 
SECURITIES AND EXCHANGE COMMISSION
Washington, DC 20549
 

 
FORM 6-K
 
REPORT OF FOREIGN ISSUER
PURSUANT TO RULE 13a-16 OR 15d-16 OF THE
SECURITIES EXCHANGE ACT OF 1934
 
For May, 2018
(Commission File No. 1-31317)
 

 
Companhia de Saneamento Básico do Estado de São Paulo - SABESP
(Exact name of registrant as specified in its charter)
 
Basic Sanitation Company of the State of Sao Paulo - SABESP
(Translation of Registrant's name into English)
 


Rua Costa Carvalho, 300
São Paulo, S.P., 05429-900
Federative Republic of Brazil
(Address of Registrant's principal executive offices)



Indicate by check mark whether the registrant files or will file
annual reports under cover Form 20-F or Form 40-F.

Form 20-F ___X___ Form 40-F ______
Indicate by check mark if the registrant is submitting the Form 6-K
in paper as permitted by Regulation S-T Rule 101(b)(1)__.
Indicate by check mark if the registrant is submitting the Form 6-K
in paper as permitted by Regulation S-T Rule 101(b)(7)__.

Indicate by check mark whether the registrant by furnishing the
information contained in this Form is also thereby furnishing the
information to the Commission pursuant to Rule 12g3-2(b) under
the Securities Exchange Act of 1934.

Yes ______ No ___X___

If "Yes" is marked, indicate below the file number assigned to the
registrant in connection with Rule 12g3-2(b):

 

 

Organizational Instrument

Type: Institutional Policy
Phase: Valid
Title: CORPORATE RISK MANAGEMENT
Number and Version: PI0028 - V.2
Issuing Area: PK
Approver: DANTE RAGAZZI PAULI - DRPAULI
Validity - 1st version: June 25, 2010
Validity - this version: May 12, 2016
Related Areas (Scope): SABESP
Processes: ---

         

 

1.      INTRODUCTION

The purpose of this Institutional Policy for Corporate Risk Management is to introduce risk evaluation practices in the corporate environment and help improve corporate governance and business planning while preserving and generating value for the organization.

 

The corporate risk management process is based on the Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management Framework 2004, ABNT NBR ISO 31000: 2009, and ABNT ISO GUIA 73: 2009.

 

2.     PURPOSE

2.1.  Determine corporate risk management guidelines, concepts and competences.

2.2. Incorporate risk vision into decision making in line with best practices in the market.

2.3.  Add value to the organization, make information more transparent, improve governance practices and help make the company sustainable.

2.4. Spread risk management culture and take action on all of the organization's hierarchical levels using plain language.

 

3.     GUIDELINES

3.1.  Business strategy and work processes must address risks and risk management.

3.2.  Risk management culture must involve all of the company's hierarchical levels.

3.3.  Employees involved in risk management activities must be trained in the methodology used.

3.4.  Process risks must be identified, evaluated, communicated, treated and monitored as an opportunity for improvement.

3.5.  Risks must be evaluated and monitored by the Board of Directors, Audit Committee, Executive Board, Corporate Risk Management Committee, Departments, Superintendencies and Business Units.

3.6.  Corporate risk management must involve all areas of the company, using plain language and established policy and procedural standards.

3.7.  All risk exposures must be evaluated, their treatment decided and, if necessary, action plans devised, while identifying persons responsible and risk monitoring indicators.

3.8.  Risk management must be periodically improved by frequent evaluation and review cycles or in response to specific events, thus favoring continuous improvement and strengthening strategic business guidelines.

3.9.  The company must use the results of risk evaluations to prepare and / or review contingency plans.

3.10.  Corporate risks must be reported to stakeholders at the Company's discretion, through the appropriate channels aligned with legislation and good corporate governance practices.

3.11.  Responsibilities for approval and treatment of risk are defined by levels of risk (impact and likelihood of occurrence).

3.12.  Risks must be classified by nature, category and origin of events (internal or external) defined in business procedure.

 

 


 


         

 

3.13.  The competences of the Board of Directors, Audit Committee, Executive Board, Corporate Risk Management Committee, Departments, Superintendence of Risk and Quality Management, Superintendencies and Business Units are defined in the appendix to this Policy.

3.14.  Risk management professionals must have access to all areas of the company, employees, documents, data and information required for their activities.

3.15.  The functional authority for Corporate Risk Management is the Risk Management and Quality Superintendence, subordinated hierarchically to the Presidency and functionally to the Audit Committee.

3.16.  This policy must also be disclosed to the members of the Board of Directors, Audit Committee and Corporate Risk Management Committee.

4.     Supplements

Annexes Referenced (Annex Base): ---
Documents Referenced: ---
Register Information: ---

Files Attached (Organizational Instrument's Supplementary Files):

PI0028v2 - Annex 01 Concepts.pdf
PI0028v2 – Annex 02 Competences


 

 

Annex Name: Concepts
Annex Number: 0001
Linked to Instrument: PI0028v02 - Corporate Risk Management

Description

 

 

 

Risk level

Financial magnitude representing the exposure of risk impact, in the broadest sense, that allows the organization to make decisions related to risk management activities.

Periodic improvement

Associated activities to ensure the efficacy of risk management through frequent evaluation and review cycles, favoring continuous improvement and strengthening strategic objectives.

Risk evaluation

Evaluation process that enables an organization to consider the extent to which potential risk factors may impact its attainment of objectives. Management evaluates events based on two perspectives - probability and impact - and generally uses a combination of qualitative and quantitative methods.

Good Practices for Corporate Governance

Publicly-recognized guidelines to achieve and maintain transparency, equity and quality of information, as well as maintaining a positive reputation in the market and a differential in value preservation and generation.

Risk classification

Rates risks by their impact and probability as shown by different colors on a risk map. SABESP's risk rating rules:

 

a) Impact: High (red), Significant (orange), Moderate (yellow), Low (light green) and Minimal (dark green);

 

b) Probability: Almost certain (red), Probable (orange), Possible (yellow), Low (light green) and Improbable (dark green).

Corporate Risk Management

 

This process is conducted by an organization's board of directors, audit committee, executive board, corporate risk management committee, superintendences, business units and other employees; applied to strategies formulated to identify potential events within the organization that are capable of affecting it, and manage risks in order to keep them compatible with the organization's risk exposure and provide reasonable assurance that it will achieve its objectives. Risk management is directly related to sustainable growth, profitability, and preserving and generating value for the company and its shareholders, since this process allows it to detect not only threats but also opportunities to improve and develop the business.

Risk identification

Risk search, recognition and description processes. Identifying risk involves describing factors and potential consequences, thus drawing up a comprehensive list of risks (portfolio) based on events that may create, boost, prevent, reduce, accelerate or delay efforts to reach objectives. Risk identification may involve historical data, theoretical analyses, opinions compiled by informed persons and experts, and stakeholders' needs.

Impact

Result or effect of a risk event. There may be a number of possible impacts associated with an event. The impact of an event may be positive or negative in relation to the related objectives of a company.

Risk map

Graphical representation of the risk evaluation process in the corporate environment. Risks are shown graphically on a 5 X 5 map layout, by positioning the level of the risk in a quadrant with a corresponding color. Shown on the Cartesian plane by ordered pairs (Probability and Impact):

 

X-axis: Probability: Almost Certain (red), Probable (orange), Possible (yellow), Low (light green) and Improbable (dark green);

 

Y-axis: Impact: High (red), Significant (orange), Moderate (yellow), Low (light green) and Minimum (dark green).

Risk Management Methodology

 

A set of definitions of standards for risk identification, analysis, evaluation, treatment and monitoring, based on flexibly applying the COSO model ("Enterprise Risk Management - Integrated Framework") to Sabesp’s characteristics, particularities and business environment.

Monitoring

Continuously checking, supervising, critically observing or identifying situations in order to characterize any changes in performance levels that may be required or expected. Monitoring may be applied to risk management structure, the management process, risk as such or risk controls.

 Level of authority

The organization's management decision-making level related to risk management activities, depending on level of criticality (impact and probability) shown on the risk map.

Stakeholder

Includes Board of Directors, Audit Committee, Executive Board, Corporate Risk Management Committee, Department Heads, Superintendents, Executive Assistants, Advisors and other employees that may affect, be affected, or see themselves involved in decisions on risk management activities.


 

Annex Name: Competences
Annex Number: 0002
Linked to Instrument: PI0028v02 - Corporate Risk Management

Description

 

1. Board of Directors

a)  evaluate and approve the Institution's Corporate Risk Management Policy;

b) review Corporate Risk Management methodology;

c)  verify the efficacy of corporate risk management and control procedures;

d)  evaluate and approve levels of authority for risks that define responsibilities for treating risks and approval;

e)  evaluate and periodically approve corporate risk map and Board of Directors level mitigatory action plans;

f)    monitor the evolution of corporate risk mitigation action plans;

g) ensure resources to execute corporate risk action plans, depending on level of authority.

2. Audit Committee

a)  analyze and comment on Institutional Policy for Corporate Risk Management and its methodology;

c)  examine and monitor the annual corporate risk management work plan;

d)  analyze and comment on levels of authority that define responsibilities for treating risks and approvals;

e)  review the corporate risk map;

f)    monitor the evolution of corporate risk mitigation action plans;

3. Executive Board

a)  approve Institutional Policy for Corporate Risk Management and submit it to the Board of Directors;

b)  approve Corporate Risk Management methodology and submit it to the Board of Directors;

c)  approve the Corporate Risk Management Committee's Internal Rules;

d)  approve nominations of Corporate Risk Management Committee members;

e) evaluate and approve risk levels that define responsibilities for approval and treatment;

f)    approve Corporate Risk Management annual work plans and support their development;

g)  evaluate and approve proposals to spread risk management culture across all levels of the company;

h)  periodically evaluate and approve corporate risk map and mitigatory action plans, submitting any risks beyond its level of competence to the Board of Directors;

i)    monitor the evolution of corporate risk mitigatory action plans;

j)    ensure the resources to execute corporate risk action plans depending on level of authority.

4. Corporate Risk Management Committee

a)  evaluate Institutional Policy for Corporate Risk Management and proposed alterations;

b) review Corporate Risk Management methodology;

c)  evaluate the Corporate Risk Management Committee's Internal Regulations and proposed amendments;

d) evaluate levels of authority for risk that define responsibilities for treatment and approval;

e)  monitor Corporate Risk Management annual work plans;

f)    evaluate proposals to spread risk management culture across all levels of the company;

g)  review and monitor the execution of corporate risk mitigatory action plans;

h)  monitor corporate risk indicators;

i)   evaluate the corporate risk map;

j)    review and monitor the identification, analysis, evaluation, treatment and monitoring of risks under the purview of Departments and Superintendences;

k) advise the Executive Board on Corporate Risk Management related matters;

l)    review the resources approved to execute the action plans.

5. Department Heads

a)  Be aware of the Institutional Policy for Corporate Risk Management;

b)  Be aware of the Corporate Risk Management methodology;

c)  Be aware of the Corporate Risk Management Committee's Internal Rules;

d)  Be aware of and monitor the annual work plans for corporate risk management;

e)  Be aware of the risk levels that define responsibilities for treatment and approval;

f)    approve the Department's corporate risk map;

g)  nominate a member to represent the Department on the Corporate Risk Management Committee;

h)  support risk identification, analysis, evaluation, treatment and monitoring work;

i)    evaluate and approve the measurement and mitigatory action plans of the Department;

k)  monitor the evolution of corporate risk mitigation action plans;

l)    ensure resources to execute corporate risk action plans, depending on level of authority.

6. Superintendencies and Business Units


 

a)  Be aware of and apply the Corporate Risk Management methodology;

b)  Be aware of the annual corporate risk management work plan;

c)   Be aware of the levels of authority that define responsibilities for risk treatment and approval;

d)  identify, analyze, evaluate, treat and monitor corporate risks within their competence;

e)  monitor the evolution of corporate risk mitigation action plans, within their competence;

f)    submit proposals to department heads for corporate risk treatment and mitigatory action plans within their competence;

g) ensure resources to execute corporate risk action plans, depending on level of authority.

h)  draft and update the risk map for their area of business together with the Risk Management and Quality Superintendence - PK;

i)    define and monitor risk indicators;

7. Risk Management and Quality Superintendence

a)  spread risk management culture across all levels of the company;

b)  propose and update the Institutional Policy for Corporate Risk Management and the Corporate Risk Management Committee's Internal Rules;

c)  draft proposal for risk levels of authority and submit it for approval by the Executive Board;

d)  prepare annual work plans and submit them for approval by the Executive Board;

e) execute annual work plans;

f)    propose measures to support the development of Corporate Risk Management;

g)  propose criteria for risk evaluation, mapping and classification;

h)  help develop corporate risk maps;

i)    consolidate corporate risk maps and ensure their distribution depending on risk levels defined;

j)    manage the computerized risk system in order to consolidate risk evaluation findings;

k)  monitor the evolution of action plans underway and corporate risk indicators;

l)    advise the Corporate Risk Management Committee on risk related matters;

m) propose and execute corporate risk reporting methodology.

8. Audit Superintendent

a)  Systematically evaluate the risk management process and suggest improvements;

b)  Be familiar with the corporate risk map;

c)  Include corporate risk map findings when drafting Sabesp's internal audit work schedule.

 

 

SIGNATURE  
 
Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized, in the city of São Paulo, Brazil.
Date: May 28, 2018
 
Companhia de Saneamento Básico do Estado de São Paulo - SABESP
By: /s/  Rui de Britto Álvares Affonso    
 
Name: Rui de Britto Álvares Affonso
Title: Chief Financial Officer and Investor Relations Officer
 

 

 
FORWARD-LOOKING STATEMENTS

This press release may contain forward-looking statements. These statements are statements that are not historical facts, and are based on management's current view and estimates of future economic circumstances, industry conditions, company performance and financial results. The words "anticipates", "believes", "estimates", "expects", "plans" and similar expressions, as they relate to the company, are intended to identify forward-looking statements. Statements regarding the declaration or payment of dividends, the implementation of principal operating and financing strategies and capital expenditure plans, the direction of future operations and the factors or trends affecting financial condition, liquidity or results of operations are examples of forward-looking statements. Such statements reflect the current views of management and are subject to a number of risks and uncertainties. There is no guarantee that the expected events, trends or results will actually occur. The statements are based on many assumptions and factors, including general economic and market conditions, industry conditions, and operating factors. Any changes in such assumptions or factors could cause actual results to differ materially from current expectations.