Risk Management

Overview of FPC’s overall risk management system

In 2019, we launched a risk management transformation project at FPC to build an integrated risk management system into a continuous and systematic process embedded throughout the organisation, incorporated into both business processes and decision making, and aimed at increasing the assurance that objectives will be achieved.

An important milestone in FPC’s risk management transformation journey was the adoption of an approach which reflects the continuity of experience and the inherent links between risk management and internal control. In this approach, internal control is seen as an integral, indispensable part of the risk management system, while the risk management and internal control system is part of corporate governance. The approach was reflected in the newly adopted Risk Management and Internal Control Policy (the “Policy”), approved by FPC’s Board of Directors and developed in line with the Risk Management and Internal Control Policy of Russian Railways.

In accordance with the Policy, the main purpose of risk management is to provide reasonable assurance that the Company’s objectives will be achieved. They include, but are not limited to:

  • strategic objectives
  • operational objectives
  • objectives in ensuring compliance with the requirements of applicable international regulations, regulations of the Russian Federation and internal regulations of the Company
  • objectives in ensuring the reliability, timeliness and quality of all types of reporting.

The risk management and internal control system (the “RMICS”) at FPC is set up and operated in accordance with the principles set out in GOST R ISO 31000:2010 Risk Management. Principles and Guidelines, namely:

  • risk management creates and protects value
  • risk management is an integral part of all organizational processes
  • risk management is part of the decision-making process
  • risk management is explicitly associated with uncertainty
  • risk management is systematic, structured and timely
  • risk management is based on the best available information
  • risk management is adaptable
  • risk management takes into account human and cultural factors
  • risk management is transparent and takes into account the interests of interested parties
  • risk management is dynamic, iterative and responsive to changes
  • risk management contributes to the continuous improvement of the organization.

FPC’s RMICS aims to address the following tasks:

  • creation of infrastructure and a regulatory and methodological basis for the effective functioning of the risk management process;
  • integration of risk management and internal control procedures into the strategic and operational activities of the Company, which will allow proactively responding to risks and negative changes in the external and internal environment (through planning and implementation of measures to influence the risk);
  • raising awareness among RMS and VK participants and other interested parties about the risks;
  • reduction in the number of unforeseen events that could have a negative impact on the achievement of the goals of JSC FPK.

The Policy also defines risk management actors and their skills and functions based on the three lines of defence model which provides for roles and responsibilities sharing. Each of the three lines increases the likelihood of FPC successfully achieving its objectives.

Specifically, in accordance with the Policy, all FPC’s units are involved in the risk management process within their scope of responsibility.

Coordination, implementation and improvement of the risk management system is the responsibility of the Risk Management Unit.

The Internal Audit Unit is responsible for assessing the reliability and effectiveness of the risk management and internal control systems.

Central decision-making bodies for risk management at FPC are its Board of Directors and the General Director.

The Company has the Audit and Risk Committee at the Board of Directors and the Risk Management Committee to prepare recommendations for management decision making.

Notably, the Risk Management Unit and the Internal Control Unit are not only functionally separate, but are also hierarchically independent of one another.

Roles allocation
Function Risk management Internal audit
Responsible structural unit Risk Management Unit Internal Audit Unit
Reporting to Reporting to FPC’s Deputy General Director responsible for the risk management system Functional reporting to the Board of Directors (the Audit and Risk Committee of FPC’s Board of Directors) and administrative reporting to the General Director
Full name of the unit head Sergey Selishchev Yulia Denisova
Three lines of defence model

Key risk factors

In 2019, we noted the following factors influencing the risks associated with FPC’s activities:

  • lower GDP growth
  • higher CPI growth
  • significant fluctuations in inventory and fuel and energy prices
  • increased competition (adjustments to pricing policy and dumping by FPC’s competitors, expansion of air transport infrastructure)
  • lower or no price indexation
  • changes in the economic and political environment in Russia
  • deteriorating social and demographic situation in urban and rural areas
  • lower household purchasing power and real disposable income
  • FX rate fluctuations
  • increased governmental support for air transport.

Risk mitigation approaches

In treating its risks and risk factors in 2019, FPC employed a wide range of measures based on different risk treatment strategies, such as:

  • Risk avoidance – withdrawing from an activity or project associated with a particular (inherent) risk where other treatment strategies (risk mitigation, risk sharing, risk acceptance) are not economically viable or feasible. Given that any activity of the Company is associated with risks and complete withdrawal from any activity leads to its discontinuation, this strategy can be used to manage individual, specific risks (and/or new activities, projects)
  • Risk mitigation – risk treatment involving activities to reduce the likelihood of a risk event and/or the potential impact of its occurrence to an acceptable level. Risk mitigation activities may include both the deployment and execution of control procedures and the implementation of other measures (e.g. creating provisions to cover losses caused by a risk event)
  • Risk acceptance — a risk treatment method where no active risk treatment is used, applied where: a) the level of risk is acceptable; b) risk avoidance, mitigation or sharing are not economically viable or feasible (e.g. political or macroeconomic risks)
  • Risk sharing – transfer of a risk where the Company’s risk mitigation is ineffective, while the level of risk is not acceptable (the risk cannot be accepted) and a third-party services can be used for risk treatment (risk sharing is mostly aimed at reducing the consequences, not the likelihood of risk occurrence).

Risk management process stages

In line with the Policy, the risk management process consists of five stages:

  1. Risk identification
  2. Risk analysis
  3. Risk mitigation
  4. Monitoring and control
  5. Data sharing and advice
Risk management process

FPC’s Risk register

In 2019, a total of 121 risks were identified by FPC:

  • 10 high risks
  • 18 medium risks
  • 93 low risks.

Key risks and the Company’s strategy

FPC’s operations comply with the regulations adopted by the Russian Government and Russian Railways, as well as with the Transport Strategy of the Russian Federation to 2030 and the Railway Transport Development Strategy to 2030. Seeking to follow the strategies, the Company devised the Development Strategy of JSC FPC to 2030, which is aligned with the Long-Term Development Programme of Russian Railways to 2030.

All risks faced by FPC are associated with its strategy and reflected via risk indicators based on targets and metrics. Specifically, FPC’s key risk register for 2019 included the following key risk indicators for the risks of not achieving the strategic development targets:

  • Passenger km travelled

FPC is implementing a range of risk treatment measures to mitigate the risks or eliminate their negative impact on the achievement of strategic objectives, including by keeping down or reducing the key risks.

FPC’s risk map

FPC’s risk map is based on the risk level as shown in the risk matrix, which has severity of consequences in the X direction and risk likelihood in the Y direction.

FPC’s risk map

The risk map is a tool providing graphical representation of risk levels by combining severity of consequences, in the Y direction, and likelihood, in the X direction.

Risk level Overall score rating Number of risks
High 12–25 10
Medium 5–10 18
Low 1–4 93