest rates risks.
  • State the goals and strategies of the risk management policy including: for what risks the company seeks protection; the instruments used for protection and the organizational structure for risk management.
  • Describe the internal controls with regard to financial statements such as: main practices of internal controls, and their level of effectiveness; the involved organizational structures and how the efficiency of internal controls is overseen by the management, mentioning the title/position of the responsible persons. MAHLE’s Internal Control System in place must describe the key controls with regard to financial statements (disclose the main controls in 5.3).
  • More detailed disclosure about the relevant findings and recommendations reported by the financial statements (independent) auditors in the management letter and the respective actions taken by the company.

5. Roles and responsibilities within the risk management system at MAHLE

As part of the existing organizational form, the following risk management functions are responsible at the various levels of the group. In particular these are:

  • Board of Directors (“Conselho de Administração”):

The board of directors of MAHLE is responsible for controlling the MAHLE management board with regard to the implementation of an appropriate risk management system for MAHLE and consequently approves the risk management policy.

  • Management Board (“Diretoria”):

The management board is responsible for the lawful implementation and continuous functionality of the risk management system considering the efficiency and adequacy of the individual measures. Within this responsibility the board also has to define the corporate targets, the risk policy, the risk fields, the risk appetite and the general guidelines for risk management. According to COSO (Committee of Sponsoring Organizations of the Treadway Commission) risk appetite is the amount of risk, on a broad level, an organization is willing to accept in increasing the company value. Each organization has various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.

Furthermore, the board has the task of understanding the most significant risks as well as managing the organization in a crisis. The management board has to ensure the integration of the risk management system into the organization of the company and to take measures for the advancement of the risk culture within MAHLE.

If topics arise which need to be decided immediately, ad-hoc meetings of the management board take place. Risk management topics regarding changes in documentation, communication, responsibilities etc. are determined by the management board, following the main instructions from the Board of Directors. The management board is responsible for monitoring the mitigating activities and taking the appropriate countermeasures.

  • Risk manager (“Auditoria Interna Brasil”):

The task of the risk manager is to develop the risk management system and keep it up to date. Besides that, he/she is responsible for the documentation of the internal risk policies & structures and the coordination of the risk management activities. Preparing reports for the Management Board as well as compiling risk information is also a duty of the risk manager. Furthermore, the task includes, for instance, the

  • Assurance of the internal and external risk management requirements
  • Set-up of regular risk assessments
  • Validation of reported risks
  • Consolidation of the risk reports
  • Monitoring of the implementation of mitigating activities
  • Best-practice set-ups for risk mitigation
  • Training of employees

  • Risk Expert / Business Units, Shared Services and BU Functions Heads:

Within MAHLE the risk experts are usually the heads of Business Units, Profit Centers, group companies, functions etc., who have to ensure the implementation and correct application of appropriate risk management systems to detect and control risks in their area. Furthermore, they have to report the risks within their area of responsibility according to the reporting requests within the risk management process and/or have to validate the reported risks of their risk coordinators and risk reporters.

  • Internal Audit:

Both the development of a risk-based internal audit program and the audit of risk processes across the organization are tasks of the Internal Audit. Besides that the department is responsible for the reporting on the efficiency and effectiveness of internal controls and risk management systems.

 

  • External Auditors:

The external auditor is responsible for the examination of the adequacy and functionality of the risk management system as an external body during the audit of the annual financial statement.

  • Individual employees:

Every single employee within MAHLE has to understand, accept and implement the relevant risk management processes defined within the present manual. Therefore the employees have to proactively report current or possible future inefficient, unnecessary or unworkable controls and loss events. To achieve the listed objectives, close cooperation between the management and the employees on incident investigations and other aspects is necessary. In addition, MAHLE must provide the necessary training and communications to the employees.

6. Risk management process

The next chapters comprise the main relevant steps of the risk management process at MAHLE:

 

6.1 Risk identification

The risks are identified based on risk assessment workshops organized by the Risk Manager involving the risk experts defined by the management board. Within the workshops the risk questionnaires are assessed and further risks can be added. It is recommended that the questionnaires be filled in beforehand by the risk experts in order to increase the efficiency of the workshops.

Such risks are translated into monetary amounts and likelihood scales (see topic 6.2). To identify risks, the following main instructions must be observed (same structure as the initial questionnaire):

  • Risk is based on profit impact which is not covered in the budget and strategic plan by events such as: further costs, expenses, penalties, reduction of sales and so on.
  • Risk has to be calculated over a one-year period.
  • Existing mitigations have to be deducted; the exceptions are insurance coverage and provisions, which are not deducted so that problem fields are not forgotten during risk identification.

In addition, individual employees must report new risks or changes in the risk assessment at any time to the respective risk experts, who will evaluate them and report to the Risk Manager in case the amounts reach the thresholds mentioned in topic 6.4.

6.2 Risk assessment

The criteria for risk assessment aim to combine both quantitative (financial impact) and qualitative (e.g. image) factors:

 

Figure 1: Criteria for risk assessment

The figure demonstrates that the impact and likelihood are the main drivers for calculating the risk value, which are influenced by risk factors: image, speed, detection, occurrence and mitigation. The criteria are described below.

The categories for the profit risk impact are:

Range   BRL (Mio)
1       2-4
2       5-20
3       21-40
4       41-100
5       101-200
6       201-400
7       401-1.000
8       1.001-1.600
9       > 1.600

The criteria for likelihood of future events are:

Range   %          Occurrence
1       1%-2%      Less than once in 50 years
2       3%-10%     Once in 10-50 years
3       11%-30%    Once in 5-10 years
4       31%-50%    Once in 3-5 years
5       51%-70%    Once in 2-3 years
6       71%-90%    Once in 1-2 years
7       > 90%      Once a year

The profit risk impact is multiplied by the likelihood to calculate the individual risk value for each risk per participant. The following factors are used to better support the profit risk impact and likelihood.

a) Image impact caused by risk materialization:

Range Description
1 Negligible
2 Low
3 Moderate
4 High
5 Critical

b) Speed between event occurrence and possible impact:

Range Description
1 Outside the horizon
2 Long Term
3 Medium Term
4 Short Term
5 Immediate

c) Detection is the control level to enable the identification of the risk occurrence (e.g. regular monitoring performed by head of the department to evaluate the past transactions):

Range Description
1 Control very robust
2 Control with high effectiveness
3 Control with moderate effectiveness
4 Control with low effectiveness
5 Control ineffective or not existing

d) Occurrence based on past events:

Range Description
1 Once in 20-50 years
2 Once in 10-20 years
3 Once in 5-10 years
4 Once in 2-5 years
5 Once a year

e) Mitigation level of the controls in place to reduce or eliminate exposure and / or impact:

Range Description
1 Control very robust
2 Control with high effectiveness
3 Control with moderate effectiveness
4 Control with low effectiveness
5 Control ineffective or not existing

 

The evaluation of the risk factors above should be reflected in the risk calculation of impact and likelihood, e.g. a high score attributed to image risk should lead to a high profit risk impact. A possible score model combining the risk factors and the respective impact and likelihood can be defined by the MAHLE Management Board, aiming at a more accurate risk assessment.

There must be countermeasures (mitigation controls) assigned by the risk experts following the thresholds in attachment 2. The countermeasures (mitigation controls) must have the following minimum attributes:

  • Control coverage (business process, business unit, general ledger account and so on);
  • Control design must focus on the risk assigned following the methodology 5Ws and 2H, in order to have a better description: WHAT – Definition what is the mitigation control;  WHY – Reasons and objectives of the mitigation control; WHO – Who participates, shall do, shall monitor; WHERE – The department/company involved; WHEN – The moment, the frequency; HOW – Procedures applied to perform the mitigation control e.g. tool; HOW MANY – Magnitude – Quantify the risk.
  • In addition, the control must define a process to deal with any exceptions identified (e.g. report to risk expert and risk manager).

Based on all the risks reported and the respective countermeasures, the risk manager will review the consistency and set up a consolidated risk versus mitigation control matrix. This matrix will be the basis for the future risk assessment and can also be used either by the risk expert to self-assess the risks or by Internal or External audits to perform the internal controls tests.

Depending on the area of responsibility of each participant the overall risk impacts, likelihoods and risk values per risk are consolidated. The risk manager will consolidate the risks according to the responsibility and avoid duplication.

 

6.3 Single Risk Tolerance and Maximum Risk Exposure

The risks reported by the risk expert are reviewed by the Risk Manager and Management Board. Afterwards, the Risk Manager is in charge of consolidating the reported risks.

The single risk tolerance for a consolidated risk (e.g. because the same risk can be reported by different business units) from the total MAHLE perspective is fixed by the management board (refer to attachment 2). So no individual risk should exceed this value. Should a risk be higher, immediate actions have to be started to reduce the risk value. More details are described under chapter 6.4 regarding the reporting and control of risks.

The maximum risk exposure is determined by the management board (refer to attachment 2). In case the maximum risk exposure is exceeded, the risk manager has to inform the management board about this situation. Provisions and insurance coverage have to be deducted here to calculate the risk exposure (for the identification of individual risks this is not allowed, to ensure that all problem fields are considered within the risk management process, see chapter 6.1). Furthermore, the risk exposure is shown in the regular risk report described in chapter 6.4. Once a year the management board reviews the maximum risk exposure and adjusts it in case of new perceptions.

6.4 Risk reporting and control

The consolidated risks are summarized in a risk report on a regular basis. Depending on the risk level, risks are reported in the management board risk report. Further risks are part of a report which has to be kept in focus by the risk management organization. For the top risks (refer to attachment 2) the general control systems have to be documented, and measure plans with clear responsibilities have to be defined and followed up by the risk management organization.

The main determinations by the management board regarding the content of the risk reports and the reporting cycle are:

  • The structure of the top risk is based on the initial risk assessment, including:
    • The Top Risks (refer to attachment 2)
      • a management board member as a Senior Custodian for each of the Top risks
      • the defined countermeasures (mitigation control) including responsibilities for each of the Top risks
    • Further Risks to be disclosed by Risk Experts with countermeasures (refer to attachment 2)
      • for each of the further Risks, a manager reporting directly to the management board should be a Senior Custodian
      • a defined countermeasure including responsibilities for each risk.
    • Further Risk to be disclosed by Risk Experts (refer to attachment 2)
      • No countermeasures need to be defined for such risks.
  • The risk reporting cycle regarding its main relevant contents is as follows:
    • Once a year a formal risk report has to be created based on the existing workshops:
      • the results will be consolidated by the Risk manager and presented to the management board.
      • the Management board approves the risk report and informs the Board of Directors which approves the release to CVM.
    • After 6 months there will be a request to the risk management organization to report new top risks
      • the Risk manager informs the management board, then the Management board reports to the Board of directors in case there are changes in the top risks: increase of the risk value; or new top risks identified (refer to attachment 2).
    • In case the risk situation changes seriously during the year, there will be ad-hoc risk reporting to the Management board.

The Risk expert is in charge of self-assessing if the countermeasure (mitigation control) has been applied in accordance with the mitigation control design. In case of any countermeasure weakness, the risk expert must inform the supervisor and the risk manager.

The next picture demonstrates an overview of the risk management process:

 

Figure 2: Overview of Risk Management process

7. Communication and training

This policy is disclosed to all the employees through the Intranet (webpage: Brasil Finanças e Controladoria / Gestão de Riscos).

In addition, the policy is communicated through training sessions/workshops to the executives (EL) and managers (ML1), who must accept and be committed to comply with the requirements.