7.9.Risk Management
and Internal Control

TMK’s risk management and internal control framework

is a set of procedures exercised by the Board of Directors, executive and supervisory bodies, officers and employees to ensure a true and fair view of its state of affairs and prospects, risk exposure, reliability of all types of reporting, and compliance with laws and internal regulations.

The Board of Directors

has determined the principles of and approaches to building a risk management and internal control system, which are incorporated into TMK’s approved corporate policies and internal documents which comprise a framework for all risk management and control components (https://www.tmk-group.ru/Documents).

The Audit Committee

monitors the reliability and effectiveness of the risk management and internal control system, safeguards the independence and objectivity of internal audits of the Company, carries out performance assessment of the internal audit function, and monitors the effectiveness of the management information system used to report irregularities in the Company (including misconduct of employees and third parties). The Audit Committee and the Board of Directors have given a positive assessment of the performance of TMK’s risk management and internal control system, and internal audit function in the reporting year.

The Company’s executive bodies ensured the distribution of functions and powers related to risk management and internal control between the heads of TMK’s units accountable to them.

The Company also has the Risk Management Committee which reports to the CEO and is tasked with mitigating risks by drafting and implementing a uniform risk management policy and risk identification, assessment and management methodology. Its Chairman regularly reports to the Board’s Audit Committee on risk occurrence.

The overall coordination of risk management processes and cooperation between the Company’s units is ensured by a dedicated unit which consolidates risk data across TMK, reviews identification of key risks, and prepares risk management reports for the Risk Management Committee. These tasks are fully in line with the Russian Corporate Governance Code.

Executive managers of TMK identify, assess and manage business process risks, and focus on risk mitigation and control procedures at every management level.

TMK’s Board of Directors and executive management strive to incorporate internal control elements into every stage of the Company’s management processes, while maintaining impartiality and transparency of management methods and procedures across all of TMK’s business areas, as required by the Internal Control Integrated Framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

In line with the COSO model, TMK fosters a control environment, maintains a risk assessment system, and implements control procedures.

Key Elements of TMK’s Risk-Focused Internal Control Framework

The Board of Directors has approved the Regulations on Internal Control in TMK (https://www.tmk-group.ru/media_ru/files/51/tmk_pol_vnutr_kontr.pdf). The Company has built a system that ensures the use of controls at every management level based on the principles of centralisation, delegation and division of responsibilities. The CEO sets goals for the Company’s senior executives and oversees their activities aimed at maintaining proper internal controls across the units they supervise. TMK’s senior executives delegate responsibilities to implement specific control policies and procedures to the heads of business units whose responsibilities include, inter alia, assessing control processes within the scope of their competence.

Risk control system in TMK Group (three lines of defence)

Line 1

Operations management in TMK Group’s entities (assets of the Company)

  • Day-to-day functioning of internal control processes and systems
  • Initial risk identification and assessment
  • Risk management / day-to-day implementation of controls aimed at risk coverage and mitigation
  • Establishment and implementation of procedures based on the policies, regulations and standards
Line 2

Management of the Corporate Centre and TMK divisions (control functions)

  • Expert risk opinion and independent risk assessment
  • Participation in / oversight of the development of risk controls, policies, regulations and procedures
  • Audit of operational efficiency of implemented controls
  • Business process risk management
  • Reporting on the compliance with policies, regulations and standards
Line 3

Internal audit

  • Independent audit of the internal control system and risk appetite
  • Performance assessment of control procedures and recommendations on their improvement
  • Monitoring the implementation of policies, regulations and standards

The Company has a clearly structured and independent compliance framework which ensures compliance with legal and ethical standards. It integrates preventive measures and sanctions for violations and is based on vertical and horizontal interactions. This process is coordinated by the CEO’s Committee on Regulating Compliance Risks and its regional subcommittees at TMK’s divisions, and governed by the Company’s Key Compliance Risk Principles and Anti-Corruption Policy (https://www.tmk-group.ru/media_ru/files/51/anticor_ru.pdf). TMK relies on the triple pillars of prevention, identification and response to ensure the successful implementation of its compliance framework.

TMK operates a hotline as a public control instrument, using a full range of communication channels for the Company’s employees, investors, clients and other stakeholders to report any known abuses or violations.

TMK is a party to the Anti-Corruption Charter of Russian Business, developed by the Russian Union of Industrialists and Entrepreneurs. Since 2010, TMK has been a corporate member of the International Compliance Association (ICA) and is nominated for the Compliance Award 2015.

The reliability and effectiveness of internal control, risk management and corporate governance systems in TMK are assessed by the internal audit function. In order to improve the internal audit function and fully align it with the Russian Corporate Governance Code, in 2015, the Board of Directors approved the Internal Audit Policy of TMK Group (https://www.tmk-group.ru/media_ru/files/51/polit_vnutr_aud2015.pdf) and a revised version of the Regulations on the Internal Audit Department of PAO TMK (https://www.tmk-group.ru/media_ru/files/51/pol_sl_vnutr_audit2015.pdf).

TMK’s internal audit

The Internal Audit Department (IAD) is an independent structural unit reporting directly to the CEO (administratively) and to the Board of Directors via the Audit Committee (functionally), which insures its independence and objectivity. It has regional units across TMK’s geographical regions (in TMK divisions), which use a single planning and reporting system. The IAD’s regional units ensure a prompt response to any changes in business processes and operations at TMK entities. The Department develops an annual risk-focused audit plan based on priority business processes subject to audit, and on risk ranking and assessment (by probability and potential impact). The annual plan is considered and discussed at the Audit Committee’s meetings and approved by the Board of Directors and TMK’s CEO.

The IAD also oversees compliance by the Company’s governance bodies, officers and employees with insider dealing laws and regulations, and regularly reports to the Audit Committee as well as to the Board at the year-end.

TMK’s management promptly responds to gaps in controls identified by internal audit, introducing the required changes to the risk management and internal control framework, which helps enhance the corporate governance processes and quality.

Internal control over financial reporting

TMK’s management is responsible for implementing and maintaining adequate internal control over financial reporting to provide reasonable assurance as regards the reliability of financial statements and their conformity with the RAS and IFRS.

TMK has an internal control framework which reasonably assures the effectiveness of all controls, including financial and operational controls, as well as compliance with laws and regulations.

The Revision Committee

controls the Company’s financial and economic activities on behalf of shareholders and reports to the General Meeting of Shareholders on the reliability of the reporting data and deficiencies or violations identified.

The External Auditor

verifies and confirms that the Company’s financial statements are in line with the applicable accounting rules and national and international financial reporting standards (RAS and IRFS), and expresses its opinion on the reliability of the financial statements following their audit.

The Audit Committee

reviews completeness, accuracy and reliability of consolidated and separate accounting (financial) statements of the Company, assesses the Company’s external auditors for independence, objectivity and absence of a conflict, oversees external audit and its quality, and reviews the external auditor’s opinion.

In selecting an external auditor to audit the Group’s IFRS consolidated financial statements and assessing its performance, we adhere to the Policy on Selection of TMK Group’s External Auditor, as approved by the Board of Directors (http://www.tmk-group.ru/media_ru/ files/51/tmk_pol_vyb_aud14.pdf).

The following procedures are in place to ensure the auditor’s independence and impartiality:

  • The Company holds a tender to select an auditor under the terms and conditions approved by the Board of Directors based on the Audit Committee’s recommendations. The Committee organises the tender and announces its results
  • It also may request an early tender following the assessment of the auditor’s performance quality and its compliance with the independence requirement
  • The auditor is selected from among internationally recognised independent audit firms and approved by the Board of Directors.

To mitigate the risk of long-term relationship compromising the external auditor’s independence and impartiality, members of audit teams and the lead partner responsible for the audit are subject to rotation.

PAO TMK appointed Ernst & Young, a member of the Audit Chamber of Russia’s self-regulated non-profit partnership, as the external independent auditor of its FY2015 and interim consolidated and separate financial statements.

In 2015, the auditor’s remuneration for auditing the annual financial statements and reviewing interim financials (including audit of separate financials at some TMK’s entities) was USD 2.08 m and USD 0.24 m for non-audit services.