Corporate controls

Risk management and internal controls

Organisational structure of the risk management and internal control framework
102-30

The risk management and internal control framework represents a set of organisational measures, methods, practices and standards of corporate culture. It also embraces actions taken by the Company to strike the right balance between value growth, profitability and risks, support financial sustainability, and ensure efficient operations, protection of its assets, compliance with the laws and bylaws, along with timely and accurate reporting.

The Board of Directors defines the key principles of, and approaches to, risk management and internal controls, oversees the Company’s executive bodies, and performs other key functions. The Risk Management Committee provides recommendations to the Board of Directors on identifying material risks and developing relevant management tools and measures to enhance the risk management framework. The Audit Committee focuses on assessing and making proposals to improve the risk management and internal control efficiency. On top of that, its members supervise the preparation of accounting (financial) statements and the measures taken to prevent fraudulent behaviour of the Company’s employees or third parties.

The Review Committee elected by the General Shareholders’ Meeting exercises control over the financial and business operations of the Company.

The executive bodies establish and maintain an efficient risk management and internal control framework. To this effect, they have set up a Risk Commission that monitors the status and effectiveness of risk management initiatives. The results serve as a basis for the relevant proposals issued by the Commission to executive bodies and the Board of Directors.

Following the audits, the Internal Audit Department provides the Board of Directors and executive bodies with recommendations and reports, including, among other things, the assessment of the current status, reliability and efficiency of the corporate governance, risk management and internal control framework.

The Risk Management and Internal Control Department is charged with the general supervision of risk management, including related activities and consolidated reporting to the Board of Directors and executive bodies.

As part of their duties, heads of other organisational units are responsible for building, documenting, implementing, monitoring and developing the risk management and internal control framework in their respective functional areas. The framework requires the Company’s employees to identify and assess relevant risks and efficiently implement the controls and risk management initiatives.

Risk management

In 2020, PhosAgro’s risk management and internal control framework performed strongly thanks to timely identification and assessment of risks, as well as development and implementation of risk management measures. On a quarterly basis, the Board of Directors reviewed reports on the management of the Company’s key risks. PhosAgro’s executives paid special attention to managing these key risks. The Risk Commission continuously monitored the status of risk management activities and, when necessary, initiated changes to improve those related to key risks.

Development of the risk management and internal control framework in 2020

The Company is making a consistent effort to develop its risk management and internal control framework. In 2020, the Board of Directors reviewed the results of the framework’s assessment, which showed that it was on par with those adopted by the industry’s leading companies, including:

  • full compliance with regulatory requirements;
  • risk management and internal controls being in place at production sites;
  • the key risk indicators being monitored;
  • the risk appetites being evaluated and regularly reviewed.

The reporting year saw the production sites and the Company as a whole complete a full-year cycle of risk management and internal control, including:

  • ongoing risk monitoring;
  • analysis of key risk indicators;
  • development of corrective actions;
  • follow-up control and review.

In 2020, the Company also rearranged the risks related to climate change and analysed climate scenarios for its regions of operation.

Plans for 2021

We look to maintain the existing elements of our risk management framework, focus on their further integration into the Company’s processes and practices, and improve climate risk monitoring.

Review Committee

The General Shareholders’ Meeting held in May 2020 elected the following members to the Review Committee:

  • Ekaterina Viktorova;
  • Elena Kryuchkova;
  • Olga Lizunova.

The Committee endorsed PhosAgro’s financial statements for 2020, with its report dated 19 March 2021 included in the materials for the Annual General Shareholders’ Meeting.

Internal audit

PhosAgro’s Internal Audit Department (IAD) assists the Company’s top executives and the Board of Directors in improving the management of business processes and enhancing the internal control and risk management framework. In doing this, it uses a risk-oriented approach and works closely with the Risk Management, Internal Control and Economic Security Departments, and the Company management.

Audit of business processes

The audit plan for the calendar year is subject to review, discussion and approval by the Audit Committee and the Board of Directors. Audits are performed at the Group level, as well as at specific subsidiaries and their standalone business units. In addition, the Internal Audit Department monitors the effectiveness and efficiency of corrective actions taken by the management following the audit, and reports to the Audit Committee on a quarterly basis and to the Board of Directors annually.

In 2020, the Internal Audit Department fully met the annual action plan. The audits covered the Company’s business processes related to human resource management and sales, as well as an IT audit of internal trading, financial and economic function analysis, and testing of controls over revenue and procurements. Audits were followed by proposals for automation of business processes, streamlining of key controls and better cooperation between business units. The management developed and approved remedial action plans, with the progress monitored by the Internal Audit Department.

The 2021 audit plan covers the following business processes: logistics, project management, insiders and inside information, as well as IT audit of production facilities.

External assessment

In 2018, PwC completed an external assessment of the IAD’s compliance with the International Standards for the Professional Practice of Internal Auditing, the Institute of Internal Auditors’ Code of Ethics and the Corporate Governance Code approved by the Bank of Russia. For the IAD, the results were overall positive. The Company is consistently working to improve its internal audit function according to the plan.

Following the assessment, the internal audit methodology saw the following amendments:

  • annual audit plans take into account the outcomes of reviewing and assessing IT and information security risks;
  • each audit includes risk evaluation and control testing for information systems used by the audited processes.

On top of that, the Company is taking steps to improve the quality of internal audit based on feedback from the management of the audited entities, ensure regular self-assessment for compliance with the requirements of the International Standards for the Professional Practice of Internal Auditing and the Institute of Internal Auditors’ Code of Ethics, and carry out sample documentation audits.

Going forward, external assessments will take place once every three years.

External audit

PhosAgro’s auditor performs the audit of its financial and business operations in compliance with Russian laws and regulations and the agreement signed with the Company. The auditor is approved by the Company’s General Shareholders’ Meeting.

In 2020, the Company engaged KPMG (Presnenskaya Naberezhnaya, 10, Moscow, Russia) to audit its IFRS financial statements.

In 2019, the Company engaged FBK (44/1 Myasnitskaya St., Bld. 2AB, Moscow, 101990, Russia) to audit its RAS accounting statements.

Inside information

PJSC PhosAgro has adopted an Inside Information Regulation compliant with Russian laws and the EU Market Abuse Regulation (MAR). In accordance with its provisions, the Corporate Secretary’s office keeps a list of insiders, persons discharging managerial responsibilities (PDMR) and persons closely associated with them (PCA). The Regulation defines the scope of responsibilities for each insider group, which the Corporate Secretary’s office communicates to the respective persons from time to time. First and foremost, these include the limitations on the use of inside information and trading in the Company’s securities. Depending on the group, an insider may be prohibited from such transactions or obliged to notify the Company or obtain its consent for such transactions. Every quarter, the Corporate Secretary’s office checks the list of shareholders to identify transactions that may have been executed in breach of such limitations.

In 2020, the Board of Directors approved a new version of PhosAgro’s Inside Information Regulation, which reflects Russia’s latest legal developments and MAR requirements.

Key aspects of the new version of the Inside Information Regulation:

  • requirements applying to employees of both PhosAgro and its subsidiaries;
  • detailed description of the procedure for obtaining a permit to deal in securities;
  • detailed procedure for arranging and holding meetings with analysts, shareholders, and the media;
  • detailed procedure for identifying the Company’s inside information;
  • detailed procedure for delaying the disclosure of the Company’s inside information.

2020 saw no violations of the Inside Information Regulation.