Risk management system 102-11

of ZARUBEZHNEFT GROUP

The Risk Management System (RMS) of ZARUBEZHNEFT GROUP consists of a set of processes, policies, and procedures that are integrated into the Company’s business processes, and provides a structured approach to assessing opportunities and risks for better management decision-making.

Key internal regulatory documentation regulating the activities of the RMS:

Risk Management Policy of ZARUBEZHNEFT GROUP dated June 27, 2016

approved by Minutes No. 124 of the Board of Directors

Standard for the Business Process Risk Management of ZARUBEZHNEFT GROUP dated May 24, 2019

Order No. 147

Regulation on the Corporate Risk Management Committee of ZARUBEZHNEFT GROUP

Order No. 159 dated April 26, 2016

RMS = better management decision-making

ZARUBEZHNEFT GROUP is committed to effectively managing risks and ensuring the Company’s sustainable development, maximizing its shareholder value, and working to enhance competitiveness while preserving the government’s interests.

Goals and objectives

Key risk management objectives:

  • Improve the effectiveness of management decisions by analyzing their inherent risks
  • Maximize the effectiveness of risk management measures when implementing the decisions that have been adopted

Key risk management tasks:

  • Conducting a cross-functional review of risk information between the Group’s structural units and the joint development of risk management measures
  • Using a systematic approach to identify, analyze, and assess risks that are inherent in the Group’s activities
  • Establishing a risk management culture at the Group to reach a common understanding among management and employees on the basic principles and approaches to risk management
  • Providing information to support decision-making at all governance levels of the Group

Responsibility for risk management and reporting is determined in conformity with the line and staff management system: an owner is assigned for each risk and is responsible for its management.

Strategic goals and development priorities

In each Upstream, as well as in all key business processes, risk coordinators are identified among managers who disseminate and promote the introduction of corporate risk management principles. The timeframe and objectives of risk analysis take into account the specifics and requirements of each business process in which risk management is carried out. The Department of Financial and Economic Controlling is responsible for methodological support and developing and maintaining the risk management system.

Risk Committee
Risks at the Group level
Most significant upstream risks
Business development unit risks
Coordinators: Deputy General Director for Economics and Finance, Deputy General Director for Organizational Development and Corporate Communications Deputy General Director coordinating the Upstream (Upstream, Oil Refining and Sales, Services) Deputy General Director for Business Development
Identification method

top-down, the management strategy is determined by the Corporate Сenter

bottom-up as part of business planning (risks are consolidated by assets)

top-down and bottom-up
Risks of current assets Risks of oil and gas exploration projects

The approach makes it possible to:

  • Determine areas of responsibility for risk management
  • Monitor risks at all governance levels of the Company
  • Ensure the development of targeted plans in response to significant risks both at each subsidiary and within ZARUBEZHNEFT GROUP as a whole

Development of the risk management system

Improvements to risk management system at Zarubezhneft are made as required by law, international standards, and in line with the best practices for risk management:

  • The Company’s risk management system is continuously developing and improving
  • The Group’s key risks are processed on a systematic basis, relevant acceptable risk levels are determined, and a quantitative assessment is conducted of the impact on the Company’s key performance indicators
  • The indicators are monitored on a quarterly basis by the Risk Committee chaired by the Company’s General Director

MATURITY MODEL OF THE RISK MANAGEMENT SYSTEM (RMS)

Risk management training

The Group attaches great importance to risk management training. In 2020, an online risk management course was developed in an effort to enhance employees’ risk management skills. The course aims to develop risk-based thinking skills, which helps to identify, prioritize, and assess the impact of risks on the Company’s key goals or decisions and is recommended so that employees can study the basic theory and understand the importance of risk management in their professional activities

Assessment of the effectiveness of the risk management system

External assessment

Based on the directives of the Federal Agency for State Property Management and the Company's policy, independent consultants from RiskTeKonsult conducted a comprehensive assessment of the maturity level of the risk management system of Zarubezhneft in 2020. Assessment criteria used in 2017 were retained to compare the results of the external assessment of the risk management system in 2017 and in 2020.

Results:

Following the assessments by the consultants, Zarubezhneft significantly improved its results as compared with 2017 mainly due to the integration of risk management processes into key management processes, such as business planning and investment project management. Tools for the acceptable risk level were introduced into the management practice. The Company’s managers recognize the value of the risk management process. Risk assessment skills at the Group has significantly increased, and the relevant training sessions and seminars are being held. The Company uses modern methods of quantitative risk assessment.

RMS Maturity Model. The RMS Maturity of Zarubezhneft is assessed as a ‘Measurable and manageable RMS’. Thus, the independent assessment conducted by RiskTeKonsult confirms the transition of the risk management system from level 3 ‘Developing RMS’ to level 4 ‘Measurable and manageable RMS with partial compliance with a higher level’. The overall score was 4.5.

Internal assessment

In addition, the Zarubezhneft Internal Audit Department assessed the effectiveness of the Group’s risk management process. As part of the audit, the risk management system was given a positive assessment regarding its maturity and operational efficiency (the audit was carried out in line with the criteria set out in Letter No. 06-52/2463 of the Bank of Russia "On the Corporate Governance Code" dated April 10, 2014).

Acceptable risk level

Zarubezhneft defines its level of preferred risk as acceptable — the maximum permissible risk level which the Company and its subsidiaries are committed to or ready to maintain (according to the Risk Management Policy of ZARUBEZHNEFT GROUP approved by a resolution of the Zarubezhneft Board of Directors, Minutes No. 125 dated May 27, 2016).

Zarubezhneft establishes and formalizes an acceptable risk level and its accounting requirements with regard to financial and operational performance indicators.

This approach is governed by the following internal regulations:
  • Regulation on Key Performance Indicators of Zarubezhneft approved by the resolution of the Board of Directors (Minutes No. 189 dated January 29, 2021)
  • Policy on the Protection of Health, Labor, Environment, Safety, and Social Responsibility (Minutes No. 133 dated December 27, 2016) within the Regulation on the Quality Management System of Zarubezhneft
  • ‘BR OB-06 Risk Management’ Standard for the Risk Management Business Process of ZARUBEZHNEFT GROUP (approved on May 24, 2019)

Description of key risks inherent in the company’s activities and regulation measures

The key risks matrix of Zarubezhneft is compiled annually and reflects the results of risk assessment, including with a graphical display, a list of critical risks, and the disclosure of information about them. Key risks are ones that cause the threat of deviation from the Group’s objectives and require priority management and control to meet the acceptable level of risk.

KEY RISKS INHERENT IN THE COMPANY'S ACTIVITIES
Risk Risk group
Industrial safety risks (including damage to the environment and human life and health)

Industrial safety risks (including damage to the environment and human life and health)

Industrial safety risks are the most significant group due to legal requirements and the presence of a large number of hazardous production facilities.

They include:

  • Threat to the life and health of workers due to the spread of COVID-19 in the countries of ongoing operations
  • Accidents with workers and third parties
  • Manmade accidents and catastrophes
  • Failure to comply with the requirements of industrial safety legislation
  • Failure to comply with the requirements of environmental safety legislation.
Geological uncertainties

Failure to fulfill the production volume (current assets) plan due to an unplanned decrease in core production, the low efficiency of geological and technological measures, or the cancellation/deferment of geological and technological measures

Failure to fulfill the planned volume of an increase in reserves from the GEA (geological exploration activities) of current assets due to the failure to confirm reserves or the cancellation/deferment of the exploration of GEA

Risks (uncertainties) associated with the insufficiency of information about the geological structure of deposits, the volume of reserves, etc.
Risks of implementation of investment projects

Decrease in the efficiency of oil and gas projects (new projects and GEA projects)

Cost overruns of building infrastructure in capital construction

Failure to fulfill the planned volume of production and increase reserves from joining new projects due to a lag in joining new projects and/or a decrease in their efficiency during the evaluation stages

All risks involving the Company’s investment projects, including a lack of infrastructure that provides year-round activities, a lack of experience in implementing similar projects in similar conditions, the growing technological complexity of projects, a different vision of the project’s development strategy among participants, and so on.
Licensing risks

Financial and reputational losses due to the failure to comply with the terms of license obligations

Risks of claims by the state regulatory authorities in connection with the violation of the terms of licensing agreements (hydrocarbons exploration and production licenses), up to the revocation of licenses.
Logistics limitations

Failure to meet production targets due to constraints by the federal executive authorities, infrastructure constraints, and constraints due to force majeure

Interruptions/disruptions in oil transportation due to infrastructure constraints.

Decrease in the efficiency of oil sales due to the loss of markets, reduced margins, rising commercial costs, or a lack of sales opportunities in separate areas

Change in macroeconomic parameters

Negative change in macroeconomic parameters: oil price, RUB/USD exchange rate

The probability of changes in the cross exchange rates of major currencies and their negative impact on financial reporting and/or cash flow indicators.
Corporate fraud and corruption

Corporate fraud and corruption

The involvement of the Company or its employees in corrupt activities, as well as the failure to comply with the laws of the Russian Federation and the countries where it operates entails the imposition of legal sanctions and/or other measures of influence by the state oversight institution, which could lead to significant financial losses and damage to the Company’s reputation.
Political risk

Constraints or a reduction in performance due to the impact of political risks and events

Zarubezhneft operates in the Middle East, Asia-Pacific Region, Eastern Europe, and the Russian Federation.
IT risks

Financial and reputational damage due to the loss of confidential data (leakage) during the operation of IT services

The disruption of process stability and sustainability due to the shutdown/disruption of the information system, software, or IT equipment

The shutdown/disruption of production processes due to disruption of critical control systems

Risks associated with the operation of IT systems (primarily production and calculation IT systems), projects for their development as well as the risk of the inability to purchase or use foreign software.
Risks associated with changes in tax legislation

Financial losses due to tax surcharges for previous periods based on audit results

Decrease in performance efficiency due to changes in tax regulation in the Russian Federation or the countries of operation

Inaccuracy of accounting and tax reporting data

The tax system of the Russian Federation is constantly developing and improving. A possible increase in taxes paid by the Company in the course of its business activities may lead to an increase in expenses and a decrease in cash volume available to the Company to finance current activities, capital expenditures, and the fulfillment of obligations.

Virtually any company in Russia has the potential to incur losses because of claims from the tax authorities that may arise regarding past periods and current activities.

Zarubezhneft’s operations are subject to a large number of risks, so effective risk management is a fundamental element of the strategy and an integral part of the company

The Company’s relevant units develop risk management activities according to their functional areas, the specifics of each individual risk, its assessment, and the potential to reduce the possibility or consequences of risk materialization.

The risk management measures are included in key management documents — the Group’s Long-Term Development Strategy, risk management plans within the business plans of the Group’s companies, work plans of profile commissions and workgroups, and project datasheets. In addition, the Company drafts measures when conducting a detailed analysis of the Company’s key business processes and identifying all possible reasons (factors) for the materialization of risks and formalizes them in the form of control procedures that are integrated into the operational activities of units.

Risks that materialized in 2020

Risk Commentary

Production safety risk (life and health of people, ecology, and reputation)

Starting in April 2020, a number of COVID-19 cases were found among employees of ZARUBEZHNEFT GROUP. The mass spread of the virus throughout the Company was avoided.

There were no cases of the infection among oil field employees.

Given the threat of the spread of the COVID-19 pandemic as well as the need to protect the life and health of employees, the Company took the following measures in 2020:

  • An operational headquarters was set up to monitor the COVID-19 situation
  • Measures were introduced to prevent infection (remote work, social distancing, provision of employees with PPE, and testing)
  • A unified shift change concept was developed

At the Baikal Risk Forum in 2020, the measures taken by the Company were recognized as the best practice in the industry.

Negative change in macro parameters (oil prices and exchange rate).

There was a strong negative change in macro parameters in 2020 due to the reduction and subsequent long-term recovery of global hydrocarbon consumption (by 15–30%) as a result of the spread of COVID-19.

Optimization measures, which ensured the payment of dividends and the implementation of the investment program, were developed and introduced in an effort to offset the negative impact of macro parameters on the decrease in oil prices.

Risks associated with information security (cybersecurity)

Ensuring information security is becoming an increasingly important task for the oil and gas industry. Information security threats increase the risk of emergencies and the scale of their consequences.

In accordance with Federal Law No. 187-FZ dated July 26, 2017 “On the Security of the Critical Information Infrastructure of the Russian Federation”, the critical information infrastructure was categorized at the organizations of Zarubezhneft: a qualitative assessment was conducted of potential damage from the loss of the integrity of critical information infrastructure, confidentiality, and availability.

The Company has approved the cybersecurity concept of ZARUBEZHNEFT GROUP, and an information security center is being set up. The companies have deployed a set of information security systems to ensure the protection of critical information systems, developed and implemented a roadmap of IT projects to introduce modern IT solutions in information security, and are planning further measures to reduce risks.