Risk management and internal control

The aim of the risk management process is to identify, evaluate and manage potential and actual threats to the Group’s ability to achieve its objectives.

The EVRAZ Enterprise Risk Management (ERM) process is designed to identify, quantify and respond to these threats, as well as to monitor the Group’s prevention and mitigation system.

Management maintains a risk register that encompasses both internal and external threats. The level of risk appetite approved by the Board is used to identify particular risks and uncertainties that require specific Board oversight. In 2021, the process in relation to principal risks and uncertainties was consistent with the UK Corporate Governance Code, the FRC Guidance on the Strategic Report issued in July 2018 and the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting issued in September 2014.

Executive management is responsible for both internal controls in place and mitigating actions related to risk management throughout the Group’s business and operations. This serves to encourage a risk-conscious business culture.

EVRAZ applies the following core principles to identifying, monitoring and managing risk throughout the organisation:

  • Risks are identified, documented, assessed and monitored, and their profile is regularly communicated to the relevant levels of the management team. The business management team is primarily responsible for ERM and accountable for all risks assumed in the operations.
  • The Board is responsible for assessing an optimal balance of risk (risk appetite) through the alignment of business strategy and risk tolerance on an enterprise-wide basis. In addition, the Board oversees and approves risks outside the Group’s defined risk appetite and reviews any significant internal control weaknesses.
  • EVRAZ has established a reporting process involving business unit management teams and other relevant bodies at major enterprises. Its aim is to identify, evaluate and establish management actions for risk mitigation at a regional level, as well as at the Group’s major steel and mining operations. The Risk Management Group maintains a corporate risk register that represents a summary of this information. Business unit management teams and other relevant bodies are accountable to the Risk Management Group, which consists of business unit and function vice presidents.

The Board has delegated primary oversight of the internal control process at EVRAZ to the Audit Committee, which discusses any major internal control findings that exceed the Board’s risk appetite.

The EVRAZ Business Security department is led by a vice president and has specific responsibility for preventing and detecting business fraud and malpractice, including fraudulent behaviour by employees, customers and suppliers. Robust internal controls help to minimise risk, and the EVRAZ Business Security department ensures that appropriate processes are in place to protect the Group’s interests.

EVRAZ also maintains a comprehensive financial reporting procedures (FRP) manual detailing the Group’s internal control and risk management systems and activities. The manual was last updated in November 2021 to reflect changes in internal processes. The document was prepared in accordance with the Financial Reporting Council (FRC) Guidance on Risk Management, Internal Control and Related Financial and Business Reporting issued in September 2014.

Risk appetite

Risk appetite is an important part of the risk management process, and it serves as a measure of the risks that management is willing to accept in pursuit of value.

The Board has approved a risk appetite in accordance with the risk management methodology adopted by EVRAZ.

Risk appetite is considered in evaluating strategies and setting objectives within the Group’s strategic and budgeting cycle, in decision making and in developing risk management actions and methods, as well as in identifying particular risks and uncertainties that require specific Board oversight. The strategic objectives set by EVRAZ are aligned with, and risk mitigation actions are reflective of, the risk appetite approved by the Board. The Group takes a robust approach in relation to risk management. Risk appetite for some specific business processes (for example, health and safety, fraud, security, bribery and corruption) is assessed, defined and evaluated separately from the rest of the processes.

Management reassesses the risk appetite at least once a year through the Risk Management Group, which reports on the analysis to the Audit Committee. The committee then makes recommendations to the Board regarding the level of risk appetite.

The Risk Management Group and the Audit Committee last reviewed the Group’s risk profile in November 2021.

Based on the results of the most recent review, management concluded that the risk-acceptance approach employed by EVRAZ had not changed and that the risk appetite remained the same as in the prior year. An appropriate recommendation regarding the level of risk appetite was made to the Audit Committee and to the Board on 18 November 2021.

Internal audit

Internal audit is an independent appraisal function established by the Board to evaluate the adequacy and effectiveness of controls, systems and procedures at EVRAZ, which helps to reduce business risks to an acceptable level in a cost-effective manner. The Board approved the internal audit charter on 26 February 2020. The Audit Committee reviewed the charter on 20 January 2022 and agreed with no changes.

The internal audit function’s role in the Group is to provide an independent, objective, innovative, responsive and effective value-added internal audit service. This is achieved through a systematic and disciplined approach based on assisting management in controlling risks and monitoring compliance, as well as improving the efficiency and effectiveness of internal control systems and governance processes. Once a year, the function provides an opinion of the overall effectiveness of the internal controls in place at EVRAZ.

During 2021, the Group’s head of internal audit and the secretary of the Audit Committee attended all the committee’s meetings and addressed any reported deficiencies in internal control as required by the committee.

The internal audit planning process starts with the Group’s strategy and includes the formal risk assessment process, consideration of the results of management’s internal control self-assessment and the identification of management concerns based on the results of previous audits. It ends with an internal audit plan, which the Audit Committee approves.

Audit resources are predominantly allocated to areas of higher risk and, to the extent considered necessary, to financial and business controls and processes, with appropriate resource reservation for ad hoc and follow-up assignments.

In 2021, internal audit projects covered the following risks at the Group:

  • Cost effectiveness.
  • Product competition.
  • HSE: health and safety.
  • HSE: environmental.
  • Capital projects and expenditure.
  • Human resources.
  • Transportation, sourcing, raw materials and energy supply.
  • Digital effectiveness, as well as effective, efficient and continuous IT service.

The internal audit function at EVRAZ is structured on a regional basis, reflecting its geographic spread of operations. The internal audit function aligns common internal audit practices throughout the Group through quality assurance and improvement programmes.

With the current speed of technological change and the emergence of new risks, internal audit goes beyond the traditional approach and develops new competencies, such as the use of analytical tools for big data analysis, to better identify potential risks that threaten the company’s ability to achieve its goals.

Components of the internal control system

Component: Assurance framework — principal entity-level controls to prevent and detect error or material fraud, as well as to ensure the effectiveness of operations and compliance with principal external and internal regulations

Basis for assurance:

  • Annual self-assessment by management at all major operations of the internal control system using the EVRAZ Assurance Framework.
  • Review of the self-assessment by the internal audit function.
  • Assessment of the overall effectiveness of the governance, risk and control framework.

Action in 2021: In 2021, the internal audit function reviewed the results of management’s internal control self-assessment and evaluated the overall effectiveness of the governance, risk management and internal control system. All major production sites were certified as having effective overall governance, risk management and internal control.

Component: Investment project management

Basis for assurance:

  • Effectiveness of project management and management of project risks is monitored by an established management committee and subcommittees.
  • Reviewed by the internal audit function.

Action in 2021: Project delivery is closely monitored against project plans, resulting in high-level action to manage project investment for both timely delivery and planned project expenditure (including the management committee, the BU's Investment Committee and the Corporate Investment Committee).

Component: Operating policies and procedures

Basis for assurance:

  • Implemented, updated and monitored by the management.
  • Reviewed by the internal audit function.

Action in 2021: Operating policies and procedures are updated as per internal initiatives by the operational management and in response to recommendations from the internal audit function.

Component: Operating budgets

Basis for assurance:

  • Approved by the Board.
  • Monitored by the controlling unit.
  • Reviewed by the internal audit function.

Action in 2021: Operating budgets are prepared by the executive management and approved by the Board.

Objectives for 2022

Further development of the risk management system and risk management practices is planned for 2022. In 2021, the Group focused on enhancing its health and safety risk management methodology, including the risk of mass quarantine of workers due to COVID-19. This work will continue in 2022.

In 2022, in addition to continuing to implement ongoing initiatives that aim to improve risk management (in HSE, equipment maintenance and repairs, IT projects and other processes), the Group plans to focus more on addressing environmental risks, which have always been a focal point for management and are recognised as principal risks. EVRAZ also continues to work closely on other risks related to climate change and sustainability development, including decarbonisation, biodiversity and social risks, among others.