Risk management and internal control system

The Company is constantly engaging with risk management in all parts of the business. The Risk Management and Internal Control System (RMICS) is a company-wide initiative that has been in operation since 2015.

The system operates in accordance with the Company's internal standard, "Corporate Risk Management and Internal Control System of the Metalloinvest Group", which was developed taking into account the requirements of Russian legislation, the recommendations of the Corporate Governance Code and international best practice.

The risk management and internal control system was given new momentum in 2018 as the Board of Directors adopted the RMICS Development Strategy for the period 2019–21. The strategy was produced taking account of the risk management system maturity audit conducted by PricewaterhouseCoopers in 2017 (see Annual Report 2017).

In line with the Company’s strategy of digitising management processes, the development of the RMICS will proceed using modern information technology for improved data quality and faster decision making.

The main priority is to integrate risk management with strategic and operational decision-making. This task is approached systematically in conjunction with the business transformation programme and in synchrony with the deployment of the ERP system in the perimeter of the Company’s enterprises.

The priorities for the development of the RMICS in the medium term are:

  • further integration with the Group’s business processes, especially in terms of incorporating the RMICS into everyday operating activities, planning processes and efficiency assessments;
  • improving the methodological basis of the RMICS, including the development of methods to make financial assessments for different risk categories;
  • development of a Business Continuity Plan (BCP) allowing for asset prioritisation, critical systems, and BCP programme processes;
  • development of the compliance function;
  • development of an integral compliance programme;
  • assessment of conformity with ISO 37001:2016 Anti-bribery management systems;
  • devise and implement targeted risk management programmes in the field of OHS, industrial safety and environmental safety;
  • devise and implement ISO conformity programmes in the field of information security;
  • inculcate a risk averse culture in the Group; devise and implement training programmes on RMICS development areas;
  • automation of risk management processes; big data analysis; introduction of new technologies for real-time asset monitoring (data actuality, improved reliability of critical equipment); other areas of development.

Risk management

The Company’s corporate risk portfolio includes approximately 100 items which have their assessment and status updated regularly to facilitate the prompt response to changes in both external and internal factors. The Company identifies 20 corporate risks as key risks, which are analysed and monitored by the Board of Directors on a regular basis.

For key corporate risks, a desired level of risk appetite is identified, with the aim of ensuring the continuity of business activities through relevant risk management activities.

The Board of Directors specifies an annual risk appetite in relation to managed risks. It sets limits on all strategically important decisions. KPIs relating to compliance with risk appetite in relation to realised risks are included in the operational KPIs of the Company and management.

Main risks managed by the Company

The Company has a policy of zero tolerance for all manifestations of risk due to corruption, fraud, or harm to human health or the environment.

In 2018, Metalloinvest’s greatest risks remained external environment risks, and price risks due to fluctuating exchange rates on products and raw materials. The general trend in prices for Metalloinvest’s main product types was positive in the report period. The effects of interest, tax and transport cost risks were in the low range.

Managed risks (production, investment and credit risks) had less effect and were retained in the risk appetite. Commercial risks/risks of loss of markets and customers were not realised in 2018.

Systemic risks are managed by Company management by the following measures:

  • development of business processes;
  • drawing up of regulatory documents;
  • introduction and implementation of control and analytical procedures;
  • protection and promotion of the Company’s interests in the regulatory sphere.

The Board of Directors Audit Committee carries out quarterly monitoring of risk appetite, realised risks and risk management activities. Internal Audit makes annual verifications of KPIs relating to compliance with the risk appetite and the accuracy of reporting of realised risks.

The Risk Management and Internal Control Department works on function development, methodological support and coordination of the risk management process.

Internal control system

Risk management at the level of business processes takes place in the framework of the internal control system, which is an integral component of the whole-company risk management and internal control system.

The main work of establishing an effective internal control system takes place in the framework of the introduction of the ERP system. It includes support of a shared process model, documentation of key business process risks, and the introduction, regulation and monitoring of control procedures.

In introducing the internal control system, the Company aims to optimise and automate control procedures in order to improve the effectiveness and transparency of business processes, reduce the influence of the “human factor”, reduce the risk of fraud, and increase smart working.

The Company, within the system’s framework, manages centrally the risk of conflict of competences among managers and employees both inside and outside ERP systems.