GOVERNANCE

Risk management

GRI 102-15, 102-20, 102-30, 103-1, 103-2, 103-3

Klabin’s Risk and Internal Controls Management, created in 2018, seeks to ensure best practices to support business units in analyzing their processes, with a focus on controls and risk assessment. The goal is to strengthen the Company’s preventive actions and security in decision-making processes, based on the principles of transparency and sustainable growth.

Risks are assessed according to impact and vulnerability criteria, following the classification devised by the Risk and Internal Controls area, after which they are managed according to their criticality. With regard to methodology, the approaches to risks may be: reduce, transfer, accept or exploit. According to the Risk Management Policy, risks are classified into five categories: strategic, financial, operational, regulatory and socio-environmental.


Main risks monitored (medium and long term: 3 to 5 years)
  • Execution of business strategy
  • Maintenance of operational activity
  • Asset insurance coverage
  • Court rulings
  • Input prices
  • Compliance with environmental legislation
  • New technologies

Control and mitigation actions and procedures
  • Approval of the Budget Plan by the Board, to be monitored, when appropriate;
  • Procedures for continuous and preventive maintenance of assets, including general plant shutdowns and constant employee development;
  • Active insurance policies for assets and lost profits (partial);
  • Formal contingency update procedure supported by legal advisors;
  • Supplier development, without concentration, through formal quotation processes and approval levels;
  • Planning & Development area to monitor the strategies and the markets in which the Company operates;
  • Internal Audit to review and monitor Company processes, in a joint effort with Integrity;
  • Audit Committee established, elected at the General Meeting to defend shareholders’ rights.

In addition, the risk mapping identified two risks related to human rights issues (decent work in the supply chain and discrimination). Monitoring and mitigation actions for these risks are managed by the directly responsible areas.

Constant monitoring

Some risks are permanently on the Company’s monitoring radar due to its vertical business structure, such as operational risks in the production process and cyber risks.

Operational risks in the production process

Associated with
  • Use of chemicals in production;
  • Storage and disposal of chemical waste;
  • Explosions, fires, wear over time and exposure to weather and natural disasters;
  • Potential mechanical failures, time required for maintenance or unscheduled repairs, interruptions in transportation, remediations, leakage of chemicals and other environmental risks.

Mitigation measures
  • Monitoring critical activities such as health, safety and environmental protocols, monitoring the energy grid and respective voltage loads, and effluent treatment;
  • Defining action plans and controls when applicable, in addition to periodic monitoring by the Internal Risk and Control Management and Internal Audit;
  • Procedures for continuous and preventive maintenance of assets, including annual plant shutdowns and constant employee development;
  • Active insurance policies for assets and lost profits (partial);
  • Planning & Development area to monitor the strategies and the markets in which Klabin operates.
Cyber risks

Associated with

The protection model adopted by Klabin takes into account the potential perpetrators of cyber attacks:

  • Insiders (employees, service providers etc.), whether by accidental or deliberate misuse (for example, when threatened by terrorists or criminals);
  • Terrorists who are interested in obtaining and using sensitive information to carry out a conventional attack;
  • Unfair competitors and intelligence services, interested in obtaining economic advantages for their companies or countries;
  • Cyber criminals interested in making money by fraud or by selling valuable information;
  • Hackers who set out to interfere with companies’ systems as a personal or collective challenge;
  • Cyberwar: well-qualified hackers with a great deal of resources at their disposal due to state support;
  • Hacktivists who fight for a cause (such as political or ideological reasons);
  • Organized crime (for example, ransomware).
Mitigation measures

As mitigation, Klabin’s Information Security area relies on standards such as ISO 27001 and IEC 62443 and works on the following fronts:

  • Perimeter security: technology to reinforce edge security solutions (the first line of protection against the external world) and infrastructure segregation.
  • Network security: solutions for network monitoring and management, including protection against threats, secure and controlled access, content filtering and segregation of the environment.
  • Endpoint security (endpoint): protection of servers, workstations, smartphones and tablets against advanced threats.
  • Application security: protection of critical applications.
  • Data security: technology to protect critical information throughout its life cycle, as well as where it is located.
  • Monitoring and response: process responsible for monitoring security technologies and the information security process through incident management, performance indicators and forensic analysis.
  • Prevention and management: based on risk management, governance, architecture, training, awareness and compliance.
  • Patch management: prevention of and response to advanced threats and incidents through cybersecurity practices and hardening.
  • Access security: responsible for the user access life cycle, service and administrative accounts and the password safe.

Learn more on Information Security, in this chapter.

Main advances in 2019

GRI 103-1, 103-2, 103-3

Throughout 2019, the actions carried out by the Risk and Internal Controls area were marked by the development of Klabin’s risk management model, based on five pillars – Identification, Analysis, Treatment, Monitoring and Contingency Plan – and guided by the Risk Management Policy. Also noteworthy:

  • Approval of the risk assessment carried out in 2018, by the Executive Board and the Board of Directors.
  • Approval of ten high-priority risks to be monitored by the Executive Board and the Board of Directors.
  • Creation and approval of the Crisis Management Policy by the Executive Board.
  • Structuring the risk management process on an online platform (testing phase).

How risks are mapped

GRI 102-15, 103-1, 103-2, 103-3

Klabin’s risk mapping is performed according to the following guidelines: prevent loss, anticipate events and avoid surprises.

Risk identification follows a specific procedure and is carried out by the Risk and Internal Controls Management, in conjunction with the Executive Board, business managers and corporate areas. Questionnaires and/or interviews are also conducted with employees who have extensive knowledge of their respective areas to help define the main aspects to be monitored.

The identified risks are assessed regarding their criticality, which depends on the degree of impact and vulnerability defined in the internal Risk Management procedure. After determining these aspects, the risk is placed on a “heatmap” to determine its criticality and the priority with which it should be addressed. The degree of criticality may be low, medium, high or critical. At this stage, the mapping is presented to the Risk Committee for ratification and establishment of the priority risks to be addressed.

The Risk Committee, composed of members of the Executive Board, is responsible for monitoring, assessing and communicating risks and corresponding action plans, together with the Risk and Internal Controls Management, on a regular basis, as well as forwarding risk assessment information to other areas within the company.

  • Identification: identify risks and understand their characteristics.
  • Analysis: assess the criticality of risks, based on the respective degree of impact and vulnerability.
  • Treatment: decide how to deal with each risk in order to structure action plans.
  • Monitoring: monitor and review risks and action plans; define indicators.
  • Contingency plan: Contingency and Crisis Management Plans.

Information security

GRI 103-1, 103-2, 103-3, 418-1

Under the concept of Industry 4.0, Klabin designed a technology architecture for plant security, with a focus on safely transferring information from industrial units to the external environment. The work resulted in the creation of the Cybersecurity Standard, currently being tested at the Monte Alegre Unit. The standard is foreseen in the design of the Puma II project and in new lines that require interaction with the external environment.

In order to comply with the Brazilian General Data Protection Law (Law No. 13.709/2018), which comes into effect in August 2021, Klabin has mapped risks regarding information on employees, third parties and end customers who have personal data held in custody at Klabin, in order to ensure the confidentiality of such data. The company is currently working on the implementation of necessary controls with the support of a legal firm specializing in privacy to adapt to the new legislation.

In 2019, no leaks or losses of data belonging to the Company’s customers were identified and/or recorded.

Cybersecurity training

We understand that internal engagement is key to the cybersecurity process at Klabin. For this reason, several initiatives are promoted to involve our employees, and they are reviewed on a monthly basis through the assessment of indicators. In 2019, we carried out several initiatives to train and raise awareness among our employees, based on the Company’s Information Security Policy and the Brazilian General Data Protection Law (LGPD).

An initiative that reached a great number of employees was the training sessions on phishing, a form of fraud in which the attacker tries to acquire information, such as login credentials or financial information, by posing as a reputable entity or individual, whether via email, instant messaging or websites. In 2019, we promoted a simulation training through a contracted platform that delivered phishing messages to our employees. Those who opened them were required to take a quick training on how to identify phishing emails. Over 6,000 employees were trained by the platform.

  • Over 350 corporate employees, including business units, participated in on-site training sessions on cybersecurity.
  • Over 50 corporate employees were trained on topics related to the Brazilian General Data Protection Law.
  • 12 cybersecurity-related topics were discussed in an awareness-raising campaign disclosed to all employees.