Risk management and internal control
EVRAZ maintains a comprehensive financial reporting procedures (FRP) manual detailing the Group’s internal control and risk management systems and activity. The manual was last updated in December 2016, in line with the Financial Reporting Council (FRC) Guidance on Risk Management, Internal Control and Related Financial and Business Reporting issued in September 2014. The aim of the risk management process is to identify, evaluate and manage potential and actual threats to the Group achieving its objectives.
EVRAZ’ Enterprise Risk Management (ERM) process is designed to identify, quantify, respond to and monitor the consequences of these threats. The management maintains a risk register that encompasses both internal and external critical threats. The level of risk appetite approved by the Board is used to identify particular risks and uncertainties that require specific Board oversight. In 2016, regarding principal risks and uncertainties, this process was consistent with the UK Corporate Governance Code, the FRC Guidance on the Strategic Report issued in June 2014, and the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting issued in September 2014.
The executive management is responsible for introducing the agreed internal controls and mitigating actions related to risk management throughout EVRAZ’ business and operations, as well as at all levels of management and supervision. This serves to encourage a risk-conscious business culture.
EVRAZ applies the following core principles to identifying, monitoring and managing risk throughout the organisation:
- Risks are identified, documented, assessed and monitored, and their profile is communicated to the relevant levels of the management team regularly. The business management team is primarily responsible for ERM and accountable for all risks assumed in the operations.
- The Board is responsible for assessing the optimum balance of risk (risk appetite) through the alignment of business strategy and risk tolerance on an enterprise-wide basis. In addition, the Board oversees risks above the Group’s defined risk appetite and internal control weaknesses measured in excess of the risk appetite.
- A reporting process involving business unit management teams and other relevant bodies at major enterprises has been established. Its aim is to identify, evaluate and establish management actions for risk mitigation at a regional level, as well as at EVRAZ’ major steel and mining operations. The Risk Management Group maintains a corporate risk register representing a summary of this information. Business unit management teams and other relevant bodies are accountable to the Risk Management Group by way of membership of the latter (vice presidents of business units and functions).
- All acquired businesses are brought within the Group’s system of internal control as soon as practicable.
For additional information about principal risks and uncertainties see Strategic report page.
|Component|Basis for assurance|Action in 2016|
|---|---|---|
|Assurance framework – principal entity-level controls to prevent and detect error or material fraud, ensure effectiveness of operations and compliance with principal external and internal regulations|Self-assessment by management at all major operations; review of the self-assessment by the internal audit function|In 2016, the internal audit function certified and reviewed the internal control system; a more straightforward connection between the result of the self-assessment of internal control by the management and an internal audit plan has been established|
|Investment project management|Monitored by established management committee and sub-committees; reviewed by internal audit|Continuous enhancement of procedures regarding quality and reporting control, as well as other elements of the project oversight process|
|Operating policies and procedures|Implemented, updated and monitored by management; reviewed by the internal audit function|Operating policies and procedures were updated as per the internal initiatives by operational management and in response to recommendations from the internal audit function|
|Operating budgets|Monitored by controlling unit; reviewed by the internal audit function; approved by the Board|Operating budgets were prepared, and approved by the Board|
|Accounting policies and procedures as per the corporate accounting manual|Developed and updated by the reporting department; reviewed by the internal audit function|Accounting policies and procedures were updated as part of the standard annual review process|
The Board has delegated primary oversight of the Group’s internal control process to the Audit Committee. The committee has tabled for the directors’ consideration the major internal control findings in the areas where the Board’s risk appetite has been exceeded.
To ensure that control is exercised effectively across operations, the Group has adopted annual management self-assessments of the internal control system using the EVRAZ Assurance Framework. The management rates and certifies the individual components of the framework. In 2016, all major production sites were certified as having effective internal control.
A department headed by Senior Vice President Leonid Kachur has specific responsibility for preventing and detecting business fraud and abuse, including fraudulent behaviour by employees, customers and suppliers that may cause a direct economic loss to the business. Solid internal controls help minimise the risk, and EVRAZ’ Business Security department ensures that appropriate processes are in place to protect the Group’s interests.
Internal audit is an independent appraisal function that the Board has established to evaluate the adequacy and effectiveness of controls, systems and procedures at EVRAZ to reduce business risks to an acceptable level and in a cost-effective manner.
The Board approved the latest version of the internal audit charter on 28 February 2017.
The internal audit function’s role in the Group is to provide an independent, objective, innovative, responsive and effective value-added internal audit service. This is achieved through a systematic and disciplined approach based on assisting management in controlling risks, monitoring compliance, and improving the efficiency and effectiveness of internal control systems and governance processes. Once a year, the function provides an opinion on the overall effectiveness of the Group’s internal controls.
In 2016, EVRAZ’ head of internal audit, as secretary of the Audit Committee, attended all the committee’s meetings and addressed any reported deficiencies in internal control as required by the committee. The committee continued to engage with executive management during the year to monitor the effectiveness of internal control and, consequently, considered certain deficiencies that had been identified in internal control together with management’s response to such deficiencies.
The internal audit planning process starts with the Group’s strategy; includes the formal risk assessment process, consideration of the results of the self-assessment of internal control by the management, and the identification of management concerns based on the results of previous audits; and ends with an internal audit plan, which the Audit Committee then approves. Audit resources are predominantly allocated to areas of higher risk and, to the extent considered necessary, to financial and business controls and processes, with appropriate resource reservation for ad hoc and follow-up assignments.
In 2016, internal audit projects covered the following Group risks:
- Cost effectiveness
- Health, safety and environment
- Capital projects and expenditure
- Treasury and working capital management
- Human resources
- Business interruption, and equipment and infrastructure downtime management
- Transportation, sourcing, raw materials and energy supply
- IT security and IT infrastructure risk management
EVRAZ’ internal audit function is structured on a regional basis, reflecting the geographic diversity of the Group’s operations. The Group’s internal audit function works to align common internal audit practices throughout the Group via quality assurance and improvement programmes.
Our approach to risk appetite
Risk appetite is an important part of the risk management process that serves as a measure of the risks EVRAZ’ management is willing to accept in pursuit of value. The Board has approved a risk appetite in accordance with the risk management methodology adopted by EVRAZ.
Risk appetite is considered in evaluating strategies and setting objectives within the Group’s strategic cycle, in decision making and in developing risk management actions and methods, as well as in identifying particular risks and uncertainties that require specific Board oversight. The strategic objectives of the Group are aligned with, and risk mitigation actions are reflective of, the risk appetite approved by the Group. The Group adopts a robust approach in relation to risk management. Risk appetite for some specific business processes (e.g. in fraud, security, bribery and corruption, as well as in the health and safety process) is assessed, defined and evaluated separately from the rest of the processes.
The management reassesses the risk appetite at least annually via the Risk Committee/Risk Management Group. The Risk Management Group reports on the analysis performed to the Audit Committee, which makes recommendations to the Board regarding the level of risk appetite. The Risk Management Group and the Audit Committee last reviewed the Group’s risk profile in October 2016 and finalised the assessment in January 2017. Based on the results of the most recent review, the management concluded that the approach for acceptance of risks within the company had not changed and that the risk appetite remained the same as in the prior year. An appropriate recommendation regarding the level of risk appetite was made to the Audit Committee and to the Board.
Further information regarding EVRAZ’ internal control and risk management processes can be found at www.evraz.com/governance/control.
For the reports from each committee, please see page.