Risk management

Responsible activities and operations, with individuals at all levels committed and able to act responsively and collaboratively in decision-making processes. 

Risk and impact governance at Klabin operates in an integrated manner in two broad areas: Risk Management and Crisis Management.

Risk Management Diagram

Risk Management

Klabin divides its risks into five categories: strategic, financial, operational, regulatory, and social and environmental. These risks are managed in accordance with a specific Risk Management Policy. In order to prevent losses, anticipate events and avoid surprises, preventive action is taken through the stages of identification, classification, evaluation, treatment, and continuous monitoring:

  • Identification: In a process coordinated by the Risk Area in conjunction with the directors of operational areas and/or equivalent leaders, identification includes meetings with employees who have extensive knowledge of their respective areas of activity. The goals are to define the aspects to be monitored, evaluate internal documentation, assess third parties and appraise present conditions.
  • Classification: Once the characteristics of a risk have been understood, its origin is determined, which may be internal or external.
  • Evaluation: The identified risks are assessed in terms of their potential impact and vulnerability. The degree of criticality determined from this assessment – which can be low, medium, high or critical – defines the risk's position on Klabin's risk map and consequently its priority level and possible measures.
  • Treatment: There are two methodological approaches to risk management at Klabin: avoid or accept. If a risk is accepted, it can be maintained, reduced or exploited. To this end, risk matrices and action plans are developed.
  • Monitoring: In conjunction with areas and risk owners, action plans are monitored and, when necessary, new risks are included in accordance with the Company's maturity and in response to external factors. The map of prioritized risks is presented and monitored every two months by Klabin's internal governance bodies.

Examples of risks, control measures and mitigation

Identified risk Description of risk Mitigation measures
Rupture and/or explosions of pressure vessel equipment Some equipment that is essential to the Company's production processes (such as recovery boilers, steam boilers and chemical tanks) contains fluids and is designed to operate at internal pressures that differ from atmospheric pressure.
As a result, ruptures and/or explosions could:
  • cause production stoppages for an indefinite period or even permanently;
  • result in injuries or fatalities;
  • cause environmental impacts.
  • The Risk Area, together with the directors and managers of operational areas, develops and monitors action plans (when applicable).
  • Evaluations of controls in the Company's operations through tests performed by the Internal Audit Area, providing impartial and independent assurance.
  • Continuous and preventive maintenance procedures for assets, including scheduled plant shutdowns and ongoing employee development.
  • Periodic equipment inspections performed by specialized companies in the market.
  • Periodic testing of safety devices related to pressure vessels.
  • Active insurance policies for assets and loss of earnings (partial).
Fires in manufacturing and forestry units

The Company is subject to fires, considering the business in which it operates, the inputs and equipment used in its production processes, and the final products sold.


The occurrence of fires at sites, especially in pulp and paper mills, could:

  • halt production for an indefinite period or even permanently;
  • result in injuries or fatalities;
  • cause environmental impacts.
  • The Risk Area, together with the directors and managers of operational areas, develops and monitors action plans (when applicable).
  • Evaluations of controls in the Company's operations through tests performed by the Internal Audit Area, providing impartial and independent assurance.
  • Implementation of fire prevention, fighting and control systems in manufacturing plants and forests.
  • Periodic testing of safety and firefighting equipment.
  • Ongoing training of employees in emergency procedures.
  • Active insurance policies for assets and loss of earnings (partial).
Cybersecurity

Failures in the Company's information technology systems and/or externally contracted data processing systems could adversely affect the Company's operations, resulting in:

  • partial and/or temporary stoppages of its activities;
  • loss of clients;
  • noncompliance with applicable laws and regulations;
  • breaches of obligations to third parties;
  • compromised security of internal and third-party data, due to the loss, capture or disclosure of confidential or sensitive information, including strategic information;
  • an increase in litigation.

Klabin complies with standards such as ISO 27001 and IEC 62443, operating in the following areas:

  • Perimeter security: technology to reinforce edge security solutions (first line of defense against external threats) and infrastructure segregation;
  • Network security: solutions for network monitoring and management, including threat protection, secure and controlled access, content filtering, and environment segregation;
  • Endpoint security: protection of servers, workstations, smartphones and tablets against advanced threats;
  • Applicable security: protection of applications critical to the Company's processes;
  • Data security: technology for protecting critical information throughout its entire life cycle, as well as the location where it is stored, including the creation of backup copies and the implementation of recovery procedures;
  • Monitoring and response: monitoring of information security technologies and processes through incident management, performance indicators and forensic analysis;
  • Prevention and management based on risk management, governance and architecture, encompassing training, awareness and compliance processes;
  • Management of vulnerabilities, advanced threats, and incident prevention and response, involving cybersecurity, hardening and cyber incident simulation;
  • Identity management: definition of procedures and responsibilities involving the user access life cycle, password vault, and service and administrative accounts.

Examples of emerging risks

Klabin's risk management also covers long-term risks that are intrinsically linked to the longevity and survival of the business, such as:

Emerging risk 1: Biodiversity loss
Definition Resulting from the extinction and/or reduction of fauna and flora species, the collapse of ecosystems implies irreversible consequences for the environment, humanity and economic activity, leading to permanent destruction of natural capital.
Impact for the business Biodiversity loss threatens the ability of ecosystems to provide resources and services (such as pollen and seed dispersal, natural pest control, water and climate regulation, and soil and nutrient conservation) that are essential to sustaining the high yields of Klabin's forestry plantations.
Additional investments in techniques and R&D to replace or artificially compensate for lost ecosystem services will increase the cost of operations, with no guarantee of achieving effective results.
Mitigation measures
  • Maintenance of the Continuous Fauna and Flora Monitoring Program, dedicated to understanding the behavior of different species and adopting prevention and mitigation measures, such as initiatives to reduce road accidents, restoration actions and scientific research;
  • Expansion of monitoring work with the support of technology, including the implementation of geolocation tools and radio signals, camera traps and DNA-based species tracking;
  • The activities of Klabin Ecological Park's biodiversity study center, to monitor and restore forest quality levels through wildlife restoration. The center is also studying ways to incorporate IoT sensors to expand related data and make more efficient decisions regarding species conservation.
 
Emerging risk 2: Natural resource crisis
Definition The natural resource crisis has been described by the World Economic Forum as an existential threat. It encompasses crises involving chemicals, food, minerals, water and other natural resources on a global scale, caused by human overexploitation and/or the mismanagement of critical natural resources.
Impact for the business As a pulp and paper company with water- and land-intensive operations, Klabin depends on the quality of natural resources to deliver products to the market. Competition for these resources could generate tensions between the Company, the community and local authorities. Additionally, increased demand for land for other purposes due to expectations of significant population growth could raise production costs and alter the competitiveness of the business.
Mitigation measures

All of Klabin's operations incorporate environmental management aspects such as water, energy, climate change and biodiversity into their strategy, using a systemic approach. Risks and impacts related to natural resources are also addressed in Klabin's 2030 Agenda, which sets goals aimed at reducing adverse outcomes:

  • Expand the network of forestry partners through the "Plante com a Klabin" ("Plant with Klabin") program, which covers large and small producers, to increase the diversification of wood sources;
  • Improve planting and harvesting technology to use less soil and operate on uneven surfaces without reducing conservation areas and ecological corridors;
  • Have 100% of forestry operations in-house, based on socially responsible water management – a strategy based on balancing wood and water production. This makes it possible to integrate different input needs, including the needs of neighboring communities and ecological processes.

Crisis management

Crisis management means the organizational capacity to anticipate, deal with and recover from significant adverse situations, minimizing negative impacts and restoring normality as quickly as possible.

Among the crisis management tools adopted by Klabin, the Business Continuity Plan is a comprehensive process that:

  • identifies potential threats and impacts to the organization's processes;
  • promotes organizational preparedness capable of maintaining or quickly resuming critical business functions after a crisis or disaster;
  • provides effective responses to safeguard the interests of stakeholders, as well as the Company's reputation, brand and value-creating activities.

Since 2023, the Company has been self-assessing its action plans involving crisis management through a computerized system, which allows for process improvements and greater integration with the risk management methodology.

The topic of human rights encompasses environmental, social and governance issues, such as labor practices, health and safety, diversity and non-discrimination, community relations, the environment and data protection. Given the interdisciplinary nature of this topic, human rights management at Klabin is carried out as a cross-cutting initiative, supported by a comprehensive set of regulatory documents:

  • Code of Conduct;
  • Suppliers' Code of Conduct;
  • Anti-Corruption Manual;
  • Sustainability Policy;
  • Diversity and Employability Policy;
  • Fundamental Rights in Labor Relations Policy;
  • Social and Environmental Responsibility Policy for Hiring Suppliers;
  • Life Protection Policy;
  • Cybersecurity Policy.

All these commitments are underpinned by internationally recognized frameworks, such as the Guiding Principles on Business and Human Rights; the International Bill of Human Rights (which includes the Universal Declaration of Human Rights and the UN Covenants on Civil and Political Rights, and Economic, Social and Cultural Rights); the conventions of the International Labor Organization; and conventions on biodiversity, the environment and climate. The guidelines of the United Nations Global Compact and the UN Sustainable Development Goals are also considered guiding principles.

In 2024, there were no reports of any cases of human rights violations involving the Company.

 

GRI 411-1 SASB RR-FM-210a.1 SASB RR-FM-210a.2

Traditional Communities

Total forest area in indigenous lands (in acres)

2024 2023 2022 2021 2020
0 0 0 0 0

Number of traditional communities identified (within a 10-km buffer zone around Klabin's forest management areas)

2024 2023 2022 2021
177* 172 172 161

Klabin maps, identifies and characterizes all traditional communities (settlements composed of descendants of runaway slaves, known as “quilombos,” villages in central Paraná that use land communally, known as “faxinal” communities, and indigenous peoples) within its areas of influence. This work has gone through different stages in recent years:

  • 2019: 81 traditional communities were identified and characterized within the 10-km buffer zone around Klabin's forest management areas in Paraná;
  • 2020: Due to the expansion of Klabin's forestlands, in 2020 a new study was carried out to identify traditional communities within the 10-km buffer zone around the Company's forest management areas, this time covering the states of Paraná, Santa Catarina, Rio Grande do Sul and São Paulo. As a result, 80 new communities were identified for subsequent characterization;
  • 2022: After a two-year pause due to the COVID-19 pandemic, work began to characterize the previously identified 80 new communities;
  • 2023: Given the continued expansion of forestlands, 16 new communities were identified.
  • 2024: Work to characterize the communities identified to date was completed, resulting in:
    • 19 indigenous lands;
    • 55 quilombos;
    • 103 faxinal communities (15 of which are still actively engaged in traditional communal land management practices*).

In its relationships with all identified and characterized communities, the Company complies with Brazilian law and follows the recommendations of International Labor Organization Convention 169, guaranteeing the right to free, prior and informed consent. In 2024, there were no cases of violations of the rights of indigenous peoples and/or traditional communities.

*These studies, conducted using official databases and primary data, enabled an in-depth analysis of the presence of faxinal communities in the region where Klabin operates in Paraná. Of the 103 identified communities, 15 remain engaged in traditional communal land management practices, while the others have lost their traditional characteristics over the years, due to various external factors. Thus, within our region of operation, we found 89 traditional communities located within a 10 km radius of the Company's forest management areas.

GRI 412-1 SASB RR-FM-210a.2

Relationships with stakeholders regarding human rights, indigenous rights and the local community

Klabin's Social Responsibility and Community Relations Area operates in a cooperative manner, supporting all the Company's units with the aims of preserving and improving the organization's relations with its stakeholders and affected parties, eliminating or mitigating impacts caused by its operations, and taking measures to contribute to local development in the municipalities where it operates. Its main areas of work in this field are as follows:

  • Measures to prevent potential social impacts linked to Klabin's forestry and manufacturing operations;
  • Identification of opportunities for engagement with local communities and regional development;
  • Promotion and expansion of dialogue between Klabin and the public authorities, local/traditional communities and other stakeholders.

Human rights due diligence at Klabin

Klabin carries out human rights due diligence in a structured and continuous manner, based on the UN Guiding Principles on Business and Human Rights. The process covers 100% of the Company's operations and is integrated into its governance and risk management practices, covering the entire value chain, impacted communities and new business relationships (acquisitions and joint ventures).

In 2021, Klabin began the first stage of human rights due diligence, conducted by an independent consulting firm. Since then, the process has been continuously improved and implemented, structured in six main stages:

 

1. Public commitment

Although Klabin does not yet have an exclusive human rights policy, the topic is addressed in various corporate guidelines, such as the following:

  • Code of Conduct;
  • Suppliers' Code of Conduct;
  • Anti-Corruption Manual;
  • Sustainability Policy;
  • Diversity and Employability Policy;
  • Fundamental Rights in Labor Relations Policy;
  • Social and Environmental Responsibility Policy for Hiring Suppliers;
  • Life Protection Policy;
  • Cybersecurity Policy.

All these commitments are underpinned by internationally recognized frameworks, such as the Guiding Principles on Business and Human Rights; the International Bill of Human Rights (which includes the Universal Declaration of Human Rights and the UN Covenants on Civil and Political Rights, and Economic, Social and Cultural Rights); the conventions of the International Labor Organization; and conventions on biodiversity, the environment and climate. The guidelines of the United Nations Global Compact and the UN Sustainable Development Goals are also considered guiding principles.

2. Risk and impact assessment

  • Mapping of human rights risks

A human rights risk mapping exercise was conducted to identify the main risks inherent to Klabin's business that could impact human rights, considering its activities and operations, as well as its commercial relationships. The risks were identified by mapping rights holders who could be affected.

The diagnosis considered the risks previously defined for each of the supply chains involved: wood, wood chips, logistics, and other goods and services. Local communities were considered to be all those potentially impacted by Klabin's value chain operations, including forest producers, industrial companies, logistics providers and the Company's forest suppliers.

Rights holders Included subgroups Inherent risks
Employees and contractors Women, black people, people with disabilities and LGBTQI+ people, among others
  • Health and safety
  • Freedom of association and collective bargaining
  • Discrimination and harassment
  • Working hours
  • Decent pay
  • Privacy
Supply chain workers

Women, black people, people with disabilities and LGBTQI+ people, among others

Minors

  • Health and safety
  • Freedom of association and collective bargaining
  • Discrimination and harassment
  • Working hours
  • Decent pay
  • Child labor
  • Forced labor
Local communities Women, black people, people with disabilities and LGBTQI+ people, among others
Minors
Indigenous and traditional communities
  • Community safety
  • Access to land and livelihoods*
  • Impacts on indigenous peoples and traditional communities
  • Environmental impacts
  • Conflicts involving security forces**
  • Child sexual exploitation
  • Impact on access to public infrastructure
Clients -
  • Product safety
  • Privacy

*Including sharecroppers, caretakers and occupants.
**Including environmental and human rights activists.

 

  • Assessment of management capacity

This stage was intensified in 2024 with a comparative assessment of Klabin's practices and international requirements. As a result, a continuous process was structured to periodically update the identified risks while strengthening governance.

This assessment was integrated into the Company's risk management system (ERM), expanding the impact table to include human rights issues, in addition to health and safety. The classification of risks followed a framework based on the severity criteria of the UNGPs, considering:

  • scale: severity of the impact;
  • degree of reparability: ease of returning to the situation prior to the impact;
  • scope: number of individuals potentially affected.

The inherent risks were then cross-referenced with the Company's management capacity, resulting in recommendations and short-, medium- and long-term action plans based on the gaps identified and the prioritization of actions.

  Short term Medium term
Management system Public commitment -
Risk and impact assessment -
Risk and impact assessment -
Adoption of prevention and mitigation measures -
Monitoring of effectiveness -
Reporting -
Complaint and whistleblowing mechanisms -
Specific topics Health and safety* Supply chain workers
Freedom of association* Access to land and livelihoods
Discrimination and harassment* Decent pay*
Working hours* Conflicts involving security forces
Community safety  
Indigenous peoples and traditional communities  
Impacts on public infrastructure -
Child sexual exploitation -

*Topics that involve employees and contractors.

3. Adoption of prevention and mitigation measures – integration into internal processes

Based on the mapped risks and management capacity analysis, measures were recommended to prevent and mitigate potential human rights violations, integrating these actions into the company's internal processes.

4. Monitoring of effectiveness

The next phase consisted of defining and implementing key performance indicators (KPIs) aimed at monitoring the effectiveness of actions taken to prevent and mitigate human rights risks. These KPIs were integrated into the Klabin Sustainable Development Goals, ensuring better alignment of strategic commitments and operational results.

5. Reporting

Klabin reports on human rights issues in its Sustainability Report and ESG Dashboard.

6. Complaint and whistleblowing mechanisms

The Company provides accessible and secure channels for reporting allegations and complaints, aimed at internal and external audiences and impacted communities. More information is available in the Ethical Conduct and Integrity section of the ESG Dashboard.

 

Mitigation and prevention actions

Topic 1: Health and safety

100% of operations covered

KPIs: lost-time injury frequency rate (employees and contractors); number of life-changing injuries; accident severity rate among employees and contractors; units' level in the Hearts and Minds methodology.

Are the actions taken considered sufficient? Yes

Klabin has an Occupational Health and Safety Management System that covers all its operations, employees and contractors. In addition, six industrial units are ISO 45001 certified, while the forestry business units' own plantations have FSC® management certification, attesting to the health and safety conditions of employees involved in these activities. The compliance of procedures with the requirements of the Occupational Health and Safety Management System, ISO 45001 and FSC is periodically assessed through audits.

There are also procedures in place to:

  • continuously identify hazards, assess risks and determine necessary controls;
  • offer occupational health and safety training in line with function and legal requirements;
  • record, investigate and analyze accidents and incidents;
  • identify the potential for emergencies and response procedures.

Topic 2: Freedom of association and collective bargaining

100% of operations covered

KPIs: percentage of employees covered by collective bargaining agreements

Are the actions taken considered sufficient? Yes

All employees are covered by collective agreements. In addition, the Code of Conduct includes freedom of association for all employees.

Topic 3: Freedom of association and collective bargaining

100% of operations covered

KPIs: women's share of leadership positions; percentage of employees belonging to marginalized groups who positively assess the conditions of respect and equality in the workplace

Are the actions taken considered sufficient? Yes

Since 2019, campaigns, training sessions, workshops, talks and roundtable discussions have been held on topics such as racism, gender equity, unconscious bias, inclusive language and harassment. Most activities are aimed at all employees and contractors, enabling the topic to be addressed at various hierarchical levels.

The Company also provides training for support groups and People & Management teams (which are directly involved in these cases), aided by the Integrity Area and a professor and consultant in anthropology.

At the same time, there are procedures in place to address reports of harassment and discrimination via the Ombudsman Channel.

Topic 4: Supply chain

100% of operations covered

KPIs: percentage of critical suppliers covered by the Sustainable Supply Chain Management Program

Are the actions taken considered sufficient? Yes

The Code of Conduct and Social and Environmental Responsibility Guidelines for Hiring Suppliers establish minimum human rights standards for suppliers. For contracts, Klabin also has a Minimum Safety, Environmental and Occupational Health Requirements Manual for Contractors.

Topic 5: Slave-like labor and/or child labor

100% of operations covered

KPIs: number of suppliers identified as causing actual and potential negative social impacts

Are the actions taken considered sufficient? Yes

As a signatory to the National Pact for the Eradication of Slave Labor, Klabin is committed to cross-checking its database of active and inactive suppliers multiple times a year against the names listed in the Brazilian government's register of employers that have subjected workers to slave-like conditions (popularly known as the “Slave Labor Dirty List"). If any suppliers are identified, the Company takes the following actions:

  • Identification of the supplier and service provided (date and location, among other details);
  • Formal notification to the party requesting clarification and a statement on the corrective measures implemented (and suggestions for improvement, if necessary).

At this stage, an assessment is made as to whether the supplier will be monitored or whether the relationship will be terminated. In 2024, no cases were recorded of suppliers in Klabin's chain being included on this list.

Topic 6: Communities

100% of operations covered

KPIs: number of cases of human rights violations involving the Company

Are the actions taken considered sufficient? Yes

Klabin has a community conflict management procedure that establishes an internal committee to address complaints deemed substantiated. In addition, the Company maintains the "Fale com a Klabin” channel, dedicated to responding to community requests, complaints and grievances.

Topic 7: Traditional communities (quilombos, indigenous peoples, “faxinal” rural communities, etc.)

100% of operations covered

KPIs: number of cases of violations of the rights of indigenous peoples and traditional communities

Are the actions taken considered sufficient? Yes

Klabin maps all traditional communities in its areas of influence, according to the procedures described in the section on this form titled “Number of traditional communities identified (within a 10-km buffer zone around Klabin's forest management areas).”

Topic 8: Stakeholder engagement

100% of operations covered

KPIs: Klabin's acceptance rating in local communities

Are the actions taken considered sufficient? Yes

Klabin's social responsibility and community relations activities are described in greater detail in the section on this form titled “Relationships with stakeholders regarding human rights, indigenous rights and the local community.

Topic 9: Environment

100% of operations covered

KPIs: number of fines and non-monetary penalties related to environmental issues

Are the actions taken considered sufficient? Yes

All Klabin's operational units operate in accordance with an environmental management system that includes the following:

  • Means for recording environmental anomalies within each unit;
  • Records of occurrences and complaints from stakeholders, together with appropriate analysis of each occurrence and monitoring of applicable legal requirements;
  • Identification of environmental aspects and impacts of all operations;
  • Mitigation actions, such as socially responsible water management and mosaic forest management;
  • Environmental monitoring programs in surrounding regions.

Topic 10: Data protection

100% of operations covered

KPIs: percentage of employees and contractors included in digital language

Are the actions taken considered sufficient? Yes

Klabin has a governance structure focused on data protection, featuring constant systematic monitoring and cybersecurity policies and procedures based on ISO standards, the Brazilian General Data Protection Law (LGPD) and Brazil's Digital Bill of Rights. This information is made available to all employees through a Cybersecurity Handbook and training on the subject.

Suppliers that have access to Klabin’s data and that of its employees are informed of their responsibilities through their contract and they also fill out an LGPD compliance form.

Klabin's Risk Area was created in 2018 with the support of senior management (Board of Directors and Executive Board). The area seeks to apply best practices to support operational, corporate and/or equivalent areas in:

  • analyzing their processes, with a focus on risk mapping and assessment;
  • implementing controls and/or actions;
  • implementing operational and business continuity plans.

In November 2020, the Audit and Related Parties Committee was created in order to advise the Board of Directors. Its functions include assessing the Company's risk exposure control mechanisms. The Risk Area holds at least two fixed annual meetings with this committee to update management concepts and methodology in accordance with the “Tone at the Top" model, as well as to discuss the main risks and action plans.

In 2021, IB Solutions risk management software was implemented to automate the follow-up process for risk owners' actions and controls, assist in tracking and recording changes, and facilitate the creation of dashboards.

Klabin believes that a risk management culture within an organization is key to promoting and implementing the importance of this issue at all levels of the Company. In addition to regular presentations on risk-related topics to the Board of Directors, in 2022 the company launched an internal leadership education program that includes updates on risk management (methodology, main risks, etc.) for new directors and board members. The procedures associated with risk management were audited internally in 2023.

 

FRAMEWORK – LINES OF DEFENSE

Framework - Lines of Defense
  • 1st line: composed of operational and equivalent areas, whose teams are responsible for the Company's daily operational activities and assume primary responsibility for identifying, assessing, and managing risks.
  • 2nd line: composed of risk management and related areas (Integrity, Internal Controls, and Information Security), which are responsible for monitoring and supervising first-line activities, as well as providing guidance on appropriate risk management practices.
  • 3rd line: composed of the independent Internal Audit Area, which reviews and evaluates the performance of the first and second lines with the objective of ensuring that risk management processes and internal controls are effective and comply with corporate governance best practices.

Updated and verified on: 25/08/2025