Risk management

Highlights

Effective risk management at Russian Railways is a consistent ongoing process that spans all organisational layers and is integrated with the business and decisionmaking processes to make targets more achievable.

The internal control is an integral part of the risk management system, and the risk management and internal control system (the “RMICS”) forms part of the corporate governance system ensuring sustainable development of the Company amid external uncertainties and changes, which is reflected both in the adopted policies and guidelines as well as in the constantly improved and developed risk management process. The overall coordination and methodological support of RMICS risk management process at Russian Railways are led by the Risk Management and Internal Control Centre (the “Centre”).

The main results of the Centre activity in the reporting year with respect to RMICS development include:

• approval of the Risk Appetite Guidelines and the risk appetite by the Board of Directors;
• implementation of the procedures to monitor the risk tolerance and the risk appetite;
• implementation of the self-assessment tools to identify further development focus and needs, feedback-based improvement of risk management processes;
• development and approval of the functional requirements for the Company-wide risk management automation;
• development and launch of onsite and online risk management courses at the Russian Railways’ Corporate University; workshops involving representatives of affiliates and youth programmes;
• RMICS development in affiliates based on the common guidelines;
• identification of trends and alignment of the risk management policies and guidelines for business lines with the corporate RMICS documents;
• implementation of weekly routine reporting on material risks impacted by COVID-19.

The Company has developed and implemented a hierarchy of risk management and internal control policies and guidelines in line with:

• instruction of the President of the Russian Federation No. Pr-3013 dated 27 December 2014;
• Article 87.1 of Federal Law On Joint-Stock Companies;
• Corporate Governance CodeApproved by the Bank of Russia’s Board of Directors on 21 March 2014.;
• guidelines for drafting risk management policies developed by the Federal Agency for State Property ManagementApproved by the Russian Government’s Order No. ISh-P13-4148 dated 24 June 2015.;
• concepts of the Committee of Sponsoring Organisations of the Treadway Commission (COSO): Enterprise Risk Management — Integrating with Strategy and Performance (COSO ERM, 2017) and Internal Control — Integrated Framework (COSO IC, 2013); GOST R ISO 31 000:2010 Risk Management — Principles and GuidelinesApproved by Rosstandart’s Order No. 883-st dated 21 December 2010.;
• international and Russian best practices of corporate governance, risk management and internal control.

The corporate policies and guidelines as well as the mid-term RMICS development programme define the consistent ongoing process of risk management integrated with the business and decision-making processes to make Company’s targets, including the strategic ones, more achievable.

For a systematic and consistent approach to the integrated RMICS development, the Russian Railways Group has been implementing its Risk Management and Internal Control Development Programme for 2019–2024, which involves:

• shaping the risk management infrastructure (including regulatory and methodological support, process automation, development of risk management and internal control skills and expertise);
• continued monitoring and notification of governance bodies;
• self-assessment;
• cascading the applied methodology;
• building/developing RMICS in Russian Railways’ affiliates based on a unified approach to ensure the integrity of the risk management process within the Group.

RMICS is subject to regular independent assessment through internal audits for higher effectiveness and timely adjustment.