Risk Management and Internal Control Framework

The Group has introduced and employs the Risk Management and Internal Control Framework (RMICF), which encompasses key assets, business processes, lines of business, and all levels of the Group’s management.

Goals and objectives of the Risk Management and Internal Control Framework

The use of the Risk Management and Internal Control Framework ensures:

  • An objective, fair, and clear view of the Group’s current state and prospects
  • Reasonable confidence in achieving the goals set for the Group
  • A high level of trust among shareholders and investors in the Company’s management bodies
  • The protection of investments and assets and the containment of risks within acceptable limits

Participants in the Risk Management and Internal Control Framework

The Group’s management ensures the RMICF is integrated into key business processes and the Group’s activities, above all in the planning and monitoring of business activities, including business planning and project management in the Generation, Supply, Trading, and Engineering segments.

Interaction with the Board of Directors.

Inter RAO has established a separate risk management and internal control unit at PJSC Inter RAO, which remains in constant cooperation with the Board of Directors and the Audit and Sustainable Development Committee.

Based on the independent evaluation of the activities of the Board of Directors and its committees, the Board of Directors decided to review the risk management report on a semi-annual basis.

With the support of the Internal Control and Risk Management Department (ICRMD), senior management is responsible for coordinating and drafting a unified methodology and ensuring the stages of the RMICF cycle are properly implemented and produce the key results. The head of the ICRMD reports directly to the CEO, which ensures the independent identification and assessment of risks as well as the development and monitoring of risk management measures, including control procedures.

The objectives, core principles, approaches, and parties involved in risk management and internal control processes at PJSC Inter RAO are enshrined in theRisk Management and Internal Control Policy of PJSC Inter RAO, which is approved by the Company’s Board of DirectorsMinutes No. 234 dated November 19, 2018.. This Policy is a top-level document drafted based on the Charter of PJSC Inter RAO that takes into account the recommendations of Russian and international risk management standards, the Corporate Governance Code, the guidelines of the Federal Agency for State Property Management, risk management and corporate governance best practices, and the listing rules of Russian and international stock exchanges.

The Risk Management and Internal Control Policy was approved as a corporate standard for the Group’s companies by an orderOrder No. IRAO/652 dated December 17, 2018 “On the Risk Management and Internal Control Policy of PJSC Inter RAO” approved by the Board of Directors of the CEO.

Flow chart of responsibility of participants in the Inter RAO RMICF

Functions and objectives of participants in the RMICF

Participants Key functions and objectives
Board of Directors
  • Determination of the principles and approaches to the organization of the RMICF and approval of the Risk Management and Internal Control Policy
  • Approval of risk appetite for the planned period, critical risk maps, and a critical risk management action plan
  • Annual review of a report on the operation of the RMICF and an assessment report on the effectiveness of the RMICF

Level of executive management bodies

CEO

Management Board

Collegial advisory bodies

  • Ensuring the RMICF functions effectively at the Company
  • Distribution of powers, duties, and responsibilities for specific risk management and internal control procedures
  • Approval of requirements for the structure, content, and formats of reporting processes and risk management and internal control procedures
  • Approval of benchmarks for the RMICF, including:
    • A list of the Group’s companies that fall within the perimeter of the RMICF
    • A list of the Group’s standard risks with the distribution of management’s scope of responsibility for the risks
    • Acceptable risk levels
    • Target indicators for assessing the impact of risks
    • The review and adoption of decisions on risk management and internal control issues
    • Dissemination of knowledge and skills in risk management and internal control and the development of a risk management culture

Level of risk owners

Managers who report directly to the CEO

Managers of structural units of the Group’s companies

  • Establishing and maintaining the RMICF within the functional areas they manage, ensuring it functions effectively, and introducing, implementing, and improving internal control and risk management procedures
  • Introducing a risk-based approach to operational practices and disseminating the standards and values of a risk management culture among employees
  • Drafting internal regulatory documents on risk management and internal control for functional areas
  • Ensuring the stages of the RMICF cycle are properly implemented and produce the key results
  • Implementing functional risk management measures, including control procedures, and ensuring their monitoring
  • Coordinating employees’ actions, information flows, and resources in order to manage the risks of their functional areas
Internal Control and Risk Management Department
  • Overall coordination of risk management and internal control processes
  • Creation of a unified methodology for the RMICF and monitoring its compliance
  • Implementing and improving RMICF processes and ensuring the stages of the RMICF cycle are properly implemented and produce the key results
  • Informing the Company’s Board of Directors and executive bodies about the operational results of the RMICF
  • Disclosing information on risk management and internal control issues to internal and external stakeholders
  • Organizing training for the Company’s employees and controlling entities on matters concerning risk management and internal control and ensuring the dissemination of knowledge and skills in risk management and internal control at the Group’s companies
Internal Audit
  • Assessing the effectiveness of the RMICF
  • Monitoring measures that aim to improve the effectiveness of the RMICF
  • Advising the Company’s executive bodies on matters concerning risk management and internal control
Level of employees
  • Taking a risk-oriented approach to activities, including the adoption of risk-oriented decisions and following compliance principles in the areas of functional responsibility stipulated by official duties
  • Documenting and monitoring risks in day-to-day operating activities as part of the performance of official duties, carrying out risk management measures and control procedures, and/or ensuring their monitoring
  • Informing immediate superiors in a timely manner about changes to the internal and external conditions of the Company’s activities that could lead to changes in the degree of risk or the emergence of new risks as well as cases where risk management measures cannot be implemented or need to be adjusted

Development of the Risk Management and Internal Control Framework

Results of the functioning of the Risk Management and Internal Control Framework in 2019:

  • The Group’s risk appetite was drafted and approved
  • Additional training and information sharing was organized for the Group’s employees in an effort to promote norms and standards of conduct and apply risk-based approaches in business planning and when developing control procedures
  • A list of the Group’s strategic risks was drafted and approved for inclusion in the updated strategy
  • The Antimonopoly Risk Map was approved and contains a quantitative calculation of risk consequences; antimonopoly compliance subcommittees were formed at subsidiaries; and advanced training on antimonopoly compliance was provided to the staff of the Group’s companies
  • Cybersecurity risks were verified through external penetration testing. PJSC Inter RAO set up an information security division
  • A list of the main cyber threats was developed and an assessment of these risks was conducted
  • The level of organization of the PJSC Inter RAO internal control system was assessed and measures were developed to improve the internal control system of the Company as a participant in tax monitoring
Risk appetite approved by the Board of Directors

In 2019, the Board of Directors approved 12 principles of risk appetite. Details are in the Strategic Report.

Efficiency assessment of the RMICF

  • Management informs the Board of Directors each year about the results achieved in matters concerning risk management and internal control over the reporting period as part of an annual report on the operation of the RMICF
  • The internal audit division conducts an annual efficiency assessment of the RMICF and provides the Board of Directors with reporting on the results of the assessment
  • The Board of Directors reviews matters concerning the organization, functioning, and effectiveness of the RMICF at least once a year and makes recommendations for its improvement, and also has the power to initiate an external assessment of the RMICF with the hiring of an independent organization
  • The efficiency assessment of the RMICF for 2019 was presented by the Internal Audit Unit to the Company’s Board of Directors for review and approved on March 31, 2020Minutes No. 270 dated April 6, 2020.. The results of the efficiency assessment of the RMICF are presented in the section ‘Internal Audit – 2019 Results’ of this Report.