Font size:
Site colours:
Phone number for shareholders: 8–800–700–03–70
(JSC VTB Registrator, free call in Russia)
Bolshaya Pirogovskaya ulitsa, 27 building 2, Moskva, Russia, 119435  ·   +7 (495) 664–88–40   ·  office@interrao.ru

Risk management and internal control

Risk-management

The Group has the risk management and internal control framework (RMICF) which covers material assets, business processes, business areas and management levels.

The risk management and internal control framework is a set of organizational measures, techniques, procedures, corporate culture standards and actions taken by the Group to ensure the optimal balance between increase in value, profit and risks, and to guarantee that the Group will achieve its goals (including financial stability, safety of assets, effective business, compliance with law and internal regulatory documents, and preparation of accurate reports in a timely manner).

The Group’s goals in risk management and internal control
THE RISK MANAGEMENT AND INTERNAL CONTROL FRAMEWORK ENSURES THE FOLLOWING
Objective, fair and clear idea of the current position and prospects of the Group
Reasonable confidence in achieving the Group’s goals
High level of shareholder and investor confidence in the Company’s management bodies
Protecting capital investments and assets, and keeping risks at a permissible level

The Group’s goals in risk management and internal control to be achieved as part of RMICF are the following:

  • ensuring reasonable confidence of the Company’s Board of Directors, executive and supervisory bodies, shareholders and investors in achieving the Group'’ goals: strategic, operational, and ESG;
  • ensuring high financial and business performance and resource saving;
  • ensuring asset safety;
  • monitoring compliance with legal and internal regulatory documents;
  • ensuring completeness and accuracy of reports.
Risk management and internal control objectives
RISK MANAGEMENT AND INTERNAL CONTROL OBJECTIVES
The Group’s principles and approaches to risk management and internal control
Integrity and continuity  
Responsibility and delimitation of powers  
Prioritizing and reasonable adequacy  
Establishing the limits for permissible risk  
Integration into key business processes  
The Group’s principles and approaches to risk management and internal control
Timeliness and prevention  
Adaptation and continuing development  
Supporting Strategy implementation  
Combating corruption and fraud  
Ensuring compliance  

Aims, main principles and uniform approaches to organizing risk management and internal control in Inter RAO Group are set out in Risk Management and Internal Control Policy of PJSC «Inter RAO»

Board of Directors – determining the principles and approaches to RMICF organization, approving risk appetite, Critical risk maps and Action plans, considering Reports on RMICF performance and RMICF performance assessment

Executive management bodies (Management Board, collective advisory bodies (CAB)) – RMICF management (goal setting, approval of requirements for structure and parts of RMICF processes)

Management – managing functional risks and corporate-level controls

Employees – taking risk management measures, introducing and implementing control procedures

Reporting
Methology and coordination
Effectiveness assessment
1
Collective advisory bodies (investment Development Committee, Planning and Budget Committee, and Anti-Corruption Action Commission).

Risk management and internal control are a continuing cyclical process in the Company and controlled entities. Within a calendar year, RMICF processes are implemented as part of the corporate risk management and internal control cycle.

The content of the stages and work procedures as part of a cycle are described in the Regulation on the “Risk Management and Internal Control” business process.

Target-setting

RMICF targets include:

  • The list of the Group’s companies (the RMICF scope),
  • The list of the Group’s standard risks,
  • The list of target indicators for risk impact assessment.

Criteria for including subsidiaries in the RMICF scope:

  • The subsidiary accounts for > 1% of the Group’s consolidated revenue (IFRS)
  • The subsidiary accounts for > 1% of the Group’s consolidated EBITDA (IFRS)
  • The Group’s subsidiaries facing risks which, if materialized, may prevent the Group from achieving its goals

Appointing Risk Owners for each standard risk at the Group level, who provide methodological support for risk management

Communicating the Group’s RMICF targets to subsidiaries

Identifying risks and risk factors

Identifying risk factors in risk data sheets:

  • The ​Internal Control and Risk Management Department (ICRMD) drafts a data sheet for a standard risk in accordance with RMICF targets, to be approved by the division which provides methodological support at the Group level.
  • The risk data sheet is communicated to subsidiaries to ensure that risk factors are assessed and prioritized by Risk Owners at the subsidiary level.

Identifying risks and risk factors as part of preparation a Business plan (BP)/ BP Performance Reports by Risk Owners at the subsidiary level.

The ICRMD assesses the completeness and correctness of risk factor analysis of deviations from BP targets caused by risks.

The Internal Audit Unit identifies risks and risk factors as part of audits and RMICF performance assessment.

The ICRMD analyzes and consolidates information based on risk data sheets, information on risks contained in the BP/BP Performance Report (BPPR) of subsidiaries for the previous reporting period, and findings of audits and RMICF performance assessment conducted by the Internal Audit Unit. A directory of standard risk factors is complied, with risk factors divided into controllable and uncontrollable factors, and the directory is submitted to the business planning function.

Assessing and prioritizing risks and risk factors

Assessing and prioritizing risks and risk factors listed in risk data sheets.

  • The ICRMD develops a scale for assessing risk factors based on risk probability and impact on the achievement of targets, to be approved by a Risk Owner at the Group level.
  • The scales for risk factor assessment are communicated to subsidiaries.
  • The ICRMD organizes a risk session to carry out expert assessment and prioritize risk factors in the risk data sheet.
  • Risk data sheets are approved by the Chairman of the Management Board of the Company (or the chief executive officer (CEO) of the subsidiary)

Quantitative and qualitative assessment of risks of subsidiaries is performed as part of BP preparation by Risk Owners at the subsidiary level with methodological support from the ICRMD. The results of quantitative assessment are presented in the BP, and the results of qualitative assessment are included in the materials accompanying the BP.

The ICRMD carries out an overall risk assessment across the Group, prioritizes risks, and prepares a Critical Risk Map (CRM) for the Group.

Planning and implementing measures for managing risks

Forming an action plan (AP) as part of project data sheets:

  • The Risk Owner develops additional measures at the subsidiary level for managing standard risks, to be approved by ICRMD.
  • The developed AP for managing standard risks (or risk factors) at the subsidiary level is approved by the CEO of the subsidiary.

A plan of additional risk management measures risks at the subsidiary level is prepared and included in materials accompanying the BP:

  • For risks affecting the achievement of financial targets of the BP in subsidiaries,
  • For risks which do not affect the achievement of financial targets of the BP in subsidiaries;
  • For risks affecting the achievement of sustainable development goals.

The ICRMD prepares an action plan (AP) for managing critical risks of the Group following a review of proposals for additional risk management measures from critical risk owners in the Group and subsidiaries.

The CRM, the Action Plan for Managing Critical Risks of the Group, and the Group’s Risk Appetite are approved by the Board of Directors of PJSC Inter RAO.

Monitoring and control of risks and risk factors

On a quarterly basis when a BP Performance Report (BPPR) is prepared.

Findings of scheduled risk assessments and actual deviations from BP targets caused by risks are analyzed; new risks and risk factors are identified as part of BPPR preparation by Risk Owners at the subsidiary level.

The ICRMD assesses the completeness and correctness of risk factor analysis of actual deviations from BP targets caused by risks.

A report is prepared on the execution of the plan of additional risk management measures at the subsidiary level included in materials accompanying the BPPR:

  • On risks affecting the achievement of financial targets of the BP in subsidiaries;
  • On risks which do not affect the achievement of financial targets of the BP in subsidiaries;
  • On risks affecting the achievement of sustainable development goals;
  • On risks factors listed in risk data sheets.

Based on the BPPRs of subsidiaries, the ICRMD prepares a report on materialized/new risks of the Group, after the elimination of intra-group transactions.

Risk management reporting and information disclosure

The Head of the ICRMD prepares a road map for RMICS development based on an assessment of system development progress.

The Road Map for RMICS development is approved by the Board of Directors of PJSC Inter RAO.

Subsidiaries prepare an annual Report on RMICF Performance in Subsidiaries, containing information on risk materialization in subsidiaries, on compliance with the Group’s risk appetite, and on the implementation of the Risk Management Action Plan in subsidiaries.

The Report on RMICF Performance is approved by the Board of Directors in subsidiaries.

The ICRMD prepares an annual Report on RMICS Performance in the Group, containing information on risk materialization in the Group, on compliance with the Group’s risk appetite, and on the implementation of the Action Plan for Managing Critical Risks of the Group.

The Report on RMICS Performance is approved by the Board of Directors of PJSC Inter RAO.

External reporting:

  • The ICRMD provides information for the consolidated annual report of PJSC Inter RAO;
  • The ICRMD provides information for quarterly issuer reports (QR);
  • Information disclosure to rating agencies which publish corporate governance ratings, credit ratings, and sustainable development ratings.
RMICF performance assessment

Annual RMICF performance assessment is performed by the Internal Audit Unit (IAU), and a Report is prepared containing IAU recommendations for improving RMICS performance and the findings of monitoring of compliance with IAU recommendations for the year preceding the reporting year.

The Report on RMICS Performance Assessment is provisionally reviewed by the Audit Committee of PJSC Inter RAO Board of Directors.

The Report on RMICF Performance Assessment is approved by the RAO Board of Directors of PJSC Inter.

Risk appetite means rules that must not be violated to provide reasonable confidence in achievement of the Group’s strategic goals. Risk appetite expresses the unanimous opinion of the Group management about what is permissible, acceptable or unacceptable to achieve business goals.

The Board of Directors annually updates the Group’s risk appetite with revision of permissible risk levels based on its indicators. Variance provides for establishing permissible risk levels, from higher to lower ones.

INTER RAO GROUP’S RISK APPETITE
STRATEGIC LEVEL
STRATEGIC GOALS AND DEVELOPMENT PRIORITIES OF INTER RAO
RISK APPETITE
Acceptable or unacceptable levels of risk to achieve goals
STRATEGIC RISKS
Strategic risk management measures are part of The Group's Strategy
When prioritizing risks, the likelihood and impact of risks on achieving key sustainable development indicators is taken into account
OPERATIONAL LEVEL
TARGETS FOR ASSESSING RISK IMPACT
EBIRDA
Operating cash flow
Sustainable development goals
Project success indicators
Lack of accidents
Observing compliance requirements
BUSINESS PLANNING, PROJECT IMPLEMENTATION, AND COMPLIANCE
CRITICAL RISKS
TYPICAL RISKS
PROJECT RISKS
Identification, minimization, and monitoring of operational risks requiring priority management and control.
BOARD OF DIRECTORS
AUDIT AND SUSTAINABLE DEVELOPMENT COMMITTEE
  • Review and approval of the list and risk
  • Monitoring the impact of risk on economic and strategic planning
  • Review of materialized risks as part of operational information sharing
KPI
Operational-level goals are set to assess the achievement of strategic priorities and included in the KPIs and PBs of the CEO and members of the Management Board.
CEO, MANAGEMENT BOARD
RISK OWNERS
Business management
 
  • Estimating business planning targets, taking into account risk exposure (technical and economic performance, present and financial indicators of business processes of subsidiaries/Group);
  • Estimating cumulative impact of risks on financial performance of subsidiaries/Group (EBITDA, operating cash flow);
  • Estimating the middle and lower limits for business process indicators “exposed to risk”, and the forecast for achieving planned business process targets of subsidiaries/Group
Project management
 
  • Estimating project target indicators (NPV, IRR, etc.) and making a decision on project implementation taking into account risk exposure;
  • Analyzing, monitoring and controlling risks at all stages of project life cycle, taking into account the impact on time frame / capital investment amount/ project profitability, and the Groups operational performance;
  • Estimating cumulative impact of risks for the Group’s project portfolio.
Strategic management
 
  • Estimating targets for the strategy, taking into account risk exposure;
  • Analyzing, monitoring and controlling risks in priority development areas of the Group for the period of Strategy implementation;
  • Estimating cumulative impact of risks on Strategy indicators, including the Group’s key performance indicators
Incentive system
 
  • Including PBs/KPIs related to risk management in bonus cards of CEO and members of the Company’s Management Board, and heads of the Group subsidiaries;
  • Determining threshold KPI values, taking into account risks, based on the middle and lower limits of business process indicators “exposed to risk”;
  • Monitoring compliance with Risk appetite of subsidiaries/Group, as a mechanism for meeting PBs/KPIs;
  • Streamlining compliance with PBs/KPIs of subsidiaries/Group for risks which are not controlled.