Business continuity planning
Business continuity planning
Risks and internal controls
Risk identification and management
Klabin works continuously to identify and understand the main characteristics of risks related to its business, with a focus on preventing losses and anticipating events that could potentially impact the Company. This mapping and management process is carried out in five stages:
1. Identifying risks and understanding their characteristics;
2. Classifying risks according to the origin of events;
3. Assessing the criticality of risks, considering their impact and vulnerability;
4. Determining how each risk should be treated, including the creation of action plans;
5. Monitoring risks and periodically reviewing their respective action plans.
Mapped risks may be treated in two main ways: Avoid or Accept (encompassing Retain, Reduce, Transfer or Exploit). Klabin’s Risk Management Policy determines the role of each governance body, including the Board of Directors, the Audit and Related Parties Committee, executive leadership, the Risk Committee, the Risk Area and the Business Continuity Area.
Risks classified as High and Critical are prioritized for the development of action plans and indicator-based monitoring.
Business continuity planning is a wide-ranging process used by Klabin to identify potential threats to the Company and the impacts these threats may have on its business. This organizational preparation goals on cushioning risks and providing an effective response in order to safeguard the interests of the Company’s stakeholders, reputation, brand and value creation activities.
To implement business continuity plans at its plants, the Company needs to carry out five steps:
1. Business impact analysis;
2. Creation of scenario matrix;
3. Creation of operational continuity plan;
4. Creation of disaster recovery plan;
5. Tabletop exercise.
Once a site has implemented a business continuity plan, it receives a handbook containing a wide range of information, to be consulted whenever necessary. A tabletop exercise is carried out once a year during which decisions are made and evaluated. The results of these analysis, as well as any recommendations for improvement, are consolidated in a report.
Operational continuity governance
Klabin employs operational continuity governance for risk management. Its main objective is to assist plants in reviewing, updating and maintaining their business continuity plan (including all the materials and/or documents that make it up) after it has been implemented. The governance processes include crisis committee meetings, periodic tabletop exercises and reviews of Operational Continuity Plans.
Production of corrugated cardboard packaging at the Piracicaba II Plant (SP).
Internal controls
- The year 2024 was marked by the review and reassessment of standards, based on the Board of Directors’ Policy for Klabin’s Normative System. In force since the end of 2023, this policy guides the creation, amendment and approval of the Company’s internal rules and defines criteria for their standardization. The process is essential for each area to establish its procedures without duplication or inconsistencies.
- The following notable milestones were also reached in 2024:
-
Klabin finished implementing the SoftExpert system and began migrating revised documents to this platform;
-
The Company started identifying operational controls in different areas, in line with the corporate risk matrix, as well as mapping activities to check the entry and exit of vehicles and people at operating sites, with the aim of standardizing this process;
-
Klabin continued to conduct the Smart Project (see the Information technology section for more information), monitoring the approvals portal, validating existing controls and migrating these controls to the new system, as well as tracking and validating process changes;
-
The Company tested the design and effectiveness of the entire control matrix for the Company’s financial reports.
In 2025, proposals for mapping controls based on IFRS S1, IFRS S2 and CVM Resolution 198 will be presented to executive leadership.
Data privacy
In 2024, various measures were taken to ensure the security of data managed by Klabin. In line with Brazil’s General Data Protection Law (known by its Portuguese initials, LGPD) and other domestic and international standards, the Company continued to execute its data implementation program, completing mapping work for the Legal, Integrity and Community Relations areas, as well as Parque Ecológico Klabin. This process made it possible to identify data circulating in each area and to review procedures in order to strengthen security. The Company also transformed its Privacy Policy into an International Data Protection Plan, based on studies of legislation in the locations where it operates, and it included data use consent notices to its websites.
Other notable initiatives conducted in 2024:
-
Creation of a risk matrix for privacy and data protection, based on Klabin’s risk matrix and the European Union’s methodology for assessing impacts on data subjects;
-
Training on privacy and data protection, including an online course on Argentine legislation, as well as in-person training in Argentina and Pernambuco;
-
Implementation of a Data Loss Prevention (DLP) system to monitor and control the inappropriate processing of personal data;
-
Formal ratification of the appointment of a Data Protection Officer (DPO) and appointment of Substitute DPO following the publication of regulations by Brazil’s National Data Protection Agency (known by its Portuguese initials, ANPD).
Employees at the Otacílio Costa Plant (SC).
