Risk Management and Internal Control System
In accordance with the Corporate Governance Code of the Bank of RussiaCorporate Governance Code recommended by letter of the Bank of Russia No. 06-52/2463 dated 10 April 2014., Russian regulatory requirementsFederal Law No. 402-FZ On Accounting dated 6 December 2011, Federal Law No. 208-FZ On Joint-Stock Companies dated 26 December 1995, etc. and the best practices, the Company has established and is continuously improving its Risk Management and Internal Control System (RM&ICS).
In accordance with the Corporate Governance Code of the Bank of Russia, Russian regulatory requirements and the best practices, the Company has established and is continuously improving its Risk Management and Internal Control System (RM&ICS).
The objectives of the RM&ICS are set out in the Company’s Policy on the Risk Management and Internal Control SystemRosneft’s Policy on the Risk Management and Internal Control System No. P4-01 P-01 approved by Resolution of the Company’s Board of Directors, Minutes No. 8 dated 16 November 2015.drawing on recommendations of international firms engaged in risk management, internal control and audit services (including the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and the Federation of European Risk Management Associations (FERMA)). These are intended to provide reasonable assurance that the Company will achieve its following goals:
- Strategic goals contributing to the accomplishment of the Company’s mission
- Operational goals relating to the Company’s financial and operating performance and asset integrity
- Goals of maintaining compliance with applicable laws and local regulations, including HSE requirements and requirements for information and personal security
- Goals of preparing reliable financial statements or non-financial reports and non-financial reports for internal and/or external users in a timely manner
The main principles of the RM&ICS operation, approaches to identify and assess risks related to financial and business operations and business processes, as well as to develop measures for managing financial and business risks and control procedures reducing business process risks are set out in the Company’s lower-level regulationsThe Company’s Standard on the Corporate-Wide Risk Management System, the Company’s Standard on the Internal Control System, and the RM&ICS regulations and guidelines..
Owing to ongoing improvements in its RM&ICS, the Company can promptly respond to changes in the external environment and internal business processes, achieve better performance, and increase its shareholder value.
Key targets and objectives of the RM&ICS enhancement, as well as critical steps to achieve them, are set out in the Comprehensive RM&ICS Enhancement Plan.
|RM&ICS Enhancement Initiatives||Results|
|Improving RM&ICS guidelines. Employee trainings|| |
Temporary recommendations for managing risks related to business projects (including the Company’s major projects), together with recommendations for assessing the probability of risk materialisation and the risk impact, were developed and communicated to heads of the Company’s businesses.
Employees of Rosneft and Group Subsidiaries and risk and internal control experts were trained in the RM&ICS.
|Developing the Company’s risk management and internal control infrastructure and procedures|| |
The approach to identify and evaluate the Company’s strategic risks, including the assessment of strategic threats for possible impact on the achievement of the Company's strategic targets as set out in its development strategy was updated.
The Company’s quantitative risk assessment models were verified (back-tested).
A model (algorithm) was developed to evaluate the risk of accumulation of unclaimed liquid and non-liquid inventories.
|Implementing and maintaining the Internal Control System|| |
Group Subsidiaries and processes were selected for a self-assessment of internal controls.
The Company’s employees were trained in self-assessment, including control procedure testing.
|Improving the RM&ICS processes across Group Subsidiaries||The corporate-wide risk management system was implemented by nine Group Subsidiaries.|
|Improving information resources to support and maintain the RM&ICS||Risk and internal control experts from Rosneft’s business units and Group Subsidiaries received an overview training in the Risk Management and Internal Control information resources.|
To achieve the ICS objectives, the Company needs to:
- Define and update key ICS focus areas in alignment with the Company’s needs and stakeholder requirements
- Assess business process risks, develop, adopt and follow controls, including the development of uniform guidelines to support efficient ICS operations
- Identify shortcomings in existing controls, develop and implement initiatives to address the same; streamline and upgrade controls
- Develop and implement tools to facilitate communication and information sharing among all RM&ICS stakeholders, including via information systems
The Company’s management and employees ensure the ICS efficiency by managing the relevant functions and performing their job duties.
Corporate-Wide Risk Management System (CWRMS)
Risk management at Rosneft is governed by the Company’s Policy on the Risk Management and Internal Control SystemRosneft’s Policy on the Risk Management and Internal Control System No. P4-01 P-01 approved by Resolution of the Company’s Board of Directors, Minutes No. 8 dated 16 November 2015. and Standard on the Corporate-Wide Risk Management SystemRosneft’s Standard on the Corporate-Wide Risk Management System No. P4-01 P-01 put into effect by order No. 660 dated 22 October 2018. .
The CWRMS is a combination of interrelated elements embedded into various business processes of the Company (including strategic and business planning processes) and implemented at all management levels by all employees of the Company.
All strategic and financial and operational risks of the Company are reported within the CWRMS. Risk reports are delivered for review/approval to the members of the Board’s Audit Committee / the Board of Directors and communicated to the management.
Heads of the Company’s business units arrange for, and steer risk management processes within their remit. When choosing a risk response and specific mitigants, risk owners seek to find an optimal trade-off while maintaining an acceptable risk level (risk appetite).
Rosneft’s RisksFor Rosneft’s key risks, see Appendix 2 to this Annual Report.
Risk Appetite of the Company
Rosneft relies on insurance as a risk management tool enabling it to pass financial losses from the risks materialised on to insurers.
Rosneft’s corporate insurance programme covers:
- fixed assets of the Company;
- civil liability;
- business risks.
Rosneft has insurance coverage in place for its fixed assets against the risk of damage to (loss of) property and potential losses resulting from business interruption due to accidents and other accidental exposures, as well as liability insurance against the risk of legal action by third parties arising out of its onshore and offshore operations.
The most material risks are reinsured with international firms rated A– or higher by S&P, AM Best or Fitch.
Rosneft insures its liability as required by federal laws, including Federal Law No. 225-FZ On Compulsory Insurance of Owners of Hazardous Facilities against Civil Liability for Damage Caused by Accidents at Hazardous Facilities. Clause 1 of Article 1 of the above Law provides for the compulsory insurance of property interests of the facility’s owner and its obligation to indemnify for damage caused to the affected party.
In its 2020 operations, Rosneft’s Internal Audit Service was governed by the Code of Ethics of the International Institute of Internal Auditors, international professional standards of internal audit and the Company’s key internal regulations on the Internal Audit Service:
- Policy on Internal Audit;
- Regulations on the Internal Audit Quality Assurance and Improvement Programme.
The Internal Audit Service assists Rosneft’s Board of Directors and its executive bodies in enhancing the Company’s management efficiency and improving its financial and business performance, including through a systematic and consistent approach to the analysis and evaluation of the RM&ICS as well as corporate governance, therefore providing reasonable assurance that the Company will achieve its goals. It also helps ensure:
- accuracy, reliability, and integrity of information on the Company’s financial and business operations, including those of Group Subsidiaries;
- efficiency and effectiveness of the Company’s operations, including those of Group Subsidiaries;
- room for improvement available across the Company’s financial and business operations, including those of Group Subsidiaries;
- integrity of the Company’s assets, including those of Group Subsidiaries.
Functionally, the Internal Audit Service reports to Rosneft’s Board of Directors. This implies:
- approving Policy-level internal regulations on internal audit (specifically, the Policy on Internal Audit that sets out its goals, objectives, and roles);
- deciding on the appointment and removal of the Head of Internal Audit;
- reviewing internal audit plans and performance reports;
- approving the Internal Audit’s budget and remuneration of the Head of Internal Audit;
- the Board’s Audit Committee reviewing material limitations of authority and other restrictions likely to adversely affect performance of the Internal Audit Service.
Administratively, the Internal Audit reports to Rosneft’s Chief Executive Officer. This implies:
- allocating necessary funds within the approved budget;
- approving internal audit plans;
- reviewing internal audit performance reports;
- facilitating the cooperation with Rosneft’s and Group Subsidiaries’ business units;
- administering internal audit policies and procedures.
The existing reporting lines whereby the Head of Internal Audit reports to the Board of Directors and the Company’s executive bodies provide sufficient independence for performing internal audit functions.
Heads of the Internal Audit functional units do not participate in managing functional areas of the Company’s business requiring management decisions on audited entities.
In 2020, the Head of Internal Audit also acted as:
- member of the Management Board of Rosneft (until September 2020);
- member of the Management Board of Bashneft (until June 2020).
For that reason, the Company provided for ongoing monitoring of potential conflicts of interest. To ensure independence and impartiality of internal audit, the Head of Internal Audit did not vote on matters requiring management decisions on audited entities and affecting the impartiality of internal audit.
The internal auditors provide written confirmation of their personal impartiality to the heads of the Internal Audit functional units and to the Head of Internal Audit at least once a year, thereby raising awareness among the Internal Audit employees about potential conflicts of interest and related issues, as well as response procedures to situations which may influence the independence and impartiality of internal audit.
The Head of Internal Audit provides Rosneft’s Chief Executive Officer, Board of Directors (its Audit Committee) with confirmation of the organisational independence of the Internal Audit Service and individual impartiality of internal auditors at least once a year, as part of the internal audit performance report.
The internal audit plan is based on an audit model and uses information and requests received from Rosneft’s executive bodies and Board of Directors, as well as its risk evaluation results. It includes audits and other activities and is subject to approval by Rosneft’s Chief Executive Officer and endorsement by the Board’s Audit Committee. Details of the plan are presented to the Company’s Board of Directors as part of the internal audit report for the previous period.
At least twice a year, the Head of Internal Audit procures to prepare and submit this report to Rosneft’s Board of Directors and its executive bodies (including information about material risks, breaches and shortcomings, results and effectiveness of internal auditors’ proposals for eliminating the same, delivery of the internal audit plan, and assessment of reliability and performance of the Company’s RM&ICS and corporate governance).
The internal audit reports for the first six months and the full year of 2020 were reviewed by the Chief Executive Officer, the Board’s Audit Committee and the Board of Directors of Rosneft.
The Internal Audit Service completed all planned activities in line with its internal audit plan for 2020.
The Internal Audit Service prepares and annually updates a three-year plan based on the interrelation of processes, risks, and Group Subsidiaries. The plan covers the highest risk processes and major Group Subsidiaries.
In 2020, Rosneft’s Internal Audit Service ran a number of initiatives to improve the control environment, including monitoring of large investment projects, oil and petroleum products inventory management, well cost accounting, and implementation of geological solutions, as well as customer service quality control at the Company’s filling stations / oil depots. To boost ICS efficiency in procurement, the Internal Audit Service continued to implement preventive controls. In the reporting period, it carried out initiatives to develop process approach, assess working environment and employee awareness of corporate values across the Company’s business units, and implemented measures to enhance internal audit efficiency.
In 2020, the Internal Audit Service updated the Assurance Map representing a risk and control matrix across business processes broken down in three lines of defence.
The RM&ICS assessment results were reviewed by the Board’s Audit Committee and the Board of Directors of Rosneft.
In the reporting period, all employees of the Internal Audit Service underwent training in their core business areas, including internal audit, countering corruption and fraud, risk management and internal control, IT, and more.
The Company supported the master’s curriculum in Internal Audit and Control run by the Financial Management Department at Gubkin Russian State University of Oil and Gas to train internal audit specialists for the oil and gas industry.
In the reporting period, the Internal Audit Service conducted regular in-house self-assessment on its internal audit quality. It was concluded following the self-assessment that the internal audit function was generally in line with the requirements of the Company’s Policy on Internal Audit and other regulations on internal audit, the International Standards for the Professional Practice of Internal Auditing, and the Code of Ethics of the International Institute of Internal Auditors.
The Internal Audit Service ensures effective communication with the Board’s Audit Committee, Rosneft’s Chief Executive Officer (including through personal reports on material audit results), Rosneft’s management, the Audit Commission, external auditor and the management of the Group Subsidiaries.