Risk management and internal control system

Goals and objectives

The main purpose of RMICS is to provide reasonable assurance that Russian Railways will achieve its goals. The Company’s goals include, but are not limited to:

  • strategic goals;
  • operational goals;
  • compliance goals;
  • goals related to the reliability, timeliness and quality of reporting of any type.

The RMICS serves to:

  • put in place the necessary infrastructure, policies and guidelines;
  • integrate risk management and internal control processes and procedures into the strategic and operational dimensions of the Company;
  • raise risk awareness of RMICS participants and other stakeholders;
  • reduce the number of contingencies that could undermine the Company’s ability to achieve its goals.

The Company operates its RMICS in line with GOST R ISO 31 000:2010 Risk Management — Principles and Guidelines (approved by Rosstandart’s Order No. 883-st dated 21 December 2010) as amended by GOST R ISO 31 000:2019 Risk Management — Principles and Guidelines (approved and enacted by Rosstandart’s Order No. 1379-st dated 10 December 2019).

RMICS organisational structure

RMICS rights and obligations are allocated in line with the Company’s policies and guidelines, based on the Three Lines of Defence model, which involves the following participants in the risk management process:

  • Russian Railways’ Board of Directors, including its Audit and Risk Committee;
  • Russian Railways’ Audit Commission;
  • risk management and internal control unit;
  • the unit responsible for independent assessment of individual RMICS elements and overall RMICS operation.

Effective RMICS operation is underpinned by interaction and information exchange between the participants of the risk management and internal control system. As risk management and internal control procedures form an integral part of the business processes, operations and corporate governance, the interaction within RMICS is based on the established governance structures, segregation of duties, corporate culture and code of conduct, business process and activity structure.

Risk appetite and risk management process

Russian Railways sets its risk appetite, which then shapes the decision-making on risk responses and controls and serves to maintain a balance between risks and opportunities.

Risk appetite is determined by the Company’s Board of Directors and represents the maximum level of risk that the Company is willing to accept and retain while pursuing its goals. The risk management process is regulated by the Company’s internal regulatory documents. The RMICS process generates risk reports, which are submitted to and approved by the executive bodies, the Audit and Risk Committee, and the Board of Directors. The reports include information about the risks, risk mitigation measures, and RMICS performance.

Main reports and records are generated based on the risk IDs and include the summary of monitoring the key risks, risk appetite, maximum acceptable risk level, and risk portfolio of the Company, as well as the RMICS self-assessment results.

Information exchange as well as vertical and horizontal interaction of participants are key to RMICS efficiency. Interaction and consultations are not limited by reporting periods because risk management and internal control are ongoing and integrated into business processes and corporate governance. The correlation between RMICS and KPIs links the strategic, operational, compliance and reporting reliability goals and defines the relevant criteria to achieve them.

[Figure: Participants of the Russian Railways’ risk management and internal control system]

[Figure: Risk management stages]

RMICS assessment

RMICS must be assessed regularly to verify that it remains relevant to the Company’s current needs, to improve its effectiveness and to allow timely adjustment. The Company uses both internal assessment (including self-assessment and assessment by the internal audit function, which is at the third line of defence) and external assessment. The internal assessment is carried out periodically, at least once a year. The external assessment is carried out by an independent expert. Its frequency is set by Russian Railways’ Board of Directors as recommended by its Audit and Risk Committee. In 2020, no external assessment was carried out.

The results of RMICS self-assessment in 2019 were discussed by the Russian Railways’ Board of Directors in July 2020 following a preliminary study by the Audit and Risk Committee and the Management Board. The Board of Directors plans to review the RMICS self-assessment report 2020 in June 2021.

Russian Railways’ risk management and internal control system is assessed periodically, at least once a year, by Zheldoraudit Internal Audit Centre.

Zheldoraudit assessed the risk management and internal control system of the Company in accordance with Russian Railways’ internal audit plan for 2020. The audit was conducted in line with the Internal Audit Manual on Assessment of the Risk Management and Internal Control System (PR.003-2019, approved by Russian Railways’ Order No. 2941/r dated 20 December 2019). In 2020, the internal audit was focused on RMICS compliance with the established requirements and involved risk management assessment in individual business processes of the Company.

In 2020, efforts were made to develop and improve RMICS in line with the Russian Railways Risk Management and Internal Control Development Programme for 2019–2024 and based on the internal audit recommendations. The internal assessment resulted in the internal audit report on RMICS current status, compliance with the main RMICS requirements and the opinion on efficient development and improvement of the Russian Railways’ risk management and internal control system.

Plans for risk management development in 2021

In 2021, it is planned to continue developing RMICS by:

  • expanding the training coverage of Russian Railways employees, sharing knowledge and further improving the training programmes;
  • increasing the number of knowledge sharing sites within and outside the Group;
  • enhancing feedback tools and developing proactive risk management improvement measures;
  • implementing a single information platform (portal) for RMICS and developing risk management automation;
  • conducting further comprehensive risk analysis, evaluation and modification of risk responses, using the results in decision-making and further integrating RMICS into the process management model;
  • further building uniform approaches in the Group by improving RMICS of the affiliates.