The Group has the risk management and internal control framework (RMICF) which covers material assets, business processes, business areas and management levels.
The risk management and internal control framework is a set of organizational measures, techniques, procedures, corporate culture standards and actions taken by the Group to ensure the optimal balance between increase in value, profit and risks, and to guarantee that the Group will achieve its goals (including financial stability, safety of assets, effective business, compliance with law and internal regulatory documents, and preparation of accurate reports in a timely manner).
The Group’s goals in risk management and internal control to be achieved as part of RMICF are the following:
- ensuring reasonable confidence of the Company’s Board of Directors, executive and supervisory bodies, shareholders and investors in achieving the Group'’ goals: strategic, operational, and ESG;
- ensuring high financial and business performance and resource saving;
- ensuring asset safety;
- monitoring compliance with legal and internal regulatory documents;
- ensuring completeness and accuracy of reports.
Risk management and internal control activities are continuing, systematic, comprehensive, and are taken at all management levels, covering all units and employees when they perform their functions as part of any business processes and business areas of the Group.
All RMICF subjects are responsible for proper performance of risk management and internal control functions within their powers. Roles, powers and responsibility of RMICF subjects are determined and set out in internal regulatory documents, and communicated to them.
Maximum performance in risk management and internal control is achieved through assessing and prioritizing risks, taking into account probability and impact on achievement of the Group’s goals, which allows focusing on implementation of risk management and internal control procedures in business processes and business areas which are most at risk.
A single idea of permissible risk levels related to the Group’s mission, implementation of the Group’s strategy and achievement of business goals of the Company and subsidiaries is provided for by determining the Group’s Risk appetite approved by the Board of Directors and cascaded to controlled entities and persons.
Risk management and internal control are an integral part of corporate governance and a basis for decision-making in management. This is achieved through integration with the main systems and business processes of the Group: strategic management, economic planning, project management, incentives and corporate approval of transactions.
RMICF subjects provide information on risks and risk factors, the status of measures for managing risks and implementing control procedures in a timely manner.
The Group focuses on preventing risk realization by taking preventive action in relation to risk factors, quick response to changes in environment and decline in business processes, and taking timely corrective management decisions.
Risk management and internal control are dynamic: they meet the requirements of the Group’s relevant tasks, and immediately respond to changes in goals and conditions of external and internal environment.
Performance of RMICF are continuously monitored and controlled, and measures for its improvement and development are taken.
Risk management is a tool for ensuring reasonable confidence in Strategy implementation and maintaining the growth of the Group value in the long term. When the Strategy is formed, a list of strategic risks whose realization can cause a decline from the strategic course is taken into account. Management, monitoring and control of these risks during Strategy implementation ensure maintaining the relevance of the selected target development model, timely decision-making in management and protection of shareholder and investor interests.
Risk management and internal control in preventing and combating corruption are carried out in a systematic manner in accordance with the Anti-Fraud and Corruption Policy of PJSC Inter RAO as part of the Anti-fraud and corruption system functioning as part of RMICF.
Risk management and internal control in compliance is carried out in a systematic manner in accordance with the Compliance Policy of PJSC Inter RAO to ensure that the Group’s business meets the requirements of laws, internal regulatory documents and business ethics standards, and preventing violations in compliance.
Aims, main principles and uniform approaches to organizing risk management and internal control in Inter RAO Group are set out in Risk Management and Internal Control Policy of PJSC «Inter RAO»
Board of Directors – determining the principles and approaches to RMICF organization, approving risk appetite, Critical risk maps and Action plans, considering Reports on RMICF performance and RMICF performance assessment
Executive management bodies (Management Board, collective advisory bodies (CAB)) – RMICF management (goal setting, approval of requirements for structure and parts of RMICF processes)
Management – managing functional risks and corporate-level controls
Employees – taking risk management measures, introducing and implementing control procedures
Risk management and internal control are a continuing cyclical process in the Company and controlled entities. Within a calendar year, RMICF processes are implemented as part of the corporate risk management and internal control cycle.
The content of the stages and work procedures as part of a cycle are described in the Regulation on the “Risk Management and Internal Control” business process.
RMICF targets include:
- The list of the Group’s companies (the RMICF scope),
- The list of the Group’s standard risks,
- The list of target indicators for risk impact assessment.
Criteria for including subsidiaries in the RMICF scope:
- The subsidiary accounts for > 1% of the Group’s consolidated revenue (IFRS)
- The subsidiary accounts for > 1% of the Group’s consolidated EBITDA (IFRS)
- The Group’s subsidiaries facing risks which, if materialized, may prevent the Group from achieving its goals
Appointing Risk Owners for each standard risk at the Group level, who provide methodological support for risk management
Communicating the Group’s RMICF targets to subsidiaries
Identifying risk factors in risk data sheets:
- The Internal Control and Risk Management Department (ICRMD) drafts a data sheet for a standard risk in accordance with RMICF targets, to be approved by the division which provides methodological support at the Group level.
- The risk data sheet is communicated to subsidiaries to ensure that risk factors are assessed and prioritized by Risk Owners at the subsidiary level.
Identifying risks and risk factors as part of preparation a Business plan (BP)/ BP Performance Reports by Risk Owners at the subsidiary level.
The ICRMD assesses the completeness and correctness of risk factor analysis of deviations from BP targets caused by risks.
The Internal Audit Unit identifies risks and risk factors as part of audits and RMICF performance assessment.
The ICRMD analyzes and consolidates information based on risk data sheets, information on risks contained in the BP/BP Performance Report (BPPR) of subsidiaries for the previous reporting period, and findings of audits and RMICF performance assessment conducted by the Internal Audit Unit. A directory of standard risk factors is complied, with risk factors divided into controllable and uncontrollable factors, and the directory is submitted to the business planning function.
Assessing and prioritizing risks and risk factors listed in risk data sheets.
- The ICRMD develops a scale for assessing risk factors based on risk probability and impact on the achievement of targets, to be approved by a Risk Owner at the Group level.
- The scales for risk factor assessment are communicated to subsidiaries.
- The ICRMD organizes a risk session to carry out expert assessment and prioritize risk factors in the risk data sheet.
- Risk data sheets are approved by the Chairman of the Management Board of the Company (or the chief executive officer (CEO) of the subsidiary)
Quantitative and qualitative assessment of risks of subsidiaries is performed as part of BP preparation by Risk Owners at the subsidiary level with methodological support from the ICRMD. The results of quantitative assessment are presented in the BP, and the results of qualitative assessment are included in the materials accompanying the BP.
The ICRMD carries out an overall risk assessment across the Group, prioritizes risks, and prepares a Critical Risk Map (CRM) for the Group.
Forming an action plan (AP) as part of project data sheets:
- The Risk Owner develops additional measures at the subsidiary level for managing standard risks, to be approved by ICRMD.
- The developed AP for managing standard risks (or risk factors) at the subsidiary level is approved by the CEO of the subsidiary.
A plan of additional risk management measures risks at the subsidiary level is prepared and included in materials accompanying the BP:
- For risks affecting the achievement of financial targets of the BP in subsidiaries,
- For risks which do not affect the achievement of financial targets of the BP in subsidiaries;
- For risks affecting the achievement of sustainable development goals.
The ICRMD prepares an action plan (AP) for managing critical risks of the Group following a review of proposals for additional risk management measures from critical risk owners in the Group and subsidiaries.
The CRM, the Action Plan for Managing Critical Risks of the Group, and the Group’s Risk Appetite are approved by the Board of Directors of PJSC Inter RAO.
On a quarterly basis when a BP Performance Report (BPPR) is prepared.
Findings of scheduled risk assessments and actual deviations from BP targets caused by risks are analyzed; new risks and risk factors are identified as part of BPPR preparation by Risk Owners at the subsidiary level.
The ICRMD assesses the completeness and correctness of risk factor analysis of actual deviations from BP targets caused by risks.
A report is prepared on the execution of the plan of additional risk management measures at the subsidiary level included in materials accompanying the BPPR:
- On risks affecting the achievement of financial targets of the BP in subsidiaries;
- On risks which do not affect the achievement of financial targets of the BP in subsidiaries;
- On risks affecting the achievement of sustainable development goals;
- On risks factors listed in risk data sheets.
Based on the BPPRs of subsidiaries, the ICRMD prepares a report on materialized/new risks of the Group, after the elimination of intra-group transactions.
The Head of the ICRMD prepares a road map for RMICS development based on an assessment of system development progress.
The Road Map for RMICS development is approved by the Board of Directors of PJSC Inter RAO.
Subsidiaries prepare an annual Report on RMICF Performance in Subsidiaries, containing information on risk materialization in subsidiaries, on compliance with the Group’s risk appetite, and on the implementation of the Risk Management Action Plan in subsidiaries.
The Report on RMICF Performance is approved by the Board of Directors in subsidiaries.
The ICRMD prepares an annual Report on RMICS Performance in the Group, containing information on risk materialization in the Group, on compliance with the Group’s risk appetite, and on the implementation of the Action Plan for Managing Critical Risks of the Group.
The Report on RMICS Performance is approved by the Board of Directors of PJSC Inter RAO.
- The ICRMD provides information for the consolidated annual report of PJSC Inter RAO;
- The ICRMD provides information for quarterly issuer reports (QR);
- Information disclosure to rating agencies which publish corporate governance ratings, credit ratings, and sustainable development ratings.
Annual RMICF performance assessment is performed by the Internal Audit Unit (IAU), and a Report is prepared containing IAU recommendations for improving RMICS performance and the findings of monitoring of compliance with IAU recommendations for the year preceding the reporting year.
The Report on RMICS Performance Assessment is provisionally reviewed by the Audit Committee of PJSC Inter RAO Board of Directors.
The Report on RMICF Performance Assessment is approved by the RAO Board of Directors of PJSC Inter.
Risk appetite means rules that must not be violated to provide reasonable confidence in achievement of the Group’s strategic goals. Risk appetite expresses the unanimous opinion of the Group management about what is permissible, acceptable or unacceptable to achieve business goals.
The Board of Directors annually updates the Group’s risk appetite with revision of permissible risk levels based on its indicators. Variance provides for establishing permissible risk levels, from higher to lower ones.
- Review and approval of the list and risk
- Monitoring the impact of risk on economic and strategic planning
- Review of materialized risks as part of operational information sharing
- Estimating business planning targets, taking into account risk exposure (technical and economic performance, present and financial indicators of business processes of subsidiaries/Group);
- Estimating cumulative impact of risks on financial performance of subsidiaries/Group (EBITDA, operating cash flow);
- Estimating the middle and lower limits for business process indicators “exposed to risk”, and the forecast for achieving planned business process targets of subsidiaries/Group
- Estimating project target indicators (NPV, IRR, etc.) and making a decision on project implementation taking into account risk exposure;
- Analyzing, monitoring and controlling risks at all stages of project life cycle, taking into account the impact on time frame / capital investment amount/ project profitability, and the Groups operational performance;
- Estimating cumulative impact of risks for the Group’s project portfolio.
- Estimating targets for the strategy, taking into account risk exposure;
- Analyzing, monitoring and controlling risks in priority development areas of the Group for the period of Strategy implementation;
- Estimating cumulative impact of risks on Strategy indicators, including the Group’s key performance indicators
- Including PBs/KPIs related to risk management in bonus cards of CEO and members of the Company’s Management Board, and heads of the Group subsidiaries;
- Determining threshold KPI values, taking into account risks, based on the middle and lower limits of business process indicators “exposed to risk”;
- Monitoring compliance with Risk appetite of subsidiaries/Group, as a mechanism for meeting PBs/KPIs;
- Streamlining compliance with PBs/KPIs of subsidiaries/Group for risks which are not controlled.