In 1965, Lojas Renner S.A., Brazil’s largest fashion retailer, was incorporated. In 1967, Lojas Renner S.A. went public, starting its history in the Brazilian capital market.
Since its incorporation, Lojas Renner has maintained its commitment to the best corporate governance practices, seeking continuous improvement of its corporate structure.
In 2005, Lojas Renner became the first corporation in Brazil, with 100% of its shares traded on the stock exchange, in the Novo Mercado special segment, seeking, from the beginning, the best corporate governance practices.
We highlight below some milestones of the Company’s corporate governance:
We list below some of the practices that make Lojas Renner a benchmark in corporate governance:
- First Brazilian Corporation, with 100% of free float;
- 100% ordinary shares;
- Listing in the Novo Mercado of B3 – Brasil, Bolsa, Balcão;
- 88% of independent members in the Board of Directors (7 of 8 members);
- 25% of women in the Board of Directors (2 of 8 members);
- Non-accumulation of the positions of Chairman of the Board of Directors and Chief Executive Officer;
- Permanent Fiscal Council;
- Advisory Committees to the Board of Directors, where the Audit and Risk Management Committee is of a statutory nature;
- Alignment of interests of management with those of the shareholders – stock options plan and restricted shares and participation in the results;
- Mechanisms to encourage diffused shareholding and to protect shareholders in the event of a takeover (Poison Pill);
- Portal for the Board of Directors, Advisory Committees and Fiscal Council;
- Secretaries for the Board of Directors, Advisory Committees and Fiscal Council;
- Formal appraisal of the Board of Directors, Advisory Committees and Executive Board, conducted by a specialized and independent company;
- Competencies Matrix of the Board of Directors;
- Board of Officers with remuneration tied to ESG targets;
- Whistleblower Channel managed by an independent and specialized company;
- Corporate policies, such as Anti-corruption, Related-Party, Governance, Risks and Compliance, Nomination and Management Compensation;
- Internal Charter for the Board of Directors, Fiscal Council, Committees and Board of Executive Officers;
- Adherence to Women on Board (WOB), committing to keep at least two women on the Board of Directors; and
- Corporate Governance Area – Governance Officer.
The Board of Directors’ critical analysis of defense mechanisms in the Company’s Corporate Bylaws
As is common knowledge, in 2005, the Company became the first listed joint stock company to have all its shares traded on the stock exchange. Consequently, from then on, it ceased to be a company with controlling shareholders, adopting the model which is characteristic of major North American corporations in this respect.
In 2005, there were no Brazilian benchmarks to give comfort to the Company and its shareholders as to this new corporate model. The inclusion of a poison pill clause in the Corporate Bylaws, such that a shareholder acquiring a 20% or more stake would have to make a public offering of shares (POS), was one of the ways of guaranteeing to remaining shareholders that there would be no significant changes in the company. And in the event that such a contingency occurred, the shareholder would not be harmed since the offer would have to be extended indistinctly to all holders of Renner’s equities at already predetermined terms and prices. In this context, the provisions of articles 39 and 40 of our Corporate Bylaws favor the maintenance of this structure.
It is the view of this Body that the totally dispersed capital stock model contributes greatly to ensuring that the Company continues its constant search to be a benchmark for best corporate governance practice. There are several examples of Renner’s pioneering initiatives in this respect: we were the first Company in Brazil to put out a Manual for Participation in Shareholders’ Meetings, the first to issue a Public Request for a Power of Attorney pursuant to the rules of ICVM 481/09 and, for some years now, we have no longer required signatures on powers of attorney to be notarized/consularized. We also have a large number of independent directors with seats on the Board, a percentage much higher than is mandatory under Novo Mercado Listing Regulations.
Furthermore, it is worth pointing out that the Company is not insensitive to eventual criticisms of this poison pill mechanism and more especially, its trigger of 20% or more of the capital stock, such criticisms being made to the effect that this percentage could be increased as an incentive for those institutional shareholders believing in the Company to increase their stake. However, while this issue, not uncommonly, is the subject of discussions at Board level where due consideration is given to eventual shareholder wishes, the overriding opinion is that it is healthy to maintain a high degree of liquidity through the existing widely held corporate model.
To the present time, the sentiment of this Board is to endeavor to maintain the status quo for reasons already mentioned, protecting minority shareholders and guaranteeing a high degree of share liquidity.
1. How does Lojas Renner S.A. address data security issues?
Data security is one of the pillars of Lojas Renner S.A. and part of the fundamental commitments in the Code of Conduct. The Company has a strong focus on mitigating cyber risks and protecting confidential and personal data. In this context, Renner has a formal Data Security Policy; a formal and disclosed Privacy and Personal Data Protection Policy; two structured areas focused on Cyber Security in the Company (the technical Information Security Area, from the IT board, and the Information Security Risks and Compliance Area, from the Risk board); a multidisciplinary Cyber Risk and Fraud Committee; and the Corporate Compliance area, which has a vertical focus on Privacy and Personal Data Protection.
These teams prepare periodic reports for the Audit and Risk Management Committee, all of its members being independent directors.
2. How does Lojas Renner S.A. protect itself from cyber attacks?
One of the risks that has challenged companies most is that of attacks and intrusion by hackers (or crackers).
Renner has several processes for defending itself, involving three principal macro operational structures supported by specialized partner companies: (i) SOC – Security Operation Center focused on protection at the Internet perimeter level, event correlation and incident response; (ii) Ethical Hacking with repeated penetration testing in the corporate environment; and (iii) Brand Protection, which monitors Lojas Renner S.A.’s leading brands on the Internet.
The Company has a cyber risk and technological vulnerability management structure and has had a cyber security insurance policy in place since 2020.
3. How does Lojas Renner S.A. protect customer data?
The risk of data leakage is undoubtedly a relevant challenge faced by companies, especially large retailers.
Lojas Renner S.A. places a strong focus on protecting customer data. Since 2012, the Company has recertified annually with the PCI DSS (Payment Card Industry Data Security Standard), a data security standard for organizations that handle branded credit and debit cards (Visa, Master and others). Renner has also been using data protection techniques for databases and active DLP (Data Loss Prevention) tools to monitor and prevent the leakage of confidential and personal data.
4. How does Lojas Renner S.A. handle the privacy of customer data?
Following the approval of the General Data Protection Law (LGPD) in 2018, the Company has undertaken a project to adjust its processes involving the personal data of customers, employees, suppliers and third parties, establishing a Corporate Compliance area as the entity responsible for the implementation and effective management of the Law’s requirements.
The area has a structure focused on privacy and protection of personal data and is responsible for a continuous process of disseminating the culture of Privacy in the Company, involving good practices such as the use of the “Privacy by Design” methodology, which establishes that privacy be considered from the conception/origin of any system, process, project, product or any other purpose which involves the handling of personal data. Privacy by Design presents seven foundational principles which guarantee the security of this data in all phases of its life cycle:
1. Proactive not reactive; Preventive not remedial.
2. Privacy as a default setting.
3. Privacy embedded into design.
4. Total Functionality – Positive Sum, not Zero Sum.
5. End-to-End Security – Full Life Cycle Protection.
6. Visibility and Transparency.
7. Respect for user privacy.
A hundred employees, in a range of different areas, have also been trained as Privacy Agents. In short, they are the link between the business and the Corporate Compliance areas, helping the dissemination of the Culture of Privacy in the Company.
5. How does Lojas Renner S.A. manage identities and accesses?
Another challenge is Identity and Access Management (IAM), also known as the “Triple A” of data security: authentication, authorization, and accounting. Risks related to weaknesses in internal controls in this respect are commonly detected by internal and external audits in organizations of all sizes.
Lojas Renner S.A. and partner companies have an employee identity and access management platform covering the most relevant systems and the access accounts. The platform is based on RBAC (Role-Based Access Control) concepts, Single Sign-On, and complementary processes.
6. How does Lojas Renner S.A. address the “security awareness” of people?
Market research indicates that most security incidents are caused by internal staff or third parties who have authorized access to confidential and personal data.
Lojas Renner S.A. believes that its employees and staff from partner companies form the most important link in our ecosystem’s information protection network. Our People corporate value (“hiring, developing and retaining the best people”) underscores this point. In this context, we have a corporate program run jointly with the Human Resources department and focused on education and security awareness, which comprises:
- Information security plan: the program has information security lectures at integration for new employees, held monthly; a week dedicated to information security awareness, called Cyber Week, held annually; an Information Security Program made available online at Renner University (degreed) that employees are expected to complete annually; as well as education campaigns on topics such as cyber risks, phishing, care with passwords, information classification, security by design, among others.
- Personal data protection and privacy program: we also have a plan covering the main points to be observed regarding privacy and data protection (LGPD), available online at Renner University (degreed). It contains a range of content related to the theme and the following tracks:
  - the LGPD
  - the Advanced LGPD
  - the Personal Data Life Cycle
  - Privacy by Design
The Company, its shareholders, management, members of the Fiscal Council (effective members and alternates), undertake to resolve through arbitration by the Market Arbitration Panel, in accordance with its regulations, any disputes which may arise among them, related with or originating from their position as issuer, shareholders, management and members of the Fiscal Council, particularly in the light of the provisions of Law 6.385/76, Law 6.404/76, these Corporate Bylaws, the rules published by the National Monetary Council, by the Central Bank of Brazil and by the CVM as well as other rules governing the securities market in general in addition to those of the Novo Mercado Listing Regulations, of other rules established by the B3 and the Novo Mercado Participation Agreement.
The arbitration chamber shall be made up of 3 (three) arbitrators, appointed pursuant to the Arbitration Regulation of the Arbitration Chamber of Mercado.
Arbitration shall be conducted in the municipality of São Paulo, state of São Paulo, Brazil. The language of the arbitration process shall be Portuguese. The arbitration shall be conducted and adjudicated according to Brazilian Law.
Without in any way limiting the validity of this arbitration clause, petitioning for writs of prevention and urgency by the parties, prior to the constitution of the arbitration tribunal, may be submitted to the Law Courts. Once the arbitration tribunal has been constituted, all petitioning for writs of prevention or urgency shall be submitted to the said arbitration tribunal, the latter being from then on authorized to maintain, revoke or modify writs of prevention and petitioning for urgency previously solicited to the Law Courts.