6-K Filing
Suzano (SUZ) 6-K Current report (foreign)
Filed: 25 Apr 23, 9:05pm
Exhibit 99.1
INTEGRATED RISK MANAGEMENT POLICY | |||
Area: | Risk Management and Compliance | Date: | 20.04.2023 |
Code: | | Review: | 0.0. |
Summary
1 – PURPOSE
2 – REFERENCE DOCUMENTS
3 – TERMS, DEFINITIONS AND ABBREVIATIONS
4 – GUIDELINES
4.1. SCOPE
4.2. PRINCIPLES
4.3. GUIDELINES
4.4. PROCESS
4.4.1. Types of Risk
4.4.2. Risk Management Process
4.4.3. Context Establishment
4.4.4. Risk Identification
4.4.5. Risk Analysis
4.4.6. Risk Evaluation
4.4.7. Risk Treatment
4.4.8. Monitoring
4.4.9. Report and Communication
5 – RESPONSIBILITIES
5.1. STATUTORY AUDIT COMMITTEE (SAC)
5.2. BOARD OF DIRECTORS (BD)
5.3. EXECUTIVE BOARD
5.4. CORPORATE RISKS DEPARTMENT
5.5. FUNCTIONAL AND BUSINESS AREA
6 – APPROVAL OF THE POLICY
7 – VIOLATION OF THE POLICY
8 – MISCELLANEOUS
9 – APPENDICES
1 – PURPOSE
The purpose of this Integrated Risk Management Policy is to provide the principles and guidelines for the Company’s Risk Management, to define and document related processes and activities, and to set out the main responsibilities assigned to the various management bodies or areas of the Corporation.
2 – REFERENCE DOCUMENTS
Not applicable.
3 – TERMS, DEFINITIONS AND ABBREVIATIONS
● | Risk Appetite means the level of Risks that the Corporation's management is willing to accept in conducting its business strategy and/or operations. |
● | Corporate Risk Department means Suzano's risk management department, which reports to the Company’s Executive Board of Finances, Legal and Investor Relations. |
● | Internal Audit means Suzano's Internal Audit department. |
● | Company or “Suzano” means Suzano S.A., together with its subsidiaries in Brazil and in foreign countries. |
● | Compliance means adherence to and compliance with legislation and other applicable standards. |
● | Board of Directors (BD) means Suzano's Board of Directors. |
● | Statutory Audit Committee (SAC) means Suzano’s Statutory Audit Committee. |
● | Board of Executive Officers means Suzano's Board of Executive Officers, elected in accordance with its By-laws. |
● | Stakeholders means a person, group of people or organization that influences and/or can be affected by a Company decision or activity. |
● | Risk Management means the activities carried out for the purpose of identifying, analyzing, evaluating, treating and monitoring the Company’s risks. |
● | Risk Impact means the qualitative and/or quantitative evaluation of the effects or consequences of the materialization of a risk to the Company. |
● | Risk Probability means the qualitative and/or quantitative evaluation of the probability of occurrence of a risk. |
● | Risk Level means the combined analysis between the risk’s final impact and its occurrence probability. |
● | Materiality of Risk means losses and/or consequences of a risk’s impact that could possibly negatively affect the Company. |
● | Risk Management Process means the application of practices and procedures aiming at the identification, evaluation, treatment, monitoring and reporting of events that may represent a Risk. |
● | Risks means uncertain factors or events, which may cause negative impacts, making it difficult or impossible to meet the Company's purposes. |
● | Inherent Risk means the risk before the application of Suzano’s mitigation actions and measures. |
● | Residual Risk means the remaining risk after the result of the mitigation actions and measures adopted by the Company. |
● | Risk Owners means Employees (leaders) formally defined by the Company who have responsibility and authority to manage their attributed risks. |
4 – GUIDELINES
4.1. SCOPE
This policy applies to Suzano S.A., including its units in Brazil and in foreign countries.
4.2. PRINCIPLES
i. | Risk management promotes the protection, creation and generation of value, and must be aligned with the Company's strategic plan, contributing to the achievement of goals and objectives. |
ii. | Risk management is directly related to the performance improvement of activities, legal and regulatory compliance, quality of service, generation of value, governance, reputation, environment protection, among other relevant topics. |
iii. | Risk management must be recognized as an integral part of the Company's main organizational processes. |
iv. | Risk management must support, when applicable, the Company's decision-making process. |
v. | Risk management explicitly addresses uncertainty. |
vi. | Risk management process inputs are based on the best information currently available. |
vii. | Risk management is adaptable and dynamic, responding, when possible, to changes in internal and external contexts and promoting critical analysis to ensure assertiveness in risk governance. |
4.3. GUIDELINES
i. | Establish an integrated methodology unifying concepts, tools, metrics and activities that supports the risk management process, ensuring a cohesive and dynamic global process. |
ii. | Fortify a risk management culture in the Company through continuous communication and regular training. |
iii. | Adopt as a reference the concepts and guidelines of the ISO 31000, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and market good practices (when applicable) to systematize and support the process. |
iv. | Develop and implement management control activities that should consider the evaluation of internal and external changes, allowing Suzano’s operation in a systematic, structural and suitable way. |
v. | Support the evaluation process of potential impacts related to new projects, investments, acquisitions and other strategic actions. |
vi. | Map emergent risks aiming to evaluate mitigation measures that can minimize potential negative impacts of such risks within the Company’s strategic plan. |
4.4. PROCESS
4.4.1. Types of Risk
Suzano categorizes its Risks as follows:
● | Strategic Risks: mean Risks the materialization of which results in losses to the Corporation due to the failure of the adopted strategies, taking into account the dynamics of business and competition, as well as political and economic changes, both nationally and internationally. |
● | Financial Risks: mean Risks the materialization of which results in losses of financial funds by the Company, subdivided into three categories: |
o | Market Risks: mean Risks the materialization of which results in losses caused by changes in the behavior of interest rates, exchange rates, share prices and commodities prices and/or other products purchased and/or sold by the Company. |
o | Credit Risks: mean the Risks the materialization of which results in the loss of amounts agreed with borrowers or customers of products sold by the Company at term with counterparties of contracts or that have issued securities in favor of the Company. |
o | Liquidity Risks: mean Risks the materialization of which results in: (i) the Company's inability to carry out transactions in a reasonable time and without significant loss of value; or (ii) the lack of funds to honor the commitments assumed due to the mismatch between available assets and past due liabilities. |
● | Operational Risks: mean Risks the materialization of which results in losses due to failure, deficiency or inadequacy of internal processes, people and systems, or external events. |
● | Compliance Risks: mean Risks associated with legal or regulatory sanctions, financial loss or reputation, resulting from any failure to comply with laws, agreements, regulations, the Code of Conduct and/or Company’s internal policies or standards. |
4.4.2. Risk Management Process
Suzano's Risk Management is composed of 7 stages, as shown in the following figure:
Figure 1 - Risk Management’s Stages
4.4.3. Context Establishment
This stage provides the scope of risk identification, analyzing the internal context, regarding the organizational structure, processes, responsibilities, systems and the relations of internal stakeholders, and the external context, which involves the analysis of the cultural, legal, social, political, financial, technological and economic environment surrounding the Company, in regional, national and international spheres.
4.4.4. Risk Identification
Risk identification occurs through the evaluation of business processes, consisting of the search for, recognition and description of the risks, considering their respective sources, events, causes and potential negative consequences.
4.4.5. Risk Analysis
The risk analysis involves assessing the causes and sources of Risk, their negative consequences, coming from any impact spheres, and the probability that they may occur. Accordingly, all events, whether internal or external, that may negatively affect the Company's strategies and business objectives must be mapped and monitored to ensure that any risk materialization that may occur is known and managed at an acceptable level.
4.4.6. Risk Evaluation
The process of risk evaluation consists of the definition of the probability and impact of a risk.
The probability of occurrence can be defined in four levels, according to the following criteria:
● | Remote (below 30%): Remote chance of event occurrence and/or low frequency history or no history of risk materialization. |
● | Possible (between 31% and 60%): The probability that the event does not occur is higher than the probability that it occurs and/or there is a history of moderate frequency of risk materialization. |
● | Probable (between 61% and 90%): The probability that the event occurs is higher than the probability that it does not occur and/or there is a frequent history of risk materialization. |
● | Highly Probable (above 90%): The occurrence of the event is almost certain and/or there is a highly frequent history of risk materialization. |
The impact of the risk is also defined in four levels (minor, moderate, major and extreme) and it should be determined according to the following spheres: financial, health and security, environment, social and cultural, image and reputation, organizational climate and legal.
The risk level is defined using the final impact, which is established by the sphere that represents the greatest level.
The result of the risk analysis between probability and impact is represented in the risk matrix or heatmap, as shown in Figure 2 below. The risk levels are defined as: Very Low, Low, Medium, High and Critical.
Figure 2 – Suzano’s matrix of risk’s Impact x Probability
From this matrix, it is possible to define the Company’s risk prioritization.
4.4.7. Risk Treatment
This stage consists of verifying which approach is most adequate for the risk; the following strategies are possible:
● | Accept: The Corporation, within the limits of the authority, decides to live with the Risk, thus not taking actions that will treat it. |
● | Reject: The act of rejecting Risk means that Suzano does not wish to live with it, thus requiring a treatment to be addressed by the Risk Owner. |
If the Company chooses to reject the risk, the following actions can be defined:
● | Avoid: The activities that originate the Risk must be interrupted, either through the sale of the risk generating asset or through commercial redirection, for example; |
● | Reduce: Seek alternatives for process restructuring to reduce the Risk Impact in case of materialization, the probability of materialization, or both; |
● | Share: Take actions to transfer the Risk to a third party, paying a certain amount for such, such as insurance or hedging. |
This decision-making process is summarized in Figure 3 below:
Figure 3 – Risk Treatment
4.4.8. Monitoring
Monitoring is the stage in which the evolution of risks is tracked over time, verifying whether the actions adopted by the Company were efficient, as well as the effects of any changes in the internal and/or external environment on the evaluation.
4.4.9. Report and Communication
In this stage, the information related to the risk management process must be properly communicated to the responsible instances. This conduct guarantees the smooth flow of information and the agility and transparency of the communication process to the respective audiences, ensuring that all the stakeholders can share, provide and obtain information.
5 – RESPONSIBILITIES
The definition of responsibilities in the risk management process follows the principle of 3 Defense Lines, aiming to organize the function of each line of risk governance and decentralize the respective management flow, providing the roles and responsibilities for risk management, supervision and evaluation at the Company’s various levels.
The organization chart in Figure 4 below illustrates the organizational structure of the Company’s risk management:
Figure 4 – Organization chart of the organizational structure of Suzano’s risk management
Below are the responsibilities of the bodies involved in the process:
5.1. STATUTORY AUDIT COMMITTEE (SAC)
● | Supervise the risk management and monitoring process, ensuring that the Company has internal mechanisms capable of identifying, analyzing, treating and monitoring Risks as a way of managing the Company's Risk profile. |
● | Assist the Board of Directors (BD) regarding the Company’s risk management process. |
● | Evaluate the parameters of the Company's Risk management model, as well as the human resources and financial funds allocated to the Risk management process, in addition to the maximum tolerance determined by management. |
● | Supervise strategic issues in the risk management process, such as the degree of appetite, as well as evaluate and monitor the Company’s risk exposure. |
● | Support the BD in the process of approving this policy, as well as propose any alterations to the BD. |
5.2. BOARD OF DIRECTORS (BD)
● | Establish the level of risk appetite for the Corporation based on the risk/return ratio it intends to assume. |
● | Validate strategic aspects of the risk management process, as well as evaluate and monitor the Company’s risk exposure. |
● | Consider in its analysis and decision-making the reports received from the SAC regarding the Company’s risk management process. |
● | Approve this policy and its alterations, with the support of the SAC. |
5.3. EXECUTIVE BOARD
● | To act in solidarity and with commitment to risk management through knowledge, understanding and monitoring of the Corporation's main risks. |
● | To maintain an appropriate organizational structure to operate and reasonably manage the Risks to which Suzano is subject. |
● | Ratify the prioritization of risks to be addressed/managed. |
5.4. CORPORATE RISKS DEPARTMENT
● | Define methodologies, guidelines and tools for risk management. |
● | To develop planning and ensure the systemic operationalization of risk management, considering all dimensions of the defined structure, encompassing strategic, tactical and operational activities. |
● | To validate the scope of Risk management work with the Board of Executive Officers and Board of Directors. |
● | To monitor Risks in partnership with other areas of the Corporation. |
● | Assist the business areas in the identification and evaluation of the various risk types, as well as support the definition of the action plans. |
● | To report the relevant information arising from the risk management process to the interested parties, including the report to the Company’s Board of Directors, through the Statutory Audit Committee. |
● | To continuously disseminate the risk management culture in the Corporation. |
● | To ensure the maintenance of the risk management policy and verify its compliance. |
5.5. FUNCTIONAL AND BUSINESS AREA
● | To identify any new risks that could affect their respective areas, as well as keep the evaluation of the identified risks consistent and updated. |
● | To manage and monitor the risks of their respective areas, following the defined mitigation strategies. |
6 – APPROVAL OF THE POLICY
The Corporate Risks Department has exclusive authority to make any necessary alterations to this policy.
Any alteration to this Policy must be approved by the Executive Director of Finance, Legal and Investor Relations and by the Board of Directors.
7 – VIOLATION OF THE POLICY
This policy must be observed by all Company employees who are conducting business involving the Company, and non-compliance will be considered a violation of rules.
8 – MISCELLANEOUS
Not applicable.
9 – APPENDICES
Not applicable.