UPM Annual Report 2023

RESPONSIBILITY

UPM

BEYOND FOSSILS

BUSINESSES

GOVERNANCE

ACCOUNTS FOR 2023

COMMITTED TO COMPLIANCE CREATING VALUE FOR PEOPLE AND SOCIETY

Regardless of the location, circumstances or people involved, we are committed to complying with applicable laws and regulations, as well as our Code of Conduct.

IMPACT • Committed and engaged employees • Competitive business with no disruption • Maintaining our reputation and the trust of business partners and other stakeholders

TARGETS • Compliant operations and behaviour • An engaging work environment where employees feel safe to voice their concerns • Responsible value creation

OUR WAY • We are all responsible for building a culture of integrity, with everything we do and every choice we make • We do not compromise our standards of integrity under any circumstances • Accountability for compliance extends down from the Board of Directors and senior management to all employees

Our Code of Conduct and our values help us make the right choices and guide our work in a changing business environment. This lays the foundations for long-term success. We strive to ensure compliance with our values and commitments by implementing a company-wide compliance programme through our compliance system (on the right). The compliance system is embedded in our governance model and is designed to bolster company performance and a culture of integrity at all levels. We follow how this culture is developing with the help of our annual Employee Engagement Survey (EES). In the EES, the average score about how ethically people at UPM behave was 75 (74), when the external benchmark was 79 (78). Risk assessment With the support of our compliance team, each business area, function and unit is responsible for identifying and managing compliance risks related to its own oper ations. We use the results of annual risk assessments to guide compliance activities and mitigation actions in businesses and functions.

Together, the compliance team and the businesses update the risk assessments and mitigation actions throughout the year to respond to changes in the risk environment. The progress of mitigation actions is report ed to the Audit Committee of the Board of Directors and businesses on a quarterly basis. Policies and procedures Policies and procedures form the basis of our compliance programme. We review their update needs in accordance with our policy management process annually. The world around us is in constant movement, our businesses evolve, and the regulatory environment changes. For this reason, we want to ensure that our Group policies stay relevant and up to date. Training and communication Policies and procedures are implemented through training sessions and communi cation. Available compliance e-learnings with the target group and completion rates are listed in the table on page 77. Our e-learn ing modules are available on the same HR

% Code of Conduct training

100

95

platform and are easily accessible to our employees. The completion of mandatory e-learnings is a prerequisite for short-term incentive payments. As the compliance e-learnings have previously been available only to our own employees, in 2023 we built a platform through which we can also offer the train ings to employees of our business partners working for UPM. This ensures that they are committed to the same standards of integrity as we are. We complement the e-learning modules with face-to-face and virtual compliance training with specific target groups. The target groups are determined based on risk assessments. The compliance training sessions are supported by active communi cation. In 2023, amongst other things, we in troduced the Code Newsletter highlighting topical compliance content; this is sent to all employees via email on a regular basis.

UPM COMPLIANCE SYSTEM

90

Company performance Corporate reputation, financial performance, operational excellence

85

80

19

20 21

22 23

Target

Risk assessment Policies and procedures Preventive controls

Communication Training Proactive advice

PREVENT

TARGETS 2030

100% coverage of participation in UPM Code of Conduct training (continuous)

Continuous improvement

98% of active employees completed the UPM Code of Conduct training

Auditing, monitoring and surveys Notification/ reporting channels

Investigation and resolution Remediation

REACT

MONITOR

Culture of integrity

74

75

UPM ANNUAL REPORT 2023

UPM ANNUAL REPORT 2023