Risk management system 102-11
of ZARUBEZHNEFT GROUP
The Risk Management System (RMS) of ZARUBEZHNEFT GROUP consists of a set of processes, policies, and procedures that are integrated into the Company’s business processes, and provides a structured approach to assessing opportunities and risks for better management decision-making.
Key internal regulatory documentation regulating the activities of the RMS:
ZARUBEZHNEFT GROUP is committed to effectively managing risks and ensuring the Company’s sustainable development, maximizing its shareholder value, and working to enhance competitiveness while preserving the government’s interests.
Goals and objectives
Key risk management objectives:
- Improve the effectiveness of management decisions by analyzing their inherent risks
- Maximize the effectiveness of risk management measures when implementing the decisions that have been adopted
Key risk management tasks:
- Conducting a cross-functional review of risk information between the Group’s structural units and the joint development of risk management measures
- Using a systematic approach to identify, analyze, and assess risks that are inherent in the Group’s activities
- Establishing a risk management culture at the Group to reach a common understanding among management and employees on the basic principles and approaches to risk management
- Providing information to support decision-making at all governance levels of the Group
Responsibility for risk management and reporting is determined in conformity with the line and staff management system: an owner is assigned for each risk and is responsible for its management.
Strategic goals and development priorities
In each Upstream, as well as in all key business processes, risk coordinators are identified among managers who disseminate and promote the introduction of corporate risk management principles. The timeframe and objectives of risk analysis take into account the specifics and requirements of each business process in which risk management is carried out. The Department of Financial and Economic Controlling is responsible for methodological support and developing and maintaining the risk management system.
Risks at the Group level
Most significant upstream risks
Business development unit risks
|Coordinators:||Deputy General Director for Economics and Finance, Deputy General Director for Organizational Development and Corporate Communications||Deputy General Director coordinating the Upstream (Upstream, Oil Refining and Sales, Services)||Deputy General Director for Business Development|
|Identification method|| |
top-down, the management strategy is determined by the Corporate Сenter
bottom-up as part of business planning (risks are consolidated by assets)
top-down and bottom-up
|Risks of current assets||Risks of oil and gas exploration projects|
The approach makes it possible to:
- Determine areas of responsibility for risk management
- Monitor risks at all governance levels of the Company
- Ensure the development of targeted plans in response to significant risks both at each subsidiary and within ZARUBEZHNEFT GROUP as a whole
Development of the risk management system
Improvements to risk management system at Zarubezhneft are made as required by law, international standards, and in line with the best practices for risk management:
- The Company’s risk management system is continuously developing and improving
- The Group’s key risks are processed on a systematic basis, relevant acceptable risk levels are determined, and a quantitative assessment is conducted of the impact on the Company’s key performance indicators
- The indicators are monitored on a quarterly basis by the Risk Committee chaired by the Company’s General Director
MATURITY MODEL OF THE RISK MANAGEMENT SYSTEM (RMS)
Risk management training
The Group attaches great importance to risk management training. In 2020, an online risk management course was developed in an effort to enhance employees’ risk management skills. The course aims to develop risk-based thinking skills, which helps to identify, prioritize, and assess the impact of risks on the Company’s key goals or decisions and is recommended so that employees can study the basic theory and understand the importance of risk management in their professional activities
Assessment of the effectiveness of the risk management system
Based on the directives of the Federal Agency for State Property Management and the Company's policy, independent consultants from RiskTeKonsult conducted a comprehensive assessment of the maturity level of the risk management system of Zarubezhneft in 2020. Assessment criteria used in 2017 were retained to compare the results of the external assessment of the risk management system in 2017 and in 2020.
Following the assessments by the consultants, Zarubezhneft significantly improved its results as compared with 2017 mainly due to the integration of risk management processes into key management processes, such as business planning and investment project management. Tools for the acceptable risk level were introduced into the management practice. The Company’s managers recognize the value of the risk management process. Risk assessment skills at the Group has significantly increased, and the relevant training sessions and seminars are being held. The Company uses modern methods of quantitative risk assessment.
RMS Maturity Model. The RMS Maturity of Zarubezhneft is assessed as a ‘Measurable and manageable RMS’. Thus, the independent assessment conducted by RiskTeKonsult confirms the transition of the risk management system from level 3 ‘Developing RMS’ to level 4 ‘Measurable and manageable RMS with partial compliance with a higher level’. The overall score was 4.5.
In addition, the Zarubezhneft Internal Audit Department assessed the effectiveness of the Group’s risk management process. As part of the audit, the risk management system was given a positive assessment regarding its maturity and operational efficiency (the audit was carried out in line with the criteria set out in Letter No. 06-52/2463 of the Bank of Russia "On the Corporate Governance Code" dated April 10, 2014).
Acceptable risk level
Zarubezhneft defines its level of preferred risk as acceptable — the maximum permissible risk level which the Company and its subsidiaries are committed to or ready to maintain (according to the Risk Management Policy of ZARUBEZHNEFT GROUP approved by a resolution of the Zarubezhneft Board of Directors, Minutes No. 125 dated May 27, 2016).
Zarubezhneft establishes and formalizes an acceptable risk level and its accounting requirements with regard to financial and operational performance indicators.
Description of key risks inherent in the company’s activities and regulation measures
The key risks matrix of Zarubezhneft is compiled annually and reflects the results of risk assessment, including with a graphical display, a list of critical risks, and the disclosure of information about them. Key risks are ones that cause the threat of deviation from the Group’s objectives and require priority management and control to meet the acceptable level of risk.
|Industrial safety risks (including damage to the environment and human life and health)|
Industrial safety risks (including damage to the environment and human life and health)
Industrial safety risks are the most significant group due to legal requirements and the presence of a large number of hazardous production facilities.
Failure to fulfill the production volume (current assets) plan due to an unplanned decrease in core production, the low efficiency of geological and technological measures, or the cancellation/deferment of geological and technological measures
Failure to fulfill the planned volume of an increase in reserves from the GEA (geological exploration activities) of current assets due to the failure to confirm reserves or the cancellation/deferment of the exploration of GEA
|Risks (uncertainties) associated with the insufficiency of information about the geological structure of deposits, the volume of reserves, etc.|
|Risks of implementation of investment projects|
Decrease in the efficiency of oil and gas projects (new projects and GEA projects)
Cost overruns of building infrastructure in capital construction
Failure to fulfill the planned volume of production and increase reserves from joining new projects due to a lag in joining new projects and/or a decrease in their efficiency during the evaluation stages
|All risks involving the Company’s investment projects, including a lack of infrastructure that provides year-round activities, a lack of experience in implementing similar projects in similar conditions, the growing technological complexity of projects, a different vision of the project’s development strategy among participants, and so on.|
Financial and reputational losses due to the failure to comply with the terms of license obligations
|Risks of claims by the state regulatory authorities in connection with the violation of the terms of licensing agreements (hydrocarbons exploration and production licenses), up to the revocation of licenses.|
Failure to meet production targets due to constraints by the federal executive authorities, infrastructure constraints, and constraints due to force majeure
|Interruptions/disruptions in oil transportation due to infrastructure constraints.|
Decrease in the efficiency of oil sales due to the loss of markets, reduced margins, rising commercial costs, or a lack of sales opportunities in separate areas
|Change in macroeconomic parameters|
Negative change in macroeconomic parameters: oil price, RUB/USD exchange rate
|The probability of changes in the cross exchange rates of major currencies and their negative impact on financial reporting and/or cash flow indicators.|
|Corporate fraud and corruption|
Corporate fraud and corruption
|The involvement of the Company or its employees in corrupt activities, as well as the failure to comply with the laws of the Russian Federation and the countries where it operates entails the imposition of legal sanctions and/or other measures of influence by the state oversight institution, which could lead to significant financial losses and damage to the Company’s reputation.|
Constraints or a reduction in performance due to the impact of political risks and events
|Zarubezhneft operates in the Middle East, Asia-Pacific Region, Eastern Europe, and the Russian Federation.|
Financial and reputational damage due to the loss of confidential data (leakage) during the operation of IT services
The disruption of process stability and sustainability due to the shutdown/disruption of the information system, software, or IT equipment
The shutdown/disruption of production processes due to disruption of critical control systems
|Risks associated with the operation of IT systems (primarily production and calculation IT systems), projects for their development as well as the risk of the inability to purchase or use foreign software.|
|Risks associated with changes in tax legislation|
Financial losses due to tax surcharges for previous periods based on audit results
Decrease in performance efficiency due to changes in tax regulation in the Russian Federation or the countries of operation
Inaccuracy of accounting and tax reporting data
The tax system of the Russian Federation is constantly developing and improving. A possible increase in taxes paid by the Company in the course of its business activities may lead to an increase in expenses and a decrease in cash volume available to the Company to finance current activities, capital expenditures, and the fulfillment of obligations.
Virtually any company in Russia has the potential to incur losses because of claims from the tax authorities that may arise regarding past periods and current activities.
The Company’s relevant units develop risk management activities according to their functional areas, the specifics of each individual risk, its assessment, and the potential to reduce the possibility or consequences of risk materialization.
The risk management measures are included in key management documents — the Group’s Long-Term Development Strategy, risk management plans within the business plans of the Group’s companies, work plans of profile commissions and workgroups, and project datasheets. In addition, the Company drafts measures when conducting a detailed analysis of the Company’s key business processes and identifying all possible reasons (factors) for the materialization of risks and formalizes them in the form of control procedures that are integrated into the operational activities of units.
Risks that materialized in 2020
Production safety risk (life and health of people, ecology, and reputation)
Given the threat of the spread of the COVID-19 pandemic as well as the need to protect the life and health of employees, the Company took the following measures in 2020:
At the Baikal Risk Forum in 2020, the measures taken by the Company were recognized as the best practice in the industry.
Negative change in macro parameters (oil prices and exchange rate).
|Optimization measures, which ensured the payment of dividends and the implementation of the investment program, were developed and introduced in an effort to offset the negative impact of macro parameters on the decrease in oil prices.|
Risks associated with information security (cybersecurity)
Ensuring information security is becoming an increasingly important task for the oil and gas industry. Information security threats increase the risk of emergencies and the scale of their consequences.
In accordance with Federal Law No. 187-FZ dated July 26, 2017 “On the Security of the Critical Information Infrastructure of the Russian Federation”, the critical information infrastructure was categorized at the organizations of Zarubezhneft: a qualitative assessment was conducted of potential damage from the loss of the integrity of critical information infrastructure, confidentiality, and availability.
The Company has approved the cybersecurity concept of ZARUBEZHNEFT GROUP, and an information security center is being set up. The companies have deployed a set of information security systems to ensure the protection of critical information systems, developed and implemented a roadmap of IT projects to introduce modern IT solutions in information security, and are planning further measures to reduce risks.