Annual Report 2015



Approach to Risk Management

MegaFon’s success and strength in the market are underpinned by a robust risk management system.

Good risk management policies and processes have been increasingly important since the IPO in 2012, and during 2015 we continued to make progress in this area.

Our approach to risk management

During 2015, we continued to develop a well-structured, tailored and explicit risk management system through the improvement of existing risk management structures, policies and processes.

In 2013, we successfully completed the roll-out of our enterprise risk management (ERM) programme across all branches. This process was accompanied by training for employees and the implementation of risk identification and mitigation procedures. As part of our further efforts in this area, we continued to broaden the Company’s risk management system and enhance our risk culture framework. In particular, risk management reports that go to management now include a risk dashboard, which affords managers a clear view of changes within the corporate risk profile, and gives them the opportunity to review mitigation activities and understand emerging issues in key risk areas. We also use a range of statistical and probabilistic models to help forecast risks.

Our ERM system comprises three levels of risk identification, analysis and discussion:

  1. questionnaires, interviews and follow-up discussions with every internal function,
  2. cross-function workshops and brainstorming sessions, and
  3. meetings of the Risk Committee (including the Company’s top managers) at our Headquarters and in the branches.

At all three levels, risks are regularly reviewed in terms of their potential impact on the Company’s business. This review process then helps us to shape and prepare a Company register of key risks, including legal, market, political and macroeconomic risks, and a set of appropriate mitigation measures. The register and mitigation procedures are discussed in depth, amended as necessary, and approved by the Head Office Risk Committee, which holds its meetings twice a year. The approved risk mitigation actions are then forwarded to branches, departments and relevant individuals. Since 2014, the risk mitigation process has been conducted via an electronic system, which allows us to exercise stricter control over the implementation of approved measures and helps to increase the efficiency of risk identification and mitigation.

Our risk management process is continually reviewed by the Audit Committee and Internal Audit. The Audit Committee evaluates the effectiveness of our overall risk management framework on a regular basis and makes recommendations for risk response and framework improvement.

Our risk management levels and flow of responsibilities are set out in the diagram opposite.

To comply with international risk management standards, we work constantly on developing the Company’s risk management system to expand its scope and improve its overall compliance and effectiveness. As part of our effort to be more compliant with ISO 31000:2009, the international risk management standard, we have performed an assessment and identified areas for further development, including, in particular, risk culture. We have already developed a roadmap to embed a strong risk culture across the Company.

We define “risk culture” [1] as the norms of behaviour for individuals and groups within an organisation that determine collective ability to identify and understand, openly discuss and act upon, the organisation’s current and future risks.

We believe not only that managing risks is essential to achieving corporate goals, but also that the prevailing risk culture within an organisation can have a major impact on how well the organisation manages its risks.

We are developing our risk culture model, which is based on four main aspects:

  • Tone at the top: this requires that senior managers act as role models in the discussion of risk and risk tolerance, actively seek information about risk events and recognise those who help to identify and unveil risks.
  • Governance: this requires that risk accountabilities are included in employees’ job descriptions and targets, timely communication about risks is encouraged, and all risks are regarded as opportunities to improve and learn.
  • Competency: this requires that the risk function is given a defined remit and leadership support in order to support those employees who manage risks, a special leadership structure of risk champions is created, and all employees are trained to competently identify and manage risks. To deal with the last, we have developed an internal training course focused on risk management, which will be provided to senior managers in 2016–2017. This training is planned to be made mandatory for all new hires.

[1] This definition is consistent with the principles set out in the guidelines of the Institute of Risk Management.