CMPC’S RISK GOVERNANCE
CMPC ensures that oversight of risk management is entrusted to a dedicated committee of the highest governing body, composed exclusively of independent and non-executive directors, in accordance with best corporate governance practices. The Risk, Audit and Compliance Committee of CMPC is composed of directors Hernán Rodríguez Wilson, Bernardo Larraín Matte, Ximena Corbo Urzúa, and Francisco Ruiz-Tagle Edwards. Its main responsibilities include approving and overseeing the execution of the annual internal audit plan; approving and monitoring the company’s compliance strategy; following up on actions derived from the implementation of CMPC’s prevention model; and monitoring the comprehensive execution of the company’s risk management strategy, which includes, among other areas, cybersecurity.
CMPC’s Risk Management Program is structured according to the three lines of defense model, ensuring a clear allocation of responsibilities for the identification, management, oversight, and independent assurance of risks. This structure enables the company to maintain an integrated and effective approach to risk governance, aligned with international standards such as ISO 31000 and COSO ERM.
The following describes how each line of defense is implemented within CMPC’s risk governance framework:
- First Line of Defense: At CMPC, all administrative, functional, and operational areas are responsible for identifying and managing the risks associated with their activities. This means that risk ownership is clearly assigned at the business unit level, where operational teams actively oversee and manage risks as part of their core responsibilities. These areas are also involved in implementing control measures and reporting to the relevant committees, ensuring an integrated and cross-functional approach to risk management across the organization.
- Second Line of Defense: CMPC has a consolidated governance structure that supports risk management oversight through various specialized functions and committees. The Corporate Risk and Compliance Department is responsible for the implementation, continuous improvement, and supervision of the risk program, including its monitoring, reporting, and alignment with international best practices. In addition, the Risk Committee and the Sustainability and Regulation Committee support oversight efforts and provide strategic guidance, while the executive owners of each risk category individually oversee their respective risk sources. Together, these structures ensure compliance with risk management objectives and regulatory control throughout the company.
- Third Line of Defense: CMPC’s Internal Audit Department provides independent and objective assurance regarding the quality and level of implementation of internal controls and risk mitigation measures. This department reports directly to the Board of Directors through the Risk, Audit and Compliance Committee, maintaining its independence from operational and oversight functions. Through periodic audits, the Internal Audit Department evaluates the effectiveness of the risk management program, verifies regulatory compliance, and promotes continuous improvement by identifying weaknesses and areas for enhancement.
CMPC’S RISK MANAGEMENT PROGRAM
Empresas CMPC and its subsidiaries are exposed to a series of risks inherent to their businesses. CMPC’s Risk Management Program seeks to identify and manage the main risks that may affect the business strategy and objectives.
CMPC implements a comprehensive methodological process for risk management, consisting of six structured stages: communication and consultation; definition of scope, context, and criteria; risk assessment; treatment; monitoring and review; and recording and reporting. This approach is applied organization-wide, from strategic to operational levels, and covers all types of material risks, regardless of their origin (financial, operational, legal, environmental, among others). Risk identification is carried out through participatory sessions such as workshops, where risks are identified and prioritized. A risk is classified as material when its exposure level in a maximum loss scenario is rated at least “high” according to the established severity scale. From that point, risks are analyzed, assessed, and managed based on their criticality.
The risk assessment process includes a key stage to determine whether an identified risk is acceptable, based on the company’s defined risk appetite. This evaluation is conducted using a matrix that considers severity (or impact) and likelihood criteria, enabling the identification of whether risks fall within the company’s risk tolerance zone. Only those risks whose residual level exceeds the defined “acceptable” thresholds must be addressed with specific treatment plans, following a cost-benefit rationale. This approach aligns the desired level of risk exposure with the company’s strategic objectives and establishes clear limits for each risk category.
Risk exposure is continuously monitored by the Corporate Risk and Compliance Management Office and formally evaluated on a quarterly basis during the sessions of the Risk, Audit, and Compliance Committee. During these meetings, updated risk analyses, the effectiveness of implemented controls, the evolution of key indicators, and other initiatives within the risk program are reviewed. The results are recorded within the corporate risk management program, which consolidates the information into reports that support trend analysis, anticipation of critical scenarios, and the strengthening of organizational resilience in a dynamic environment. Both in the processes of product and service development, as well as in the evaluation of projects, risk management topics are considered, mainly to identify those risks that could affect the fulfillment of the established objectives, and thus, determine measures to anticipate such events.
All identified risks are analyzed to determine their material nature. A severity table is used for this purpose, as stated in the methodology. A risk is “material”* when its potential level of risk, in a maximum loss scenario, is at least “high” according to the severity scale, which determines the Residual Risk Level, which in turn helps to identify those with greater exposure. This identification procedure considers amended or new regulations, in addition to due diligence procedures regarding human rights. The foregoing means that the detected risk will enter the Risk Management Program, thus continuing the step-by-step scheme of the methodological procedure for risk management, resulting in a higher level of managerial supervision.
*What are material risks? These are risks that, if materialized, would have a significant impact on the Company and its strategic objectives. The Internal Audit Unit assists in this process with an independent opinion on the quality and degree of implementation of critical controls and treatment measures.
The corporate risk management program is audited by various certified and independent external entities at least annually, verifying topics such as governance, methodology, international standards on which the program is based, policy, procedure, and identification and analysis of specific risks, all under the ISO 31000 framework. Over the past two years, the external audits that were carried out and that considered a review of the entire risk management program concerned ISO 14001, ISO 45001, ISO 50001, and ISO 9001.
CMPC has a policy of compensation, indemnities, and incentives for executives and managers, outlined in the Compendium of Corporate Governance Policies and Procedures. Annually, indicators related to the risk management of critical business activities are determined, aligned with the company’s 2030 strategy.
In addition, the Risk Management program incorporates monitoring of emerging risks, including, for example, the risks caused by cyberattacks on industrial plants, in the most appropriate way, with the aim of minimizing potential adverse effects.
Two examples of emerging risks that CMPC has identified are:
1. Discretionary tariff disruptions
Risk description
A tariff is an additional cost paid by the importer or absorbed by the exporter, affecting a company’s trade flow. While the imposition of tariffs between countries is a common and expected practice, this risk refers to the sudden, unilateral, and arbitrary imposition of tariffs or trade barriers by key economies, lacking predictability and creating uncertainty.
These measures represent a fundamental and structural shift in how international trade is conducted, from a system based on predictable rules to one where political unpredictability and unilateralism become the norm. This generates uncertainties and cascading effects that were previously less prominent or understood, directly impacting CMPC’s operations.
Tariffs not only result in direct costs but can also lead to unexpected additional charges. Companies may be forced to renegotiate contracts, adjust logistics, quickly explore new markets, and sometimes absorb part of the cost in order to retain customers.
CMPC has identified this as an emerging risk for the company, based on the following considerations:
- The unilateral, abrupt, and discretionary imposition of tariffs is a growing risk given the current macroeconomic and political context, particularly from the United States and potentially other economies in the long term.
- Although the Chilean forestry sector (including wood and pulp) may initially be exempt or subject to lower tariffs, the risk and uncertainty remain. While the impact may not be immediate, it could materialize in the medium to long term.
- This is an external risk, driven by the broader macroeconomic context.
Potential impact
The potential impacts of this risk include:
- Increase in direct or indirect costs if CMPC’s products are affected by discretionary tariffs, resulting in a direct reduction in profit margins.
- Loss of competitiveness, as CMPC’s products may become more expensive than those from countries not subject to such tariffs, reducing their commercial appeal and potentially leading to a loss of market share.
- Strategic planning uncertainty due to the unpredictability of potential tariff measures, which makes it difficult for CMPC to develop reliable financial forecasts and long-term investment plans. This impact is primarily strategic in nature, creating uncertainty that affects future decision-making rather than causing immediate financial repercussions. It may also require CMPC to fundamentally reassess and adapt its international commercial strategy going forward.
- Supply chain reorganization and increased operating costs, as CMPC may need to seek alternative suppliers or redirect logistics flows to mitigate part of the tariff risk, leading to higher transportation and operational costs.
Risk Management
CMPC continuously monitors macroeconomic risks, including potential tariff measures, and conducts scenario analyses to assess and understand their possible impacts.
2. Reduced water availability for production process impacting management & industrial asset continuity
Risk description
Water is a fundamental element for the production of cellulose and paper, and scarcity in water availability could significantly affect several of CMPC’s industrial plants that are intensive in the use of water. CMPC has defined this as an emerging risk for the company, considering that:
1) This is a new condition, growing in importance in recent years, even though Chile has been facing low precipitation levels for 14 years;
2) There could be a significant long-term impact, requiring the company to adapt its strategies to these conditions;
3) The impact may affect a large part of the company, in this case, for example, Cardboard, Paper and Cellulose operations in Chile;
4) The risk is external, since the condition of lower rainfall is exogenous to the company;
5) The impact of the risk is specific to the company, since the reality of CMPC regarding the type of industrial plants and the location of the plants is specific to the company. Even within the same company, industrial plants in Brazil are not facing this risk.
Potential impact
Management and industrial asset continuity could be significantly affected by reduced water availability for production processes, which is a climate-related chronic physical risk: the scarcity of water for production processes could result in the need to spend on the purchase of water from other sources or on technologies to reduce water use in the processes. Certain equipment is, due to its level of criticality, essential for the production of the company’s goods, and if it fails, the operational continuity of the industrial plants would be affected. Under certain conditions, the failure of critical equipment could lead to an incident or operational accident and could significantly affect the health and safety of workers and/or the environment.
Although internal failures could lead to explosions or industrial fires, there are also external causes, such as natural phenomena. These are risks that, if they materialize, could have serious consequences for operational continuity, the environment, and the health and safety of collaborators, and could also affect the community and the company’s reputation.
Risk management
Since 2021, the Company has had a Water Resources and Effluents Sub-Management, in charge of the responsible and efficient use of water, its ecosystem management, compliance with the corporate goal, and the search for new sources of supply to minimize the vulnerability of operations to climate change, among other priorities.
In addition, CMPC established four sustainability goals linked to its environmental performance, one of which is the reduction in water use (the goal is to reduce the use of water per ton of product by 25% by 2025). This goal considers the context of future water availability for our operations. The Sustainability Committee, which meets bimonthly, reviews and proposes the adoption of best practices to reinforce the long-term commitment to sustainable development. During the year, the Committee reviews the Company’s overall performance towards its four environmental sustainability goals in relation to the established objectives.
CMPC also has maintenance standards and objectives to avoid equipment obsolescence to manage the risk of failure. Additionally, the management of this risk considers the implementation of emergency plans focused on workers and operational continuity plans to mitigate the impact on assets and operations. The company has contracted insurance coverage through which a substantial part of its industrial risk is transferred.