Risk management and internal control system

Goals and objectives

The main purpose of RMICS is to provide reasonable assurance that Russian Railways will achieve its goals and to protect the value and assets of the Company.

The RMICS serves to:
  • integrate risk management and internal control processes and procedures into the strategic and operational dimensions of the Company;
  • put in place the necessary infrastructure, and policies and guidelines;
  • reduce the number of contingencies that could undermine the Company’s ability to achieve its goals;
  • proactively respond to possible threats to the Company’s operations, failure to achieve the Company’s goals, or adverse changes in the external and internal environment;
  • raise risk awareness of the Company’s Board of Directors and management at all levels.
Process and stages of risk management

Part of the corporate governance system, risk management is a continuous and interactive process implemented across all management levels (organisational hierarchy) and encompassing all types of the Company’s operations, which is embedded into its mission, strategies, business processes and management decisions and aimed at providing a reasonable level of assurance about achieving the targets.

Risk appetite

Risk appetite is set by the Company’s Board of Directors. It is defined as an acceptable level of risks and is used for making decisions on mitigation methods and measures.

Risk appetite is shaped by the Company’s goals, targets, target benchmarks, the requirements and resolutions of the General Meeting of Shareholders and the Board of Directors, as well as the Company’s key performance indicators and risk portfolio.

The procedure for setting, approving and revising the risk appetite is guided by the Company’s by-laws.

RMICS assessment

Russian Railways conducts internal and external assessments of RMICS.

The internal assessment is carried out at least once a year by Zheldoraudit Internal Audit Centre.

In 2018, the internal assessment focused on compliance with the established requirements and involved a selective assessment of the efficiency of specific risk management initiatives and control procedures.

The current status and improvement of the RMICS were considered at the meeting of the Management Board of Russian Railways, with the results reported to the Board of Directors’ Audit and Risk Committee. According to the audit report, in 2018 Russian Railways took a number of measures to organise and ensure the efficient functioning of RMICS resulting in its ability to meet higher requirements and demonstrate a positive development trend.

The external assessment is carried out by an independent expert. Its frequency is set by the Russian Railways’ Board of Directors as recommended by its Audit and Risk Committee.

Improvement of the risk management system in 2018

In 2018, efforts were made to improve the existing risk management and internal control system (by creating an integrated RMICS). This was partly driven by the release of updated COSO Enterprise Risk Management – Integrating with Strategy and Performance and a new version of ISO 31000.

In the reporting period, the following initiatives were launched to enhance the risk management system:
  • analysis of the peers’ best practices in risk management and internal control;
  • continued improvement of the RMICS policies and guidelines;
  • seminars for the employees of the divisions in charge of the RMICS;
  • development of the target model of the integrated RMICS until 2021.

As part of the target model integration, an independent consultant was engaged to benchmark the implemented initiatives against the best risk management practices.

In 2019, the Company plans to continue RMICS development by further updating the applicable policies and guidelines, developing and running training programmes, improving approaches to risk assessment with an emphasis on their modelling, as well as conducting a comprehensive risk analysis and using its results in decision-making processes and further integration of the RMICS into the process-based management model. A special focus will be given to the uniformity and consistency of processes applied across Group to be ensured by RMICS improvement in the Russian Railways’ subsidiaries and affiliates. The Company also plans to consider options available for RMICS automation and creation of a single information platform.