Internal Control and Risk Management System (ICS and RMS)

In the current climate of change and constraint, a timely overhaul of internal controls and risk management becomes imperative for the efficient operation of the company”.
Alexey Menshenin Head of Internal Control and Risk Management Directorate, Rosseti Kuban, PJSC

Functioning of ICS and RMS

The Internal Control System and Risk Management System (ICS and RMS) of Rosseti Kuban are integrated into the Corporate-Wide Management System; they are established to provide reasonable assurance regarding the achievement of the objectives related to the following focus areas:

  • Operational efficiency and strong performances of the Company including achievement of financial and operating results, protection of the Company’s assets
  • Compliance with the applicable laws and local regulations in the Company’s commercial activities and financial accounting
  • Reliability and timeliness of financial statements and other types of statements
  • Ensuring sustainable continuous operation and development of the Company through timely identification, assessment, and management of risks that pose a threat to the effective implementation of the Company’s business and reputation, the health of its employees, the environment, or property interests of shareholders and investors

In order to ensure the functioning of the ICS and RMS, the Company put the following fundamental regulatory documents in place:

  • Internal Control Policy of the Company (Minutes No. 233/2016 of the Board of Directors dated 18 March 2016). The Company’s Internal Control Policy discloses the main requirements for the organisation and operation of ICS and RMS as established by the Board of Directors of the Company.
  • Procedure for implementing the requirements of the Internal Control Policy of the Company (approved by Order No. 369-od dated 30 June 2021). The components and principles of the ICS and RMS specified in the Internal Control Policy are elaborated, detailed and described in the Internal Control Policy Implementation Procedure.
  • Risk Management Policy (Minutes dated 18 March 2016 No. 233/2016), in 2021. The Board of Directors approved a new version of the Policy (Minutes No. 420/2021 dated 24 February 2021). The Policy is a Company’s internal document, which determines its attitude to risks, establishes the general principles, objectives, and tasks of ICS and RMS, approaches to ICS and RMS organisation, the allocation of responsibility between ICS and RMS participants, and the nature of their cooperation, risk management milestones.

In addition, the Company has the following risk management regulations:

  • Company’s Risk Management Regulation
  • Tree risk model
  • ICS and RMS maturity model of the Company
  • List of basic risk management activities
  • Procedure for determining the preferred risk (risk appetite) of the Company

Main Participants of ICS and RMS

The internal control and risk management process covers all areas of activity and is carried out at all levels of corporate governance: the Board of Directors, the Authorised Committee of the Board of Directors, the Company’s Auditing Commission, the Company’s executive bodies, managers and employees at all management levels of the Company, the Internal Control and Risk Management Directorate, and the Internal Audit Directorate.

ЛЭП

INTERACTION OF ICS AND RMS PARTICIPANTS

The control procedures are implemented continually in all of the Company processes (areas of activity), at all management levels according to the Three Defence Lines model:

  • the level of governing bodies (sole and collective executive bodies), the Company’s units and divisions performing control procedures as part of their functions and professional duties is the first line of defence;
  • the level of the Company’s control divisions is the second line of defence;
  • the level of Internal Audit Department is the third line of defence.

By the resolution of the Board of DirectorsMinutes No. 241/2016 dated 31 May 2016., the Company established the Internal Control and Risk Management Directorate.

The main functions of the Internal Control and Risk Management Directorate are as follows:

  • Developing and ensuring the implementation and adaptation of the main methodological documents for the establishment and improvement of ICS and RMS
  • Assisting the Company’s management in creation of a control environment, developing the recommendations on the description and implementation of control procedures in processes (areas of activity) and assigning relevant responsibilities to officials, and ongoing monitoring of the implementation of internal control measures and procedures in the Company
  • General coordination of risk management processes

The functions of the ICS and RMS parties can be found in Appendices 7 and 8 to the Annual Report; the same is described and formalised in the following documents:

Control procedures for processes and sub-processes of the main and supporting activities, as well as governance processes of the Company are recorded in control and risk matrices.


ICS and RMS Performance Evaluation

In order to ensure that the ICS and RMS are effective and in line with objectively changing requirements and conditions, the Company carries out the following on the annual basis:

  • Self-assessment of the ICS by the Company’s management
  • Self-assessment of RMS effectiveness by the Internal Control And Risk Management Directorate
  • Independent assessment of the effectiveness of the ICS and RMS by internal audit
  • The Company's management completes check-lists with methodological support from the Internal Control and Risk Management Directorate
  • The ICS maturity level is assessed as intermediate between "Optimum" (Level 5) and "High" (Level 6)
  • The Internal Control and Risk Management Directorate assesses whether the current level of RMS maturity meets the established criteria of the Company's RMS Maturity Model
  • RMS maturity level is assessed as intermediate between "Moderate" (Level 4) and "Optimal" (Level 5)

For all processes, the ICS is assessed by process owners as effective; for most processes, the ICS is “fully compliant” with the ICS criteria set out in the Methodology for Self-assessment of the Effectiveness of Control Procedures and ICS Processes (Areas of Activities).

THIS DECISION RATED THE MATURITY LEVEL OF THE ICS AS BEING BETWEEN “OPTIMUM” (LEVEL 5) AND “HIGH” (LEVEL 6) — 5.3 POINTS, AND THE MATURITY LEVEL OF THE RMS AS BEING BETWEEN “MODERATE” (LEVEL 4) AND “OPTIMUM” (LEVEL 5) — 4.6 POINTS.

The results of the 2021 self-assessment indicate an optimal level of RMS maturity. Of the 14 elements in the Risk Management Framework group, seven are at an “optimum” maturity level, five are at a “high” maturity level and two are at a “basic” maturity level.

The results of the assessment of the effectiveness of the Company’s ICS and RMS at the end of 2021 and recommendations aimed at improving the effectiveness of ICS and RMS are reflected in the internal auditor’s report and were considered at the meeting of the Company’s Board of Directors (Minutes No. 477/2022 dated 19 May 2022 ) with a preliminary review by the Audit Committee of the Board of Directors (Minutes No. 127/2022 dated 6 May 2022).

Due to the change in the methodology for assessing ICS and RMS in 2021, no information is provided on the dynamics of ICS and RMS maturity levels for 2021 compared to the previous year.


Improvement of ICS and RMS in 2021

In order to develop and improve ICS and RMS, the Board of DirectorsMinutes No. 433/2021 dated 24 May 2021. approved the Plan for maintaining the efficiency and development of ICS and RMS of Rosseti Kuban PJSC, aimed at achieving a “high” maturity level of ICS and “optimal” maturity level of RMS. The plan for 2021 had 14 activities to be implemented. All activities have been completed on time, in addition, one activity planned for 2022 has been completed ahead of schedule.

In the reporting year, the Company implemented the following key actions aimed at the improvement of the ICS and RMS:

  • Ongoing control of high-risk business processes within the activities of the collegial bodies (on settlement of receivables, consolidation of energy supply facilities, identification of non-core assets, introduction of automated information systems)
  • Technical specifications for the implementation and improvement of the Company’s automated information systems with regard to the automation of control procedures were agreed upon
  • Local regulations defining control procedures, including those intended for control efficiency and sufficiency were approved;
  • Control measures were taken to assess the adequacy, effectiveness and efficiency of the ICS and RMS
  • ICS, RMS and management system were integrated within the framework of development and approval of the process regulations containing information on description, indicators of progress, risks and control procedures of the process as a single document
  • The methodological basis of ICS and RMS was updated. In particular, new revisions of the Internal Control Policy Implementation Procedure, Regulations On Specialised Internal Control Bodies, and methodologies for self-assessment (by process owners) of the effectiveness of the internal control system of the processes supervised were approved. The Risk Management Policy was also updated; a unified methodology for determining risk appetite in accordance with Rosseti Group standards was introduced; the format of the annual report on the organisation, functioning and efficiency of ICS and RMS to be submitted to the Board of Directors was approved. In addition, a uniform procedure for planning, organising and carrying out verification activities in the Company was developed.
ICS and RMS improvement plans for 2022

In accordance with the Plan for maintaining the efficiency and development of ICS and RMS of PJSC Rosseti Kuban, the main ICS and RMS objectives for 2022 are as follows:

  • Linking strategic objectives to the risk register
  • Applying a mechanism for considering and analysing risk scenario conditions and their possible consequences when setting business goals, developing strategic initiatives, and planning and implementing the Investment Programme
  • Updating the methodology for identifying, assessing, passporting and managing risks and carrying out a self-assessment of the effectiveness of the RMS
  • Implementing/updating and evaluating the effectiveness of existing control procedures, including self-assessment by process owners
  • Carrying out control activities and implementing procedures for ongoing monitoring of high-risk processes
  • Developing a mechanism for monitoring financial stability, supporting the procedures for liquidation and bankruptcy of counterparties

Key Risks

The risk management system of the Company involves regular identification, assessment and monitoring of risks, as well as measures to reduce the probability and potential consequences of risk realisation, with informing shareholders and other stakeholders thereof.

According to the Company’s Risk Management Regulation, the Management Board established and approved the Company’s 2021 Risk RegisterMinutes No. 31/2020 dated 26 November 2020. of 19 functional risks, i.e., aggregated risks of business processes that have a significant impact on the Company’s activities, including key performance indicators of the Company’s sole executive body, and respectively on achieving goals in the management of the power grid complex and meeting the strategic objectives of Rosseti Group.

To determine the risk impact on the Company's operations, the level of risk materiality is defined. Risks are ranked according to three levels of materiality: moderate, significant, and critical.

Based on the quarterly risk reassessment conducted during 2021, nine risks were rated as “critical” and “significant” at year-end.

Materiality of critical and significant functional risks of the Company
Sl.No.
Risk ID
Risk
Risk materiality
as at 31 December 2020
as at 31 December 2021
1
FR01-01
Reducing the scope of electricity transmission services to consumers connected to regional distribution grids
Significant
Moderate
2
FR01-05
Increased costs for transmission services of other grid organisations
Moderate
Significant
3
FR01-14
Court ruling (dispute resolution) to recover debts for electricity transmission services against the Company
Significant
Significant
4
FR02-01
Increased funding for the investment programme as a whole and/or for individual titles (in relation to the limits established)
Moderate
Significant
5
FR03-01
Failure of counterparties to pay for electricity transmission services within the timeframe and/or in an incomplete amount set out in the agreement/contract
Significant
Moderate
6
FR04-02
Increase in interest rates on loans and borrows
Significant
Significant
7
FR09-01
Occupational accidents in the Company
Critical
Critical
8
FR12-04
Involvement of the Company/the Company's employees in corrupt practices
Significant
Critical
9
FR13-03
Disruption and/or interruption of the information infrastructure and telecommunication systems of power grid facilities
Significant
Significant
10
FR13-05
Undue influence on power grid facilities and their information and telecommunication systems (of a terrorist, subversive, criminal or other nature), including through the use of information technologies
Significant
Significant
11
FR13-07
Deliberate illegal acts by both legal entities and individuals and Company’s employees, causing economic damage and damage to business reputation
Significant
Significant

For all functional risks, the Company develops measures aimed at reducing and minimising the consequences of the realisation of risks, and approves the Company's Risk Management Action Plan.

Management of “significant” and “critical” risks in 2021
Name, designation and level of risk materiality
Impact on performance indicators
Risk materiality
Risk management activities
Increased costs for transmission services of other grid organisations (FR01-05)
Achievement of consolidated profit from operations (EBITDA)
Significant
  • Submission of supporting material to the regulatory authorities (STRD-KT) confirming the level of economically justified costs.
  • Working with the regional regulator (STRD-KT) to advocate the need for Rosseti Kuban to outpace the growth of expenses as a backbone company holding the “common pot” of the Krasnodar Territory and the Republic of Adygea
Court ruling (dispute resolution) to recover debts for electricity transmission services against the Company (FR01-14)
Achievement of consolidated profit from operations (EBITDA)
Significant
  • Submission of documents for the claim procedures.
  • Preparation of documents confirming the actual performance of the Company's obligations, by the responsible unit
Increased funding for the investment programme as a whole and/or for individual titles (in relation to the limits established) (FR02-01)
Achievement of the consolidated net debt/ EBITDA indicators
Significant
  • Monitoring of non-exceeding the approved amount of funding for the Investment Programme.
  • Monitoring of the implementation of investment projects in terms of cost and time-frames.
  • Application of the methodology for planning the cost of investment projects in compiling the Company's Investment Programme (during planning, tendering and implementation of the Investment Programme)
Increase in interest rates on loans and borrows (FR04-02)
Ensurance of dividend flow
Significant
  • Negotiations with creditor banks, sending letters about considering the possibility of reducing interest rates on loans
Occupational accidents in the Company (FR09-01)
No increase in the number of employees injured in accidents
Critical
  • Delivery on the comprehensive programme for mitigating injury risk aimed at the safe performance of works at electrical facilities.
  • Control of the performance of regulatory and administrative documents, health, and labour safety programmes.
  • Timely and high-quality work with the staff.
  • Preliminary and periodic medical examinations of employees.
  • Video recording of works at electrical facilities
Involvement of the Company/the Company's employees in corrupt practices (FR12-04)
Legal compliance, including anti-corruption and anti-trust laws
Critical
Implementation of the Anti-Corruption Plan in PJSC Rosseti Kuban for 2021, including:
  • Conduct of supervisory checks on employees' compliance with the principles of the Company's Anti-Corruption Policy
  • Conduct of internal audits and investigations into violations of the Company's Anti-Corruption Policy
  • Identification and clearing of conflict of interests; Review and verification of reports of corruption and other abuses
  • Education and laying foundations of lawful behaviours, consulting and training for employees
Disruption and/or interruption of the information infrastructure and telecommunication systems of power grid facilities (FR13-03)
Ensuring comprehensive security of the Company's operations
Significant
  • Introducing the information protection tools at information infrastructure facilities pursuant to the relevant statements of work.
  • Monitoring the actions of the Company’s employees via information security systems.
  • Monitoring and analysis of external information security events
Undue influence on power grid facilities and their information and telecommunication systems (of a terrorist, subversive, criminal or other nature), including through the use of information technologies (FR13-05)
Ensuring comprehensive security of the Company's operation
Significant
  • Installation of technical security equipment, video surveillance systems, access control system, and security alarm system.
  • Ensuring the physical security of the most critical fuel and energy facilities of the Company.
  • Introducing the information protection tools at information infrastructure facilities pursuant to the relevant statements of work.
  • Monitoring the actions of the Company’s employees via information security systems.
  • Monitoring and analysis of external information security events
Deliberate illegal acts by both legal entities and individuals and Company’s employees, causing economic damage and damage to business reputation (FR13-07)
Ensuring comprehensive security of the Company's operations
Significant
Implementing the action plan of the Department of Security of Rosseti Kuban for 2021, including:
  • Strengthening the protection of the Company’s facilities and property
  • Conducting control measures and official inspections to identify the signs of illegal actions on the part of legal entities and individuals, as well as employees of the Company
  • Sending applicant materials to law enforcement agencies, organising interaction with law enforcement agencies
KEY RISK ASSESSMENT MAP OF THE COMPANY AS AT 31 DECEMBER 2021

The dynamic profile of the risk assessment in 2021 is shown in the charts.

INITIAL ESTIMATE FOR 2021
FINAL ASSESSMENT BASED ON Q4 2021 RESULTS