Governance Structure & Documents

Governance Structure

Our risk governance structure is made up of:

  • Board of Directors: Responsible for overseeing the company’s risk management, ensuring that it is aligned with our strategic objectives and values.
  • Audit, Risks and Ethics Committee (CARE): Made up of members of the Board and senior executives, it is in charge of monitoring and reviewing the company’s main risks, as well as supervising that mitigating actions are being effectively implemented.
  • Risks and Controls Department: A team dedicated to identifying, assessing and continuously monitoring risks, as well as assisting the first line of defense areas in implementing the necessary mitigation strategies.

Governance Documents

Corporate Risk Management

Corporate Risk Management is a fundamental pillar for ensuring Afya’s sustainability and resilience. Our aim is to identify, assess and mitigate the risks that could negatively impact our business, ensuring that we achieve our strategic objectives safely and efficiently.

Risk and Control Culture

We promote a culture of risk management and controls throughout the company, encouraging open and transparent communication about risks and engaging all employees in identifying and mitigating potential threats. We believe that effective risk management is a shared responsibility and fundamental to the long-term success of our company.

Afya has an Internal Risk Management Policy which establishes the principles, guidelines and responsibilities to be observed in the company’s risk management process, as well as the criteria used to classify the level of impact of priority risks, among other guidelines.

Risk Management Process

Our risk management process follows international best practices and is divided into the following stages:

  • Risk Identification: We map the potential risks in all areas of the company, considering both internal and external factors.
  • Risk Assessment: We classify the identified risks based on the probability of occurrence and the potential impact on the company.
  • Risk Mitigation: We develop and implement risk response measures, controls and action plans to mitigate the assessed risks, prioritizing those with the greatest criticality.
  • Monitoring and Review: We continuously monitor risks and mitigating actions, adjusting our strategies as necessary.

Risk Categories

The main risks we monitor include:

  • Operational Risk: Related to the company’s day-to-day activities, including failures in processes, systems or people.
  • Financial Risk: Associated with financial management, such as exchange rate volatility, variations in interest rates and credit.
  • Compliance Risk: Involving compliance with laws, regulations and standards applicable to our sector.
  • Reputational Risks: Linked to public perception and the company’s image in the eyes of our stakeholders.
  • Strategic Risks: Related to strategic decisions, such as new investments, acquisitions or changes in the market.
  • ESG (Environmental, Social and Governance) Risk: Involving issues of sustainability, corporate social responsibility and governance practices that could impact the company.
  • Technological Risk (Cybersecurity and Privacy): Refers to cyber threats and the protection of data and privacy, which are essential in an increasingly complex digital environment.