Risk management

Responsible performance and operations, with individuals of all levels committed and able to act in a responsive and participatory manner in decision-making processes.

Risks are assessed according to impact and vulnerability criteria, following the classification devised by the Risk and Internal Controls area. process after which they are managed according to their criticality. With regard to methodology, the approaches to risks may be: reduce, transfer, accept or exploit. According to the Risk Management Policy, risks are classified into five categories: strategic, financial, operational, regulatory and socio-environmental.

In 2020, upon recommendation of the Board of Directors and approval of the Board of Directors, a list of 28 macro risks considered a priority for continuous monitoring and development of Key Risk Indicators (KRIs - key risk indicators, in Portuguese) was defined in an attempt to deal with events that may trigger a possible materialization of the risk. The methodology, as well as the risk priority map, were again approved by the Board of Directors in 2021, as well as appreciated by Klabin's Audit and Related Parties Committee. In 2022, we presented to the governance bodies the movement in the criticality of the prioritized macro risks in relation to the year 2021.

Klabin’s risk mapping methodology is performed according to the following guidelines: prevent loss, anticipate events and avoid surprises.

Risk identification follows a specific procedure and is coordinated by the Risk and Internal Controls Management with the participation of the Boards, business managers and corporate areas. Initially, questionnaires and/or interviews are also conducted with employees who have extensive knowledge of their respective areas to help define the main aspects to be monitored, in addition to the assessment of internal documentation and third-party assessments. Subsequently, the main risk factors are assessed according to their impact and vulnerability based on the structure of controls and indicators.

The identified risks are assessed regarding their criticality, which depends on the degree of impact and vulnerability defined in the internal Risk Management procedure. After determining these aspects, the risk is incorporated into a “heatmap” to determine its criticality and the priority to which it should be addressed. Criticality degree may be low, medium, high and critical. At this stage, the mapping is presented to the Risks Committee for ratification and establishment of the priority risks to be addressed.

The Risk Management area, together with the business areas, updates the risk matrices periodically, which consists of monitoring action plans and/or including new risks.


Aspects associated with integrated risk management:

– Identification: identify risks and understand their characteristics.

– Analysis: assess the criticality of risks, based on the respective degree of impact and vulnerability.

– Treatment: decide how to deal with each risk in order to structure action plans.

– Monitoring Governance: monitoring and reviewing risks and action plans. Defining indicators.

– Contingency plan: Contingency and Crisis Management Plans.
In order to ensure timely monitoring, a computerized system was deployed in 2020 and integrated with the methodology used to classify risks.

In order to have timely monitoring, in 2021 a Self-Assessment of action plans was implemented in the computerized system and integrated with the methodology used for risk classification.


Main risks, control and mitigation measures

   
Main risks monitored (medium and long term: 3 to 5 years) – Execution of the business strategy;
– Maintenance of operational activity;
– Court rulings;
– Compliance with environmental legislation;
– New technologies; and 
– Geopolitical scenarios.
Operational risks in the production process – Use in the production of chemicals;
– Storage and disposal of chemical waste;
– Explosions, fires, wear over time and exposure to weather and natural disasters; and
– Potential mechanical failures, time required for maintenance or unscheduled repairs, interruptions in transportation, remediations, leakage of chemicals and other environmental risks.
Mitigation measures

– Monitoring of critical activities such as: health, safety and environmental protocols, monitoring of the electrical network and respective voltage loads, treatment of effluents;

– Assistance in the design and monitoring of action plans, when applicable, by the Risk Management area.

-  Assessment of controls in the Company's operations through the execution of tests by the Internal Audit, providing impartial and independent assurance.

– Continuous and preventive maintenance procedures for assets, including annual plant shutdowns and constant employee development;

– Monitoring of priority risk indicators on the Board's agenda;

– Active insurance policies for assets and loss of earnings (partial);

– Planning & Development Area for monitoring strategies and the market in which Klabin operates.


Cyber risks:

   
Potential offenders considered in Klabin's protection model
– Insiders (employees, service providers etc.), whether by accidental or deliberate misuse (for example, when threatened by terrorists or criminals);
– Terrorists who are interested​in obtaining and using sensitive information to carry out a conventional attack;
– Unfair business and intelligence services competitors, interested​in obtaining economic advantages for their companies or countries;
– Cyber criminals interested​in making money by fraud or by selling valuable information;
– Virus hackers who set out to interfere in companies’ systems, just as a personal or collective challenge;
– Cybewar: hackers with a great deal of resources at their disposal due to state support and who are qualified;
– Hacktivists who fight for a cause (such as political or ideological reasons); and
– Organized crime seeking ransom (ransomware).

Mitigation measures:
As a mitigation measure, Klabin’s Information Security uses standards such as ISO 270001 and IEC 62.443 and operates on the following fronts:
– Perimeter security: technology to reinforce edge security solutions (external world’s first protection) and infrastructure segregation.
– Network security: solutions for network monitoring and management including protection against threats, secure and controlled access, content filtering and segregation of the environment.
– Endpoint security: protection of servers, workstations, smartphones and tablets against advanced threats.
– Application security: protection of critical applications.
– Data security: technology to protect critical information throughout its life cycle, as well as where they are located.
– Monitoring and response: process responsible for monitoring technologies and the information security process through incident management, performance indicators and forensic analysis.
– Prevention and management: based on risk management, governance, architecture, training, awareness and compliance.
– Patch management, advanced threats and incident prevention and response through cybersecurity and hardening.
– Access security: responsible for the user access life cycle, service and administrative accounts and password safe.


Emerging Risks

Based on the 2023 Top Global Risks Report produced by the World Economic Forum, Klabin’s risk analysis identifies the following long-term risks:

Emerging risk 1: Risk of biodiversity loss
Definition Irreversible consequences for the environment, humankind, and economic activity, and a permanent destruction of natural capital, as a result of species extinction and/or reduction. The biodiversity loss and ecosystem collapse pose risks of irreversible consequences for the environment, humankind, and economic activity. The issue is top-ranked within 2023’s World Economic Forum Report. The productivity and quality of planted forests directly depend on the quality of native forests, its biodiversity, and ecological services. The loss of biodiversity threatens the viability of many ecosystems and therefore the productivity of Klabin’s businesses at its core.
Impact to the business The loss of biodiversity threatens the capacity of ecosystems to provide resources and services (e.g. dispersal of pollen and seeds, natural plague control, water and climate regulation, soil and nutrient conservation etc.) that are essential for sustaining Klabin’s plantations high yields. Additional investments in techniques and R&D towards replacing or artificially compensating lost ecosystem services will increase the cost of operations with no guarantee of achieving satisfactory effectiveness or intended results.
Mitigation measures Klabin has been assessing the impacts of this risk with the Continuous Monitoring Program for Fauna and Flora. In doing so, it is possible to understand the behavior of the species and adopting prevention and mitigation measures such as initiatives for reducing road accidents, rewilding actions and scientific research. Klabin has a biodiversity study center within its Ecological Park, which aims to monitor and re-establish the quality levels of forests through the restoration of wildlife. This department is also responsible for bringing technological solutions to speed and scale the Biodiversity Monitoring program, which includes species tracking with ADN tracking, camera traps, geolocation and radio signal. The department is now studying ways to incorporate IoT sensors in order to increase data-related and make conservation decisions more efficiently.
Emerging risk 2: Risk of natural resource crises
Definition Existential threat involving chemical, food, mineral, water or other natural resource crises at a global scale as a result of human overexploitation and/or mismanagement of critical natural resources. The Natural Resource Crises is categorized by the World Economic Forum as an Existential Threat. As a Pulp&Paper company and water and land-intensive business, Klabin relies on the quality of natural resources to deliver products to the market and all of Klabin’s operations incorporate into their strategy environmental management aspects, such as water, energy, climate change and biodiversity in a systemic view approach. In this way, the company strengthens its commitment to conserve natural resources, such as by working to reduce the use of non-renewable resources, controlling environmental impacts, own and third-parties land planning and management, access to high-quality water, as well as an overall safe community.
Impact to the business The increase in demand for land for other uses due to the expectation of a significant increase in the population can raise production costs, change in Klabin's business competitiveness and generate tensions between the company, community and local authorities fostered by land and water resource disputes.
Mitigation measures

Assessed as both high likelihood and impact, the natural resource risk and its derived impacts are addressed within Klabin ’s 2030 Sustainability Agenda with goals aiming at reducing adverse outcomes for the next 10 years.

  For Wood Availability and Forest yield, the main 2030 goal is to maintain productivity levels by: Rising the forest partners network through the Plant with Klabin Program which covers large and small producers to increase the diversification of wood sources, and Improving plant and harvest technology to use less soil, and to operate over uneven surfaces, without decreasing conservation areas and ecological corridors.  

As for Water use, one of the 2030 targets is to have 100% forest operation under own management with hydrosolidarity management, which is a strategy based on the balance between forest production and water production. As such, it is possible to integrate the different needs of the input, including neighboring communities needs and ecological processes.

The theme of human rights is transversal at Klabin and considers environmental, social and governance issues, such as: Labor practices and Health and Safety, diversity and non-discrimination, relationship with communities, environment and data protection.

Although there is no specific policy that brings together all human rights issues in a single document, all of them have their governance established by the following set of rules: Code of Conduct, Anti-Corruption Manual, Sustainability Policy, Diversity and Employability Policy, Fundamental Rights Policy in Labor Relations, Socio-environmental Responsibility Policy in Contracting Suppliers, Life Protection Policy and Cybersecurity Policy.

All these commitments are based on internationally recognized frameworks such as: the Guiding Principles on Business and Human Rights, the International Bill of Human Rights (which considers the Universal Declaration of Human Rights and the UN Covenants on Civil and Political Rights, and Economic and Social Rights), Conventions of the International Labor Organization, Conventions on biological diversity, environment and climate. The guidelines of the Global Compact and the Sustainable Development Goals (SDGs) of the United Nations are also considered guiding principles.

In 2022, there were no reports of any case or violation of Human Rights involving the Company.

 

GRI-411-1 SASB-RR-FM-210a.1 SASB-RR-FM-210a.2

TRADITIONAL COMMUNITIES
 

Total forest area on indigenous lands (in acres)

2022 2021 2020
0 0 0

 

Number of identified traditional communities (10km buffer of Klabin's forest management areas)

2022 2021
172 161

 

Klabin maps all the traditional communities in its areas of influence, such as quilombolas, faxinalenses (communities that inhabit small areas and live off their relationship with the forest) and indigenous groups. In its relationship with these communities, the company follows Brazilian legislation and the recommendations of ILO 169, resolution of the International Labor Organization for Indigenous and Tribal Peoples, guaranteeing their right to prior, free and informed consent (CLPI).

In 2020, Phase II was completed, characterizing the traditional communities identified in the 10km buffer of Klabin's forest management areas, in Paraná, in a total of 81, as follows: 12 indigenous lands identified and characterized in 10 municipalities; 27 quilombola communities, identified and characterized in 6 municipalities, and 42 communities from Faxinal, identified and characterized in 10 municipalities. Continuing the process of identifying traditional peoples, 11 more traditional communities were recently mapped on the December 2022 forest base. The next phase of this work is the characterization of these communities.

In 2022, there were no cases of violation of the rights of indigenous peoples and traditional communities.

 

GRI-412-1 SASB-RR-FM-210a.2

For the units and operations in Paraná, a Manual for the area of Social Responsibility and Community Relations was prepared, as well as other internal procedures, to record the entire process of engagement with stakeholders.

Klabin's Social Responsibility and Community Relations area operates on several fronts, with the aim of preserving and improving the company's relationship with its stakeholders and affected parties; nullify or mitigate impacts caused by its operation; and, promote actions that contribute to the local development of the municipalities where it operates, among others. Thus, its main work fronts are:

Preventive action on possible impacts linked to Klabin's forestry and manufacturing operations;
Identification of opportunities for engagement with the local community and regional development of the territory;
Promotion and expansion of dialogue between Klabin and public authorities, the local community (including the traditional community) and other interested publics.

In 2021, the expansion to other Klabin units began, due to corporate activities.


Human Rights Due Diligence Analysis   

In 2021, Klabin initiated the first stage of the Human Rights due diligence conducted by a third party. This process was based on the UN Guiding Principles on Business and Human Rights and covered 100% of Klabin's businesses and products, considering not just its operations, but also its value chain, communities and new commercial relationships (acquisitions and joint ventures)

 

 

The first phase included a diagnosis to identify risks from the rights holders' perspective, and not only from the corporate risk management perspective, which only considers  inherent risks for the company. 

This diagnosis considered the pre-established risks for each one of the supply chains involved: wood, wood chips, logistics and other goods and services. Local communities are considered all those that may be impacted by Klabin's value chain operations, including forestry, industrial, logistics (including ports) and forestry producers that supply Klabin.

 

Rightholders  Included subgroups Inherent Risks
Own and third-party employees 
 
  • Women, black people, people with disabilities,
  • LGBTQI+ people, and others
  • Health and safety
  •  Freedom of association and collective agreement
  •  Discrimination and harassment
  • Working hours
  • Decent salary
  •  Privacy 
Supply chain workers
  • Women, black people, people with disabilities, LGBTQI+ people, and others;
  • Children
  • Health and safety 
  • Freedom of association and collective bargaining 
  • Discrimination and harassment 
  • Working hours 
  • Decent salary
  • Child labor 
  • Forced labor 
Local communities
  • Women, black people, people with disabilities, LGBTQI+ people, and others;
  • Children
  • Indigenous and traditional communities

 
  • Community safety 
  • Access to land and livelihoods* 
  • Impacts on indigenous peoples and traditional  communities 
  • Environmental impacts 
  • Conflicts involving security forces** 
  • Child sexual exploitation 
  • Impact on access to public infrastructure 
     
Customers -
  • Product safety 
  • Privacy 

* Includes tenant farmers, housekeepers, squatters
** Includes environmental and human rights defenders  

In 2022, the diagnosis provided the basis for the second stage of due diligence conducted by an external consultancy that, due to pandemic situations and the impossibility of conducting on-site consultations, assumed the representation of the active voice of rights holders, from their technical perspective. The company conducted a cross-analysis of the impact on these groups versus Klabin's management capacity for each of the prioritized topics. The process generated a heatmap of priorities and recommendations, which were further developed into a roadmap of short-, medium- and long-term action plans:

 

Topics prioritized by the human rights roadmap and timeframe for actions

  Short-term Medium term Long term**
Management system Commitment political - -
Risk assessment and impact - -
Adoption of prevention and mitigation measures - -
Monitoring of effectiveness - -
Reporting - -
Complaint and reporting mechanism - -
Specific themes Health and safety Supply chain workers   -
Freedom of collective association* Access to land and means of subsistence  -
Discrimination and harassment* Decent wage* -
Working hours* Conflicts involving security forces -
Safety of indigenous peoples and traditional communities - -
Impacts on public infrastructure - -
Child sexual exploitation - -

 *Topics that include direct and indirect collaborators. 
**Actions prioritized and planned for the medium term, at least. 

According to the recommendation from the consultancy that conducted Klabin's first cycle of due diligence analysis, the update of risk and impact assessment will be carried out after the completion of existing action plans or in the event of a significant change in any business or expansion of the company into new territories.

Human Rights Governance: 

  1. The entire due diligence process, findings and recommendations involved the Fixed Sustainability Committee and the Sustainability Committee. 

  2. The risks identified from the impact on the rightholder group were integrated to the Company’s official Risk Matrix, with monitoring along with sponsoring areas carried out bimonthly. 

  3. 100% of short-term action plans are linked to the individual goals of corporate managers. 


Assuming that human rights due diligence is a continuous process, Klabin regularly evaluates the update of the management capacity x impacts heatmap based on significant changes in business and operations.

 

Mitigation and preventive actions

 

Topic % Covered operations Actions taken Are the actions considered sufficient? KPI
Health and Safety 100 Klabin has an Occupational Health and Safety Management System (SGSSO) that covers all operations, own employees and third parties. Six industrial units are ISO 45001 certified. The forestry units' own plantations are FSC Management certified, which assesses health and safety aspects of the employees involved in these activities. In addition, periodic audits are carried out on procedures to assess compliance with the requirements of the Occupational Health and Safety Management System (SGSSO), ISO 45001 and FSC.
Also, there are procedures in place for (a) ongoing identification of hazards, risk assessment and determination of necessary controls, (b) provision of OH&S training in accordance with role and legal requirements, (c) recording, investigation and analysis of accidents and incidents, (d) identification of potential for emergencies and procedures for response.
Yes
Freedom of association and collective bargaining 100 All own employees are covered by collective agreements. Additionally, the Code of Conduct includes freedom of union membership for all employees. Yes
Diversity and Inclusion 100 There are procedures directed at addressing complaints of harassment and discrimination via the Ombudsman Channel. Campaigns, training, workshops, lectures and conversation circles have been developed since 2019. Most activities are aimed at all own employees and third parties. Specific topics such as racism, gender equity, unconscious biases, inclusive language, and harassment are addressed for the various hierarchical levels, in these events and trainings. Welcoming groups are also trained, as well as People & Management teams (which are directly involved in these cases), with monitoring by the Integrity area and a professor and Anthropology consultant. Yes
Supply chain 100 The Code of Conduct and the Vendor Contracting Policy set minimum human rights standards for vendors. For contracts, there is an additional document with minimum standards: List of Minimum Safety, Environment, and Occupational Health Requirements for the Contractor. In addition, in the scope of purchase requests, the requesting area is responsible for defining any additional health and safety requirements for the scope of contract. Yes
Labor analogous to slavery and/or child labor 100 As a signatory of the National Pact for the Eradication of Slave Labor, Klabin undertakes to cross-reference its base of active and inactive Suppliers, multiple times a year, with the names listed in the Register of Employers who have subjected workers to conditions analogous to slavery (popularly known as the “Black List of Slave Labor”).
Thus, if there is any note, the appropriate actions taken by the Company follow: identification of the supplier and service provided (date, place, among other data) and formal notification to the party demanding clarification and declaration on the corrective measures implemented (and suggestions for improvement, if necessary). From this stage, it is evaluated whether the supplier will be monitored or if the supply will be interrupted. In 2022, there were no cases of suppliers in Klabin's chain mentioned in that list.
Yes
Communities 100 Implementation of the procedure for managing conflicts with communities, which establishes an internal committee to address complaints considered valid. In addition, the company maintains Fale com a Klabin, a channel dedicated to answering demands, complaints and complaints from the community.    
Traditional communities (quilombolas, indigenous, faxinalenses, etc.) 100 Klabin maps all the traditional communities in its areas of influence, such as quilombolas, faxinalenses (communities that inhabit small areas and live off their relationship with the forest) and indigenous groups. In its relationship with these communities, the company follows Brazilian legislation and the recommendations of ILO 169, resolution of the International Labor Organization for Indigenous and Tribal Peoples, guaranteeing their right to prior, free and informed consent (CLPI).  
Engagement with stakeholders 100

Klabin's Social Responsibility and Community Relations area operates on several fronts, with the aim of preserving and improving the company's relationship with its stakeholders and affected parties; nullify or mitigate impacts caused by its operation; and, promote actions that contribute to the local development of the municipalities where it operates, among others. Thus, its main work fronts are:
  

  • Preventive action on possible impacts linked to Klabin's forestry and manufacturing operations;
  •   Identification of opportunities for engagement with the local community and regional development of the territory;
  •   Promotion and expansion of dialogue between Klabin and public authorities, the local community (including the traditional community) and other interested publics.
                  
Yes
Environment 100

All operating units have an environmental management system that includes:

  •  system for recording environmental anomalies within Klabin's units;
  • system for recording occurrences and complaints by stakeholders, with due analysis of the occurrence, monitoring of applicable legal requirements;
  • survey of environmental aspects and impacts of all operations,- mitigation actions (e.g., forest: mosaic, hydrosolidarity management);
  • environmental monitoring programs in the surrounding regions.
Yes
Data Protection     100 Klabin has a governance structure and cyber security policies and procedures, and engages in constant system monitoring. The policies and standards are based on ISO standards and consider the Brazilian General Data Protection Law (LGPD) and the Brazilian Civil Rights Framework for the Internet. The process and information is made available to all employees through a Cyber Security Booklet and trainings. Vendors who have access to Klabin and Klabin employee data are informed of their responsibilities through the contract, and fill out an LGPD Compliance form. Yes
 

Klabin's Risk Management and Internal Controls was created in 2018 with the support of senior management (Board of Directors and Executive Board). The area seeks to apply best practices to support the business units in the analysis of their processes, with a focus on controls, business and operational continuity plans and risk assessment. With this, the Company hopes to strengthen preventive action and security in decision-making processes, bearing in mind the principle of transparency and sustainable growth.

In November 2020, the Audit and Related Parties Committee was created, an advisory committee to the Board of Directors, which has among its roles the evaluation of the Company's risk exposure control mechanisms. Risk management has at least two annual fixed meetings with this committee to promote together with the other members the risk management methodology and “Tone the Top” model, updating the concepts and methodology, as well as discussions on main risks, emerging risks and plans of action.

In 2021, the IB Solutions risk management software was implemented in order to automate the follow-up process of actions and controls together with risk and action owners, and to assist in the traceability and history of changes, and also in the creation of dashboards.

Klabin believes that the risk management culture in an organization is the key to promoting and realizing the importance of risk management at all Company levels. Regarding the members of the Audit and Related Parties Committee, at least two annually fixed agendas are held with the members of the Board of Directors in order to update knowledge on the risk management methodology adopted by the company and also discussions on the main risks, and action plans. In addition to the regular presentations of Risk-related topics to the Board of Directors, the company started in 2022 an internal leadership education program, which includes continuous training for new officers and directors, addressing Risk-related topics such as Safety, Diversity, Mergers and Acquisitions, and others.

The procedures associated with risk management were internally audited in 2020. A new audit is scheduled for 2023.

Dissemination and propagation of the risk management culture

In 2022, the main results of the Risk Management area include:

– Development and monitoring of follow-up indicators (KRI's - Key Risk Indicators) for priority risks;

– Implementation of the Business Continuity Plan (BCP) at the manufacturing units in order to improve crisis management in situations where risks materialize;

– Development of the risk management book, with instructions on Klabin's risk management and crisis management process to update concepts, which was presented and distributed to the Company's managers;

– Risk management is included in the corporate and economic governance dimension of the Dow Jones index. At Klabin, compliance is carried out through actions to assess emerging risks, risk governance, dissemination of culture, among others. The Company has a rising score on the subject in recent years, reaching 94 points in 2022;

– Survey and monitoring of identified risks related to TCFD – Task Force on Climate-Related Financial Disclosures (Task Force on climate-related financial disclosures);

– Mapping and evaluation, carried out in partnership with the automation technology area in relation to the automation security maturity level of the units;

– Development of a work together with the Packaging business, with the aim of discussing new technologies, identifying and standardizing procedures regarding the risk of fire in the manufacturing units;

– Carrying out actions related to the dissemination and propagation of the risk management culture;

– Training at the manufacturing units focusing on risk management that may cause crises. These trainings were carried out through the application of a simulated “Table Top” with the managers of the manufacturing units. After completion, a report was built with the points in which the managers acted positively and also the points that need to be developed.

– Disclosure of knowledge pills through Klabin's intranet, with the aim of disseminating and reinforcing concepts used in the risk management process;

– Development of e-Learning training available to all employees, with a focus on instructing about the objectives and advantages of implementing the risk management process;

– Training of the Risk Management area in partnership with the Insurance area for all units in Brazil and Argentina, with the aim of disseminating risk management concepts;

Assessment Frequency: Risk Management and Internal Controls will continuously monitor and review the risks and respective Action Plans according to the criticality of the risks: High and Critical Risks: every six months or as required by the Risk Commission; Medium and Low Risks: annually.

Channels for employees to report risk situations:

– Employees are encouraged to report any risk event by sending an email to Risk Management (gestao_riscos@klabin.com.br)

– Communication channel with risk management information, policies and procedures (https://klabin.sharepoint.com/sites/ComunicacaoGestaodeRiscos)

– We have an integrity channel and ombudsman used for reporting risk situations, conduct issues, and non-compliance with policies and laws. This channel is secure and managed by an independent company, ensuring the confidentiality and anonymity of information. We have a website and also communication can be made via phone;

Effective Risk Culture
– We implemented Crisis Prevention Centers in the manufacturing units, consisting of quarterly meetings in which employees can present possible risks for discussion and issues that could lead to crises should they materialize;

– We have established a Crisis Committee in each unit, with a structured communication flow for reporting by employees related to potential risk scenarios that can become crises.

Updated and verified on: 06/26/2023