UPM Annual Report 2021

RESPONSIBILITY

BEYOND FOSSILS

STRATEGY

BUSINESSES

GOVERNANCE

ACCOUNTS FOR 2021

UPM

RESPONSIBLE FOUNDATION OF OUR BUSINESS

COMPLIANCEUNDERPINS PERFORMANCE Regardless of the location, circumstances or people involved, we are committed to complying with applicable laws and regulations, as well as our Code of Conduct.

% Code of Conduct training

100

95

90

85

80

17

18

19

20

21

Target

2021, we updated our Risk Management Policy and Association Participation Rules. Our Code of Conduct is updated every three years. The next time will be in 2022 and the preparations have started in 2021. Training and communication Policies and procedures are implemented through training sessions and communica tion. In 2021 we updated our personal data protection training module and launched a newmodule (association participation) relating to our competition law programme. In April, we also launched new digital team discussion materials based on real-life cases to engage teams to discuss our culture of integrity and ethical dilemmas. By the end of the year more than 1,600 employees participated these discussions. Available compliance e-learnings with the target group and completion rates at year end are listed in the table on page 79. Our e-learning modules are available on the same HR platform and are easily accessible to our employees. The completion of man datory e-learnings is as a prerequisite for short-term incentive payments. The e-learning modules are comple mented with face-to-face and virtual compliance training with specific target groups, which are determined on the basis of risk assessments. The compliance training sessions are supported by active communi cation. We launched a microlearning video series concerning key compliance topics in 2021. Monitoring Our monitoring activities are aimed at ensuring compliance at all levels of the

IMPACT • Committed and engaged employees • Competitive business with no disruption • Maintaining our reputation and the trust of business partners and other stakeholders TARGETS • Compliant operations and behaviour • An engaging work environment where employees feel safe to voice their concerns • Responsible value creation Our Code of Conduct and our values help us make the right choices and guide our work in a changing business environment. This lays the foundations for long-term success. We strive to ensure compliance with our values and commitments by implementing a company-wide compliance programme through our compliance system (right). The compliance system is embedded in our governance model and is designed to bolster company performance and a culture of integrity at all levels. We follow how this culture is developing with the help of favourable responses to an integrity-related question in our annual Employee Engage ment Survey (EES). The EES was renewed in 2021 and the new integrity-related question is: • People at UPM behave ethically (UPM overall: 74) (the external bench mark: 78).

OUR WAY • We are all responsible for building a cul ture of integrity, with everything we do and every choice we make • We do not compromise our standards of integrity under any circumstance • Accountability for compliance extends down from the Board of Directors and senior management to all employees

TARGETS 2030

100% coverage of participation in UPM Code of Conduct training (continuous)

98% of active employees completed the UPM Code of Conduct training

organisation. The activities are based on a group company risk matrix that considers the country risk and complexity and the extent of our operations in each country. Our compliance team has a three-year monitoring plan for its unit-specific compli ance reviews that are based on this matrix. On top of these general reviews covering all business integrity topics, we conduct risk based reviews around specific topics such as competition law or anti-corruption. The reviews to be performed each year are agreed with the businesses during the annual risk assessment process and coor dinated with the Internal Audit. The most important compliance review findings and recommendations are reported to the Audit Committee of the Board of Directors and businesses. These recommendations are then carried out in collaboration with said businesses. In 2021, the compliance team conduct ed compliance reviews in 7 local units in South America, Asia, and Europe. Due to COVID-19 most reviews were conducted re motely. Another example of our compliance team’s monitoring activity is the counter

Risk assessment With the support of our compliance team, each business area, function and unit is responsible for identifying and managing compliance risks related to its own oper ations. The results of annual risk assess ments are used to guide compliance activ ities and mitigation actions in businesses and functions. Risk assessments and mitigation actions are updated throughout the year to respond to changes in the risk environment. The progress of mitigation actions is reported to the Audit Committee of the Board of Direc tors and businesses on a quarterly basis. Policies and procedures Policies and procedures form the basis of our compliance programme and their update needs are reviewed annually in accordance with our policy management process. Based on this annual review in

UPM COMPLIANCE SYSTEM

Company performance Corporate reputation, financial performance, operational excellence

Risk assessment Policies and procedures Preventive controls

Communication Training Proactive advice

PREVENT

Continuous improvement

Auditing, monitoring and surveys Notification/ reporting channels

Investigation and resolution Remediation

REACT

MONITOR

Culture of integrity

76

77

UPM ANNUAL REPORT 2021

UPM ANNUAL REPORT 2021