Process of identification, analysis, treatment, monitoring and contingency plan for risks and impacts associated with Klabin’s businesses
Risks are assessed according to impact and vulnerability criteria, following the classification devised by the Risk and Internal Controls area, after which they are managed according to their criticality. With regard to methodology, the approaches to a risk may be: reduce, transfer, accept or exploit. According to the Risk Management Policy, risks are classified into five categories: strategic, financial, operational, regulatory and socio-environmental.
Without prejudice to the operational work already carried out in the business units (plants and forests), which, in the performance of their duties, pay attention to the main events that may cause adversity to the business, in 2020, on the recommendation of the Executive Board and with the approval of the Board of Directors, a list of 11 macro risks was defined as priorities for continuous monitoring and for the development of Key Risk Indicators (KRIs), as a way to anticipate the events that may trigger the materialization of a risk.
Klabin’s risk mapping methodology is performed according to the following guidelines: prevent loss, anticipate events and avoid surprises.
Risk identification follows a specific procedure and is carried out by the Risk and Internal Controls Management, in conjunction with the Boards, business managers and corporate areas. Initially, questionnaires and/or interviews are conducted with employees who have extensive knowledge of their respective areas to help define the main aspects to be monitored, in addition to the assessment of internal documentation and third-party assessments. Subsequently, the main risk factors are assessed according to their impact and vulnerability (here considering the structure of controls and indicators).
The identified risks are assessed for criticality, which depends on the degree of impact and vulnerability defined in the internal Risk Management procedure. Once these aspects have been determined, the risk is placed on a “heatmap” to determine its criticality and the priority with which it should be addressed. The degree of criticality may be low, medium, high or critical. At this stage, the mapping is presented to the Risks Committee for ratification and for the establishment of the priority risks to be addressed.
Aspects associated with integrated risk management:
– Identification: identify risks and understand their characteristics.
– Analysis: assess the criticality of risks, based on the respective degree of impact and vulnerability.
– Treatment: decide how to deal with each risk in order to structure action plans.
– Monitoring and governance: monitoring and reviewing risks and action plans, and defining indicators.
– Contingency plan: Contingency and Crisis Management Plans.
In order to ensure timely monitoring, a computerized system was deployed in 2020 and integrated with the methodology used to classify risks.
Main risks, control and mitigation measures
Main risks monitored (medium and long term: 3 to 5 years):
– Execution of the business strategy;
– Maintenance of operational activity;
– Asset insurance coverage;
– Court rulings;
– Input prices;
– Compliance with environmental legislation; and
– New technologies.
Control and mitigation actions and procedures:
– Approval of the Budget Plan by the Board, to be monitored as appropriate;
– Procedures for continuous and preventive maintenance of assets, including general plant shutdowns and constant employee development;
– Active insurance policies for assets and lost profits (partial);
– Formal contingency update procedure supported by legal advisors;
– Supplier development, without concentration, through formal quotation processes and approval levels;
– Planning & Development area to monitor the strategies and the markets in which the Company operates;
– Internal Audit to review and monitor Company processes, in a joint effort with Integrity;
– Audit Committee established, elected at the General Meeting to defend shareholders’ rights; and
– Risk Commission and the newly created Audit and Related Parties Committee.
“Operational risks in the production process:
– Use in the production of chemicals;
– Storage and disposal of chemical waste;
– Explosions, fires, wear over time and exposure to weather and natural disasters; and
– Potential mechanical failures, time required for maintenance or unscheduled repairs, interruptions in transportation, remediations, leakage of chemicals and other environmental risks.
– Monitoring critical activities such as health, safety and environmental protocols, monitoring the energy grid and respective voltage loads, effluent treatment;
– Defining action plans and controls when applicable, in addition to periodic monitoring by the Internal Risk and Control Management and Internal Audit;
– Procedures for continuous and preventive maintenance of assets, including annual plant shutdowns and constant employee development;
– Active insurance policies for assets and lost profits (partial); and
– Planning & Development area to monitor the strategies and the markets in which Klabin operates.
In addition, the risk mapping identified two risks related to human rights issues (decent work in the supply chain and discrimination). These risks have due monitoring and mitigation actions, which are managed by the directly related areas.”
The protection model adopted by Klabin takes into account the potential perpetrators of cyber attacks:
– Insiders (employees, service providers etc.), whether through accidental or deliberate misuse (for example, when coerced by terrorists or criminals);
– Terrorists interested in obtaining and using sensitive information to carry out a conventional attack;
– Unfair competitors and intelligence services, interested in obtaining economic advantages for their companies or countries;
– Cyber criminals interested in making money by fraud or by selling valuable information;
– Virus writers and hackers who set out to interfere with companies’ systems simply as a personal or collective challenge;
– Cyberwarfare: highly skilled hackers with a great deal of resources at their disposal, thanks to state support;
– Hacktivists who fight for a cause (such as political or ideological reasons); and
– Organized crime groups deploying ransomware for extortion.
As a mitigation measure, Klabin’s Information Security uses standards such as ISO 27001 and IEC 62443 as references and operates on the following fronts:
Perimeter security: technology to reinforce edge security solutions (the first line of protection against the external world) and infrastructure segregation.
Network security: solutions for network monitoring and management including protection against threats, secure and controlled access, content filtering and segregation of the environment.
Endpoint security: protection of servers, workstations, smartphones and tablets against advanced threats.
Application security: protection of critical applications.
Data security: technology to protect critical information throughout its life cycle, wherever it resides.
Monitoring and response: the process responsible for monitoring security technologies and the information security process through incident management, performance indicators and forensic analysis.
Prevention and management: based on risk management, governance, architecture, training, awareness and compliance.
Patch management and hardening: prevention of and response to advanced threats and incidents through patching and system hardening.
Access security: responsible for the user access life cycle, for service and administrative accounts, and for the password vault.