UPM Annual Report 2024

WE ARE UPM

GOVERNANCE

ACCOUNTS AND PERFORMANCE

Report of the Board of Directors

Sustainability Statement

Financial Statements

Auditor's Report

Sustainability Assurance Reports

Oversight and management of impacts, risks and opportunities Board of Directors The Board of Directors approves the Company strategy in the annual strategy session, oversees the Impact, Risk, and Opportunity (IRO) management with the assistance of the Board committees, and oversees the double materiality assessment (DMA) process with the assistance of the Audit Committee. The Board proposes the Remuneration Policy for adoption at the Annual General Meeting (AGM), approves the UPM Code of Conduct and UPM Group Policies in accordance with the policy management structure. It also approves the appointments and pay of the Group Executive Team and some senior management representatives, approves Group-level sustainability targets for the remuneration of the Group Executive Team and some senior management representatives, oversees key Group-level actions related to strategy implementation and progress against key Group-level sustainability targets, and oversees the independence of the Board. Nomination and Governance Committee The Nomination and Governance Committee regularly reviews governance matters and assesses how they interact with the strategy and business model. It prepares the Diversity Policy of the Board of Directors for Board approval and oversees its implementation, prepares proposals for director elections for the AGM, and their remuneration, prepares the election of the President and CEO, prepares other major governance matters, and oversees Board skills and expertise in sustainability and business conduct matters. Audit Committee The Audit Committee regularly reviews material sustainability topics (IROs) and assesses how they interact with the strategy and business model. It assists the Board in the oversight of the DMA process, monitors compliance with applicable legal and regulatory requirements, the UPM Code of Conduct, and other corporate policies, monitors and assesses the effectiveness of internal controls and audit, as well as risk management, regularly reviews assurance matters, including risk management, internal controls, compliance, internal and external audits, and regularly reviews sustainability matters and information in the report of the Board of Directors. In addition to undertaking the assigned matters and regular reports listed above, the Audit Committee also reviewed reports on and discussed ESG and cybersecurity and focused on the preparation of the statutory sustainability report for the first time in such a regulated scope in 2024. The Board is informed, as part of the Audit Committee Chair’s regular reporting to the Board, of any submissions received by the Committee from stakeholders that have a material impact on the economy, the environment or people. Remuneration Committee The Remuneration Committee regularly reviews selected material social sustainability topics (IROs) related to the workforce and assesses how they interact with the strategy and business model. It regularly reviews how remuneration is linked to material sustainability topics (IROs), prepares the Remuneration Policy for adoption at the AGM, oversees procedures related to executive remuneration, proposes sustainability targets in executive remuneration for Board approval, and regularly reviews executive performance against remuneration-related sustainability targets and prepares proposals for payout.

Reflection of responsibilities in charters and policies Charter of the Board of Directors The Board’s responsibilities, outlined in the Charter of the Board of Directors, include strategic oversight, risk management, and compliance and governance. Additionally, the Board monitors and assesses the Company's financial reporting process and the statutory sustainability reporting process, ensuring the integrity of financial and sustainability reporting. The Board also oversees the assessment and management of risks related to the Company's strategy and operations, including sustainability risks. It monitors the Company's audit and assurance related to statutory sustainability reporting and assesses the performance and independence of the sustainability report assurer. Charter of the Audit Committee The Audit Committee assists the Board in overseeing financial reporting, statutory sustainability reporting, internal control, internal audit and risk management. The Committee's responsibilities are detailed in the Charter of the Audit Committee. Charter of the Nomination and Governance Committee The Nomination and Governance Committee is responsible for identifying individuals qualified to serve as directors and preparing proposals for their election or re-election. The Committee also develops and recommends corporate governance principles. These responsibilities are outlined in the Charter of the Nomination and Governance Committee. Charter of the Remuneration Committee The Remuneration Committee assists the Board with responsibilities related to the preparation of the Company's remuneration principles and practices, including remuneration schemes and plans. The Committee's responsibilities are detailed in the Charter of the Remuneration Committee. Policies The UPM Code of Conduct sets out the principles that help UPM employees make ethically sound decisions and maintain high standards of integrity in its daily operations. It applies to all UPM employees globally and serves as the basis for the Company's corporate responsibility and compliance programmes, policies, and procedures. Additionally, various Group policies outline specific responsibilities and procedures for managing risks and ensuring compliance with legal and regulatory requirements. These policies provide guidance on, for example, anti-corruption, risk management and stakeholder engagement. The UPM Sustainability Policy Statement ensures that risks and impacts on people and the environment are considered throughout UPM's operations. It requires UPM's businesses and functions to perform sustainability-related due diligence, conducting regular assessments of their impacts, and prioritising the most severe issues for further focus and action. It also defines the double materiality assessment (DMA) process to be carried out regularly to assess UPM's sustainability-related impacts, risks and opportunities. » Refer to G1-1 Policies

Management's role in sustainability

UPM's governance structure

Group Executive Team The Group Executive Team (GET), led by the President and CEO, is responsible for managing sustainability, determining courses of action and guiding development. The GET is responsible for managing impacts, risks and opportunities at Group level and approves the Group's double materiality assessment, the review of sustainability focus areas, targets and key performance indicators, sustainability actions and sustainability-related policies and rules. The President and CEO reports to the Board on relevant decisions and progress. Strategy Team Among other matters, the Strategy Team assists the President and CEO in integrating sustainability into the Group's strategy for the Boards' approval. The Strategy Team prepares proposals for updating UPM's strategy and strategic plans and is responsible for identifying and managing UPM's key strategic risks. Businesses and functions The role of the Business Area Boards is to make decisions at the business area level on, among other things, sustainability issues and to oversee the implementation of Group-level policies, rules, guidelines and

procedures in the business area. In practice, sustainability efforts, including managing impacts, risks and opportunities, implementing targets and actions, reporting on progress and compliance status, and contributing to the double materiality assessment, take place in businesses and functions. Compliance controls and procedures As part of the Audit Committee’s compliance review, the Committee receives a quarterly report from the Company's Chief Compliance Officer and a report from the SVP of Internal Audit on the submissions made through the UPM Report Misconduct channel. With the support of UPM's Compliance Team, each business area, function and unit is responsible for identifying and managing compliance risks related to its own operations. The results of annual risk assessments are used to guide compliance activities and risk mitigation actions in businesses and functions. Together, the Compliance Team and the businesses update the compliance risk assessments and mitigation actions throughout the year to respond to changes in the risk environment. Progress on mitigation actions is reported to the Audit Committee and businesses on a quarterly basis as part of the compliance review.

UPM FINANCIAL REPORT 2024

132

UPM FINANCIAL REPORT 2024

133

132

133

UPM ANNUAL REPORT 2024

UPM ANNUAL REPORT 2024