Risk management


Risk management

Effective risk management is a consistent ongoing process that spans all organisational layers and is integrated with the business and decision-making processes to make Company’s targets more achievable.

The coordination, implementation and improvement of the risk management and internal control system (the “RMICS”) are led by the Risk Management and Internal Control Centre (the “Centre”).

The Centre focuses on:

  • coordinating the RMICS creation process;
  • monitoring the risk management and internal control processes to achieve Russian Railways’ objectives and mitigate risks to an acceptable level;
  • stating requirements for the RMICS and the risk management and internal control procedures and processes.

To this end, the Centre:

  • drafts corporate regulatory and methodological documents regarding risk management;
  • provides methodological support to the Company’s units in connection with creating a risk register and offers risk management advice;
  • provides RMICS training for employees;
  • creates a consolidated risk register of the Company and consolidated periodic reporting;
  • monitors the risk management process in Russian Railways’ units;
  • notifies governance bodies of the effectiveness of risk management processes.

RMICS guidelines are adopted by the Company in line with Russian laws and regulationsAlso in accordance with clause 1 of the List of the Russian President’s Instructions No. PR-3013 dated 27 December 2014., as well as international and Russian best practices of corporate governance, risk management and internal control, including those set forth in the following documents:

  • concept of the Committee of Sponsoring Organisations of the Treadway Commission (COSO): Enterprise Risk Management – Integrating with Strategy and Performance (COSO ERM, 2017);
  • concept of the Committee of Sponsoring Organisations of the Treadway Commission (COSO): Internal Control – Integrated Framework (COSO IC, 2013);
  • GOST R ISO 31 000:2010 Risk Management – Principles and GuidelinesApproved by Rosstandart’s Order No. 883-st dated 21 December 2010..
Risk management and internal control system
Risk management and internal control system

Goals and objectives

The main purpose of RMICS is to provide reasonable assurance that Russian Railways will achieve its goals.

The RMICS serves to:

  • integrate risk management and internal control processes and procedures into the strategic and operational dimensions of the Company;
  • put in place the necessary infrastructure, and policies and guidelines;
  • reduce the number of contingencies that could undermine the Company’s ability to achieve its goals;
  • raise risk awareness of RMICS participants and other stakeholders.

RMICS assessment

For a systematic and consistent approach to the integrated RMICS development, the Russian Railways Group has been implementing its Risk Management and Internal Control Development Programme for 2019–2024, which involves shaping the risk management infrastructure, continued monitoring and notification of governance bodies, conducting self-assessment, cascading the applied methodology, and building/developing RMICS in controlled entities.

RMICS must be subject to regular assessment for higher effectiveness and timely adjustment. The Company uses both internal (including assessment by the internal audit function) and external assessment.

The internal assessment is carried out from time to time at least once a year. The external assessment is carried out by an independent expert. Its frequency is set by the Russian Railways’ Board of Directors as recommended by its Audit and Risk Committee.

Improvement of the risk management system in 2019

In 2019, efforts were made to improve and develop the integrated risk management model. The RMICS in general was raised to a higher standard.

2019 key achievements:

  • the Group developed and adopted its Risk Management and Internal Control Development Programme for 2019–2024, Risk Management and Internal Control Policy, Liaison Protocol for Risk Management and Reporting Processes, Risk Management and Internal Control Guidelines;
  • Risk Appetite Guidelines submitted to Russian Railways’ Board of Directors;
  • information on risks regularly submitted to the Company’s governance bodies (from the Management Board to the Board of Directors);
  • information on risks reflected in the system of monitoring and control over Russian Railways’ operations, including information on the number of such risks and their description, risk breakdown by operations, risk materialisation events, and risk mitigants.

For a more effective risk management and internal control process, since 2018 Russian Railways has been conducting regular workshops and training sessions in RMICS for managers of different levels (from the Management Board members to specialists across the network). In 2019, a corporate training programme was developed for Russian Railways’ Corporate University to provide unified and scaled-up training based on the specific nature of the risk management process.

Risk management process

Part of the corporate governance system, risk management is a continuous and interactive process implemented across all management levels (organisational hierarchy).

Risk appetite

Russian Railways sets its risk appetite, which then shapes the decision-making on risk mitigants and controls and serves to maintain a balance between risks and opportunities. Risk appetite is determined by the Company’s Board of Directors and represents the maximum acceptable level of risk that the Company is ready to assume and stay within the bounds of when pursuing its objectives (including those defined in the Long-Term Development Programme)

Risk appetite is shaped by the Company’s goals, targets, target benchmarks, the requirements and resolutions of the General Meeting of Shareholders and the Board of Directors, as well as the Company’s key performance indicators and risk portfolio.

The procedure for setting, approving and revising the risk appetite is guided by the Company’s by-laws.

Risk management process