Risk management

Responsible performance and operations, with individuals of all levels committed and able to act in a responsive and participatory manner in decision-making processes.

Risks are assessed according to impact and vulnerability criteria, following the classification devised by the Risk and Internal Controls area, a process after which they are managed according to their criticality. With regard to methodology, the approaches to risks may be: reduce, transfer, accept or exploit. According to the Risk Management Policy, risks are classified into five categories: strategic, financial, operational, regulatory and socio-environmental.

Without compromising the operational work of the business units (plants and forests), which in performing their duties watch for the main events that may cause adversity to the business, in 2020 a list of 11 macro risks was defined, on the recommendation of the Executive Board and with the approval of the Board of Directors, as priorities for continuous monitoring and for the development of Key Risk Indicators (KRIs), as a way to anticipate the events that may trigger the materialization of a risk.

Klabin’s risk mapping methodology is performed according to the following guidelines: prevent loss, anticipate events and avoid surprises.

Risk identification follows a specific procedure and is carried out by the Risk and Internal Controls Management, in conjunction with the Boards, business managers and corporate areas. Initially, questionnaires and/or interviews are also conducted with employees who have extensive knowledge of their respective areas to help define the main aspects to be monitored, in addition to the assessment of internal documentation and third-party assessments. Subsequently, the main risk factors are assessed according to their impact and vulnerability (here considering the structure of controls and indicators).

The identified risks are assessed regarding their criticality, which depends on the degree of impact and vulnerability defined in the internal Risk Management procedure. After determining these aspects, the risk is incorporated into a “heatmap” to determine its criticality and the priority with which it should be addressed. The degree of criticality may be low, medium, high or critical. At this stage, the mapping is presented to the Risks Committee for ratification and establishment of the priority risks to be addressed.

In addition to the regular presentations of Risk-related topics to the Board of Directors, the Company establishes, through its leadership education program (Rumos), a training program for new board members, covering topics related to Risks, such as Safety, Diversity, Mergers, and Acquisitions, among others.


Aspects associated with integrated risk management:

– Identification: identify risks and understand their characteristics.

– Analysis: assess the criticality of risks, based on the respective degree of impact and vulnerability.

– Treatment: decide how to deal with each risk in order to structure action plans.

– Monitoring Governance: monitoring and reviewing risks and action plans. Defining indicators.

– Contingency plan: Contingency and Crisis Management Plans.

In order to ensure timely monitoring, a computerized system was deployed in 2020 and integrated with the methodology used to classify risks.

 


Main risks, control and mitigation measures

   
Main risks monitored (medium and long term: 3 to 5 years)
– Execution of the business strategy;
– Maintenance of operational activity;
– Asset insurance coverage;
– Court rulings;
– Input prices;
– Compliance with environmental legislation; and
– New technologies.

Operational risks in the production process
– Use of chemicals in production;
– Storage and disposal of chemical waste;
– Explosions, fires, wear over time and exposure to weather and natural disasters; and
– Potential mechanical failures, time required for maintenance or unscheduled repairs, interruptions in transportation, remediations, leakage of chemicals and other environmental risks.

Mitigation measures
– Budget monitoring;
– Monitoring of critical activities such as: health, safety and environmental protocols, monitoring the energy grid and respective voltage loads, effluent treatment;
– Definition of action plans and controls when applicable, in addition to periodic monitoring by Internal Controls and Risk Management and, when defined in its scope, by Internal Audit;
– Procedures for continuous and preventive maintenance of assets, including annual plant shutdowns and constant employee development;
– Monitoring of priority risk indicators on the Board of Directors (CA) agenda;
– Active insurance policies for assets and lost profits (partial); and
– Planning & Development area to monitor the strategies and the markets in which Klabin operates.


Cyber risks:

   
Potential offenders considered in Klabin's protection model
– Insiders (employees, service providers etc.), whether by accidental or deliberate misuse (for example, when threatened by terrorists or criminals);
– Terrorists who are interested in obtaining and using sensitive information to carry out a conventional attack;
– Unfair business and intelligence services competitors, interested in obtaining economic advantages for their companies or countries;
– Cyber criminals interested in making money by fraud or by selling valuable information;
– Virus hackers who set out to interfere in companies’ systems, just as a personal or collective challenge;
– Cyberwar: hackers with a great deal of resources at their disposal due to state support and who are qualified;
– Hacktivists who fight for a cause (such as political or ideological reasons); and
– Organized crime seeking ransom (ransomware).

Mitigation measures:
As a mitigation measure, Klabin’s Information Security uses standards such as ISO 27001 and IEC 62443 and operates on the following fronts:
– Perimeter security: technology to reinforce edge security solutions (the first line of protection against the external world) and infrastructure segregation.
– Network security: solutions for network monitoring and management including protection against threats, secure and controlled access, content filtering and segregation of the environment.
– Endpoint security: protection of servers, workstations, smartphones and tablets against advanced threats.
– Application security: protection of critical applications.
– Data security: technology to protect critical information throughout its life cycle, wherever it is located.
– Monitoring and response: process responsible for monitoring technologies and the information security process through incident management, performance indicators and forensic analysis.
– Prevention and management: based on risk management, governance, architecture, training, awareness and compliance.
– Patch management, advanced threats and incident prevention and response through cybersecurity and hardening.
– Access security: responsible for the user access life cycle, service and administrative accounts and password safe.


Emerging Risks

Based on the 2021 Top Global Risks Report produced by the World Economic Forum, Klabin’s risk analysis identifies the following long-term risks:

Emerging risk 1: Risk of biodiversity loss

Definition: "Irreversible consequences for the environment, humankind, and economic activity, and a permanent destruction of natural capital, as a result of species extinction and/or reduction."

Impact to the business: Regarding the potential impacts of biodiversity loss on Klabin's business, it is important to mention the deprivation of several ecosystem services that forests can provide; for example, pollen and seed dispersal, natural pest control, water and climate regulation, soil and nutrient conservation, and prevention of natural diseases, which are essential to maintaining the high productivity rates of Klabin's plantations.

Mitigation measures:
– Responsible Forest Management, with maintenance of ecological corridors;
– Continuous Fauna and Flora Monitoring Program;
– Klabin Ecological Park with biodiversity study center, which in addition to clinical care also conducts restoration initiatives through projects for reintroduction of native species and population reinforcement;
– Addressing the topic in the Klabin 2030 Agenda under two biodiversity goals.

Emerging risk 2: Risk of natural resource crises

Definition: "Existential threat involving chemical, food, mineral, water or other natural resource crises at a global scale as a result of human overexploitation and/or mismanagement of critical natural resources."

Impact to the business: The increase in demand for land for other uses due to the expectation of a significant increase in the population can raise production costs and generate tensions between the company, community and local authorities fostered by land and water resource disputes.

Mitigation measures:
– Adaptation of forest management techniques as expressed in the 2030 Goal on 100% of forest operations under own management to use hydrosolidarity management to ensure the perennity of planting and water supply in the territory;
– Use of new technologies for planting and harvesting on uneven ground that is not intended for other crops;
– Renewal of the Fomento program, Plant with Klabin, to encourage a larger number of forest producers and increase the diversification of wood suppliers;
– 2030 Goals of Local Development and Impact on the community for alignment with local agendas.

The theme of human rights is transversal at Klabin and considers environmental, social and governance issues, such as: Labor practices and Health and Safety, diversity and non-discrimination, relationship with communities, environment and data protection.

Although there is no specific policy that brings together all human rights issues in a single document, all of them have their governance established by the following set of rules: Code of Conduct, Anti-Corruption Manual, Sustainability Policy, Diversity and Employability Policy, Fundamental Rights Policy in Labor Relations, Socio-environmental Responsibility Policy in Contracting Suppliers, Life Protection Policy and Cybersecurity Policy.

All these commitments are based on internationally recognized frameworks such as: the Guiding Principles on Business and Human Rights, the International Bill of Human Rights (which considers the Universal Declaration of Human Rights and the UN Covenants on Civil and Political Rights, and Economic and Social Rights), Conventions of the International Labor Organization, Conventions on biological diversity, environment and climate. The guidelines of the Global Compact and the Sustainable Development Goals (SDGs) of the United Nations are also considered guiding principles.

In 2022, there were no reports of any case or violation of Human Rights involving the Company.

 

GRI-411-1 SASB-RR-FM-210a.1 SASB-RR-FM-210a.2

TRADITIONAL COMMUNITIES
 

Total forest area on indigenous lands (in acres)

2022 2021 2020
0 0 0

 

Number of identified traditional communities (10km buffer of Klabin's forest management areas)

2022 2021
172 161

 

Klabin maps all the traditional communities in its areas of influence, such as quilombolas, faxinalenses (communities that inhabit small areas and live off their relationship with the forest) and indigenous groups. In its relationship with these communities, the company follows Brazilian legislation and the recommendations of ILO 169, resolution of the International Labor Organization for Indigenous and Tribal Peoples, guaranteeing their right to prior, free and informed consent (CLPI).

In 2020, Phase II was completed, characterizing the traditional communities identified in the 10km buffer of Klabin's forest management areas, in Paraná, in a total of 81, as follows: 12 indigenous lands identified and characterized in 10 municipalities; 27 quilombola communities, identified and characterized in 6 municipalities, and 42 communities from Faxinal, identified and characterized in 10 municipalities. Continuing the process of identifying traditional peoples, 11 more traditional communities were recently mapped on the December 2022 forest base. The next phase of this work is the characterization of these communities.

In 2022, there were no cases of violation of the rights of indigenous peoples and traditional communities.

 

GRI-412-1 SASB-RR-FM-210a.2

For the units and operations in Paraná, a Manual for the area of Social Responsibility and Community Relations was prepared, as well as other internal procedures, to record the entire process of engagement with stakeholders.

Klabin's Social Responsibility and Community Relations area operates on several fronts, with the aim of preserving and improving the company's relationship with its stakeholders and affected parties, nullifying or mitigating impacts caused by its operation, and promoting actions that contribute to the local development of the municipalities where it operates, among others. Thus, its main work fronts are:

– Preventive action on possible impacts linked to Klabin's forestry and manufacturing operations;
– Identification of opportunities for engagement with the local community and regional development of the territory;
– Promotion and expansion of dialogue between Klabin and public authorities, the local community (including the traditional community) and other interested publics.

In 2021, the expansion to other Klabin units began, due to corporate activities.


Human Rights risk and impacts diagnosis
 

In 2021, Klabin started the first stage of due diligence on Human Rights conducted by a third party. This process was based on the UN Guiding Principles on Business and Human Rights and covered 100% of Klabin's businesses, considering not only its operations, but also its value chain, communities and new commercial relationships (acquisitions and joint ventures).


The first phase covered a diagnosis to identify risks from the point of view of rights holders, and not just from the point of view of corporate risk management, which only considers inherent risks for the company.

This diagnosis considered the pre-established risks for each of the supply chains involved: wood, chips, logistics and other goods and services. Local communities are considered all those that may be impacted by Klabin's value chain operations, including forestry, industrial, logistics (including ports) and forestry producers that supply Klabin.

Rights holders, included subgroups and inherent risks

Rights holders: Own and third-party employees
Included subgroups:
- Minority groups: women, blacks, people with disabilities, LGBTQI+ people, among others
Inherent risks:
  • Health and safety
  • Freedom of association and collective bargaining
  • Discrimination and harassment
  • Working hours
  • Adequate wages
  • Privacy

Rights holders: Supply chain workers
Included subgroups:
- Minority groups: women, blacks, people with disabilities, LGBTQI+ people, among others
- Minors
Inherent risks:
  • Health and safety
  • Freedom of association and collective bargaining
  • Discrimination and harassment
  • Working hours
  • Adequate wages
  • Child labor
  • Forced labor

Rights holders: Local communities
Included subgroups:
- Minority groups: women, blacks, people with disabilities, LGBTQI+ people, among others
- Minors
- Traditional communities
Inherent risks:
  • Community safety
  • Access to land and livelihoods*
  • Impacts on indigenous peoples and traditional communities
  • Environmental impacts
  • Conflicts involving security forces**
  • Child sexual exploitation
  • Impact on access to public infrastructure

Rights holders: Customers
Inherent risks:
  • Product safety
  • Privacy

 

* Includes tenant farmers, housekeepers, squatters 

** Includes environmental and human rights defenders  

In 2022, based on the diagnosis and from the perspective of an external consulting firm that represented the active voice of rights holders, the company conducted a cross-analysis of the impact on these groups versus Klabin's ability to manage each of the prioritized topics. The process generated a heatmap of priorities and recommendations, which were broken down into a short-term, medium-term, and long-term action plan, divided among: 

a. Human rights management system: political commitment, risk and impact assessment, internal integration of prevention and mitigation measures, reporting and whistleblowing mechanisms, and reparative measures. 

b. Management of specific topics: employees of the company and third parties, supply chain workers, local communities, and customers and users of the products. 

In 2022, the diagnosis was the basis for the second stage of due diligence conducted by the external consulting firm, which, due to the pandemic and the impossibility of carrying out consultations in person, assumed the representation of the active voice of the rights holders, based on their technical prerogative. The company conducted a cross-analysis of the impact on these groups versus Klabin's ability to manage each of the prioritized topics. The process led to a heatmap of priorities and recommendations, which were broken down into a short-term, medium-term, and long-term roadmap:

 

  

Roadmap columns: Short-term, Medium term, Long term**

Management system
– Political commitment
– Risk assessment and impact
– Adoption of prevention and mitigation measures
– Monitoring of effectiveness
– Reporting
– Complaint and reporting mechanism

Specific themes
– Health and safety
– Supply chain workers
– Freedom of collective association*
– Access to land and means of subsistence
– Discrimination and harassment*
– Decent wage*
– Working hours*
– Conflicts involving security forces
– Safety of indigenous peoples and traditional communities
– Impacts on public infrastructure
– Child sexual exploitation

 

 *Topics that include direct and indirect collaborators. 

**Actions prioritized and planned for the medium term, at least. 

 

Human Rights Governance: 

  1. The entire due diligence process, findings and recommendations involved the Fixed Sustainability Committee and the Sustainability Committee. 

  2. The risks identified from the impact on the rightholder group were integrated into the Company’s official Risk Matrix, with monitoring along with sponsoring areas carried out bimonthly.

  3. 100% of short-term action plans are linked to the individual goals of corporate managers. 

Based on the assumption that due diligence in human rights is an ongoing process, Klabin regularly assesses updates of the heatmap of management capacity x impacts from significant changes in business and operations. 

 

Mitigation and preventive actions

Columns: Topic, % Covered operations, Actions taken

Topic: Health and Safety
% Covered operations: 100
Actions taken: Klabin has an Occupational Health and Safety Management System (SGSSO) that covers all operations, own employees and third parties. Six industrial units are ISO 45001 certified. The forestry units' own plantations are FSC Management certified, which assesses health and safety aspects of the employees involved in these activities. In addition, periodic audits are carried out on procedures to assess compliance with the requirements of the Occupational Health and Safety Management System (SGSSO), ISO 45001 and FSC.
Also, there are procedures in place for (a) ongoing identification of hazards, risk assessment and determination of necessary controls, (b) provision of OH&S training in accordance with role and legal requirements, (c) recording, investigation and analysis of accidents and incidents, (d) identification of potential for emergencies and procedures for response.

Topic: Freedom of association and collective bargaining
% Covered operations: 100
Actions taken: All own employees are covered by collective agreements. Additionally, the Code of Conduct includes freedom of union membership for all employees.

Topic: Diversity and Inclusion
% Covered operations: 100
Actions taken: There are procedures directed at addressing complaints of harassment and discrimination via the Ombudsman Channel. Campaigns, training, workshops, lectures and conversation circles have been developed since 2019. Most activities are aimed at all own employees and third parties. Specific topics such as racism, gender equity, unconscious biases, inclusive language, and harassment are addressed for the various hierarchical levels in these events and trainings. Welcoming groups are also trained, as well as People & Management teams (which are directly involved in these cases), with monitoring by the Integrity area and a professor and Anthropology consultant.

Topic: Supply chain
% Covered operations: 100
Actions taken: The Code of Conduct and the Vendor Contracting Policy set minimum human rights standards for vendors. For contracts, there is an additional document with minimum standards: List of Minimum Safety, Environment, and Occupational Health Requirements for the Contractor. In addition, in the scope of purchase requests, the requesting area is responsible for defining any additional health and safety requirements for the scope of contract.

Topic: Labor analogous to slavery and/or child labor
% Covered operations: 100
Actions taken: As a signatory of the National Pact for the Eradication of Slave Labor, Klabin undertakes to cross-reference its base of active and inactive Suppliers, multiple times a year, with the names listed in the Register of Employers who have subjected workers to conditions analogous to slavery (popularly known as the “Black List of Slave Labor”).
Thus, if any supplier is flagged, the Company takes the appropriate actions: identification of the supplier and service provided (date, place, among other data) and formal notification to the party demanding clarification and a declaration of the corrective measures implemented (and suggestions for improvement, if necessary). From this stage, it is evaluated whether the supplier will be monitored or if the supply will be interrupted. In 2022, there were no cases of suppliers in Klabin's chain mentioned in that list.

Topic: Communities
% Covered operations: 100
Actions taken: Implementation of the procedure for managing conflicts with communities, which establishes an internal committee to address complaints considered valid. In addition, the company maintains Fale com a Klabin, a channel dedicated to answering demands and complaints from the community.

Topic: Traditional communities (quilombolas, indigenous, faxinalenses, etc.)
% Covered operations: 100
Actions taken: Klabin maps all the traditional communities in its areas of influence, such as quilombolas, faxinalenses (communities that inhabit small areas and live off their relationship with the forest) and indigenous groups. In its relationship with these communities, the company follows Brazilian legislation and the recommendations of ILO 169, resolution of the International Labor Organization for Indigenous and Tribal Peoples, guaranteeing their right to prior, free and informed consent (CLPI).

Topic: Engagement with stakeholders
% Covered operations: 100
Actions taken: Klabin's Social Responsibility and Community Relations area operates on several fronts, with the aim of preserving and improving the company's relationship with its stakeholders and affected parties, nullifying or mitigating impacts caused by its operation, and promoting actions that contribute to the local development of the municipalities where it operates, among others. Thus, its main work fronts are:
- Preventive action on possible impacts linked to Klabin's forestry and manufacturing operations;
- Identification of opportunities for engagement with the local community and regional development of the territory;
- Promotion and expansion of dialogue between Klabin and public authorities, the local community (including the traditional community) and other interested publics.

Topic: Environment
% Covered operations: 100
Actions taken: All operating units have an environmental management system that includes:
- system for recording environmental anomalies within Klabin's units;
- system for recording occurrences and complaints by stakeholders, with due analysis of the occurrence, monitoring of applicable legal requirements;
- survey of environmental aspects and impacts of all operations;
- mitigation actions (e.g., forest: mosaic, hydrosolidarity management);
- environmental monitoring programs in the surrounding regions.

Topic: Data Protection
% Covered operations: 100
Actions taken: Klabin has a governance structure and cyber security policies and procedures, and engages in constant system monitoring. The policies and standards are based on ISO standards and consider the Brazilian General Data Protection Law (LGPD) and the Brazilian Civil Rights Framework for the Internet. The process and information are made available to all employees through a Cyber Security Booklet and trainings. Vendors who have access to Klabin and Klabin employee data are informed of their responsibilities through the contract, and fill out an LGPD Compliance form.

Klabin’s Risk Management and Internal Controls, created in 2018, are supported by Senior Management (Board of Directors and Executive Board) in approving its budget, as well as its work agenda. This area seeks to ensure best practices to support business units in analyzing their processes, with a focus on controls, business continuity and operational plans, and risk assessment. The goal is to strengthen the Company’s preventive actions and security in decision-making processes, based on the principles of transparency and sustainable growth.
In November 2020, the Audit and Related Parties Committee was created as an advisory committee to the Board of Directors. Its roles include the evaluation of mechanisms for controlling the Company’s risk exposure. Risk management has 2 fixed annual meetings with this committee to promote, together with the other members, the risk management methodology and the “Tone at the Top” model, updating the concepts and methodology, and also to discuss the main risks, emerging risks, and action plans.

In 2021, highlights of the main results for the Risk Management area include:

– The Risk Management policy was revised and once again approved by the Board of Directors in August 2021;
– Consolidation of the risk management software through the implementation of Self-Assessment of action plan status and progress;
– Implementation of the business continuity plan in several manufacturing units;
– Definition of monitoring indicators for Priority risks;
– Survey of risks and action plans of the new factories acquired by Klabin;
– Implementation of a risk management software for the purpose of automating the follow-up process of the actions and controls together with the action owners and risk owners, in addition to improving the updating process, risk change history, and dashboard creation;
– Continuation of the process of building the Key Risk Indicators (KRIs) for the risks prioritized by the Company;
– Implementation of a Business Continuity Plan (BCP) in the manufacturing units to improve crisis management in situations where risks materialize;
– Development of a Risk Management book, in which the instructions for Klabin’s risk management and crisis management process will be described to update the concepts. This document will be presented and distributed to the Senior Management directors and executives in 2022.

Dissemination and propagation of the risk management culture

In 2021, we conducted several actions related to training for dissemination:
– Training with the manufacturing units focusing on risk management that may cause crises. These training sessions were conducted through the application of a simulated “table top” with the managers of the manufacturing units. After this was done, a report was built with the points where the managers acted positively and also the gaps that require further development;
– Dissemination of knowledge pills through Klabin’s intranet, with the intention of disseminating and reinforcing concepts used in the risk management process;
– A Podcast discussing the topic of Risk Management was held and is available to all the Company’s employees;
– The Company is developing e-Learning available to all employees to provide instruction on the objectives and advantages of implementing the risk management process;
– In April/22, along with the Board of Directors, a meeting was held to detail the methodology used for risk management, with an annual agenda for improvement of members of the board in relation to the propagation of the risk management culture.

Channels for employees to report risk situations:

– Employees are encouraged to report any risk event by sending an email to Risk Management (gestao_riscos@klabin.com.br)

– We have an integrity channel and ombudsman used for reporting risk situations, conduct issues, and non-compliance with policies and laws. This channel is secure and managed by an independent company, ensuring the confidentiality and anonymity of information. Reports can be made through a website or by phone;
– We implemented Crisis Prevention Centers in the manufacturing units, consisting of quarterly meetings in which employees can present possible risks for discussion and issues that could lead to crises should they materialize;
– We have established a Crisis Committee in each unit, with a structured communication flow for reporting by employees related to potential risk scenarios that can become crises.

Updated and verified on: 07/31/2023
