Risk management

Responsible performance and operations, with individuals of all levels committed and able to act in a responsive and participatory manner in decision-making processes.

  • 102-15

Process of identification, analysis, treatment, monitoring and contingency plan for risks and impacts associated with Klabin’s businesses

Risks are assessed according to impact and vulnerability criteria, following the classification devised by the Risk and Internal Controls area, after which they are managed according to their criticality. In terms of methodology, the possible approaches to a risk are: reduce, transfer, accept or exploit. According to the Risk Management Policy, risks are classified into five categories: strategic, financial, operational, regulatory and socio-environmental.

The business units (plants and forests) continue their existing operational work and, in the performance of their duties, pay attention to the main events that may cause adversity to the business. Without compromising that work, in 2020, on the recommendation of the Executive Board and with the approval of the Board of Directors, a list of 11 macro risks was defined as priorities for continuous monitoring and for the development of Key Risk Indicators (KRIs), as a way to anticipate the events that may trigger the materialization of a risk.

Klabin’s risk mapping methodology is performed according to the following guidelines: prevent loss, anticipate events and avoid surprises.

Risk identification follows a specific procedure and is carried out by the Risk and Internal Controls Management, in conjunction with the Boards, business managers and corporate areas. Initially, questionnaires and/or interviews are conducted with employees who have extensive knowledge of their respective areas to help define the main aspects to be monitored, in addition to the assessment of internal documentation and third-party assessments. Subsequently, the main risk factors are assessed according to their impact and vulnerability (here taking into account the structure of controls and indicators).

The identified risks are assessed regarding their criticality, which depends on the degree of impact and vulnerability defined in the internal Risk Management procedure. After determining these aspects, the risk is incorporated into a “heatmap” to determine its criticality and the priority with which it should be addressed. The criticality degree may be low, medium, high or critical. At this stage, the mapping is presented to the Risks Committee for ratification and for establishment of the priority risks to be addressed.
Aspects associated with integrated risk management:
– Identification: identify risks and understand their characteristics.
– Analysis: assess the criticality of risks, based on the respective degree of impact and vulnerability.
– Treatment: decide how to deal with each risk in order to structure action plans.
– Monitoring and governance: monitoring and reviewing risks and action plans, and defining indicators.
– Contingency plan: Contingency and Crisis Management Plans.
In order to ensure timely monitoring, a computerized system was deployed in 2020 and integrated with the methodology used to classify risks.

Main risks, control and mitigation measures

Main risks monitored (medium and long term: 3 to 5 years):
– Execution of the business strategy;
– Maintenance of operational activity;
– Asset insurance coverage;
– Court rulings;
– Input prices;
– Compliance with environmental legislation; and
– New technologies.

Control and mitigation actions and procedures:
– Approval of the Budget Plan by the Board, to be monitored, when appropriate;
– Procedures for continuous and preventive maintenance of assets, including general plant shutdowns and constant employee development;
– Active insurance policies for assets and lost profits (partial);
– Formal contingency update procedure supported by legal advisors;
– Supplier development, without concentration, through formal quotation processes and approval levels;
– Planning & Development area to monitor the strategies and the markets in which the Company operates;
– Internal Audit to review and monitor Company processes, in a joint effort with Integrity;
– Audit Committee established, elected at the General Meeting to defend shareholders’ rights; and
– Risk Commission and the newly created Audit and Related Parties Committee.

“Operational risks in the production process:
– Use in the production of chemicals;
– Storage and disposal of chemical waste;
– Explosions, fires, wear over time and exposure to weather and natural disasters; and
– Potential mechanical failures, time required for maintenance or unscheduled repairs, interruptions in transportation, remediations, leakage of chemicals and other environmental risks.

Mitigation measures:
– Monitoring critical activities such as health, safety and environmental protocols, monitoring the energy grid and respective voltage loads, effluent treatment;
– Defining action plans and controls when applicable, in addition to periodic monitoring by the Internal Risk and Control Management and Internal Audit;
– Procedures for continuous and preventive maintenance of assets, including annual plant shutdowns and constant employee development;
– Active insurance policies for assets and lost profits (partial); and
– Planning & Development area to monitor the strategies and the markets in which Klabin operates.

In addition, the risk mapping identified two risks related to human rights issues (decent work in the supply chain and discrimination). These risks have due monitoring and mitigation actions, which are managed by the directly related areas.”

Cyber risks:
The protection model adopted by Klabin takes into account the potential perpetrators of cyber attacks:
– Insiders (employees, service providers etc.), whether through accidental or deliberate misuse (for example, when threatened by terrorists or criminals);
– Terrorists who are interested in obtaining and using sensitive information to carry out a conventional attack;
– Unfair competitors and business intelligence services, interested in obtaining economic advantages for their companies or countries;
– Cyber criminals interested in making money through fraud or by selling valuable information;
– Virus writers and hackers who set out to interfere with companies’ systems merely as a personal or collective challenge;
– Cyberwar: qualified hackers with a great deal of resources at their disposal thanks to state support;
– Hacktivists who fight for a cause (such as political or ideological reasons); and
– Organized crime seeking ransomware payments.

Mitigation measures:
As a mitigation measure, Klabin’s Information Security uses standards such as ISO 27001 and IEC 62443 and operates on the following fronts:
– Perimeter security: technology to reinforce edge security solutions (the first line of protection against the external world) and infrastructure segregation.
– Network security: solutions for network monitoring and management, including protection against threats, secure and controlled access, content filtering and segregation of the environment.
– Endpoint security: protection of servers, workstations, smartphones and tablets against advanced threats.
– Application security: protection of critical applications.
– Data security: technology to protect critical information throughout its life cycle, wherever it is located.
– Monitoring and response: the process responsible for monitoring technologies and the information security process through incident management, performance indicators and forensic analysis.
– Prevention and management: based on risk management, governance, architecture, training, awareness and compliance.
– Patch management: prevention of and response to advanced threats and incidents through cybersecurity measures and hardening.
– Access security: responsible for the user access life cycle, service and administrative accounts and the password safe.

  • 102-30
  • 103-1
  • 103-2
  • 103-3

Risk Management

Klabin’s Risk Management and Internal Controls, created in 2018, are supported by Senior Management (Board of Directors and Executive Board) in approving its budget, as well as its work agenda. This area seeks to ensure best practices to support business units in analyzing their processes, with a focus on controls, business continuity and operational plans, and risk assessment. The goal is to strengthen the company’s preventive actions and security in decision-making processes, based on the principles of transparency and sustainable growth.

The Risk Committee, composed of members of the Executive Board and Management, is responsible for monitoring, assessing and communicating risks and corresponding action plans, together with the Risk and Internal Controls Management, on a regular basis, as well as forwarding risk assessment information to other areas within the Company.

Despite the difficulties and impacts of the Covid-19 pandemic, 2020 was a year of many achievements for the Risk Management area, with the implementation of several projects for better monitoring and handling of risks. The highlights were:

– Implementation of risk management software in order to improve disclosure and knowledge of risk areas and action plans;
– Implementation of the business continuity plan in several manufacturing units;
– Definition of Priority Risks for in-depth monitoring;
– Beginning of the development of Key Risk Indicators (KRIs) for priority risks.

Risk management structure with respective responsibilities:

Board of Directors:

– Approve the Risk Management Policy;
– Define, support and disseminate the risk management culture; and
– Deliberate on any matter submitted thereto or, if deemed necessary, on risks and possible action plans.

Boards:

– Disseminate and promote the risk management culture;
– Monitor, based on the information reported periodically by the Risk Committee, the Risk Management of the Company and its Subsidiaries, ensuring its appropriate functioning and taking any necessary measures for its improvement;
– Validate the risks reported to Risk Management and Internal Controls by their respective Business areas;
– Ensure the existence of material and human resources at adequate levels, which allow the effective compliance with this Policy and the risk management procedures as a whole in their respective Business Areas;
– Assist the Risk Commission in handling risks; and
– Assist the respective Business areas in executing action plans, as well as in the implementation of any recommendations or measures related to risk management.

Risk Commission:

– Recommend the Risk Management Policy to the Board of Directors and, in this context, establish the internal procedures used by the Company and its Subsidiaries in risk management;
– Assess and monitor the most relevant risks reported by the Risk Management and Internal Controls, as well as their respective action plans;
– Validate the action plans proposed by the Business areas and the Boards, after validation by Risk Management and Internal Controls; and
– Report periodically, or whenever deemed necessary, to the Executive Board and the Board of Directors the relevant information related to the risk management of the Company and its Subsidiaries.

Risk Management and Internal Controls:

– Propose the Risk Management Policy and its updates;
– Identify, monitor and periodically control risks, including with regard to the implementation of action plans;
– Report the Risks and their Action Plans to the Risk Commission;
– Assist the Business Areas and the Boards in the design and implementation of internal controls or risk management indicators;
– Conduct a critical analysis of the action plans defined by the business areas to mitigate risks; and
– Provide training and a communication plan related to Risk Management.

Integrity Management:

– Prevention, detection and remediation of violations of the Code of Conduct and other policies whose non-compliance may contradict Klabin’s Integrity principles and values; and
– Management of the Company’s Integrity Program, structured on several pillars that contribute to the strengthening of ethical conduct in the Company. The pillars are: Senior Management Commitment and Support; Integrity Training; Third party reputational assessment; Integrity risk assessment; Communication; Code of Conduct, Integrity Policies and Procedures; Integrity and Ombudsman Channel; Integrity Commission; and Continuous monitoring.

  • 102-11

Precautionary Principle at Klabin

In addition to Klabin being part of B3’s Level 2 corporate governance segment and of the Corporate Sustainability Index (ISE) portfolio, which is based on economic efficiency, environmental balance, social justice and corporate governance, the assessment of the internal control environment aims to carry out the main internal control practices, evaluate the degree of efficiency of those controls, and indicate their deficiencies and the measures adopted to correct them.