
FORM 6-K

SECURITIES AND EXCHANGE COMMISSION
Washington, D.C. 20549

Report of Foreign Private Issuer

Pursuant to Rule 13a-16 or 15d-16 of
the Securities Exchange Act of 1934

For the month of February, 2020

           Brazilian Distribution Company           
(Translation of Registrant’s Name Into English)

Av. Brigadeiro Luiz Antonio,
3142 São Paulo, SP 01402-901
     Brazil     
(Address of Principal Executive Offices)

        (Indicate by check mark whether the registrant files or will file annual reports under cover of Form 20-F or Form 40-F)

Form 20-F   X   Form 40-F       

        (Indicate by check mark if the registrant is submitting the Form 6-K in paper as permitted by Regulation S-T Rule
101 (b) (1)):

Yes ___ No   X  

(Indicate by check mark if the registrant is submitting the Form 6-K in paper as permitted by Regulation S-T Rule
101 (b) (7)):

Yes ___ No   X  

        (Indicate by check mark whether the registrant by furnishing the information contained in this Form is also thereby furnishing the information to the Commission pursuant to Rule 12g3-2(b) under the Securities Exchange Act of 1934.)

Yes ___ No   X  


 

CORPORATE RISK MANAGEMENT POLICY OF THE COMPANY

“COMPANHIA BRASILEIRA DE DISTRIBUIÇÃO”

 

1.           PURPOSE

Establishing principles, concepts, guidelines, and responsibilities in the Risk Management of Pao de Açúcar Group (GPA) and its Business Units regarding the identification, review, and assessment of risks that may affect their strategic goals and the effective creation and protection of value for GPA.

 

Defining, from inherent risks, exposure control and monitoring devices, incorporating the risk vision into strategic decision-making in compliance with the applicable legal requirements, best practices and applicable market methodologies.

2.           SCOPE

Applicable to all GPA's macro processes and business operations.

3.     GUIDELINES

Our general guidelines are our commitment to the GPA's value proposition, aligned with our code of ethics and conduct so that we can create a risk management culture that reaches all our associates.

Risk management is part of GPA's Corporate Governance process and is an integral part of the decision-making process, contributing to the performance of its strategy. Risks are identified and addressed to ensure compliance with the goals set out in the strategic planning.

For that purpose, the Risk Management structure considers the joint action of the corporate governance and management areas, according to the concept of the 4 lines of defense as described in table 1 below:

1st line

- This line is composed of Operations Management, represented by the boards of executive officers, managers, and other associates of the business units that operate in day-to-day operations and tasks.

- They must manage performance and risks taken in compliance with the policy.

- They implement controls and action plans, and report information connected to Risk Management in a timely manner.

2nd line

- This line is composed of areas of control and supporting functions, represented by the Risk Management Director, who may require advice from the internal areas of the Company responsible for Compliance matters, Internal Controls and Information Security.

- They should guide, monitor, and assess adherence to all standards and policies set, in addition to supporting the first line of defense in achieving GPA's purposes.

- They should facilitate, disseminate, and monitor Risk Management practices and assist in identifying risks according to the set Risk Appetite.

3rd line

- This line is in charge of assurance functions, represented by the Internal Audit, responsible for conducting audits or reviews of Risk Management and Internal Control practices, as well as governance effectiveness, identifying problems and opportunities for improvement with independence, objectivity, and authority for recommendations.

4th line

- This line represents the functions of the Independent External Audit, an entity whose mission is to evaluate the quality of the internal controls used to prepare the financial statements. This line also represents a line of defense, since the Independent External Audit has to report to the Company all the liabilities in such internal controls, should it find any.

 

 

Table 1: Lines of Defense

Processes

Controlled document. When printed, it may be outdated                                                                                        Page 1/8


 

 

 

4.           TERMS, EXPRESSIONS, AND DEFINITIONS

4.1.   GPA: the Pao de Açúcar Group and its Business Units.

4.2.   COAUD: Audit Committee.

4.3.   COMEX: Executive Committee.

4.4.   Risk Management: a set of coordinated and structured activities aiming at aligning the Risk Appetite with the strategic decision-making cycle in order to optimize the results set forth in the strategic planning and the effective creation and protection of GPA's value.

4.5.   Risk Appetite: this means the degree of risk the Company is willing to accept in accordance with the risk/return ratio, to achieve its goals within the limits set by the senior management.

4.6.   Event: an occurrence or set of events, the impact of which can affect results whether positively or negatively.

4.7.   Risk: factors and/or events that may have negative impacts, compromising the Company's ability to achieve its strategic goals and the effective creation and protection of GPA's value.

4.8.   Inherent Risk: degree of risk intrinsic to the operation of the business or activity, without considering the performance of controls and direct actions able to reduce its exposure; also called gross risk.

4.9.   Residual Risk: degree of risk already considering all controls and actions identified to reduce exposure.

4.10.  Tolerance: the limits of acceptable variation in the performance against the achievement of business goals.

4.11.  Capacity: the resources available for the Company to meet its strategic plan, such as financial capital resources, technologies, processes and people, among others.

4.12.  Risk Causes: risk factors that contribute to the risk eventually materializing, potentiating its impacts through related consequences.

4.13.  Risk Consequences: these are aggravating factors in the outcomes and impacts of an event that could positively or negatively affect the Company's ability to achieve its goals.

4.14.  Probability: it is the possibility of the risk to materialize, and can be reported qualitatively, quantitatively and by frequency.

4.15.  Impact: these are aggravating factors or consequences if the risk materializes, which can be categorized into Financial, Business, Physical Security, Food Security, Compliance, Reputation and Image impacts.

4.16.  Mitigation Controls or Initiatives: actions taken to mitigate inherent risk, which may be periodic or ongoing Business Unit activities that will assist in monitoring risk exposure levels.

4.17.  Key Risk Indicator (KRI): metrics used to measure and monitor risk exposure related to risk causes, helping the Company to act in a preventive manner to reduce the impacts of risk materialization, serving also as a tool for controlling and serving as an example of good practices of Risk Management.



 

4.18.  Key Performance Indicator (KPI): metrics used to measure and monitor process performance and results, which can also be used for risk monitoring.

4.19.  Prioritized risks: a list of risks deliberately set by Senior Management that describes exposure levels that may enhance high impacts to the business, the management of which should be prioritized in a structured manner.

5.     ROLES AND RESPONSIBILITIES

We describe hereinbelow all interested parties that are within the context and life cycle of the Risk Management process, with their corresponding responsibilities:

Function

Responsibilities

Board of Directors

·        Establishing general risk guidelines aligned with the business context and the strategic planning cycle;

·        Establishing acceptable Risk Appetite limits under GPA's capacity and tolerance;

·        Evaluating, deliberating, and approving the strategic and prioritized risk matrix aligned with the Risk Appetite;

·        Influencing and sponsoring the monitoring of priority risks, within the management forums;

·        Influencing and sponsoring the risk culture within GPA;

·        Assessing, annually, the sufficiency of the structure and the budget of the Internal Auditors for the performance of their duty;

·        Revising and approving the general definitions of Risk Management strategies;

·        Approving the risk policy, its evolution and future reviews.

Audit Committee (COAUD)

·        Following the activities of the Internal Auditors and the area of internal controls.

·        Evaluating and monitoring the exposure risks of the company.

·        Proposing, to eligible forums, definitions and guidelines that will compose the Risk Management model within the Company;

·        Monitoring and supporting the Risk Management process in defining priority risks aligned with the business context and the Board of Directors' guidelines;

·        Supervising Risk Management activities by complying with legal laws, policies, rules and internal procedures of the Company;

·        Evaluating and monitoring the priority risks found by the revisions of the Risk Management areas, reporting it to the Board of Directors and assisting it to assess action plans and recommendations;

·        Evaluating, approving, and monitoring how prioritized risks are addressed and monitored.

·        Evaluating, approving and recommending to the administration the correction or improvement of the internal policies of the company.

·        Evaluating the company's quarterly information, interim statements and financial statements.

Corporate Governance and Sustainability Committee

·        Preparing the planning and ensuring that the Risk Management is actually put into operation, considering all dimensions of the structure set, encompassing strategic, tactical, and operative activities of GPA;

·        Assisting the Board of Directors in applying the Risk Management methodology in GPA;

·        Supporting the Board of Directors in defining both the Risk Appetite and GPA's priority risks;

·        Supporting GPA in reviewing and approving the Risk Management strategy;

·        Assisting the Audit Committee and the Board of Directors on risk exposure levels;

·        Assessing the effectiveness of GPA's Risk Management process;

·        Identifying the risks arising from GPA's strategic and policy changes under the approval by the Board of Directors.

 

CEO's Office / EXCOM

·        Promoting the integration and risk culture in GPA and in management cycles and strategic planning;

·        Ensuring the implementation of an efficient Risk Management model, aligned with business purposes and business goals. Applying the general guidelines set by the Board of Directors to assign the acceptable Risk Appetite level for GPA;

·        Monitoring all risks managed at the level of each process and operations to ensure the effectiveness of control measures;

·        Taking part in the validation rituals and risk prioritization of GPA.

·        Following up KRIs, KPIs, and priority risk mitigation strategies;

·        Assessing and monitoring how business risks are addressed, aligned with the performance of strategic planning;

·        Assessing, on a timely basis, the effectiveness and applicability of risk policy guidelines;

·        Assessing and supporting the suitability of the structure for the management process, considering human, financial and technological resources.



 

Risk Management Director

·        Setting and improving the Risk Management methodology, which shall be integrated and aligned with the value chain over the entire GPA;

·        Managing GPA's Risk Management process cycle, covering all Business Units;

·        Ensuring the information flow management within all Business Units aligned with the concepts, methodology, and deadlines set for each Risk Management cycle;

·        Supporting Business Units in the risk identification, assessment, treatment, and monitoring cycle to assist them in reducing risk exposure levels;

·        Managing the prioritized risk matrix, reporting their status and exposure levels to the key management forums;

·        Supporting business areas in identifying and assessing the impact of risks.

Risk Owner

·        Identifying, ranking, and managing the risks of the corresponding areas according to mitigation strategies, together with the Risk Management area;

·        Appointing the professional who will answer as facilitator in risk management with the Risk Management area;

·        Ensuring the implementation of action plans and monitoring of KRIs (Key Risk Indicators);

·        Reporting exposure levels, action plans, and indicators describing residual risk status to governance and management forums.

Facilitator / Person in charge

·        Having technical knowledge of the processes in which risks are inserted;

·        Being the responsible person for updating the mapping information and risk treatment of his/her Business Unit;

·        Keeping information updated in a timely manner, respecting the planning calendar of the Risk Management cycle;

·        Monitoring the status of action plans with those responsible for implementing control measures.

Internal Auditors

·        Measuring the quality and effectiveness of the company’s processes related to Risk Management, control and governance;

·        Identifying and pointing out opportunities for improving Internal Control and Risk Management processes;

·        Auditing information and controls connected to KRIs and KPIs developed and monitored by functional areas;

·        Reporting periodically to the Audit Committee (COAUD) and its audited clients the results of independent, unbiased, and timely assessments of the effectiveness of Risk Management in the Company.

Associates

·        Ensuring that Risk Management is put into operation, becoming part of the process of identification, assessment and measurement, implementing preventive and corrective actions;

·        Taking part in training sessions able to allow the conscious dissemination of the Risk Management culture.

Table 2: Roles and Responsibilities



 

6.     RISK MANAGEMENT PROCESS

The GPA Risk Management process was determined based on the guidelines of COSO (Committee of Sponsoring Organizations of the Treadway Commission) and also the ISO 31000:2018 standard - Principles and Guidelines for Risk Management.

Such process life cycle is made up of 7 subsequent and dependent steps, which we perform once a year as shown in Figure 1.

 

Figure 1: steps of GPA's Risk Management Process

 

6.1.  STAGES OF THE PROCESS

              Stage 1 - Setting the Context:

Understanding the business scenario and context considering factors connected to the short- and long-term strategic planning of GPA and its Business Units aligned with the environment in which such goals are inserted.

This is a critical step to ensure that the Risk Management process is aligned with the Company's management and strategic planning cycles to align with its acceptable Risk Appetite levels.

It consists of an annual cycle of executive alignments with process owners and the senior management to compose a benchmark that will provide support to the next steps of identifying risks that are most aligned with the business context.

To determine the scenarios that should support this stage we considered two influencing factors, namely:

·        External Factors: Economic, Environment, Political, and Social.

·        Internal Factors: Infrastructure, Human Resources, Processes, and Technologies.

 

               Stage 2 - Risk Identification:

The risk identification approach is top-down, starting with interviews with key executives of the Business Units, considering the main processes they are responsible for.

The product generated at this stage is a comprehensive list of event-based risks that could identify vulnerabilities and threats able to jeopardize the achievement of GPA's strategic goals.



 

At this stage, the owner and the person responsible for each identified risk must be determined, as well as a description that will guide the next steps of the mapping.

 
 

               Stage 3 - Review:

We have performed a more detailed review of the identified risks, including important attributes for clarity and qualitative and quantitative support to generate variables able to holistically rate the universe of risks for us to act more assertively in their prioritization.

We have determined, among other aspects, their causes or risk factors and their effects, rating their aggravating factors so that we can generate a comprehensive and relevant list of risks for further mapping.

We have gathered information to obtain data able to describe the likelihood and impacts of risks, thus generating a qualitative matrix to describe in an executive way the universe of risks based on their ranks, as described hereinbelow in Figure 2.

Figure 2: Qualitative Risk Matrix

We classify the risks within this qualitative matrix, according to the following criteria:

·        High Rating or High Risk (Red): they represent a potential threat to GPA's business and there must be priority actions to reduce or eliminate the risk component.

·        Medium Rating or Medium Risk (Yellow): these represent a threat and can be monitored and managed through preventive control measures able to maintain the degree of exposure or risk acceptance.

·        Low Rating or Low Risk (Green): they represent an acceptable threat with minor impacts and no need for continuous monitoring, which can be accepted.

               Stage 4 - Assessment:

We assess the inherent risks and their potential materialization impacts to achieve GPA's goals.

With the support by the senior management, executive officers, and process leaders, we assess events from the perspective of probability or frequency and impacts. We seek variables to combine qualitative and quantitative assessment methods.

We consider, among others, variables to rank impacts that help in better risk classification, using the high, medium, and low gradient for each variable.

Finally, by combining all the assessment variables, we define the criticality of risks found that allows us to build a prioritization map, starting from the highest exposure to the lowest exposure risks.



 

This map supports GPA and its Business Units to achieve a greater degree of strategic planning alignment, and also an acceptable Risk Appetite level for the Company.

 

               Stage 5 - Treatment:

The risk treatment stage involves identifying the existing control devices within the process to rate their effectiveness as a preventive measure and as a factor reducing the exposure (Mitigating Factor) that will help to determine the residual risk.

For processes that require a greater degree of control effectiveness or that do not have effective mitigation factors, we perform at this stage the implementation of one or more action plans to mitigate risk factors.

For each action plan, we assign responsible persons and implementation schedules to ensure the effectiveness and efficiency of the plans and thereby reduce the level of residual risk.

Within this process, we apply alternative risk responses, as shown in table 3:

Suppress: Taking actions that change and/or abolish a process or a project, protecting business goals from the impacts of this risk

Reduce or Mitigate: Taking control measures to reduce the likelihood and/or impact of a risk to an acceptable level, according to the Risk Appetite

Transfer: Taking actions that reduce the likelihood and/or risk impact by fully transferring or sharing a portion of the risk

Accept: No action is taken to affect the likelihood and/or impact of the risk as it is within an acceptable level of Risk Appetite

Table 3: Risk response alternatives

               Stage 6 - Monitoring:

Consisting of a dynamic and continuous cycle, it is essential to ensure timely, preventive, and reactive actions that help minimize impacts in case risks materialize.

Associates involved in each area must have the ability and competence to identify, assess, prioritize, monitor, and manage their risks, taking into account all changes within the internal and external environment, so that they can achieve the highest degree of control over their processes to achieve their goals as established on risk management (see table 3).

The risk monitoring process consists of two main fronts, namely:

·        Action Plans: these must be carried out by the Business Units according to the responsibilities determined by the risk owners, which may vary from monthly, bimonthly, quarterly, semiannually, and even annually, depending on the Risk Management needs.

·        Control measurement: we use metrics and indicators we call KRI. These metrics and indicators are connected to risk factors and preventive measurement factors. During the risk treatment stage, we identify such metrics according to the control devices, determining acceptable limits that inductively describe whether the indicators point out trends or deviations that could cause the risks to materialize, thus enabling triggers for the Business Units to take actions to reverse events and, consequently, their impacts.



 

               Stage 7 - Dissemination and reporting:

We regularly perform an alignment ritual that aims at spreading the Risk Management culture through workshops, training sessions, and/or rendering of account rituals with risk owners and the key GPA management forums such as the Board of Directors, Executive Committee, and Audit Committee.

To fulfill such dissemination and reporting ritual we have determined a plan that develops communication formats according to the target audience, describing the frequency, the persons involved, and the responsibility within the context.

 

6.2.  RISK CLASSIFICATION

We adopted 4 risk classifications within the process, namely:

·        Strategic: risks that affect GPA's strategy or strategic goals. They are connected to scenarios of uncertainties and/or opportunities and are a priority focus of senior management.

·        Operations: risks arising from some inadequacy or failure to manage internal processes, people, or technologies that may hinder or prevent goals from being achieved.

·        Compliance: risks that are within the legal or regulatory context, connected to public or private corruption, crime, and fraud.

·        Information Technology (IT): risks connected to the use, operation, and influence of information technology within GPA that could generate vulnerabilities that, once exploited, affect the company's operations and results.

7.     TERM OF EFFECTIVENESS AND APPROVAL

This policy becomes effective as of its approval and publication and may be revised whenever necessary.

8.     PENALTIES

Any failure to comply with this policy will be considered a serious offense, which will be subject to all applicable administrative, civil, criminal and/or labor penalties, to be verified by the corresponding area's Executive Director and by the Ethics Committee.

 

 

 

 


 

SIGNATURES

        Pursuant to the requirement of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized.




COMPANHIA BRASILEIRA DE DISTRIBUIÇÃO



Date:  February 14, 2020 By:   /s/ Peter Estermann
         Name:   Peter Estermann
         Title:     Chief Executive Officer



    By:    /s/ Isabela Cadenassi            
         Name:  Isabela Cadenassi  
         Title:     Investor Relations Officer


FORWARD-LOOKING STATEMENTS

This press release may contain forward-looking statements. These statements are statements that are not historical facts, and are based on management's current view and estimates of future economic circumstances, industry conditions, company performance and financial results. The words "anticipates", "believes", "estimates", "expects", "plans" and similar expressions, as they relate to the company, are intended to identify forward-looking statements. Statements regarding the declaration or payment of dividends, the implementation of principal operating and financing strategies and capital expenditure plans, the direction of future operations and the factors or trends affecting financial condition, liquidity or results of operations are examples of forward-looking statements. Such statements reflect the current views of management and are subject to a number of risks and uncertainties. There is no guarantee that the expected events, trends or results will actually occur. The statements are based on many assumptions and factors, including general economic and market conditions, industry conditions, and operating factors. Any changes in such assumptions or factors could cause actual results to differ materially from current expectations.