CMPC’s Risk Management Program
Empresas CMPC and its subsidiaries are exposed to a series of risks inherent to their businesses. CMPC’s Risk Management Program seeks to identify and manage the main risks that may affect the business strategy and objectives.
The corporate risk management program is audited by various external entities, verifying topics such as governance, methodology, international standards on which the program is based, policy, procedure, and identification and analysis of specific risks. The external audits that have been carried out, and consider the review of the risk management program, are regarding ISO 14001, ISO 45001, ISO 50001, and ISO 9001.
Both in the processes of product and service development, as well as in the evaluation of projects, risk management topics are considered, mainly to identify those risks that could affect the fulfillment of the established objectives, and thus, determine measures to anticipate such events.
CMPC has a policy of compensation, indemnities, and incentives for executives and managers, outlined in the Compendium of Corporate Governance Policies and Procedures. Annually, indicators related to the risk management of critical business activities are determined, aligned with the company’s 2030 strategy.
In addition, the Risk Management program incorporates monitoring of emerging risks, including, for example, the risks caused by cyberattacks on industrial plants, in the most appropriate way, with the aim of minimizing potential adverse effects.
Two examples of emerging risks that CMPC has identified are:
1. Cyberattacks on industrial plants
Description of risk
The increasing number of cyber-attacks and computer crime around the world represents a potential risk to the security of information technology systems. This goes for the production plants and service provider systems, and could also impact the confidentiality, integrity and availability of the data stored in those systems, some of which depend on services provided by third parties.
Potential impact on CMPC
If these risks were to materialize, they could have a significant impact on operational continuity, causing work stoppages, affecting production goals and ultimately hindering our ability to meet customer needs. There could also be significant consequences for workers’ health and safety, the environment, local communities and the Company’s reputation.
Risk Management
CMPC takes all the necessary prevention measures and mitigation controls against cyber threats using cybersecurity solutions and market leaders selected in accordance with the main global standards in this matter. Processes are guided by specialized frameworks and teams of duly trained personnel in order to protect the integrity of operations and the confidentiality of customers, suppliers and the community.
To guarantee the proper functioning of operations and safeguard sensitive information, the Company has a Technology Committee as well as contingency plans arranged with its main computer service providers, who have adopted measures to prevent or mitigate the impact of events such as interruptions, failures or non-compliance due to causes ranging from natural disasters and power outages to security breaches, computer viruses or cybersecurity attacks.
Cyber-attacks, such as identity theft, malware and phishing, are increasingly sophisticated and can make a significant impact on the reputation, productivity and profitability of the Company. For these reasons, monitoring and incident management services are in use along with threat intelligence for early identification and ensuring the required preventive actions are always in place.
2. Reduced water availability for production process impacting management & industrial asset continuity
Risk description
Water is a fundamental element for the production of cellulose and paper, and scarcity in water availability could significantly affect several of CMPC’s industrial plants that are intensive in the use of water. CMPC has defined this as an emerging risk for the company, considering that:
1) This is a new condition, growing in importance in recent years, even though Chile has been facing low precipitation levels for 14 years;
2) There could be a significant long-term impact, requiring the company to adapt its strategies to these conditions;
3) The impact may affect a large part of the company, in this case, for example, Cardboard, Paper and Cellulose operations in Chile;
4) The risk is external, since the condition of lower rainfall is exogenous to the company;
5) The impact of the risk is specific to the company, since the reality of CMPC regarding the type of industrial plants and the location of the plants is specific to the company. Even within the same company, industrial plants in Brazil are not facing this risk.
Potential impact
Management and industrial asset continuity could be significantly affected by reduced water availability for production processes, which is a climate-related chronic physical risk: the scarcity of water for production processes could result in the need to spend on the purchase of water from other sources or for technologies to reduce water use in the processes. There is certain equipment that due to their level of criticality is essential for the production of the company’s goods, and if they fail, the operational continuity of the industrial plants would be affected. Under certain conditions, the failure of critical equipment could lead to an incident or operational accident and could significantly affect the health and safety of workers and/or the environment.
Although internal failures could lead to explosions or industrial fires, there are also external causes, such as natural phenomena. Risks that, if they materialize, could have serious consequences for operational continuity, the environment, the health and safety of collaborators, as well as affecting the community and the company’s reputation.
Risk management
Since 2021, the Company has a Water Resources and Effluents Sub-Management, in charge of the responsible and efficient use of water, its ecosystem management, compliance with the corporate goal, the search for new sources of supply to minimize the vulnerability of operations to climate change, among other priorities.
In addition, CMPC established four sustainability goals linked to its environmental performance, one of which is the reduction in water use (the goal is to reduce the use of water per ton of product by 25% by 2025). This goal considers the context of future water availability for our operations. The Sustainability Committee, which meets bimonthly, reviews and proposes the adoption of best practices to reinforce the long-term commitment to sustainable development. During the year, the Committee reviews the Company’s overall performance towards its four environmental sustainability goals in relation to the established objectives.
CMPC also has maintenance standards and objectives to avoid equipment obsolescence to manage the risk of failure. Additionally, the management of this risk considers the implementation of emergency plans focused on workers and operational continuity plans to mitigate the impact on assets and operations. The company has contracted insurance coverage through which a substantial part of its industrial risk is transferred.
Empresas CMPC and its subsidiaries are exposed to a series of risks inherent to their businesses. CMPC’s Risk Management Program seeks to identify and manage the main risks that may affect the business strategy and objectives.
The corporate risk management program is audited by various external entities, verifying topics such as governance, methodology, international standards on which the program is based, policy, procedure, and identification and analysis of specific risks. The external audits that have been carried out, and consider the review of the risk management program, are regarding ISO 14001, ISO 45001, ISO 50001, and ISO 9001.
Both in the processes of product and service development, as well as in the evaluation of projects, risk management topics are considered, mainly to identify those risks that could affect the fulfillment of the established objectives, and thus, determine measures to anticipate such events.
CMPC has a policy of compensation, indemnities, and incentives for executives and managers, outlined in the Compendium of Corporate Governance Policies and Procedures. Annually, indicators related to the risk management of critical business activities are determined, aligned with the company’s 2030 strategy.
In addition, the Risk Management program incorporates monitoring of emerging risks, including, for example, the risks caused by cyberattacks on industrial plants, in the most appropriate way, with the aim of minimizing potential adverse effects.
Two examples of emerging risks that CMPC has identified are:
1. Cyberattacks on industrial plants
Description of risk
The increasing number of cyber-attacks and computer crime around the world represents a potential risk to the security of information technology systems. This goes for the production plants and service provider systems, and could also impact the confidentiality, integrity and availability of the data stored in those systems, some of which depend on services provided by third parties.
Potential impact on CMPC
If these risks were to materialize, they could have a significant impact on operational continuity, causing work stoppages, affecting production goals and ultimately hindering our ability to meet customer needs. There could also be significant consequences for workers’ health and safety, the environment, local communities and the Company’s reputation.
Risk Management
CMPC takes all the necessary prevention measures and mitigation controls against cyber threats using cybersecurity solutions and market leaders selected in accordance with the main global standards in this matter. Processes are guided by specialized frameworks and teams of duly trained personnel in order to protect the integrity of operations and the confidentiality of customers, suppliers and the community.
To guarantee the proper functioning of operations and safeguard sensitive information, the Company has a Technology Committee as well as contingency plans arranged with its main computer service providers, who have adopted measures to prevent or mitigate the impact of events such as interruptions, failures or non-compliance due to causes ranging from natural disasters and power outages to security breaches, computer viruses or cybersecurity attacks.
Cyber-attacks, such as identity theft, malware and phishing, are increasingly sophisticated and can make a significant impact on the reputation, productivity and profitability of the Company. For these reasons, monitoring and incident management services are in use along with threat intelligence for early identification and ensuring the required preventive actions are always in place.
2. Reduced water availability for production process impacting management & industrial asset continuity
Risk description
Water is a fundamental element for the production of cellulose and paper, and scarcity in water availability could significantly affect several of CMPC’s industrial plants that are intensive in the use of water. CMPC has defined this as an emerging risk for the company, considering that:
1) This is a new condition, growing in importance in recent years, even though Chile has been facing low precipitation levels for 14 years;
2) There could be a significant long-term impact, requiring the company to adapt its strategies to these conditions;
3) The impact may affect a large part of the company, in this case, for example, Cardboard, Paper and Cellulose operations in Chile;
4) The risk is external, since the condition of lower rainfall is exogenous to the company;
5) The impact of the risk is specific to the company, since the reality of CMPC regarding the type of industrial plants and the location of the plants is specific to the company. Even within the same company, industrial plants in Brazil are not facing this risk.
Potential impact
Management and industrial asset continuity could be significantly affected by reduced water availability for production processes, which is a climate-related chronic physical risk: the scarcity of water for production processes could result in the need to spend on the purchase of water from other sources or for technologies to reduce water use in the processes. There is certain equipment that due to their level of criticality is essential for the production of the company’s goods, and if they fail, the operational continuity of the industrial plants would be affected. Under certain conditions, the failure of critical equipment could lead to an incident or operational accident and could significantly affect the health and safety of workers and/or the environment.
Although internal failures could lead to explosions or industrial fires, there are also external causes, such as natural phenomena. Risks that, if they materialize, could have serious consequences for operational continuity, the environment, the health and safety of collaborators, as well as affecting the community and the company’s reputation.
Risk management
Since 2021, the Company has a Water Resources and Effluents Sub-Management, in charge of the responsible and efficient use of water, its ecosystem management, compliance with the corporate goal, the search for new sources of supply to minimize the vulnerability of operations to climate change, among other priorities.
In addition, CMPC established four sustainability goals linked to its environmental performance, one of which is the reduction in water use (the goal is to reduce the use of water per ton of product by 25% by 2025). This goal considers the context of future water availability for our operations. The Sustainability Committee, which meets bimonthly, reviews and proposes the adoption of best practices to reinforce the long-term commitment to sustainable development. During the year, the Committee reviews the Company’s overall performance towards its four environmental sustainability goals in relation to the established objectives.
CMPC also has maintenance standards and objectives to avoid equipment obsolescence to manage the risk of failure. Additionally, the management of this risk considers the implementation of emergency plans focused on workers and operational continuity plans to mitigate the impact on assets and operations. The company has contracted insurance coverage through which a substantial part of its industrial risk is transferred.