Process of identification, analysis, treatment, monitoring and contingency plan for risks and impacts associated with Klabin’s businesses
Risks are assessed according to impact and vulnerability criteria, following the classification devised by the Risk and Internal Controls area, after which they are managed according to their criticality. With regard to methodology, the approaches to risks may be: reduce, transfer, accept or exploit. According to the Risk Management Policy, risks are classified into five categories: strategic, financial, operational, regulatory and socio-environmental.
Without compromising the operational work existing in the business units (plants and forests) which, in the performance of their duties, pay attention to the main events that may cause adversity to the business, in 2020, on the recommendation of the Executive Board and approval by the Board of Directors, a list of 11 macro risks was defined as priorities for continuous monitoring and development of the Key Risk Indicators (KRIs) as a way to anticipate the events that may trigger a possible materialization of the risk.
Klabin’s risk mapping methodology is performed according to the following guidelines: prevent loss, anticipate events and avoid surprises.
Risk identification follows a specific procedure and is carried out by the Risk and Internal Controls Management, in conjunction with the Boards, business managers and corporate areas. Initially, questionnaires and/or interviews are also conducted with employees who have extensive knowledge of their respective areas to help define the main aspects to be monitored, in addition to the assessment of internal documentation and third-party assessments. Subsequently, the main risk factors are assessed according to their impact and vulnerability (here considering the structure of controls and indicators).
The identified risks are assessed regarding their criticality, which depends on the degree of impact and vulnerability defined in the internal Risk Management procedure. After determining these aspects, the risk is incorporated into a “heatmap” to determine its criticality and the priority with which it should be addressed. The degree of criticality may be low, medium, high or critical. At this stage, the mapping is presented to the Risks Committee for ratification and establishment of the priority risks to be addressed.
Aspects associated with integrated risk management:
– Identification: identify risks and understand their characteristics.
– Analysis: assess the criticality of risks, based on the respective degree of impact and vulnerability.
– Treatment: decide how to deal with each risk in order to structure action plans.
– Monitoring Governance: monitoring and reviewing risks and action plans. Defining indicators.
– Contingency plan: Contingency and Crisis Management Plans.
In order to ensure timely monitoring, a computerized system was deployed in 2020 and integrated with the methodology used to classify risks.
Main risks, control and mitigation measures
Main risks monitored (medium and long term: 3 to 5 years):
– Execution of the business strategy;
– Maintenance of operational activity;
– Asset insurance coverage;
– Court rulings;
– Input prices;
– Compliance with environmental legislation; and
– New technologies.
Control and mitigation actions and procedures:
– Approval of the Budget Plan by the Board, to be monitored, when appropriate;
– Procedures for continuous and preventive maintenance of assets, including general plant shutdowns and constant employee development;
– Active insurance policies for assets and lost profits (partial);
– Formal contingency update procedure supported by legal advisors;
– Supplier development, without concentration, through formal quotation processes and approval levels;
– Planning & Development area to monitor the strategies and the markets in which the Company operates;
– Internal Audit to review and monitor Company processes, in a joint effort with Integrity;
– Audit Committee established, elected at the General Meeting to defend shareholders’ rights; and
– Risk Commission and the newly created Audit and Related Parties Committee.
Operational risks in the production process:
– Use in the production of chemicals;
– Storage and disposal of chemical waste;
– Explosions, fires, wear over time and exposure to weather and natural disasters; and
– Potential mechanical failures, time required for maintenance or unscheduled repairs, interruptions in transportation, remediations, leakage of chemicals and other environmental risks.
Control and mitigation actions and procedures:
– Monitoring critical activities such as health, safety and environmental protocols, monitoring the energy grid and respective voltage loads, effluent treatment;
– Defining action plans and controls when applicable, in addition to periodic monitoring by the Internal Risk and Control Management and Internal Audit;
– Procedures for continuous and preventive maintenance of assets, including annual plant shutdowns and constant employee development;
– Active insurance policies for assets and lost profits (partial); and
– Planning & Development area to monitor the strategies and the markets in which Klabin operates.
In addition, the risk mapping identified two risks related to human rights issues (decent work in the supply chain and discrimination). These risks have due monitoring and mitigation actions, which are managed by the directly related areas.
The protection model adopted by Klabin takes into account the potential offenders behind cyber attacks:
– Insiders (employees, service providers etc.), whether by accidental or deliberate misuse (for example, when threatened by terrorists or criminals);
– Terrorists who are interested in obtaining and using sensitive information to carry out a conventional attack;
– Unfair business competitors and intelligence services, interested in obtaining economic advantages for their companies or countries;
– Cyber criminals interested in making money by fraud or by selling valuable information;
– Virus hackers who set out to interfere in companies’ systems, just as a personal or collective challenge;
– Cyberwar: qualified hackers with a great deal of resources at their disposal due to state support;
– Hacktivists who fight for a cause (such as political or ideological reasons); and
– Organized crime seeking ransomware.
As a mitigation measure, Klabin’s Information Security uses standards such as ISO 27001 and IEC 62443 and operates on the following fronts:
Perimeter security: technology to reinforce edge security solutions (the first line of protection against the external world) and infrastructure segregation.
Network security: solutions for network monitoring and management including protection against threats, secure and controlled access, content filtering and segregation of the environment.
Endpoint security: protection of servers, workstations, smartphones and tablets against advanced threats.
Application security: protection of critical applications.
Data security: technology to protect critical information throughout its life cycle, wherever it is located.
Monitoring and response: process responsible for monitoring technologies and information security process through incident management, performance indicators and forensic analysis.
Prevention and management: based on risk management, governance, architecture, training, awareness and compliance.
Patch management, advanced threats and incident prevention and response through cybersecurity and hardening.
Access security: responsible for the user access life cycle, service and administrative accounts and password safe.
Based on the 2021 Top Global Risks Report produced by the World Economic Forum, Klabin’s risk analysis identifies the following long-term risks:
Risk of biodiversity loss
Defined as “Irreversible consequences for the environment, humankind, and economic activity and a permanent destruction of natural capital, as a result of species extinction and/or reduction.”
The loss of biodiversity threatens the capacity of ecosystems to provide resources and services (e.g. dispersal of pollen and seeds, natural plague control, water and climate regulation, soil and nutrient conservation etc.) that are essential for sustaining the high yields of Klabin’s plantations.
– The responsible forestry management through the maintenance of ecological corridors.
– The Continuous Monitoring Program for Fauna and Flora.
– The biodiversity study center in the Ecological Park, which, going beyond veterinary clinical care of rescued species, aims to reestablish the quality levels of forests through the restoration of wildlife.
– The biodiversity targets included in Klabin 2030 Agenda. (link https://esg.klabin.com.br/en/biodiversidade/)
Risk of natural resource crises
Defined as an “Existential Threat, it involves chemical, food, mineral, water, or other natural resource crises at a global scale because of human overexploitation and/or mismanagement of critical natural resources.”
Mainly increased land use disputes and shortages of water availability, leading to higher production costs and the erosion of social and corporate cohesion. These could lead to significant changes in Klabin’s business competitiveness, and to tensions and disputes between the company, communities and local authorities.
– The 2030 target of 100% of Klabin’s own management with hydrosolidarity management, which is a strategy based on the balance between forest production and water production. As such, it is possible to integrate the different needs of the input, including the needs of neighboring communities and ecological processes.
– The increase of the forest partners network through the Plant with Klabin Program which covers large and small producers to increase the diversification of wood sources.
– The plant and harvest technology to use less soil, and to operate over uneven surfaces, without decreasing conservation areas and ecological corridors.
– The 2030 targets for Local Development and Communities to support initiatives to strengthen public management and reinforce a sustainable cities agenda aligned with the SDGs. (Link https://esg.klabin.com.br/en/desenvolvimento-local-e-impacto-nas-comunidades/)