SEC Form 6-K filed by VALE S.A.

United States

Securities and Exchange Commission

Washington, D.C. 20549

FORM 6-K

Report of Foreign Private Issuer

Pursuant to Rule 13a-16 or 15d-16

of the

Securities Exchange Act of 1934

For the month of

November 2025

Vale S.A.

Praia de Botafogo nº 186, 18º andar, Botafogo
22250-145 Rio de Janeiro, RJ, Brazil

(Address of principal executive office)

(Indicate by check mark whether the registrant files or will file annual reports under cover of Form 20-F or Form 40-F.)

(Check One) Form 20-F x Form 40-F ¨

Subject: Risk Management Cluster: Corporate. Identification: POL-0009-G / Version: 08. Use: Public. Resolution: DCA – 033/2025. Issued on: 11/27/2025. Responsible: Executive Vice-Presidency of Finance and Investor Relations. Review until: 11/27/2030. - 1 of 6 - Corporate Policy 1. General Guidelines Vale S.A. (“Vale” or “Company”) is committed to managing Risks proactively and effectively, prioritizing the safety of its Employees and Third Parties, the communities where it operates, and caring for the environment, in accordance with its values, Code of Conduct, regulatory documents, and governance rules. "Life Comes First" is a core value that guides Vale's activities. Vale seeks to adopt the best market practices as a reference in its operations, aiming to prevent lives from being lost or negatively impacted. Vale's Risk Management consists of coordinated activities that support and guide the Company in its decision-making processes related to Risk. This process consists of four stages: (i) Risk Identification; (ii) Risk Analysis and Treatment; (iii) Risk Monitoring; and (iv) Risk Communication and Reporting. These activities should contribute to: • Promote a risk management culture to add value to the organization by optimizing the flow of information needed for decision-making in a transparent manner and aligned with Vale's institutional objectives, to avoid or mitigate negative impacts on people, communities, the environment, operational continuity, and reputation. • Support the strategic planning and sustainability of Vale's businesses. • Optimize capital allocation and strengthen Vale's asset management based on mapped risks. • Strengthen Vale's risk management governance practices, based on the Lines of Defense concept. • Adopt as references the concepts and guidelines of ISO 31000, ISO 55000 and COSO-ERM in Risk management, and RBPS (Risk Based Process Safety) for Process Safety. • Use the Risk Appetite methodology as a tool to guide the Company in the business decision-making process, in the allocation of capital and in the formulation of actions to respond to the mapped Risks. • Support the assessment of potential impacts related to new investments, acquisitions, and divestments, based on Vale's Risk Map and Appetite. • Map Emerging Risks in order to seek timely solutions that minimize possible negative impacts on the Company's business objectives. • Apply a Risk response strategy to define Risk treatment, according to the priority level classification of the Risk Matrix and weighted according to the Company's Risk Appetite, according to the following levels: • Very high: Implementation of appropriate measures to effectively reduce the level of Risk, which must be initiated quickly, except in cases where the Risk Appetite is high. • High: Implementation of recommended measures in accordance with best practices to effectively reduce the level of risk. These measures should be implemented promptly, except in cases where the risk appetite is high. If, after an assessment based on technical aspects, risk reduction is not reasonably possible, continuous monitoring must be carried out to ensure effective risk control. • Medium: Management to avoid the escalation of the risk level. • Low: Acceptable, without dispensing with risk level management. Vale's Risk Management system adopts a specific taxonomy, detailed in an internal regulatory document, which must be read and interpreted in conjunction with this Policy. - 2 of 6 - Corporate Policy DCA 033/2025 Rev.: 08 - 11/27/2025 POL-0009-G PUBLIC 2. Scope This Policy applies to Vale and its subsidiaries1, in Brazil and in other countries, to all Employees and members of Key Management Personnel, always in compliance with the Bylaws, constitutive documents and applicable legislation. 3. References • POL-0001-G – Code of Conduct. • POL-0005-G – Human Rights Policy. • POL-0012-G – Climate Change Policy. • POL-0016-G – Anti-Corruption Policy. • POL-0019-G – Sustainability Policy. • POL-0025-G – Sanctions and Export Controls Policy. • POL-0029-G – Internal Audit Charter. • POL-0035-G – Vale Management Model Policy - Vale Production System - "VPS". • POL-0037-G – Safety and Geotechnical Mining Structures Policy. • POL-0041-G – Misconduct Management Policy. 4. Definitions Risk Appetite: For the purposes of this Policy and in a concise manner, it refers to the Risk scale that guides the organization in pursuing its strategic objectives. It should be noted that Risk Appetite does not represent, in any circumstances, any acceptance or assumption of the probability of risks of any kind or nature materializing into concrete results or events by Vale. Risk Appetite Statement: Internal document that establishes the appetite scale for each Risk category present in the Company's Integrated Risk Map. Employee: Any permanent or temporary employee, interns, young apprentices and/or trainees at Vale. Lines of Defense: Risk management governance model in which areas, their respective responsibilities and processes that assist the Company in the effective Risk management process are identified. Integrated Risk Map (or “Map”): Instrument that contains the set of Risk themes that need to be assessed and monitored, organized by categories, according to the taxonomy established in an internal normative document. Risk Matrix: Graphical representation of risk classification based on the combination of frequency/probability and severity of events, establishing a risk priority scale, with each event classified as Very High, High, Medium, or Low. This analysis allows comparisons between potential risk events, enabling appropriate risk management. Key Management Personnel: For the purposes of this Policy, these are the members of the Board of Directors, the Advisory Committees to the Board of Directors, the Executive Committee, and the executives who report directly to the Company's Board of Directors, as well as the non-statutory Executive Vice Presidents who report to the President. Severity Ruler: Used to standardize the measurement, qualitative or quantitative, of the potential negative impact of Risks and assist in the classification of Risks. It does not reflect, under any circumstances, the degree of relevance attributed by the Company to potential impacts in their various dimensions, always requiring the recording of the assessment rationale. 1 To learn about the classification of subsidiaries, please refer to POL-0043-G. - 3 of 6 - Corporate Policy DCA 033/2025 Rev.: 08 - 11/27/2025 POL-0009-G PUBLIC Probability Ruler: Used to estimate, in qualitative or quantitative terms, the frequency/probability of occurrence of a potential Risk, always requiring the recording of the rationale for the assessment. Risk(s): The effect of uncertainty on organizational objectives, which manifests itself in many ways and has a potential impact on all dimensions of the business. Business Risks: Relevant potential risks that, if they occur, could impact people, communities, the environment, operational continuity, reputation, and the achievement of the company's overall business objectives and strategy. These are risks with very critical potential severity in Residual Risk, that is, the extent of present risk mitigated by the existing control environment. Emerging Risks: These are new potential risks or already known risks, but under new or different conditions and/or circumstances, which have a high degree of uncertainty regarding their trend, severity, and probability of occurrence. They are typically influenced by external factors and are therefore difficult to predict. They may become presentbut are not expected to materialize within the next five years, and therefore, clear monitoring indicators may not be available in the market. Priority Risk Themes: These are included in the Integrated Risk Map and are subject to detailed monitoring of classification, mitigation and consequences, based on the analysis of the Risk Matrix and considering the Risk Appetite. Third Parties: For the purposes of this Policy, this refers to any individual, company or entity with which Vale does business, including Suppliers, Customers and business partners. 5. Governance Vale has an integrated risk management governance system based on the Lines of Defense concept, designed to optimize the flow of communication for decision-making and reinforce alignment between strategy, performance, and risk management. The general risk management guidelines that guide Vale's business are established by the Board of Directors, which includes the Audit and Risk Committee. Among other responsibilities, the Committee is responsible for overseeing the adequacy and effectiveness of Vale's risk management processes. The Board of Directors and the Audit and Risks Committee exercise their responsibilities under the Bylaws, their Internal Regulations, and applicable legislation, and, for the purposes of this Policy, through periodic monitoring cycles. The Executive Committee is responsible for implementing these guidelines and other responsibilities set forth in this Policy. It is determined that the Executive Committee maintain Executive Risk Committee(s) of an advisory nature with the purpose of advising it, in accordance with its scope of action, in the management and monitoring of Risks, as well as in pertinent deliberations. 6. Disclosure and Dissemination This Policy will be filed and published by the Executive Vice-Presidency of Finance and Investor Relations in Vale's official repositories for internal and external audiences, as applicable, and the Integrated Risk Management (“ERM”) area will be responsible for promoting the necessary actions to ensure its dissemination. 7. Policy Review Deadline This Policy must be reviewed at least every 5 (five) years or whenever necessary, in order to keep its content up to date. - 4 of 6 - Corporate Policy DCA 033/2025 Rev.: 08 - 11/27/2025 POL-0009-G PUBLIC 8. Responsibilities Board of Directors: • Deliberate on the general guidelines for the Company's Risk management, as well as periodically evaluate the indicators of the Company's exposure to Risks and the effectiveness of the Risk management systems, internal controls and the Company's integrity and compliance system. • Approve this Policy and its amendments, as proposed by the Executive Committee. • Approve Vale’s Risk Appetite levels and their respective Risk Appetite Statements, as proposed by the Executive Committee, as well as any revisions. • Deliberate annually on the Multi-Year Risk Management Investment Plan, as proposed by the Executive Committee. • Approve the review of the Integrated Risk Map and Priority Risk Themes, as proposed by the Executive Committee. • Approve the Risk Response Strategy, as proposed by the Executive Committee. • Delegate to the Executive Committee the approval of the developments of this Policy in rules and responsibilities directed at Risk Management and Control, with the objective of contributing to avoiding the occurrence of MUE (Material Unwanted Events) 2 and/or materialization of Business Risks. Audit and Risks Committee: • Advise the Board of Directors in carrying out its duties regarding Vale's Risk management, in accordance with this Policy and other applicable documents. • Oversee the adequacy of processes related to Risk management, advising the Board of Directors on Risk Appetite guidelines, including, but not limited to, the Map, Priority Risk Themes, Emerging Risks and mitigation actions arising from the Risk Response Strategy. • Assess and monitor the Company's risk exposures. • Assess the adequate integration of aspects related to Vale's Risk management within the scope of the Internal Audit Plan. • Recommend the approval of this Policy and its amendments, according to competences, upon proposal of the Executive Committee. Vale Executive Committee: • Evaluate and propose this Policy and its amendments to the Board of Directors. • Execute the guidelines contained in this Policy and establish administrative policies and standards that unfold the concepts discussed herein, aiming to achieve its objectives. • Manage the Company's Risks, including monitoring Emerging Risks. • Promote a culture of risk management within the organization and strengthen the 1st and 2nd Lines of Defense. • Define which areas of the organization will act as the 2nd Line of Specialist Defense. • Provide human, financial, and other necessary resources, through decisions within its authority, to appropriately support the 1st and 2nd Lines of Defense to act in the prevention and mitigation of risks, in alignment with the Risk response strategy established by the Company. • Propose the evaluation and validation, by Vale's Board of Directors, of the Multi-Year Investment Plan for Risk Management, considering the consolidated need for current investment, with a minimum annual frequency. • Create, change or dissolve Executive Risk Committees for support, whenever deemed necessary, and approve the respective Internal Regulations. • Propose Vale's Risk Appetite to the Board of Directors and recommend its review whenever there is a relevant change in the scenario. • Propose the review of the Integrated Risk Map and Priority Risk Topics to the Board of Directors, as necessary. • Approve the review of the Rules and Matrix listed below, as necessary, and present it for information purposes to Vale's Board of Directors, subject to audit by the 3rd Line of Defense: 2 Term derived from the HIRA methodology – Hazard Identification and Risk Analysis – used by operational areas to identify operational risks. - 5 of 6 - Corporate Policy DCA 033/2025 Rev.: 08 - 11/27/2025 POL-0009-G PUBLIC ‒ Probability Ruler; ‒ Severity Ruler, ‒ Risk Matrix. Risk Committees according to area of activity: • Support Vale's Executive Committee in monitoring Risks in the categories of the Integrated Risk Map, as well as issuing preventive recommendations regarding potential Risks discussed in the meetings of these Committees. • Recommend revisions to Risk management principles and instruments, aiming at continuous improvement of the process. • Evaluate and suggest, when necessary, changes to the Risk management strategy for subsequent approval by Vale's Executive Committee. • Perform other duties related to Risk management as provided for in its Internal Regulations. 1st Line of Defense: • Directly manage Risks, identifying, assessing, treating, preventing and monitoring them in an integrated manner. • Manage the prevention and mitigation controls assigned to it, ensuring the accuracy and timeliness of information, process security in compliance with external regulations, policies and internal standards, monitoring indicators, when applicable, as well as seeking correction of controls, in case of detection of any deficiencies. 2nd Line of Defense - Enterprise Risk Management, “ERM”: • Develop and assist in the implementation of management policies, methodologies and tools, as well as promote integrated communication and disseminate the Company's risk management culture. • Prepare and propose this Policy and its amendments to the Executive Committee, as well as disseminate its content. 2nd Line of Defense - Specialists: • Define methodologies, minimum technical, technological and management standards, as well as risk and asset reliability indicators to be mandatorily adopted by the 1st Line of Defense. • Monitor adherence to defined guidelines. 3rd Line of Defense: • Carry out assessments and inspections, through the execution of control tests and investigation of complaints, providing impartial assurance, including on the effectiveness of risk management and prevention, internal controls and compliance, observing their respective areas of activity. • Develop and execute the necessary checks to ensure the effectiveness of this Policy and the controls involved in the Risk management process. • Incorporate the Risk Matrix into the preparation of the Internal Audit Plan. • Submit considerations on Priority or Emerging Risk Topics to the Executive Committee and the Audit and Risks Committee, taking into account the results of the Internal Audit work. • Evaluate the effectiveness of dissemination actions related to this Policy. Executive Vice-Presidency of Finance and Investor Relations: • Monitor the implementation of dissemination actions related to this Policy. • Present to the Audit and Risk Committee the results of the Risk Management monitoring carried out by the Company. Executive Vice-Presidency Legal Affairs: • Evaluate this Policy and any proposed changes, providing guidance to all involved bodies on applicable legal aspects. Corporate Governance Office: • Evaluate this Policy and any need for adjustments prior to its submission to the governance bodies. • Monitor deadlines and the possible need to review this Policy, prioritizing the timeliness of processes and procedures between the Executive Committee, the Advisory Committees and the Board of Directors. - 6 of 6 - Corporate Policy DCA 033/2025 Rev.: 08 - 11/27/2025 POL-0009-G PUBLIC 9. Consequence Management Vale's Whistleblower Channel can be used by anyone, inside or outside the company, who wants to report a suspected violation of our Code of Conduct and the guidelines of this Policy. Failure to comply with this Policy will be subject to the terms of the Misconduct Management Policy, “POL-0041-G”. 10. Final Provisions In the event of any conflict between this Policy and Vale's Bylaws, the latter will prevail, and this Policy must be amended to the extent necessary to resolve the conflict. This Policy shall come into effect on the date of its approval by the Board of Directors. 11. Approvals Areas Description: Enterprise Risk Management, “ERM” Elaboration Executive Vice-Presidency Legal Affairs Executive Vice-Presidency of Finance and Investor Relations Audit and Compliance Department Corporate Governance Office Review/Recommendation Executive Committee – (DDE – 085/2025) Approval/submission to the Board of Directors. Audit and Risks Committee Review/Recommendation Nomination and Governance Committee Review/Recommendation Board of Directors (DCA – 033/2025) Approval

Signatures

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned, thereunto duly authorized.