Corporate governance

Risk Management and Internal Control System

In accordance with the Corporate Governance Code of the Bank of Russia (Corporate Governance Code recommended by letter of the Bank of Russia No. 06-52/2463 dated 10 April 2014), Russian regulatory requirements (Federal Law No. 402-FZ On Accounting dated 6 December 2011, Federal Law No. 208-FZ On Joint-Stock Companies dated 26 December 1995, etc.) and the best practices, the Company has established and is continuously improving its Risk Management and Internal Control System (RM&ICS).

The objectives of the RM&ICS are set out in the Company’s Policy on the Risk Management and Internal Control System (Rosneft’s Policy on the Risk Management and Internal Control System No. P4-01 P-01 approved by Resolution of the Company’s Board of Directors, Minutes No. 8 dated 16 November 2015), drawing on recommendations of international firms engaged in risk management, internal control and audit services (including the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and the Federation of European Risk Management Associations (FERMA)). These are intended to provide reasonable assurance that the Company will achieve the following goals:

  1. Strategic goals contributing to the accomplishment of the Company’s mission
  2. Operational goals relating to the Company’s financial and operating performance and asset integrity
  3. Goals of maintaining compliance with applicable laws and local regulations, including HSE requirements and requirements for information and personal security
  4. Goals of preparing reliable financial statements or non-financial reports for internal and/or external users in a timely manner

The main principles of the RM&ICS operation, approaches to identify and assess risks related to financial and business operations and business processes, as well as to develop measures for managing financial and business risks and control procedures reducing business process risks are set out in the Company’s lower-level regulations (the Company’s Standard on the Corporate-Wide Risk Management System, the Company’s Standard on the Internal Control System, and the RM&ICS regulations and guidelines).

RM&ICS stakeholders
Strategic level
Board of Directors and Audit Committee of the Board of Directors
  • Approve RM&ICS focus areas and follow up on their progress
  • Approve corporate reports on financial and business risks
  • Approve risk appetite
  • Monitor the RM&ICS reliability and performance
Operational level
Chief Executive Officer
  • Validates RM&ICS focus areas
  • Validates RM&ICS reports
  • Validates risk appetite
Management Board
  • Ensures the establishment and operation of an effective RM&ICS
Risk Management Committee
  • Validates the RM&ICS issues reported to the Chief Executive Officer
  • Resolves RM&ICS operational disputes
Management
  • Distributes roles and responsibilities among employees
  • Manages risks
  • Develops and implements control procedures
  • Conducts self-assessment of internal controls
Risk and Internal Control Methodology Department
  • Plans RM&ICS focus areas
  • Develops, implements and updates Company-wide RM&ICS guidelines
  • Prepares reports on risks and internal controls
  • Manages the RM&ICS roll-out and operation across Rosneft’s business units and Group Subsidiaries
  • Provides guidelines to key RM&ICS stakeholders, trains them in risk management and internal controls
Security Service
  • Develops, updates, and introduces internal anti-fraud and anti-corruption regulations and implementing documents
  • Participates in ensuring compliance with internal regulations and implementing anti-fraud and anti-corruption initiatives taken by Rosneft’s executive bodies
  • Manages the Security Hotline
  • Conducts inspections/investigations into abusive/unlawful practices by the Company’s employees and third parties
Business Units Providing Certain RM&ICS Functions
  • Prepare and consolidate RM&ICS reports
  • Manage the roll-out of RM&ICS elements and develop proposals for the risk management methodology
  • Assist the Company’s management in conducting self-assessment of internal controls
Employees
  • Implement risk management controls and initiatives
  • Assist the Company’s management in managing risks
  • Help identify, assess and report on risks and internal controls, and conduct self-assessment of internal controls
RM&ICS independent monitoring and performance assessment
Internal Audit Service
  • Assesses the RM&ICS reliability and performance
  • Conducts audits
  • Monitors the implementation of RM&ICS improvement proposals made by internal auditors
  • Assists the Company’s executive bodies in investigating abusive/unlawful practices by the Company’s employees and third parties
Audit Commission
  • Audits the Company’s financial and business operations, verifies the accuracy and reliability of data included in Rosneft’s annual reports and annual accounting (financial) statements
RM&ICS Enhancement

Owing to ongoing improvements in its RM&ICS, the Company can promptly respond to changes in the external environment and internal business processes, achieve better performance, and increase its shareholder value.

Key targets and objectives of the RM&ICS enhancement, as well as critical steps to achieve them, are set out in the Comprehensive RM&ICS Enhancement Plan.

The Comprehensive RM&ICS Enhancement Plan for 2020–2022 was endorsed by the Company’s Risk Management Committee and Chief Executive Officer and approved by Rosneft’s Board of Directors.

RM&ICS Enhancement Highlights for 2020
 
RM&ICS Enhancement Initiatives / Results
Improving RM&ICS guidelines. Employee trainings

Temporary recommendations for managing risks related to business projects (including the Company’s major projects), together with recommendations for assessing the probability of risk materialisation and the risk impact, were developed and communicated to heads of the Company’s businesses.

Employees of Rosneft and Group Subsidiaries and risk and internal control experts were trained in the RM&ICS.

Developing the Company’s risk management and internal control infrastructure and procedures

The approach to identifying and evaluating the Company’s strategic risks, including the assessment of strategic threats for possible impact on the achievement of the Company's strategic targets as set out in its development strategy, was updated.

The Company’s quantitative risk assessment models were verified (back-tested).

A model (algorithm) was developed to evaluate the risk of accumulation of unclaimed liquid and non-liquid inventories.

Implementing and maintaining the Internal Control System

Group Subsidiaries and processes were selected for a self-assessment of internal controls.

The Company’s employees were trained in self-assessment, including control procedure testing.

Improving the RM&ICS processes across Group Subsidiaries

The corporate-wide risk management system was implemented by nine Group Subsidiaries.

Improving information resources to support and maintain the RM&ICS

Risk and internal control experts from Rosneft’s business units and Group Subsidiaries received an overview training in the Risk Management and Internal Control information resources.

Internal Control System
The internal control system (ICS) is an integral part of the RM&ICS
  • ICS is fully aligned with RM&ICS.
  • The ICS is governed by the Company’s Policy on the Risk Management and Internal Control System, Standard on the Internal Control System, and Regulations on Design, Implementation and Maintenance of the Internal Control System.
  • The Company relies on these regulations to identify risks inherent in its business processes and implement controls, thus improving manageability and efficiency across business processes, reliability of financial statements, and compliance with the applicable laws and internal regulations.

To achieve the ICS objectives, the Company needs to:

  1. Define and update key ICS focus areas in alignment with the Company’s needs and stakeholder requirements
  2. Assess business process risks, develop, adopt and follow controls, including the development of uniform guidelines to support efficient ICS operations
  3. Identify shortcomings in existing controls, develop and implement initiatives to address the same; streamline and upgrade controls
  4. Develop and implement tools to facilitate communication and information sharing among all RM&ICS stakeholders, including via information systems

The Company’s management and employees ensure the ICS efficiency by managing the relevant functions and performing their job duties.

Corporate-Wide Risk Management System (CWRMS)

Key CWRMS components

Risk management at Rosneft is governed by the Company’s Policy on the Risk Management and Internal Control System (Rosneft’s Policy on the Risk Management and Internal Control System No. P4-01 P-01 approved by Resolution of the Company’s Board of Directors, Minutes No. 8 dated 16 November 2015) and Standard on the Corporate-Wide Risk Management System (Rosneft’s Standard on the Corporate-Wide Risk Management System No. P4-01 P-01 put into effect by order No. 660 dated 22 October 2018).

The CWRMS is a combination of interrelated elements embedded into various business processes of the Company (including strategic and business planning processes) and implemented at all management levels by all employees of the Company.

All strategic and financial and operational risks of the Company are reported within the CWRMS. Risk reports are delivered for review/approval to the members of the Board’s Audit Committee / the Board of Directors and communicated to the management.

Heads of the Company’s business units arrange for and steer risk management processes within their remit. When choosing a risk response and specific mitigants, risk owners seek to find an optimal trade-off while maintaining an acceptable risk level (risk appetite).

Rosneft’s Risks

For Rosneft’s key risks, see Appendix 2 to this Annual Report.

Industry-wide risks
Risk of accidents
Risk of occupational injuries
Risk of failure to achieve oil and gas condensate production targets
Risk related to rising purchase prices for electric power
Risk of failure to achieve natural gas price targets
Risk of lower quality of refinery feedstock
Risk of failure to comply with the repair plan in Oil Refining
Risk of failure to achieve natural gas sales targets
Risk of environmental damage (due to pipe ruptures on land and accidents on the Russian shelf causing adverse environmental impact)
Risk of failure to achieve natural gas and gas condensate production targets
Risk of accumulation of unclaimed liquid and non-liquid inventories
Financial risks
Risk of tax claims and risk of losing tax benefits
Market risks
Credit risk related to crude oil, petroleum products, natural gas, petrochemicals and gas processing products supply contracts
Counterparty risk related to long-term advance payment crude oil and petroleum products supply contracts
Risk of default/cross-default
Legal and country risks
Risk related to international projects in Commerce and Logistics (Nayara Energy)
Risk of losing overseas assets in Commerce and Logistics
Risk of breach of competition laws
Risk of adverse judgements in legal proceedings to which the Company is a party
Changes in legislation and regulatory environment

The Company’s operating results are very sensitive to changes in the applicable laws, including tax, currency and customs regulations, etc. Rosneft continuously monitors and assesses such changes, and makes projections as to their likely effect on the Company’s operations. Rosneft’s experts are regular members of working groups drafting bills in various fields of law.

COVID-19 pandemic

In 2020, the COVID-19 pandemic affected Rosneft’s operations and key markets. The Company’s management factors in the epidemiological situation when assessing the impact of financial, operational and strategic risks on the achievement of the Company’s mid- and long-term goals, develops and implements measures to reduce such impact, as well as initiatives to protect employees.

External constraints

Since 2014, the USA, EU and some other countries have been imposing various economic constraints on the Russian Federation, among other things, affecting operations of certain companies in the Russian energy and other industries (including Rosneft and some of its subsidiaries).

Rosneft factors in and continuously monitors existing constraints to minimise their adverse effects, and consistently implements its Import Substitution and Equipment Localisation Programme in Russia.

Risk Appetite of the Company

In 2020, Rosneft’s Board of Directors approved the Company’s risk appetite for 2021:
Financial and economic performance

The Company strictly complies with its financial covenants. The Company ensures that all its short- and long-term commitments are fulfilled as they fall due.

Health, safety and environment

Recognising the nature and scale of the footprint of its business, products and services, the Company feels responsible for safe and accident-free operation and protects health and safety of its employees and local residents in regions of its operation.

As part of its commitment to prevent any potential adverse impact on the environment, the Company makes every effort to protect, preserve and restore natural resources.

Corporate governance

The Company has zero tolerance for any form or manifestation of corporate fraud and corruption.

Corporate Insurance

Rosneft relies on insurance as a risk management tool enabling it to pass financial losses from the risks materialised on to insurers.

Rosneft’s corporate insurance programme covers:

  • fixed assets of the Company;
  • civil liability;
  • business risks.

Rosneft has insurance coverage in place for its fixed assets against the risk of damage to (loss of) property and potential losses resulting from business interruption due to accidents and other accidental exposures, as well as liability insurance against the risk of legal action by third parties arising out of its onshore and offshore operations.

The most material risks are reinsured with international firms rated A– or higher by S&P, AM Best or Fitch.

Rosneft insures its liability as required by federal laws, including Federal Law No. 225-FZ On Compulsory Insurance of Owners of Hazardous Facilities against Civil Liability for Damage Caused by Accidents at Hazardous Facilities. Clause 1 of Article 1 of the above Law provides for the compulsory insurance of property interests of the facility’s owner and its obligation to indemnify for damage caused to the affected party.

Internal Audit

In its 2020 operations, Rosneft’s Internal Audit Service was governed by the Code of Ethics of the International Institute of Internal Auditors, international professional standards of internal audit and the Company’s key internal regulations on the Internal Audit Service:

  • Policy on Internal Audit;
  • Regulations on the Internal Audit Quality Assurance and Improvement Programme.
Rosneft’s internal audit function is performed by the Vice President – Head of Internal Audit and the Company’s functional units, specifically the Operational Audit Department, the Corporate Audit Department, the Regional Audit Department, the Internal Audit Methodology and Management Division, and the Economic and Organisational Analysis Division. In accordance with Rosneft’s organisational structure approved by the Board of Directors, units of the Internal Audit Service report directly to the Head of Internal Audit.

The Internal Audit Service assists Rosneft’s Board of Directors and its executive bodies in enhancing the Company’s management efficiency and improving its financial and business performance, including through a systematic and consistent approach to the analysis and evaluation of the RM&ICS as well as corporate governance, therefore providing reasonable assurance that the Company will achieve its goals. It also helps ensure:

  • accuracy, reliability, and integrity of information on the Company’s financial and business operations, including those of Group Subsidiaries;
  • efficiency and effectiveness of the Company’s operations, including those of Group Subsidiaries;
  • room for improvement available across the Company’s financial and business operations, including those of Group Subsidiaries;
  • integrity of the Company’s assets, including those of Group Subsidiaries.
Rosneft’s Internal Audit Service is mainly responsible for:
  • developing an internal audit plan based on the risk-oriented approach;
  • assessing the RM&ICS reliability and performance as well as its adequacy given the scale and complexity of the Company's business;
  • assessing corporate governance;
  • conducting audits and activities in line with the internal audit plan approved by Rosneft’s Chief Executive Officer and endorsed by the Board’s Audit Committee;
  • performing other inspections and tasks as instructed by Rosneft’s Board of Directors (its Audit Committee) and/or the Company’s Chief Executive Officer;
  • analysing audit targets to look into and evaluate specific aspects of their activity;
  • developing recommendations for streamlining business processes, including their integrity, risk management and internal controls;
  • advising the Company’s executive bodies on risk management, internal controls, and corporate governance (provided that the internal audit remains independent and impartial);
  • monitoring the Company’s progress in addressing breaches and shortcomings identified during audits;
  • assisting the Company’s executive bodies in investigating abusive/unlawful practices by the Company’s employees and third parties, including negligence, corporate fraud, corrupt practices, abuses and various wrongdoings detrimental to the Company;
  • cooperating with the Company’s business units on internal audit matters;
  • implementing the Internal Audit Quality Assurance and Improvement Programme;
  • performing other functions essential to meet the tasks assigned.
Reporting and Accountability Lines of Internal Audit

Functionally, the Internal Audit Service reports to Rosneft’s Board of Directors. This implies:

  • approving Policy-level internal regulations on internal audit (specifically, the Policy on Internal Audit that sets out its goals, objectives, and roles);
  • deciding on the appointment and removal of the Head of Internal Audit;
  • reviewing internal audit plans and performance reports;
  • approving the Internal Audit’s budget and remuneration of the Head of Internal Audit;
  • the Board’s Audit Committee reviewing material limitations of authority and other restrictions likely to adversely affect performance of the Internal Audit Service.

Administratively, the Internal Audit reports to Rosneft’s Chief Executive Officer. This implies:

  • allocating necessary funds within the approved budget;
  • approving internal audit plans;
  • reviewing internal audit performance reports;
  • facilitating the cooperation with Rosneft’s and Group Subsidiaries’ business units;
  • administering internal audit policies and procedures.

The existing reporting lines whereby the Head of Internal Audit reports to the Board of Directors and the Company’s executive bodies provide sufficient independence for performing internal audit functions.

Heads of the Internal Audit functional units do not participate in managing functional areas of the Company’s business requiring management decisions on audited entities.

In 2020, the Head of Internal Audit also acted as:

  • member of the Management Board of Rosneft (until September 2020);
  • member of the Management Board of Bashneft (until June 2020).

For that reason, the Company provided for ongoing monitoring of potential conflicts of interest. To ensure independence and impartiality of internal audit, the Head of Internal Audit did not vote on matters requiring management decisions on audited entities and affecting the impartiality of internal audit.

The internal auditors provide written confirmation of their personal impartiality to the heads of the Internal Audit functional units and to the Head of Internal Audit at least once a year, thereby raising awareness among the Internal Audit employees about potential conflicts of interest and related issues, as well as response procedures to situations which may influence the independence and impartiality of internal audit.

The Head of Internal Audit provides Rosneft’s Chief Executive Officer, Board of Directors (its Audit Committee) with confirmation of the organisational independence of the Internal Audit Service and individual impartiality of internal auditors at least once a year, as part of the internal audit performance report.

Internal Audit Performance in 2020

The internal audit plan is based on an audit model and uses information and requests received from Rosneft’s executive bodies and Board of Directors, as well as its risk evaluation results. It includes audits and other activities and is subject to approval by Rosneft’s Chief Executive Officer and endorsement by the Board’s Audit Committee. Details of the plan are presented to the Company’s Board of Directors as part of the internal audit report for the previous period.

At least twice a year, the Head of Internal Audit arranges for this report to be prepared and submitted to Rosneft’s Board of Directors and its executive bodies (including information about material risks, breaches and shortcomings, results and effectiveness of internal auditors’ proposals for eliminating the same, delivery of the internal audit plan, and assessment of reliability and performance of the Company’s RM&ICS and corporate governance).

The internal audit reports for the first six months and the full year of 2020 were reviewed by the Chief Executive Officer, the Board’s Audit Committee and the Board of Directors of Rosneft.

The Internal Audit Service completed all planned activities in line with its internal audit plan for 2020.

The Internal Audit Service prepares and annually updates a three-year plan based on the interrelation of processes, risks, and Group Subsidiaries. The plan covers the highest risk processes and major Group Subsidiaries.

In 2020, Rosneft’s Internal Audit Service ran a number of initiatives to improve the control environment, including monitoring of large investment projects, oil and petroleum products inventory management, well cost accounting, and implementation of geological solutions, as well as customer service quality control at the Company’s filling stations / oil depots. To boost ICS efficiency in procurement, the Internal Audit Service continued to implement preventive controls. In the reporting period, it carried out initiatives to develop the process approach, assess the working environment and employee awareness of corporate values across the Company’s business units, and implemented measures to enhance internal audit efficiency.

In 2020, the Internal Audit Service updated the Assurance Map representing a risk and control matrix across business processes broken down into three lines of defence.

The RM&ICS assessment results were reviewed by the Board’s Audit Committee and the Board of Directors of Rosneft.

Key Focus Areas in 2020
Based on results from the risk management and internal control system efficiency assessment, the Internal Audit Service concluded that the RM&ICS ensured overall support of the risk management process and efficient ICS, providing reasonable assurance that the Company would achieve its goals.

In the reporting period, all employees of the Internal Audit Service underwent training in their core business areas, including internal audit, countering corruption and fraud, risk management and internal control, IT, and more.

The Company supported the master’s curriculum in Internal Audit and Control run by the Financial Management Department at Gubkin Russian State University of Oil and Gas to train internal audit specialists for the oil and gas industry.

In the reporting period, the Internal Audit Service conducted regular in-house self-assessment on its internal audit quality. It was concluded following the self-assessment that the internal audit function was generally in line with the requirements of the Company’s Policy on Internal Audit and other regulations on internal audit, the International Standards for the Professional Practice of Internal Auditing, and the Code of Ethics of the International Institute of Internal Auditors.

The Internal Audit Service ensures effective communication with the Board’s Audit Committee, Rosneft’s Chief Executive Officer (including through personal reports on material audit results), Rosneft’s management, the Audit Commission, external auditor and the management of the Group Subsidiaries.