Risk Management and Compliance

We have a Board of Governance Risks and Compliance (GRC) that reports functionally to the Chairman of the Board of Directors and to the Statutory Audit Committee (CAE). With well-established corporate governance, the risk management policy is developed in a participatory manner, headed by a specialized team that analyzes the company's risks using specific tools and indicators and reports to the collegial bodies. The policy is considered to be mature and conservative, acting in a preventive manner through the continual and comprehensive monitoring of the factors that may interfere with business progress and the attaining of the intended results.

Fibria's risk management process was determined using as a basis the Risk Management Process suggested under ISO 31000:2009 Risk Management - Principles and Guidelines, according to the following objectives:

  • Involve all the agents of the structure.
  • Standardize the concepts and practices.
  • Influence the decision making.
  • Ensure that Fibria’s Corporate Governance principles are followed and critically analyzed.
  • Provide a dynamic and efficient flow of information.
  • Increase Fibria’s level of transparency for stakeholders, market analysts and credit agencies.

Fibria Risk Management Process

Risk assessment takes into account the balance of probability against impact, the classification of which ranges from remote possibility to very likely and from minor to severe impact.

The company’s risk is classified among the following four categories:

  • Strategic Risk
    Risk associated with the organization’s strategic decisions aimed at achieving its business objectives and/or arising from the company's lack of skill or ability to protect itself or adapt to changes in the environment.
  • Financial Risk
    Market Risk: arising from the possibility of incurring losses due to changes in interest or foreign exchange rates, share prices or commodity prices.
    Credit Risk: defined as the possibility of loss resulting from uncertainty regarding the receipt of amounts agreed with borrowers, contract counterparties or in relation to securities issued.
    Liquidity Risk: the possibility of loss resulting from the inability to complete a transaction in reasonable time and without significant loss of value or the possibility of insufficient resources to honor the commitments assumed, due to a mismatch between assets and liabilities.
  • Compliance Risk
    The risk of legal or regulatory sanctions, financial loss or damaged reputation that the company may suffer as a result of failure to comply with laws, agreements, regulations, the Code of Conduct and/or policies.
  • Operational Risk
    Arises from a lack of consistency and suitability of the operational information, processing and control systems, as well as in resource management and internal control failures or fraud that renders the performing of the company's activities inadequate (e.g.: unable to produce and distribute its products under the agreed terms and deadlines).

Updating the Risk Matrix is a dynamic process, with priority risks reported periodically to the Board of Directors by the Director for Risk Management and Compliance and the Risk Manager.

For each priority risk there is a set of action plans that have been developed by the business areas and are monitored by the Risk Management area.

Compliance and Internal Controls 

For its Internal Controls and Compliance, the company has adopted a structured process that embraces the Board of Directors, the Executive Board, the Board advisory committees, the management area and the employees, so as to enable the business to be conducted more efficiently, securely and appropriately, in line with the prevailing regulations. The flows of the company's processes and systems are continually reevaluated and verification tests are regularly used to assess the effectiveness of the existing controls.

Continually working towards alignment with the best market practices for the management of internal controls and compliance, the company systematically applies Control Self Assessment (CSA) methodology, an integrated solution that helps to document, on a quarterly basis, the performance of the controls relating to the financial statements, management, compliance, the business’ key obligations, and the constant monitoring of strict compliance with the laws, rules and regulations, policies and procedures, as well as the implementation and functionality of the contingency plans and the separation of duties – to avoid conflicts of interest and facilitate risk assessment through adherence to the company's controls. Fibria has consistently strengthened its management practices through its Compliance Program, focusing on the pillars of Anti-Corruption, Loss and Fraud Prevention and Defense of Free Competition, as well as conducting systemic reviews of the internal controls. The entire process of monitoring and reviewing the environment is duly documented and reported to the senior management on a quarterly basis and is signed off annually by all the management bodies using a specific tool, the GRC Process Control, which enhances the adherence to best governance practices.

As part of the Fibria Compliance Program, workshops and training sessions are held on the conduct that is expected at all of the company's units, reaching out to all its in-house and outsourced professionals. The Compliance Program covers all the internal and external requirements that are to be met, whether they be voluntary or strategic, which are grouped into seven major areas, as follows: (a) Laws and Regulations; (b) Licenses, Authorizations and Certifications; (c) Contracts and Agreements; (d) Reporting Externally; (e) Defending Free Competition; (f) Loss and Fraud Prevention; and (g) Anticorruption. The program is reviewed systemically, subject to Statutory Audit Committee approval, and presented at meetings of the Executive Board and the Board of Directors. In 2016, Fibria introduced a Manual for Relations with Government Agents, which was disseminated to its employees and its partners in the Horizonte 2 project.

The obligations arising from internal rules, external requirements and contracts are periodically monitored by Fibria, in order to keep abreast of the exposure to compliance risk and determine any action that might be needed to avoid or mitigate their impact. In the event of any violation of internal rules or external requirements, disciplinary and/or corrective measures shall be applied. If necessary, such violations shall be submitted to the Ethics and Conduct Committee, comprising the Chief Executive Officer (CEO), the Director of Human & Organizational Development, the Director of Governance, Risk Management and Compliance and the members of the Ombudsman's Office.

Certain activities strengthen and promote Fibria's internal control and compliance environment, such as:

  • Revision and adaptation of the conflict of interests form, signed during the hiring of in-house and outsourced professionals.
  • Application of the electronic conflict of interest assessment form for professionals at management level, including whenever they are promoted or transferred to another area.
  • Systemic review of the control matrix, focused on preventing losses.
  • Management of Internal Controls and Compliance within a matrix structure, formed by 125 Champions, the company’s Compliance Agents, who are appointed by the management and work within the Internal Controls and Compliance management area. These professionals must make every effort to ensure the compliance of the operational areas, applying the GRC methodology and developing the activities throughout the various processes.
  • In addition to the policies and procedures, minimum guidelines are provided on the conduct expected by Fibria (e.g.: guidelines on receiving or offering gifts, presents, hospitality and/or reciprocal sponsorship).
  • The continual development of our supply chain Due Diligence, through enhancement of the on-site auditing procedures; wider application of the conflict of interests questionnaires; the issue of minerals in conflict zones; and verification controls for countries that are sanctioned or prohibited under international rules on compliance, among others.

See below the Compliance Program Manual and Compliance Handbook

Internal Auditing

The company's Internal Auditing forms part of the Governance, Risk and Compliance Department, which in turn reports directly to the Chairman of the Board of Directors and, technically, to the Statutory Audit Committee. Its function is to provide independent assessment of the company’s processes, verify their compliance with the adopted policies and rules and check for possible cases of fraud, misuse of resources or damages to assets. It also conducts investigations based on the risk matrix, internal control matrix and the considerations of the senior management (CEO, other directors and general managers) and the members of the Statutory Audit Committee.

The results of the work and action plans are reported to the CEO and to the Statutory Audit Committee. The Internal Auditing monitors the status of the action plans on a monthly basis, in order to ensure their implementation and effectiveness.

Ethics and Conduct Committee and the Ombudsman

The company has specific policies, processes and systems, such as the Ombudsman channel, to receive and handle complaints about perceived irregularities within its business environment, aimed at the immediate correction of possible misappropriations and the prevention of possible violations of the guidelines set out in its Code of Conduct, such as fraud and corruption. The channel is widely promoted – in addition to lists of Ombudsman contact information distributed within all the company units, the information is also disclosed on the company's intranet, where there is also an exclusive portal addressing Ethics and the Ombudsman's Office, and is published on the company's website.

Moreover, all new employees participate in face-to-face training during their integration within the company, in which they receive more detailed information about the company's Code of Conduct and the Ombudsman channel.

Activities are also carried out periodically to foster and maintain a culture of business integrity, such as selecting a topic from the Code of Conduct for reading and discussion at the beginning of all the monthly results meetings at each of the company’s units, with emphasis at the end on the Ombudsman contact details for reporting concerns relating to the subject discussed.

The company has been carrying out a number of awareness-building and training activities aimed at informing and drawing the attention of its employees to the importance of ethical conduct in their daily lives. Examples of this are holding Compliance workshops and conducting specific annual training for the senior management, since 2014, reinforcing the important concepts of human rights, integrity and compliance among this group of professionals, as well as the dissemination of the latest edition of the company's Code of Conduct, which included renewing the signed endorsement of the document by all the employees over the course of 2015.

Issues raised with the Fibria Ombudsman's Office are shared with the Ethics and Conduct Committee, comprising members of Fibria's management. The committee was set up to reinforce the application of the Code and proposes action for updating, disseminating and compliance with that instrument, to ensure its effectiveness. Working impartially, it is the responsibility of the Committee to determine the criteria for dealing with situations that are not covered in the Code, resolve controversial situations, deal with ethical dilemmas and ensure the uniformity of the criteria used in resolving similar cases. Information about the membership and workings of the Commission is available to the entire organization in the online document system.

Cases relating to fraud, the misuse of resources or damages to assets are sent to Internal Auditing, which, following analysis, reports the results to the Ombudsman's Office and to the Statutory Audit Committee.

Furthermore, the Ombudsman reports on its activities every quarter, as well as providing the statistics on the channel, to the Statutory Audit Committee, which evaluates the progress of the work and the need to take new measures.

