GRI 102-15, 102-20, 102-30, 103-1, 103-2, 103-3
Klabin’s Risk and Internal Controls Management, created in 2018, seeks to ensure best practices to support business units in analyzing their processes, with a focus on controls and risk assessment. The goal is to strengthen the Company’s preventive actions and security in decision-making processes, based on the principles of transparency and sustainable growth.
Risks are assessed according to impact and vulnerability criteria, following the classification devised by the Risk and Internal Controls area, process after which they are managed according to their criticality. With regard to methodology, the approaches to risks may be: reduce, transfer, accept or exploit. According to the Risk Management Policy, risks are classified into five categories: strategic, financial, operational, regulatory and socio-environmental.
Click here for the full text of the Risk Policy and for details on the Company’s risk management.
|Main risks monitored (medium and long term: 3 to 5 years)||Control and mitigation actions and procedures|
In addition, the risk mapping identified two risks related to human rights issues (decent work in the supply chain and discrimination). These risks’ due monitoring and mitigation actions are managed by the directly related areas.
Some risks are permanently on the Company’s monitoring radar due to its vertical business structure, such as operational risks in the production process cyber risks.
|Operational risks in the production process|
|Associated with||Mitigation measures|
|Associated with||Mitigation measures|
|The protection model adopted by Klabin takes into account potential offenders to the occurrence of cyber attacks:
||Como mitigação, a Segurança da Informação da Klabin utiliza-se de padrões como ISO 270001 e a IEC 62.443 e atua nas seguintes frentes:
Main advances in 2019
GRI 103-1, 103-2, 103-3
Throughout 2019, the actions carried out by the Risk and Internal Controls area were marked by the development of Klabin’s risk management model, based on five pillars – Identification, Analysis, Treatment, Monitoring and Contingency Plan – and guided by the Risk Management Policy Also noteworthy:
- Approval of the risk assessment carried out in 2018, by the Executive Board and the Board of Directors.
- Approval of ten high-priority risks to be monitored by the Executive Board and the Board of Directors.
- Creation and approval of the Crisis Management Policy by the Executive Board.
- Structuring the risk management process on an online platform (testing phase).
How risks are mapped
GRI 102-15, 103-1, 103-2, 103-3
Klabin’s risk mapping is performed according to the following guidelines: prevent loss, anticipate events and avoid surprises
Risk identification follows a specific procedure and is carried out by the Risk and Internal Controls Management, in conjunction with the Executive Board, business managers and corporate areas. Questionnaires and/or interviews are also conducted with employees who have extensive knowledge of their respective areas to help define the main aspects to be monitored.
The identified risks are assessed regarding their criticality, which depends on the degree of impact and vulnerability defined in the internal Risk Management procedure. After determining these aspects, the risk is incorporated into a “heatmap” to determine its criticality and the priority to which it should be addressed. Criticality degree may be low, medium, high and critical. At this stage, the mapping is presented to the Risks Committee for ratification and establishment of the priority risks to be addressed.
The Risk Committee, composed of members of the Executive Board, is responsible for monitoring, assessing and communicating risks and corresponding action plans, together with the Risk and Internal Controls Management, on a regular basis, as well as forwarding risk assessment information to other areas within the company.
- Identification :identify risks and understand their characteristics.
- Analysisassess the criticality of risks, based on the respective degree of impact and vulnerability..
- Treatment: decide how to deal with each risk in order to structure action plans.
- Monitoringmonitoring and reviewing risks and action plans. Defining indicators.
- Contingency plan: Contingency and Crisis Management Plans.
GRI 103-1, 103-2, 103-3, 418-1
Under the concept of Industry 4.0 Klabin designed a technology architecture for plant security, with a focus on safely transferring information from industrial units to the external environment. The work resulted in the creation of the Cybersecurity Standard, currently being tested at the Monte Alegre Unit. The feature is foreseen in the design of the Puma II project and in new lines that require interaction with the external environment.
In order to comply with the Brazilian General Data Protection Law (Law No. 13.709/2018), which comes into effect in August 2021, Klabin has mapped risks regarding information on employees, third parties and end customers who have personal data held in custody at Klabin, in order to ensure the confidentiality of such data. The company is currently working on the implementation of necessary controls with the support of a legal firm specializing in privacy to adapt to the new legislation.
In 2019, no data leaks or losses from the Companhia customers were identified and/or recorded.
We understand that internal engagement is key to the cybersecurity process cybersegurança at Klabin. For this reason, several initiatives are promoted for the involvement of our employees, which are reviewed on a monthly basis through the assessment of indicators. In 2019, we carried out several iniciatives to train and raise awareness among our employees, based on the Company’s Information Security Policy and the Brazilian General Data Protection Law (LGPD).
An initiative that concerned a great deal of employees was the training sessions on Pishing,a form of fraud in which the attacker tries to acquire information, such as login credentials or financial information, posing as a reputable entity or individual, either via email, instant messaging or websites In 2019, we promoted a simulation training through a platform hired to deliver Phishingmessages to our employees. Those who opened it would be required to take a quick training on how to identify a emails Phishing emails. Over 6,000 employees were trained by the platform.
corporate employees , including business units, participated in on-site training sessions on cybersecurity.
corporate employees were trained on topics related to the Brazilian General Data Protection Law.
were discussed in an awareness-raising campaign disclosed to all employees.