Risk Management and Internal Control System
The objectives of the Risk Management and Internal Control System (RM&ICS) are set out in the Company’s Policy on the Risk Management and Internal Control SystemRosneft’s Policy on the Risk Management and Internal Control System No. P4-01 P-01 approved by the Company’s Board of Directors, Minutes No. 8 dated 16 November 2015. drawing on recommendations of international firms engaged in risk management, internal control and audit services. These are intended to provide reasonable assurance that the Company will achieve its goals in four focus areas:
- Strategic goals contributing to the accomplishment of the Company’s mission
- Operational goals relating to the Company’s financial and operating performance and asset integrity
- Goals of maintaining compliance with applicable laws and local regulations, including HSE requirements and requirements for information and personal security
- Goals of preparing reliable financial statements or non-financial reports and non-financial reports for internal and/or external users in a timely manner
Board of Directors and Audit Committee of the Board of Directors
- Approve RM&ICS focus areas and follow up on their progress
- Approve corporate reports on financial and business risks
- Approve risk appetite
- Monitor the RM&ICS reliability and performance
Chief Executive Officer
- Validates RM&ICS focus areas
- Validates RM&ICS reports
- Validates risk appetite
Risk Management Committee
- Validates the RM&ICS issues reported to the Chief Executive Officer
- Resolves RM&ICS operational disputes
- Distributes roles and responsibilities among employees
- Risk management
- Develops and implements control procedures
- Conducts self-assessment of internal controls
JVs Providing Certain RM&ICS Functions
- Prepare and consolidate RM&ICS reports
- Manage the roll-out of RM&ICS elements and develop proposals for the risk management methodology
- Assist the Company’s management in conducting self-assessment of internal controls
- Implement risk management controls and initiatives
- Assist the Company’s management in managing risks
- Help identify, assess and report on risks and internal controls, and conduct self-assessment of internal controls
Risk and Internal Control Experts
- Steer risk management and internal control processes in business units
- Identify, assess, and develop risk management initiatives
- Develop, implement, and update business process controls
- Develop, implement and monitor initiatives to bridge gaps in business process controls
Internal Audit Function
- Assesses the RM&ICS reliability and performance
- Conducts audits
- Monitors the implementation of RM&ICS improvement proposals made by internal auditors
- Assists the Company’s executive bodies in investigating abusive/unlawful practices by the Company’s employees and third parties
- Audits the Company’s financial and business operations, verifies the accuracy and reliability of data included in Rosneft’s annual reports and annual accounting (financial) statements
Risk and Internal Control Department
- Plans RM&ICS focus areas
- Develops, implements and updates Company-wide RM&ICS guidelines
- Prepares reports on risks and internal controls
- Manages the RM&ICS roll-out and operation across Rosneft’s business units and Group Subsidiaries
- Provides guidelines to key RM&ICS stakeholders, trains them in risk management and internal controls
- Develops, implements and supports insurance programmes
- Reinsures the Company’s risks in Russian and international insurance markets
- Settles insurance claims on risks materialised
- Develops, updates, and introduces internal anti-fraud and anti-corruption regulations and implementing documents
- Participates in ensuring compliance with internal regulations and implementing anti-fraud and anti-corruption initiatives taken by Rosneft’s executive bodies
- Manages the Security Hotline
- Conducts inspections/investigations into abusive/unlawful practices by the Company’s employees and third parties
Owing to ongoing improvements in its RM&ICS, the Company can promptly and adequately respond to changes in the external and internal environment, achieve better performance, and maintain and increase its shareholder value.
The Comprehensive RM&ICS Enhancement Plan covers the short and medium terms. The Plan sets key targets and objectives and outlines critical steps towards the achievement of the Company’s goals for the RM&ICS.
|RM&ICS focus areas||Key results|
Improving RM&ICS guidelines. Employee trainings
The Company’s internal regulations governing the RM&ICS were updated, including:
245 employees of Rosneft and Group Subsidiaries were trained in the RM&ICS.
Developing the Company’s risk management and internal control infrastructure and procedures
The Company’s quantitative risk assessment models were verified (back-tested).
The Company-wide Register of Risks and Control Procedures is maintained and updated.
A model (algorithm) was developed to evaluate risks of adverse judgements in litigations against the Company.
Implementing and maintaining the Internal Control System
The Company keeps on developing, implementing and streamlining its business process controls.
Internal controls were self-assessed in the Retail Sales of Petroleum Products and Complementary Goods and Small-scale Wholesale of Petroleum Products business process and the Accounting Management and Financial Reporting business process.
Improving the RM&ICS processes across Group Subsidiaries
The corporate-wide risk management system was implemented by 15 Group Subsidiaries.
Developing information resources to support and maintain the RM&ICS
Risk and internal control experts from the Company and Group Subsidiaries were given access to the Risk Management and Internal Control information resources.
Risk and internal control experts were trained in using the Risk Management and Internal Control information resources.
- The both systems have aligned goals.
- The ICS is governed by the Company’s Policy on the Risk Management and Internal Control System, Standard on the Internal Control System, and Regulations on Design, Implementation and Maintenance of the Internal Control System.
- The Company relies on these regulations to identify risks inherent in its business processes and implement controls, thus improving manageability and efficiency across business processes, reliability of financial statements, and compliance with the applicable laws and internal regulations.
- Define and update key ICS focus areas in alignment with the Company’s needs and stakeholder requirements
- Develop, adopt and follow controls, including the development of uniform guidelines to support efficient ICS operations
- Identify shortcomings in existing controls, develop and implement initiatives to address the same; streamline and upgrade controls
- Develop and implement tools to facilitate communication and information sharing among all RM&ICS stakeholders, including via information systems
Risk management at Rosneft is governed by the Company’s Policy on the Risk Management and Internal Control System and Standard on the Corporate-Wide Risk Management System (CWRMS).
The CWRMS is a combination of interrelated elements embedded into various business processes of the Company (including strategic and business planning processes) and implemented at all management levels by all employees of the Company.
All key risks of the Company are reported within the CWRMS, including the risks affecting the implementation of its Long-Term Development Programme and the risks related to day-to-day financial and business operations. Risk reports are delivered for review/approval to the members of the Board’s Audit Committee / the Board of Directors and communicated to the management.
Heads of the Company’s business units arrange for and steer risk management processes within their remit. When choosing a risk response and specific mitigants, risk owners seek to find an optimal trade-off while maintaining an acceptable risk level (risk appetite).Rosneft’s RisksFor Rosneft’s key risks see Appendix 2 to this Annual Report.
COUNTRY AND REGIONAL RISKS
Since 2014, the USA, EU and some other countries have been imposing various economic constraints on the Russian Federation, among other things, affecting operations of certain companies in the Russian energy and other industries (including Rosneft and some of its subsidiaries).
Rosneft factors in and continuously monitors existing constraints to minimise their adverse effects, and consistently implements its Import Substitution and Equipment Localisation Programme in Russia.CHANGES IN LEGISLATION AND REGULATORY ENVIRONMENT
The Company’s operating results are very sensitive to changes in the applicable laws, including tax, currency and customs regulations, etc. Rosneft continuously monitors and assesses such changes, and makes projections as to their likely effect on the Company’s operations. Rosneft’s experts are regular members of working groups drafting bills in various fields of law.
Risk Appetite of the Company
In 2018, Rosneft’s Board of Directors approved the Company’s risk appetite for 2019:
Financial and economic performance
The Company strictly complies with its financial covenants. The Company ensures that all its short- and long-term commitments are fulfilled as they fall due.
Health, safety and environment
Recognising the nature and scale of the footprint of its business, products and services, the Company feels responsible for safe and accident-free operation and protects health and safety of its employees and local residents in regions of its operation.
As part of its commitment to prevent any potential adverse impact on the environment, the Company makes every effort to protect, preserve and restore natural resources.
The Company has zero tolerance for any form or manifestation of corporate fraud and corruption.
Rosneft relies on insurance as a risk management tool enabling it to pass financial losses from the risks materialised on to insurers.
Rosneft’s corporate insurance programme covers:
- fixed assets of the Company;
- civil liability;
- business risks.
The most material risks are reinsured with international firms rated A– or higher by S&P, AM Best or Fitch. Rosneft insures its liability as required by federal laws, including Federal Law No. 225-FZ On Compulsory Insurance of Owners of Hazardous Facilities against Civil Liability for Damage Caused by Accidents at Hazardous Facilities. Clause 1 of Article 1 of the above Law provides for the compulsory insurance of property interests of the facility’s owner and its obligation to indemnify for damage caused to the affected party.
The Company’s internal audit is governed by the following internal regulations:
- the Company’s Policy on Internal Audit (No. P4-01 P-02);
- the Company’s Standard on the Organisation of Internal Audit (No. P4-01 S-0021);
- the Company’s Regulations on the Internal Audit Quality Assurance and Improvement Programme (No. P4-01 R-0038);
- the Company’s Regulations on the Procedure for Cooperation between the Internal Audit Service and Business Units of Rosneft and Group Subsidiaries When Performing Internal Audit (No. P4-01 R-0041);
- Rosneft’s Instruction on the Annual Planning of Internal Audits (No. P4-01 I-01016 YuL-001);
- Rosneft’s Instruction on the Procedure for Internal Audits (No. P4-01 I-01013 YuL-001);
- Rosneft’s Instruction on the Procedure for In-house Self-assessment of Internal Audit Quality (No. P4-01 I-01014 YuL-001);
- other internal regulations governing the Company’s internal audit operations.
The Internal Audit Service assists Rosneft’s Board of Directors and its executive bodies in enhancing the Company’s management efficiency and improving its financial and business performance, including through a systematic and consistent approach to the analysis and evaluation of the risk management and internal control system (RM&ICS) as well as corporate governance, therefore providing reasonable assurance that the Company will achieve its goals. It also helps ensure:
- accuracy, reliability, and integrity of information on the Company’s financial and business operations, including those of Group Subsidiaries;
- efficiency and effectiveness of the Company’s operations, including those of Group Subsidiaries;
- room for improvement available across the Company’s financial and business operations, including those of Group Subsidiaries;
- integrity of the Company’s assets, including those of Group Subsidiaries.
- developing an internal audit plan prioritising internal audit activities based on the risk-oriented approach;
- assessing the RM&ICS reliability and performance as well as its adequacy given the scale and complexity of the Company's business;
- assessing corporate governance;
- conducting audits and activities in line with the internal audit plan approved by Rosneft’s Chief Executive Officer and endorsed by the Board’s Audit Committee;
- performing other inspections and tasks as instructed by Rosneft’s Board of Directors (its Audit Committee) and/or the Company’s Chief Executive Officer;
- analysing audit targets to look into and evaluate specific aspects of their activity;
- developing recommendations for streamlining business processes, including their integrity, risk management and internal controls;
- advising the Company’s executive bodies on risk management, internal controls, and corporate governance (provided that the internal audit remains independent and impartial);
- monitoring the Company’s progress in addressing breaches and shortcomings identified during audits;
- assisting the Company’s executive bodies in investigating abusive/unlawful practices by the Company’s employees and third parties, including negligence, corporate fraud, corrupt practices, abuses and various wrongdoings detrimental to the Company;
- cooperating with the Company’s business units on internal audit matters;
- implementing the Internal Audit Quality Assurance and Improvement Programme;
- performing other functions essential to meet the tasks assigned.
Functionally, the Internal Audit Service reports to Rosneft’s Board of Directors. This implies:
- approving Policy-level internal regulations on internal audit (specifically, the Policy on Internal Audit that sets out its goals, objectives, and roles);
- deciding on the appointment and removal of the Head of Internal Audit;
- reviewing internal audit plans and performance reports;
- approving the Internal Audit’s budget and remuneration of the Head of Internal Audit;
- the Board’s Audit Committee reviewing material limitations of authority and other restrictions likely to adversely affect performance of the Internal Audit Service.
Administratively, the Internal Audit reports to Rosneft’s Chief Executive Officer. This implies:
- allocating necessary funds within the approved budget;
- approving internal audit plans;
- reviewing internal audit performance reports;
- facilitating the cooperation with Rosneft’s and Group Subsidiaries’ business units;
- administering internal audit policies and procedures (e.g. approving internal regulations on internal audit and amendments thereto, approving organisational documents of Rosneft’s Internal Audit, validating business trips, and endorsing the engagement of external experts to work on internal audits).
The existing reporting lines whereby the Head of Internal Audit reports to the Board of Directors and the Company’s executive bodies provide sufficient independence for performing internal audit functions.
Heads of the Internal Audit functional units do not participate in managing functional areas of the Company’s business requiring management decisions on audited entities.
The Head of Internal Audit was appointed by Rosneft’s Board of Directors to its Management Board in July 2016 and was also appointed by Bashneft’s Annual General Shareholders Meeting to Bashneft’s Board of Directors in June 2019. The Head of Internal Audit is not entitled to vote on matters requiring management decisions on audited entities.
The internal auditors provide written confirmation of their personal impartiality to the heads of the Internal Audit functional units and to the Head of Internal Audit at least once a year, thereby raising awareness among the Internal Audit employees about potential conflicts of interest and related issues, as well as response procedures to situations which may influence the independence and impartiality of internal audit.
The Head of Internal Audit provides Rosneft’s Chief Executive Officer, Board of Directors (its Audit Committee) with confirmation of the organisational independence of the Internal Audit Service and individual impartiality of internal auditors at least once a year, as part of the internal audit performance report.
The internal audit plan is based on an audit model and uses information and requests received from Rosneft’s executive bodies and Board of Directors, as well as its risk evaluation results. It includes audits and other activities and is subject to approval by Rosneft’s Chief Executive Officer and endorsement by the Board’s Audit Committee. Details of the plan are presented to the Company’s Board of Directors as part of the internal audit report for the previous period.
At least twice a year, the Head of Internal Audit procures to prepare and submit this report to Rosneft’s Board of Directors and its executive bodies (including information about material risks, breaches and shortcomings, results and effectiveness of internal auditors’ proposals for eliminating the same, delivery of the internal audit plan, as-is assessment, reliability and performance of the Company’s RM&ICS and corporate governance).
The internal audit reports for the first six months and the full year of 2019 were reviewed by the Chief Executive Officer, the Board’s Audit Committee and the Board of Directors of Rosneft.
The Internal Audit Service completed all planned activities in line with its internal audit plan for 2019.
In the reporting period, internal audits covered most of the Company’s corporate risks as well as financial and operational risks, and 56% of Group Subsidiaries’ asset value.
In 2019, the Internal Audit Service ran 11 projects and initiatives seeking to improve the control environment and enhance the efficiency of both the Company and its internal audit. Since 2019, the Internal Audit Service has been implementing preventive independent inspections with a view to making the Company’s procurement processes more efficient. In the reporting period, it focused on monitoring crude oil and petroleum products inventory management, well cost accounting, disposal of overseas assets, as well as on fostering process management and corporate culture.
The assessment results were reviewed by the Board’s Audit Committee and the Board of Directors of Rosneft.
In 2019, Rosneft fully automated its internal audit function across all focus areas ranging from annual planning to monitoring the Company’s progress in addressing breaches and shortcomings identified during audits.
In the reporting period, the Internal Audit Service updated the Assurance Map representing a risk and control matrix across business process broken down in three lines of defence.
In September 2019, the Financial Management Department at Gubkin Russian State University of Oil and Gas launched master’s curriculum in Internal Audit and Control, both intra- and extramural, aiming to train internal audit specialists for the oil and gas industry. The graduates who successfully passed the corporate selection procedures became interns at Rosneft’s Internal Audit Service.
All the employees of Rosneft’s Internal Audit Service undergo training in their core business areas.
In the reporting period, the Internal Audit Service conducted regular in-house self-assessment on its internal audit quality. It was concluded following the self-assessment that the internal audit function was generally in line with the requirements of the Company’s Policy on Internal Audit and other regulations on internal audit, the International Standards for the Professional Practice of Internal Auditing, and the Code of Ethics of the International Institute of Internal Auditors.
The Internal Audit Service ensures effective communication with the Board’s Audit Committee (including face-to-face meetings with its Chairman without attendance by the Company’s management), Rosneft’s Chief Executive Officer (including through personal reports on material audit results), and the management of Rosneft and Group Subsidiaries.
The Head of Internal Audit cooperates with Rosneft’s Audit Commission, external auditor, and audit commissions of Group Subsidiaries.