Risks and internal controls
Risks and internal controls
Managing risks is an ongoing task that must be embedded in the Company's day-to-day operations. The daily monitoring of events that may occur involves various areas and multidisciplinary groups. This process reinforces good practices and matures management as a whole.
Klabin encourages all employees, regardless of hierarchical levels, to act responsively and participatively in decision-making processes. This is even one of the KODS. With the support of the Risk Management Policy, Klabin seeks to align the Company's strategic objectives with a framework that is in line with the best market practices.
Risks are assessed by the Company according to their level of criticality, which is defined based on an analysis of possible impact and vulnerability. The levels are established according to standardized and internally validated criteria. The internal methodology classifies risks into five categories:
COMPLIANCE, REGULATORY AND LEGAL
Risks related to compliance with applicable laws and regulations.
STRATEGIC
Risks that affect the strategic objectives and can be influenced by external factors, but also subject to internal factors.
FINANCIAL
Risks that may impact the Company’s cash flow, its financial statements, and access to capital
OPERATIONAL
Risks related to the Company’s and its subsidiaries' infrastructure (processes, people and technology), which affect their operational efficiency and the effective and efficient use of their resources
SOCIAL AND ENVIRONMENTAL
Risks arising from acts or events that may result in negative effects on the environment and society, with impacts on native peoples and communities and protection of human health, cultural property, and biodiversity
The discussions on risks are subdivided into reducing, transferring and/or sharing, retaining, or accepting. The Risk Management Policy determines the roles of each of the different governance bodies, including the Board of Directors, the Audit and Related Parties Committee, the Executive Board, the Risk Committee, and the Risk and Business Continuity Department, in each of the business areas and their equivalents.
In order to ensure that the main risks inherent to the Company's activities are identified, assessed, treated, monitored, and communicated at both the strategic and operational levels, the following steps have been established:
Risk management highlights in 2023
In 2023, several initiatives were developed to promote a risk assessment and prevention culture, among which the following stand out:
-
Review of procedures for document formalization and storage;
-
Continued implementation of the Business Continuity Plan (BCP). Nine plants now have the instrument;
-
Execution of 11 production shutdown drills in manufacturing units already equipped with the BCP;
-
Completion of the implementation of IB Solutions, software that automates the process of enforcing action plans and allows management to quickly view the risks of each area;
-
Risk Management Training on the Klabin Business School (ENK) Portal, attended by over 350 employees;
-
Development and publication of the Business Continuity Plan (BCP) training on the ENK Portal, attended by more than 200 employees;
-
Continued dissemination of the risk prevention culture through internal communications to all Company employees.
Internal controls
Procedures, policies, approval authorities, evaluation and monitoring of audit reports, process mapping, and integrity assessments are some of the instruments used by Klabin for internal risk control.
In 2023, the Klabin Normative System CA Policy was approved by the Board of Directors. This document guides the creation, modification, and approval of new internal regulations within the Company and establishes criteria for their standardization. It establishes a hierarchy among internal regulations with the aim of systematizing and avoiding conflicts between norms, reinforcing the Company's governance process. The work began in 2021 with the compilation of all Klabin's internal regulations. After outlining a general overview of these internal regulations, conducting benchmarking, and identifying the appropriate structure for the Company's activities, considering the complexity of its businesses, the policy was submitted to the competent governance bodies. Based on an established schedule, all internal regulations of the Company will be reassessed and, where applicable, adjusted based on this new policy.
Other highlights of the year:
-
Beginning of the implementation of an electronic system that stores normative documents and allows traceability of files. This system also establishes approval flows and allows previous versions to be consulted. Throughout 2024, all documents undergoing review will be incorporated into the system;
-
Mapping of controls related to the issuance of financial statements. In 2023, 54 financial reports were issued, totaling 720 control processes;
-
Completion of 100% of the effectiveness tests related to internal control processes;
-
Implementation of monitoring of approvals settings and strategy and registration of approvers in the SAP System;
-
Support for the Smart Project to ensure that controls and recommendations are implemented in the new system.
Privacy and data protection
Klabin is constantly improving its procedures to promote data protection and proper processing. The Company has a Privacy and Data Protection Policy to formalize and guide these precautions.
In 2023, through the application of a questionnaire, Klabin completed the mapping of personal data from all areas of the Company. Based on this work, configurations were made in the system that evaluates suppliers and projects, reinforcing the security of personal data and information.
Klabin's websites have a specific area to handle requests from data subjects. When visiting them, the users/data subjects find a specific area to request information about the processing of their personal data, request the deletion of such data, and revoke consent for collection, among other actions. Requests are evaluated by the area specialized in privacy and data protection, which acts in accordance with Klabin's Internal Policies, the General Personal Data Protection Law (LGPD) and other standards applicable to the topic.
Klabin continually evaluates and updates the tools used to protect the Company's database and systems.
Team training
Corporate training on the topic was developed to ensure that employees are aware of the necessary precautions to guarantee the data privacy and protection outlined by the LGPD. Training can be done through the ENK Portal (Klabin Business School) anytime and anywhere. Workshops are also conducted, and communication actions are disseminated through internal channels (for example, the institutional video on the "Intern's Question" channel) and in offices (for example, the book exchange fair).
