Risk Management and Internal Control System, Enhanced Compliance, and Internal Audit

The goals and objectives of the Risk Management and Internal Control System (RM&ICS) are set out in the Company’s Policy on the Risk Management and Internal Control System (No. P4-01 P-01, approved by Rosneft’s Board of Directors, Minutes No. 8 dated 16 November 2015), developed based on recommendations of international firms specializing in risk management, internal control, and audit services. They are designed to provide reasonable assurance that the Company will achieve its goals, including:

  • strategic goals contributing to the accomplishment of the Company’s mission
  • operational goals related to the Company’s financial and business performance, and asset integrity
  • goals of compliance with the applicable laws and local regulations
  • goals of timely preparation of reliable financial statements or non-financial reports, internal and/or external reports.

Consistent development and enhancement of the Company’s RM&ICS enables it to respond promptly and adequately to changes in the external and internal environment, improve operational efficiency and effectiveness, and maintain and add value.

Key RM&ICS Stakeholders and Their Responsibilities

Key RM&ICS Stakeholders are:

  • Board of Directors
  • Audit Committee of the Board of Directors
  • Chief Executive Officer
  • Management Board
  • Risk Management Committee
  • Company’s management
  • Audit Commission
  • Internal Audit Service
  • Security Service
  • Risks and Internal Control Department
  • Risk and internal control experts
  • Rosneft’s employees

RM&ICS focus areas are detailed in the Long-Term Development Program approved by Rosneft’s Board of Directors on 15 November 2017 (Minutes No. 6 dated 15 November 2017).

In furtherance of the Long-Term Development Program the Chief Executive Officer approved the RM&ICS holistic development plan for the short and medium terms. The RM&ICS holistic development plan sets goals, objectives, and key initiatives contributing to the achievement of the Company’s strategic goals for the RM&ICS.

Key RM&ICS Stakeholders

GOAL-SETTING AND CONTROL

THE BOARD OF DIRECTORS AND THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS
  • approve RM&ICS focus areas
  • approve corporate risk reports
  • approve risk appetite
  • monitor the RM&ICS reliability and performance

RISK MANAGEMENT AND EXECUTION OF RESOLUTIONS

CHIEF EXECUTIVE OFFICER
  • validates RM&ICS focus areas
  • validates RM&ICS reports
  • validates risk appetite.
RISK MANAGEMENT COMMITTEE
  • pre-approves RM&ICS focus areas
  • pre-approves risk reports
  • pre-approves risk appetite
  • resolves RM&ICS operational disputes.
MANAGEMENT
  • allocates responsibilities among employees
  • manages risks within the scope of its authority
  • includes risk management roles and responsibilities in employee job descriptions.

GUIDELINES AND INDEPENDENT ASSESSMENT

RISKS AND INTERNAL CONTROL DEPARTMENT
  • plans RM&ICS focus areas
  • develops, implements, and updates Company-wide RM&ICS guidelines
  • prepares reports on risks and internal controls
  • coordinates the RM&ICS rollout and operation across Rosneft’s businesses and Group Subsidiaries
  • develops, implements, and supports insurance programs
  • reinsures the Company’s risks in Russian and international insurance markets
  • settles insurance claims on risks realized.
INTERNAL AUDIT SERVICE
  • assesses the RM&ICS reliability and performance
  • conducts audits
  • assists the Company’s executive bodies in investigating wrongdoings / unlawful acts by the Company’s employees and third parties
  • monitors the incorporation of RM&ICS improvement proposals made by internal auditors.
AUDIT COMMISSION
  • performs audits of the Company’s financial and business operations, verifies the accuracy and reliability of data included in Rosneft’s annual report and annual accounting (financial) statements, and in the report on related party transactions entered into in the reporting period.

RISK MANAGEMENT AND DECISION-MAKING

RISK AND INTERNAL CONTROL EXPERTS OF BUSINESS UNITS
  • identify, assess, and develop risk management initiatives
  • develop, implement, and update business process controls
  • develop, monitor/implement projects to eliminate gaps identified in business process controls.
BUSINESS UNIT EMPLOYEES
  • execute risk management controls and projects
  • assist the Company’s management in managing risks
  • help identify, assess, and report on risks and internal controls.

Audit Commission

The Audit Commission comprises five members and is elected by the General Shareholders Meeting until the next Annual General Shareholders Meeting. A Company shareholder or any person nominated by a shareholder may be a member of the Audit Commission. Members of the Audit Commission may not concurrently serve on the Board of Directors or hold other positions in the Company’s governing bodies.

The Audit Commission audits the Company’s financial and business operations, verifies the accuracy and reliability of data included in Rosneft’s annual reports, annual accounting (financial) statements, and in reports on related party transactions entered into in the reporting period.

In 2017, the Audit Commission held two meetings.

In accordance with the approved action plan, the Audit Commission conducted a desk audit of Rosneft’s financial and business operations. The Commission prepared a report on the findings of the audit of the annual accounting (financial) statements and on the accuracy and reliability of data included in the annual report, and the report on related party transactions entered into in the reporting period.

Membership of the Audit Commission
(as at 31 December 2017)

Under the resolution of the General Shareholders Meeting dated 22 June 2017, the following persons were elected to the Audit Commission:

Chairman of the Audit Commission:

Zakhar Sabantsev

Born in 1974.

Graduated from the Moscow State University of Economics, Statistics, and Informatics.

Section Head, Bank Sector Monitoring, Consolidated and Analytical Work Section, Financial Policy Department, Ministry of Finance of the Russian Federation.

Members of the Audit Commission

Olga Andrianova

Born in 1958.

Graduated from the All-Russian State Distance-Learning Institute of Finance and Economics (ARDLIFE).

Holder of a ministerial award – Certificate of Honor of the Russian Ministry of Energy.

Chief Accountant – Head of the Finance and Economics Service of JSC ROSNEFTEGAZ.

Alexander Bogashov

Born in 1989.

Graduated from the State University of Management.

Deputy Department Director for Corporate Governance, Price Environment, Control and Audit Activity in the Fuel Producing Industries of the Ministry of Energy of the Russian Federation.

Sergey Poma

Born in 1959.

Graduated from Nakhimov Black Sea Higher Naval School, Saint Petersburg State University.

Vice President, Deputy Chairman of the National Association of Securities Market Participants (NAUFOR)

Pavel Shumov

Born in 1978.

Graduated from the Moscow State University of Economics, Statistics, and Informatics.

Acting Deputy Department Director, Ministry of Economic Development of the Russian Federation.

Risk Management Committee

The Risk Management Committee is a collegial advisory body under Rosneft’s Chief Executive Officer, primarily responsible for pre-viewing, and forming a consolidated position on, the following matters before they are escalated to Rosneft’s executive bodies:

  • Company-wide risk management development plan
  • Progress monitoring results
  • Risk reporting
  • Risk appetite and the compliance monitoring results for risk appetite limits
  • RM&ICS operational disputes

The Committee is set up, reorganized, and abolished by resolutions of Rosneft’s Management Board, and the Committee membership structure is determined by the Company’s Chief Executive Officer. The Risk Management Committee comprises heads of core businesses and had seven permanent members as at 31 December 2017.

In accordance with the Risk Management Committee’s action plan, the Committee held four meetings in 2017 and discussed RM&ICS development, risk reporting, and the Company’s risk appetite.

Internal Control System

The internal control system (ICS) is a part of the RM&ICS, with both systems having aligned goals.

The ICS is organized as per the Company’s Policy on the Risk Management and Internal Control System, the Company’s Standard on the Internal Control System, and the Company’s Regulations on Development, Implementation, and Maintenance of the Internal Control System.

The Company relies on these documents to analyze risks inherent to business processes and implement controls so as to make business processes more efficient and manageable, while ensuring reliability of its financial statements and compliance with legislation and local regulations of the Company.

To achieve the ICS objectives the Company needs to:

  • define and update key ICS focus areas that have to be aligned with the Company’s needs and stakeholder requirements
  • develop, adopt, and follow controls, including development of uniform guidelines for the organization and high performance of the Company’s ICS
  • identify shortcomings in existing controls, develop and implement measures to address them; streamline and upgrade controls
  • develop and implement tools to enhance communication and information sharing on internal control among all RM&ICS stakeholders, including via information systems.

These objectives are addressed as part of ongoing ICS processes:

Risk Management System

The risk management process at the Company is regulated by the Company’s Policy on the Risk Management and Internal Control System and the Company’s Standard on the Corporate-Wide Risk Management System (CWRMS).

The CWRMS is a combination of interrelated elements embedded into various business processes of the Company (including strategic and business planning processes) and implemented at all management levels by all employees of the Company.

Key CWRMS Components:

All key risks of the Company are reported within the CWRMS, including the risks affecting the implementation of its Long-Term Development Program and the risks related to day-to-day financial and business operations. Risk reports are delivered to the Board of Directors and management and comprise all necessary information on risks, risk assessment, and measures taken to manage risks.

ROSNEFT’S RISKS

In 2017, the Company’s performance was considerably affected by market risks, including:

  • risks related to crude oil, gas, and petroleum product prices
  • interest rate risks
  • currency risks.

The RUB/USD exchange rate and global oil prices are heavily correlated at the moment. On top of that, the FX rate is sensitive to the ratio of RUB and USD interest rates, so the Company has to focus on the aggregate impact by the market risk portfolio when assessing its market risks.

To assess the exposure of the Company’s performance to the market risk portfolio, Rosneft resorts to mathematical modeling based on the interrelations identified between individual market risk factors.

The market risk management principles are detailed in the Company’s Regulations on Market Risk Management and establish a portfolio approach that selects and combines market risk management tools to match the aggregate impact of market risks on the Company’s performance targets.

Heads of the Company’s businesses organize and coordinate risk management processes within the scope they are responsible for. When choosing a risk response and specific mitigation measures, risk owners seek to find an optimal trade-off while maintaining an acceptable risk level (risk appetite). Risk management measures are analyzed for cost-effectiveness. The scope and complexity of such measures must be necessary and sufficient to achieve risk mitigation goals and objectives.

Risk Appetite

In 2017, the Company put in place the Guidelines for Determining and Applying Risk Appetite, which set Company-wide requirements for assessing its risk appetite and applying its value in risk management.

Corporate Insurance

Rosneft uses insurance as a risk management tool enabling it to pass financial losses caused by an insured occurrence through to insurers. Rosneft’s corporate insurance program covers:

  • the Company’s assets
  • civil liability (liability to indemnify for damage caused to other persons)
  • business risks.

The most material risks are reinsured on the international market with companies having the reliability rating of at least A– by S&P.

Rosneft insures its liability as required by federal legislation, including Federal Law No. 225 On Compulsory Insurance of Owners of Hazardous Facilities against Civil Liability for Damage Caused by Accidents at Hazardous Facilities. The compulsory insurance requirement under Federal Law No. 225 applies to property interests of the facility’s owner, which relate to its obligation to indemnify for damage caused to the affected party (Part 1 of Article 1 of the Federal Law). Rosneft has in place insurance coverage against the risk of damage to (loss of) property and potential losses resulting from business interruption due to accidents and other accidental emergencies, and liability insurance against the risk of legal action by third parties related to its onshore and offshore operations.

Enhancement of the Risk Management and Internal Control System in 2017

In 2017, the Company implemented the following initiatives to support the ongoing development of the RM&ICS:

  • Developed a Company-wide register of standard risks and controls detailing standard risks that can affect the achievement by the Company of the goals outlined in its Strategy and Long-Term Development Program, standard risks for its day-to-day financial and business operations, risk factors, business process risks, controls, and their interfaces
  • Put in place the Guidelines for Determining and Applying Risk Appetite. Determined the Company’s risk appetite profile and levels for 2018 in accordance with these Guidelines
  • Approved standard functions of RM&ICS experts, as part of introducing the function of risk and internal control experts in the Company. Rosneft’s business units and 24 Group Subsidiaries appointed employees to function as risk and internal control experts
  • Over 180 employees of Rosneft and Group Subsidiaries were trained in risk management and internal control
  • Piloted Internal Control and Risk Management information tools as part of automating RM&ICS processes

Fostering Compliance

The Company has in place the Code of Business and Corporate Ethics (the Code) and the Anti-Corruption Policy (the Policy) approved by Rosneft’s Board of Directors, which outline Company-wide principles and approaches applied to comply with anti-corruption requirements.

The Code reflects the Company’s culture, while underlining its commitment to the highest standards of business ethics and imposing the responsibility for compliance with ethical standards on all employees regardless of their status and position. The Code explains the key notions of the process for settling conflicts of interest and exchanging corporate gifts.

The Policy imposes the responsibility for complying with anti-corruption principles and requirements, and for actions (omissions) of their subordinates on all employees and members of governing bodies of the Company regardless of their position. The Policy also requires employees to report all cases of being incited by any person to commit corruption offences to authorized persons and units.

In the reporting period, the Company continued to focus on improving anti-corruption and anti-fraud efforts and on ensuring compliance by top managers and employees with international and Russian anti-corruption legislation and the applicable local regulations.

As part of introducing anti-corruption practices, the Company has been consistently working on improving its framework for building its culture elements, organizational structure, and rules and procedures designed to prevent corporate fraud and corruption, and to mitigate reputational risks and risks that the Company will be held liable for bribing officials:

  • Rosneft’s Comprehensive Anti-Fraud and Anti-Corruption Program for 2017–2018 was drafted and approved by Rosneft’s Council for Business Ethics
  • Rules and a procedure for anti-corruption examination of draft local regulations and administrative documents of the Company were determined to exclude the risk that they would encourage corruption

Procedure for Managing Conflicts of Interest in Rosneft and Group Subsidiaries

As part of implementing its Code of Business and Corporate Ethics and the Anti-Corruption Policy, and to comply with Article 11 of Federal Law No. 273-FZ On Counteracting Corruption dated 25 December 2008, and Resolution of the Russian Government No. 594 On Amending Certain Acts of the Government of the Russian Federation on Matters Related to Prevention and Settlement of Conflicts of Interest dated 28 June 2016, Rosneft’s Board of Directors approved the Company’s Regulations on the Procedure for Managing Conflicts of Interest in Rosneft and Group Subsidiaries (the Regulations) on 9 June 2017.

These Regulations detail responsibilities of the Company’s officers/employees in managing a conflict of interest, and restrictions and prohibitions designed to prevent a conflict of interest (such as business conducted by employees and their close relatives, including securities/shares/units held in other legal entities and associations, positions held in other organizations, etc.).

The Regulations prohibit the Company’s officers/employees from having their close relatives and/or family members directly reporting to, or supervised by, them and/or from participating in hiring, promoting, assessing performance of, or determining compensation (including salary, bonuses, or other remuneration) payable to, such persons.

Moreover, the Regulations introduce a framework to classify conflicts of interest, including conflicts of interest between shareholders and members of the Company’s governing bodies (e.g. decisions made by corporate governing bodies that might adversely affect the Company’s financial and business performance; the Company failing to make a statutory disclosure or members of corporate governing bodies concealing certain information on their positions in governing bodies of other entities, on stakes (shares) held in other entities, or other information required to be disclosed by legislation, the Company’s Charter or local regulations).

The Regulations also provide for ethical certification of the Company’s employees designed to identify conflicts of interest.

ANTI-CORRUPTION EFFORTS

The Corruption Control section on the official corporate website has:

  • the Company’s statement on its zero tolerance for corruption
  • key provisions of international and Russian anti-corruption legislation
  • local corruption control regulations of the Company (Rosneft’s Code of Business and Corporate Ethics, and Anti-Corruption Policy)
  • security Hotline contacts
  • information on cooperation with law enforcement authorities, etc.

Posted on the Company’s official website


  • A standard anti-corruption clause is included in agreements with legal entities and individuals
  • The Company’s Regulations on the Procedure for Charitable Activities of Rosneft and Group Subsidiaries, and on Sponsorship by Rosneft and Group Subsidiaries are applied across the Company
  • The Company operates a 24/7 Security Hotline to report on cases of corporate fraud and corruption
  • The Company keeps up its consistent efforts to identify commercial arrangements involving abuse of authority by management or third parties. In 2017, 735 criminal cases were initiated, 276 persons were held criminally liable, and 261 persons were sentenced as a result of submissions by the Company’s security services to law enforcement authorities
  • In 2017, due diligence was conducted on 117,051 potential bidders (to supply inventories, perform capital construction projects, and provide oilfield and non-operating services), with 2,618 bids rejected
  • The Company is vetting job applicants on an ongoing basis to identify potential conflicts of interest, including affiliation
  • Additionally, the Company has in place a number of organizational measures to meet the requirements for hiring former government officials, collect and verify information on income, property, and property obligations for certain categories of employees; enhance the commitment of the Company’s management to preventing corruption, including conflicts of interest, by entering relevant provisions into employment contracts, and including provisions on liability for failure to comply with anti-fraud and anti-corruption requirements of the Company’s local regulations in employee job descriptions

Internal Audit

Rosneft’s internal audit function is performed by the Vice President – Head of Internal Audit, as well as the Operational Audit Department, the Corporate Audit Department, the Regional Audit Department, the Internal Audit Methodology and Management Division, and the Economic and Organizational Analysis Division. In accordance with Rosneft’s organizational structure approved by the Board of Directors, units of the Internal Audit Service report directly to the Vice President – Head of Internal Audit.

In the reporting period, the internal audit function was guided by, and acted in accordance with:

  • the Company’s Policy on Internal Audit
  • the Company’s Standard on the Organization of Internal Audit
  • the Company’s Regulations on the Internal Audit Quality Assurance and Improvement Program
  • the Company’s Regulations on the Procedure for Cooperation between the Internal Audit Service and Business Units of Rosneft and Group Subsidiaries when Performing Internal Audit
  • Rosneft’s Instruction on the Procedure for Internal Audits
  • the Company’s other local regulations governing internal audit operations.

The internal audit function assists the Board of Directors and the Company’s executive bodies in increasing the Company’s governance efficiency and improving overall financial and business performance, including through the application of a consistent systematic approach to reviewing and assessing the RM&ICS as well as corporate governance, therefore providing reasonable assurance that the Company will achieve its goals. It also helps ensure:

  • the accuracy, reliability, and integrity of information on the Company’s financial and business operations, including those of Group Subsidiaries
  • the efficiency and effectiveness of the Company’s operations, including those of Group Subsidiaries
  • identification of internal reserves for improving the Company’s financial and business performance, including that of Group Subsidiaries
  • protection of the Company’s assets, including those of Group Subsidiaries.

The internal audit action plan is based on an audit model using information and requests received from Rosneft’s executive bodies and Board of Directors, as well as its risk evaluation results.

The internal audit action plan for the reporting period has been approved by Rosneft’s Chief Executive Officer and endorsed by the Audit Committee of the Board of Directors.

Details of the action plan were presented to the Board of Directors as part of the internal audit report for the previous period.

The internal audit report was reviewed by the Chief Executive Officer, the Audit Committee of the Board of Directors, and the Board of Directors of Rosneft.

The internal audit report includes information about material risks, violations and shortcomings, results and efficiency of internal audit proposals on eliminating identified violations or shortcomings, results of implementing the internal audit action plan, and assessment results on the actual condition, reliability, and efficiency of the Company’s corporate governance and the RM&ICS.

Based on results from the risk management and internal control system efficiency assessment, the internal audit concluded that the RM&ICS ensures overall support of the risk management process and effective functioning of the internal control system, providing reasonable assurance that the Company will achieve its goals. The assessment results have been reviewed by the Rosneft Board of Directors.

The existing reporting lines, by which the Head of Internal Audit reports to the Board of Directors and the Company’s executive bodies, provide sufficient independence for performing internal audit functions.

Heads of units within the Internal Audit Service do not participate in managing functional areas of the Company’s business that require management decision-making on audited entities.

The Head of Internal Audit was appointed to Rosneft’s Management Board following a decision made by the Board in July 2016. The Head of Internal Audit is not entitled to vote on matters requiring management decisions on audited entities.

A procedure was put in place for Internal Audit Service employees to routinely provide written confirmation of their personal objectivity and absence of a conflict of interest by signing the relevant Declaration at least once a year, thereby raising awareness among the employees of potential conflicts of interest as well as response procedures to situations which may influence the independence and objectivity of an internal audit.

The Head of Internal Audit provides Rosneft’s Chief Executive Officer, Board of Directors (its Audit Committee) with confirmation of the organizational independence of internal auditing and individual objectivity of internal auditors at least once a year, as part of the internal audit report.

In 2017, over 300 inspections were conducted, covering most of the Company’s major and significant projects.

Over 90.0% of thematic inspections and audits focused on assessing the RM&ICS performance, improving the efficiency of the Company’s business processes in Key Group Subsidiaries, and assessing the business performance of Group Subsidiaries.

In cooperation with the heads of business units, the Internal Audit Service prepares proposals based on its inspection results aimed at improving business processes and RM&ICS optimization, as well as resolutions for eliminating the violations and shortcomings identified during inspections.

Key Focus Areas of Internal Audit in 2017

In the reporting period, the Internal Audit Service conducted regular in-house self assessment on its internal audit quality.

Overall, internal audit operations complied with the requirements of the Company’s local regulations on internal audit, the International Standards for the Professional Practice of Internal Auditing, and the Code of Ethics of the International Institute of Internal Auditors. A report was drafted following the assessment, and an action plan was formulated to further develop the Company’s internal audit function.

Based on the RM&ICS performance assessment, the internal audit concluded that Rosneft’s RM&ICS ensures overall support of the risk management process and effective functioning of the internal control system, providing reasonable assurance that the Company will achieve its goals.

To ensure compliance with the principle of internal audit independence, the Vice President – Head of Internal Audit administratively reports directly to Rosneft’s Chief Executive Officer, and functionally reports to Rosneft’s Board of Directors. Employees within the Internal Audit Service units report to the Head of Internal Audit both administratively and functionally.

External Audit

By its resolution dated 29 December 2015, Rosneft’s Procurement Commission dealing with financial, audit, and consulting services approved the material terms and conditions of the procurement procedure for contracting statutory audit of RAS accounting (financial) statements and IFRS consolidated financial statements of Rosneft and its Major Subsidiaries in 2016–2018, and selected the service provider, Ernst & Young LLC.

The Audit Committee of the Board of Directors assessed the potential auditor and proposed that Rosneft’s Board of Directors recommend the General Shareholders Meeting to approve Ernst & Young LLC as the Company’s auditor and determine its fee.

The auditor was approved by the Annual General Shareholders Meeting of Rosneft.

Ernst & Young LLC, incorporated under the laws of the Russian Federation, is an independent member of Ernst & Young’s (EY) global network offering auditing services and consulting on taxation and business conduct. Ernst & Young LLC is one of the Big Four major international auditing companies and a member of the Self-Regulatory Organization of Auditors Association, Russian Union of Auditors (RUA) with a long track record of cooperation with the Company, beginning in 2002.

The Auditor provides the following services to the Company:

  • Statutory audit of accounting (financial) statements prepared under the Russian Accounting Standards (RAS)
  • Statutory audit of consolidated financial statements of Rosneft Group prepared under the International Financial Reporting Standards (IFRS)
  • Audit review of the Company’s interim consolidated financial statements prepared under the IFRS
  • Other one-off additional audit services for new assets acquired by Rosneft Group to be reflected in its IFRS consolidated financial statements

The auditor’s fee was determined by the Board of Directors as follows:

For auditing accounting (financial) statements prepared under the RAS – up to RUB 3,246,000.00, inclusive of VAT

For auditing consolidated financial statements prepared under the IFRS – up to RUB 98,194,904.74, inclusive of VAT