Internal Control and Risk Management System

How the Internal Control and Risk Management System operates

The Internal Control System (ICS) and Risk Management System (RMS) of Rosseti Kuban are integrated into the company-wide management system and provide reasonable assurance of the achievement of objectives in the following focus areas:

  • Operational efficiency and strong performance of the Company, including the achievement of financial and operating results and protection of the Company’s assets
  • Compliance with the applicable laws of the Russian Federation and by-laws of the Company, in particular during commercial activities and maintenance of accounting records
  • Reliability and timeliness of financial statements and other reporting records
  • Sustainable continuous operation and development of the Company through timely identification, assessment and management of risks that jeopardise the Company’s effective performance and reputation, the health of its employees, the environment, or property interests of shareholders and investors

To facilitate the ICS and RMS, the Company put the following fundamental regulatory documents in place:

  • Internal Control Policy of the Company (Minutes No. 233/2016 of the Board of Directors dated 18 March 2016). The Company’s Internal Control Policy discloses the main requirements for the organisation and operation of the ICS established by the Board of Directors of the Company
  • Procedure for implementing the requirements of the Internal Control Policy of the Company (approved by Order No. 369-od dated 30 June 2021). The components and principles of the ICS set forth in the Internal Control Policy are elaborated, detailed and disclosed in the Internal Control Policy Implementation Procedure
  • Risk Management Policy (Minutes of the Board of Directors of the Company No. 420/2021 dated 24 February 2021). The Policy is a by-law, which determines the Company’s risk attitude, establishes the general principles, objectives and tasks of the RMS, RMS organisation approaches, the allocation of responsibility between RMS participants and the nature of their cooperation, and risk management steps

In addition, the Company has the following risk management regulations in place:

  • Risk management regulations
  • Risk tree model
  • RMS maturity model
  • List of basic risk management measures
  • Risk appetite determination procedure

In accordance with the Risk Management Policy, the risk appetite was approved by decision of the Board of Directors of the Company (Minutes No. 480/2022 dated 15 June 2022).

Operating within the specified risk appetite gives Rosseti Kuban a higher degree of confidence that its stated goals will be accomplished.

The following risk appetite targets were established:

Ensuring reliable and quality power supply

Developing and improving accessibility of power grid infrastructure

Maintaining a sound financial position

Ensuring the observance of shareholders’ rights

Seeking to ensure technological and innovative development through the introduction of scientific research and technology

Ensuring the implementation of occupational safety policy obligations and the principles of the zero-accident concept

Reducing electricity losses during transmission and distribution

Reducing (minimising) the negative impact on the environment

Promoting zero tolerance of violations of the requirements established by the legislation of the Russian Federation

Ensuring the development of the electric grid sector’s human resources potential and maintaining a consistently high level of availability of production personnel

Key participants in the ICS & RMS process

The internal control and risk management framework covers all areas of activity and all levels of corporate governance: the Board of Directors, the authorised committee of the Board of Directors, the Company’s Auditing Commission, the Company’s executive bodies, managers and employees at all management levels of the Company, the Internal Control and Risk Management Directorate and the Internal Audit Directorate.

Interaction between the ICS & RMS participants

According to the Three-Line Defence model, the control procedures are continuously executed in all Company processes (areas of activity) at all management levels:

  • Level of governing bodies (sole and collective executive bodies), the Company’s units and divisions performing control procedures as part of their functions and professional duties – the first line of defence
  • Level of the Company’s control divisions – the second line of defence
  • Level of the Internal Audit Department – the third line of defence

The Company’s organisational structure was approved by decision of the Board of Directors (Minutes No. 241/2016 dated 31 May 2016). As a result, the Internal Control and Risk Management Department was established as an independent unit responsible for the implementation, development and improvement of the Company’s unified framework for building internal control and risk management systems, as well as for methodological and organisational support for the implementation of preventive and current control in the Company.

The main functions of the Internal Control and Risk Management Directorate are as follows:

  • Assistance to the Company’s management in building and maintaining internal control and risk management systems through the development, implementation and adaptation of key methodological documents for the creation and improvement of ICS and RMS
  • Analysis of the risk portfolio and reporting on the risk realisation in the Company, development of proposals for response and reallocation of resources in relation to risk management, operational control of the risk management process by business units of the Company, overall coordination of risk management processes
  • Organisation of control measures in the Company to minimise risks in the functioning of internal control and risk management systems (including current control measures in processes), accounting and monitoring of inspections carried out by external control (supervision) bodies, the Auditing Commission and internal audit
  • Preparation and presentation of information to stakeholders on the status and effectiveness of internal control and risk management processes

The functions of the ICS and RMS participants can be found in Appendices No. 7 and 8 to the Annual Report, and they are described and formalised in the following documents:

Control procedures for processes and sub-processes of the main and supporting activities, as well as governance processes of the Company, are recorded in control and risk matrices.

Performance Assessment and Improvement of ICS and RMS

In order to ensure that the ICS and RMS are effective and compliant with objectively changing requirements and conditions, the Company carries out the following assessments on an annual basis:

  • Self-assessment of ICS effectiveness (carried out by the Company’s management)
  • Self-assessment of RMS effectiveness (carried out by the Internal Control and Risk Management Directorate)
  • Internal independent assessment of reliability and effectiveness of the ICS and RMS (carried out by internal audit)

Self-assessment of the effectiveness of the control procedures and ICS processes as at the end of 2022 was carried out by process owners by filling in checklists, with methodological support from the Internal Control and Risk Management Directorate. For all processes, the ICS is assessed by process owners as effective; for most processes, the ICS is “fully compliant” with the ICS criteria set out in the Methodology for Self-assessment of the Effectiveness of Control Procedures and ICS Processes (areas of activities).

A self-assessment of the effectiveness of the RMS as at the end of 2022 was carried out by the Internal Control and Risk Management Directorate by assessing whether the current level of RMS maturity meets the established criteria of the Company’s RMS Maturity Model. According to the greatest number of characteristics, the maturity model of the Company’s RMS meets the Optimal (developed) and High (integrated) criteria.

The results of the effectiveness assessment of the Company’s ICS and RMS for 2022 and recommendations for their improvement are reflected in the internal auditor’s reports and considered at the meeting of the Company’s Board of Directors (Minutes No. 517/2023 dated 21 April 2023).

By the above decision of the Company’s Board of Directors, the maturity level of the ICS for 2022 is assessed as being between the Optimal (Level 5) and High (Level 6) levels – 5.3 points, which corresponds to the 2021 year-end assessment results. The maturity level of the RMS in 2022 is assessed as being at an intermediate level between Moderate (Level 4) and Optimal (Level 5) – 4.7 points, up 0.1 point from the 2021 assessment.

ICS and RMS activities implemented in 2022

By decision of the Board of Directors (Minutes No. 433/2021 dated 24 May 2021), the Plan for Maintaining the Effectiveness and Development of ICS and RMS at Rosseti Kuban, PJSC was approved for the purpose of development and improvement of ICS and RMS.

In the reporting year, the Company implemented the following key activities aimed at the improvement of the ICS and RMS:

  • Approval of the risk appetite for 2022 (Minutes of the Board of Directors of the Company No. 480/2022 dated 15 June 2022)
  • Ongoing control of high-risk business processes within the activities of the collegial bodies (on settlement of receivables, consolidation of energy supply facilities, identification of non-core assets, introduction of automated information systems)
  • Approval of local regulations governing control procedures, including those intended for availability, efficiency and sufficiency of controls
  • Conduct of control measures to assess the adequacy, effectiveness and efficiency of the ICS and RMS
  • Monthly monitoring of financial stability, supervision of counterparty liquidation and bankruptcy proceedings
  • Update of process regulations with regard to risk matrices and process control procedures
  • Update of the methodological framework of the ICS and RMS (approval of the Risk Appetite Determination Procedure), the risk tree, the regulations on accounting for inspections carried out by external control (oversight) bodies, and methodological recommendations on organising and conducting an anonymous questionnaire survey of employees
  • Participation in training events for Rosseti Group employees on the organisation and operation of the risk management and internal control system: Knowledge Days (four training events), conferences on topical issues and the development strategy of the risk management and internal control system
  • Training of four employees of the Internal Control and Risk Management Department, who successfully passed Internal Controller re-qualification examinations

ICS and RMS improvement activities planned for 2023

The main ICS and RMS objectives for 2023 are as follows:

  • Improving approaches to integrating risk management into key business processes
  • Updating the regulating and methodological documents relating to ICS and RMS
  • Implementing/updating and evaluating the effectiveness of existing control procedures, including self-assessment by process owners
  • Promoting a culture of risk awareness, training on the organisation and operation of the ICS and RMS

Key Risks

The risk management system of the Company involves regular identification, assessment and monitoring of risks, as well as measures to reduce the probability and potential consequences of risk realisation, and informing shareholders and other stakeholders thereof.

According to the Company’s Risk Management Regulation, the Management Board established and approved the Company’s 2022 Risk Register (Minutes No. 33/2021 dated 19 November 2021) containing 19 functional risks, i.e., aggregated risks of business processes that have a significant impact on the Company’s activities, including key performance indicators of the Company’s sole executive body, and respectively on the achievement of goals in the management of the power grid complex and the accommodation of strategic objectives of Rosseti Group.

Every quarter in 2022, the Company’s Management Board reviewed risk owner reports on the management of functional and business process risks. While preparing reports, the risk owners updated the risk register, reviewed an action plan progress report and a report on the implementation of compensating measures, and generated a risk map based on the updated Risk Register.

The degree of risk materiality is established to determine the impact of risk on the Company’s operations. Risks are ranked according to three levels of materiality: moderate, significant and critical.

Based on the quarterly risk reassessment conducted during 2022, ten risks were rated as critical and significant as at year-end.

For all functional risks, the Company develops measures to reduce and minimise the consequences of risk realisation, and approves the Company’s Risk Management Action Plan.

Information about the Company’s risk management with the significant and critical materiality level in 2022

Higher inflation (FR01-06)
  Impact on performance indicators: Achievement of consolidated profit from operations (EBITDA)
  Risk materiality as at 31.12.2021: Moderate
  Risk materiality as at 31.12.2022: Significant
  Risk management:
  • The objectives of risk management measures included cost optimisation through rational resource usage, effective management of material resources, and the application of procurement guidelines to encourage the use of Russian-made items that are less prone to inflationary processes

Bankruptcy and liquidation of counterparties (FR01-13)
  Impact on performance indicators: Achievement of consolidated profit from operations (EBITDA)
  Risk materiality as at 31.12.2021: Included in the risk register in 2022
  Risk materiality as at 31.12.2022: Significant
  Risk management:
  • Timely submission of applications to the court for inclusion of the Company’s claims in the register of creditors
  • Preparation of documents by the responsible business units (financial responsibility centre (FRC), initiator of litigation) confirming the actual discharge of obligations, services and costs incurred by the Company, including substantiating materials, inconsistencies between business units, etc.

Performance of judicial acts (settlement of disputes) on collection of debts for electricity transmission services against the Company (FR01-14)
  Impact on performance indicators: Achievement of consolidated net debt/EBITDA indicators
  Risk materiality as at 31.12.2021: Significant
  Risk materiality as at 31.12.2022: Significant
  Risk management:
  • Submission of FRC documents to the legal department for enforcement work
  • Preparation of documents by the responsible business units (FRC, initiator of litigation) confirming the actual discharge of obligations, services and costs incurred by the Company, including substantiating materials, inconsistencies between business units, etc.

Increased funding for the investment programme as a whole and/or for individual titles (in relation to the limits established) (FR02-01)
  Impact on performance indicators: Achievement of consolidated net debt/EBITDA indicators
  Risk materiality as at 31.12.2021: Significant
  Risk materiality as at 31.12.2022: Significant
  Risk management:
  • Oversight that the actual unit cost of construction (renovation) of facilities is not exceeded, based on the results of the work for the year
  • Monitoring of the implementation of investment projects in terms of cost and deadlines
  • Application of the methodology for planning the cost of investment projects in the process of preparation of the Company’s investment programme (during planning, bidding and at the implementation stage of the investment programme)

Increase in interest rates on loans and borrowings (FR04-02)
  Impact on performance indicators: Ensuring dividend flow
  Risk materiality as at 31.12.2021: Significant
  Risk materiality as at 31.12.2022: Significant
  Risk management:
  • Negotiations with creditor banks, sending letters about considering the possibility of reducing interest rates on loans
  • Procurement procedures to select financial institutions in order to reduce the cost of borrowing during the competition of participating banks
  • Maintenance of debt and liquidity ratios

Work-related incidents in the Company (FR09-01)
  Impact on performance indicators: No increase in the number of workers injured in accidents
  Risk materiality as at 31.12.2021: Critical
  Risk materiality as at 31.12.2022: Critical
  Risk management:
  • Ensuring safe working conditions
  • Monitoring of the implementation of local regulations, programmes containing health and safety requirements
  • Timely and high-quality work with the staff
  • Preliminary and periodic medical examinations of employees
  • Effective functioning of the occupational health and safety management system
  • Video recording of work conducted in electrical installations
  • Elimination of causes of accidents
  • Motivation of employees to comply with health and safety requirements
  • Training in first aid techniques
  • Education of the general population on the risks associated with accessing and being near electrical facilities
  • Psycho-physiological support for reliability

Involvement of the Company / the Company’s employees in corrupt practices (FR12-04)
  Impact on performance indicators: Legal compliance, including anti-corruption and anti-trust laws
  Risk materiality as at 31.12.2021: Critical
  Risk materiality as at 31.12.2022: Critical
  Risk management:
  • Implementation of the Anti-Corruption Plan in Rosseti Kuban in 2022, including:
    • Conduct of supervisory checks on employees’ compliance with the principles of the Company’s Anti-Corruption Policy
    • Conduct of internal audits and investigations into violations of the Company’s Anti-Corruption Policy
    • Identification and clearing of conflict of interests
    • Review and verification of reports of corruption and sundry abuses
    • Training, counselling and education to help employees become law-abiding citizens

Disruption and/or interruption of the information infrastructure and telecommunication systems of power grid facilities (FR13-03)
  Impact on performance indicators: Comprehensive security of the Company’s operations
  Risk materiality as at 31.12.2021: Significant
  Risk materiality as at 31.12.2022: Significant
  Risk management:
  • Inclusion of information security requirements in technical specifications for the creation of information infrastructure facilities and telecommunications systems of power grid facilities
  • Introduction of the information protection tools at information infrastructure facilities pursuant to the relevant work statements
  • Monitoring of the actions of the Company’s employees through information security systems
  • Monitoring and analysis of external information security events
  • Use of certified information security means
  • Update of the information security regulations and use of information security means in accordance with the current requirements of Federal legislation

Undue influence (of a terrorist, subversive, criminal or other nature) on power grid facilities and their information and telecommunication systems, including through the use of information technologies (FR13-05)
  Impact on performance indicators: Comprehensive security of the Company’s operations
  Risk materiality as at 31.12.2021: Significant
  Risk materiality as at 31.12.2022: Significant
  Risk management:
  • Installation of technical security equipment, video surveillance systems, access control system and security alarm system
  • Refurbishment of security engineering equipment at fuel and energy facilities
  • Physical security of the most critical fuel and energy facilities of the Company
  • Inclusion of information security requirements in technical specifications for the creation of information infrastructure facilities and telecommunications systems of power grid facilities
  • Introduction of the information protection tools at information infrastructure facilities pursuant to the relevant work statements

Deliberate illegal acts by both legal entities and individuals and Company’s employees, causing economic damage and harm to business reputation (FR13-07)
  Impact on performance indicators: Comprehensive security of the Company’s operations
  Risk materiality as at 31.12.2021: Significant
  Risk materiality as at 31.12.2022: Significant
  Risk management:
  • Checks of financial and economic activities
  • Detection of economic misconduct by employees and third-party entities or individuals
  • Submission and follow-up of the application materials to law enforcement agencies

Key risk assessment map of the Company as at 31 December 2022

The dynamic risk assessment profile in 2022 is shown in the following charts.

[Charts: “Initial estimate for 2022” and “Final assessment on 2022 year-end result”]

Sustainability risk information

The focus of the Company’s management is on health and safety, employee development, mitigating negative environmental consequences, and other ESG concerns, which are continuously monitored by dedicated divisions. The Company’s overall risk management framework includes sustainability risk management. Risk assessment and management take a variety of factors into account, including ESG, which helps the business comply with its sustainability standards. The reliability and continuity of the power supply, higher customer satisfaction and service quality and wider range of customer communication channels all received significant attention in risk management in 2022.

Information on information security risks and cyber threats

Due to a rise in cyberthreats, the Company identified the following information security risks:

  • Risk of disruption and/or interruption of the information infrastructure and telecommunication systems of power grid facilities
  • Risk of undue influence on power grid facilities and their information and telecommunication systems (of a terrorist, subversive, criminal or other nature), including through the use of information technologies
  • Risk associated with the realisation of information threats, including those arising from deficiencies (vulnerabilities) in the information technology used

In order to exclude (minimise) the realisation of the above risks, the Company is working on:

  • Installation of security equipment, video surveillance systems, access control system and security alarm system on power grid facilities
  • Renovation of security equipment at the fuel and energy facilities as set forth in the Company’s investment programme
  • Physical security of the most critical fuel and energy facilities of the Company
  • Inclusion of information security requirements in technical specifications for the creation of information infrastructure facilities and telecommunications systems of power grid facilities
  • Introduction of the information protection tools at information infrastructure facilities pursuant to the relevant work statements
  • Monitoring of the actions of the Company’s employees through information security systems. In addition to using certified information security solutions, external information security events are monitored and investigated

Considering the Company’s zero accident tolerance, the risk of work-related injuries was evaluated as critical in 2022. There were three work-related accidents, one of which was fatal.

Risk number: FR09-01
  Risk: Work-related injuries in the Company
  Actual occurrence of the risk with an indication of the consequences: One fatality, two minor injuries
  Measures to minimise the risk impact:
  • Implementation of a comprehensive programme to reduce the risks of injuries to workers
  • Implementation of a targeted programme for the phase-out of injury-prone equipment
  • Employee training and development, including planned/unplanned health and safety training (briefings)
  • Introduction and use of technology to ensure safe working practices and safe working conditions
  • Examination of the causes and circumstances of accidents, with follow-up of measures stated in the accident investigation reports
  • Video recording of the preparation and execution of work at facilities