Risk Policy

1 PURPOSE AND SCOPE

The purpose of this Policy is Çates Elektrik Üretim A.Ş. To explain the general principles and management principles regarding the risk management strategy and risk management framework. This policy covers the general principles and management principles regarding the risk management strategy and risk management framework.
The provisions of this Policy, Çates Elektrik Üretim A.Ş. Applies to all employees.

2 BASIS

Risk Management Policy, Capital Markets Board ("CMB") regulations, including the Capital Markets Law no. 6362, the Turkish Commercial Code no. 6102, the "Corporate Governance Communiqué" no. II-17.1 ("Communiqué") and the corporate governance principles included in its annex. , is regulated within the framework of other legal regulations and the relevant provisions of the Company's Articles of Association (“Articles of Association”).

3 RESPONSIBILITY

The Board of Directors, through the Early Detection of Risk Committee, is responsible for the creation of annual plans and policies regarding Risk Management activities; The Company's risk management manager/expert or legal and compliance manager is responsible for creating supporting documentation and implementing risk management activities in parallel with the plans and policies.

4 DEFINITIONS

Mentioned in this Policy;
Company; Çates Electricity Production Inc. .
Board of Directors; Çates Electricity Production Inc. Board of Directors,
Early Detection of Risk Committee; Hereinafter referred to as the Committee, both of them refer to the early risk detection committee established within the Company's Board of Directors.

5 RISK MANAGEMENT STRATEGY
To quickly identify, measure, manage, report and monitor risks that affect the achievement of the Company's strategic, operational and financial goals; To regulate the Company's risk profile in line with the Company's risk appetite in order to intervene in new threats and opportunities in order to benefit from returns at the maximum level; To ensure that risk management is effectively effective in the Company's strategy and decision-making processes; To protect the Company's capital by considering its compliance with the Company's risk appetite;
Achieving an optimal risk return profile by allocating capital effectively;
To provide sustainable financial performance, income and competitiveness to the Company,
Supporting decision-making processes by providing consistent, reliable and timely risk information;
To protect the reputation of the Company by reinforcing the Company's core values, increasing risk awareness, and developing a strong culture of disciplined and conscious risk taking.

5.1. Governance
Effectively structuring and implementing governance forms the basis of all other components of risk management.

5.1.1. Defense Areas

5.1.1.1. First Level Defense Area
Managers of business units have primary responsibility for effectively controlling the risks exposed to them by their activities (“first-level defensive area”). The parties in the first level defense area are responsible for the implementation of the risk regulations and implementation principles and procedures established by the parties in the second level defense area. Below are examples of the main activities of parties in the first level defense area:

To make risk assessments and to create and take the necessary actions against risks to ensure that only risks at acceptable levels remain, to implement the issues foreseen within the scope of Risk Management policies, regulations, application principles and procedures and processes, to ensure that key controls are effective.

5.1.1.2. Second Level Defense Area

The Company's manager/expert responsible for risk management or legal and compliance manager (“second level defense area”) supports the parties in the first level defense area regarding risk management activities.
Below are examples of the main activities of parties in the second-level defense area:
To act in accordance with the application principles, procedures and regulations regarding Risk Management and to ensure compliance by the relevant managements,
To make suggestions for improving controls,
Overseeing the effectiveness of controls,
Analyzing and reporting control weaknesses,
Creating methodologies for risk management,
Ensuring that risk management activities are carried out,
Helping to establish key control points,
Helping business units identify the risks they are exposed to and monitoring risks,
To ensure that responsibility for the actions to be taken against risks is determined,
Reporting the company's risk profile and issues other than risk appetite and escalating it to the next level when necessary.

5.1.1.3. Third Level Defense Area

Internal Audit serves as the third level defense area. Provides independent assurance on the effectiveness of the Risk Management system.

5.1.2. Early Detection of Risk Committee

The Early Detection of Risk Committee was established to be responsible and authorized within the framework of legal regulations, including the corporate governance principles in the Turkish Commercial Code No. 6102 and the Capital Markets Board ("CMB") regulations, and the relevant provisions of the Company's Articles of Association. Early Detection of Risk Committee; It operates for the purpose of early diagnosis of strategic, operational, financial and all kinds of risks that may endanger the existence, development and continuity of the Company and to manage risks by applying appropriate risk management strategies.

5.1.2.1. Responsibility

The duties and powers of the Early Detection of Risk Committee are as follows:
a. Establishing a company-wide Enterprise Risk Management approach and ensuring the establishment and maintenance of an effective risk management framework;
b. To prepare and present suggestions for the establishment of risk management systems and the establishment of organizational infrastructures related to risk management within the Company and the development of relevant systems to increase functionality;
c. To present an opinion to the Board of Directors to establish internal control systems, including risk management and information systems, processes that can minimize the effects of risks that may affect the Company's stakeholders, especially the shareholders;
D. To carry out studies to determine Risk Management Strategies, Policies and the relevant standards and methodologies used in managing risks within the Company and to submit them to the approval of the Board of Directors;
to. To carry out studies to prepare policies that define the Company's risk appetite and are compatible with the strategic plans and targets approved by the Board of Directors, and to submit the studies to the approval of the Board of Directors;
f. To carry out studies to create a proposal regarding the indicators and levels within the scope of risk appetite and to submit it to the approval of the Board of Directors; monitoring the indicators and presenting the results, evaluations and recommendations to the Board of Directors when necessary;
g. Ensuring that the Company's strategies and risk appetite are effectively implemented throughout the Company;
h. To adequately inform the members of the Board of Directors about the risk-creating activities of the Company, including strategic management, capital and resource management, risk profile, risk appetite, business activities, financial performance and reputation, and to provide suggestions to the Board of Directors in this context;
I. Capital and liquidity levels and asset-liability structure; Ensuring that internal processes are maintained, including stress testing where appropriate, to ensure compliance with the Company's normal and stressful conditions;
j. Ensuring the integration of risk management and internal control systems into the Company's corporate structure and business processes;
k. To identify, evaluate and monitor existing and potential risk elements that may affect the achievement of the Company's objectives within the framework of the corporate risk management systematic, and to ensure that the principles for managing the relevant risks are determined in accordance with the Company's risk-taking profile and used in decision-making mechanisms;
l. Evaluating and approving risk studies carried out within the company; To provide information and suggestions to the Board of Directors when necessary;
m. Evaluating and recommending risk management strategies for risks that will be accepted and managed, shared or completely eliminated in the Company regarding risks evaluated according to probability and impact calculations;
n. Evaluate the development and maintenance of management reporting to ensure that information is timely, accurate and relevant;
he. To follow the latest status of audit issues and findings, to evaluate the effectiveness and efficiency of the actions taken;
p. To supervise activities related to Business Continuity Management;
q. To review the risk management systems at least once a year and to ensure that the practices in the relevant departments that undertake risk management responsibility are carried out in accordance with the Committee decisions;
r. To detect technical bankruptcy early and to ensure that the Board of Directors is warned about this issue;
s. To submit reports to the Board of Directors every two months that evaluate the current situation, point out any dangers and include recommendations, and share the prepared reports with the audit committee and internal audit unit;
t. To prepare an annual evaluation report and submit it to the Board of Directors in order to form the basis for the Board of Directors' evaluation regarding the members of the Committee, the frequency of meetings, the working principles, including the activities carried out, and the effectiveness of the Committee, which will be included in the annual activity report,
u. To fulfill other duties assigned/to be assigned to the Committee by CMB regulations and the Turkish Commercial Code.
The Committee meets with the Audit Committee at least once a year to ensure compliance with audit results and risk determinations.
The Committee immediately notifies the Board of Directors in writing of its evaluations and important findings and recommendations regarding its field of duty and responsibility.
The decisions of the Committee are recommendations to the Board of Directors, and the final decision responsibility on relevant matters belongs to the Board of Directors.

5.2. Goal Setting

The objectives of the parties involved in the first and second level defense field regarding risk management activities are established in accordance with the strategic objectives and risk appetite of the company.

5.2.1. Compliance with Activities

Risk management is fully integrated into the Company's daily activities and strategic planning to gain a sustainable competitive advantage.

5.2.2. Risk Management Principles

While ensuring that our daily activities are integrated with our strategic plans through the risk management function, the following principles are observed.

5.2.2.1. Flexibility

The company's risk management framework allows for acceptable flexibilities while maintaining the company's risk appetite.

5.2.2.2. risk appetite

Risk appetite is defined as the maximum level of acceptable and approved risk.
The acceptable risk appetite level is determined by the Board of Directors with the recommendations of the Early Detection of Risk Committee and is reviewed once a year or more frequently when necessary. Risk appetite is operationalized through the following items.
Risk Matrix - Risk Levels,
Limits or obligations,
Key Risk Indicators tolerance levels After the risk appetite is determined, the Company's risk profile is monitored periodically according to the risk appetite levels. If these levels have been exceeded or are likely to be exceeded, necessary precautions are taken by the relevant business units upon the recommendations of the Company's Committee and/or the manager/expert responsible for risk management or the legal and compliance manager.

5.2.2.3. risk awareness

It is aimed to create a culture with high 'risk awareness' within the company. This principle is implemented through regular meetings, training and reports.

5.3. Event Detection

Incident detection is done proactively and prior to risk assessment. There are different techniques for event detection.
For example:
Analysis of actual events,