Risk management and internal control
Risk management framework
The Group’s business and operations are exposed to various business risks. While a number of these risks are operational or procedural in nature, several of these risks are inherent in the character and arise from the jurisdiction of the Group’s international business activities, and others relate to changes in the global economy and are largely outside management’s control.
The Board of Directors is ultimately responsible for maintaining our risk management and internal control systems. The Board defines the Group’s risk appetite, being a measure of residual risk by impact and probability, and is responsible for monitoring our risk exposures to ensure that the nature and extent of significant risks taken by the Company are aligned with our overall goals and strategic objectives.
The Audit Committee supports the Board of Directors in monitoring our risk exposures and has been delegated responsibility for reviewing the effectiveness of our risk management and internal control systems. The Internal Audit provides assurance to the Audit Committee as to the effectiveness of internal controls and risk management systems through its audit of these systems and follow-up on implementation of mitigation actions by management. The Executive Risk Committee assesses risk exposure and evaluates the adequacy of processes in place to mitigate these risks and their implementation by management at the Group and Regional levels. Detailed risk assessment and evaluation of risk issues at the site, plant, mine and operational level were instigated in 2012. Substantially operational risks are managed by the Group’s operational controls which are attested by Internal Audit; however, the Group is now instigating a parallel risk management process and culture at the
Risk management processes and internal controls operate across our steel plants, mines, ancillary service operations, capital projects and administrative functions. Risk management and internal control procedures are embedded within our business practices across functional areas including finance, HSE, human resources, procurement, IT, legal, security and insurance management. There is detailed assessment of safety risks at all hazardous workplaces, steel plants and mines, and of project risks for all major projects, which from 2012 include environmental risk assessments. The finance and strategic risks of major projects are prepared by the executive and presented to the Board for its consideration, and key associated risks are kept under regular review by the Board.
Regional risk committees have been set up in all major regions of the Group’s assets and lead the process of deploying risk management at our major steel and mining operations. The Group Enterprise Risk Management (ERM) process is designed to identify, quantify, respond to and monitor the consequences of a Risk Committee agreed executive risk register that encompasses both internal and external critical risks.
This process is consistent with the listing rules published by the UK Financial Services Authority and is based on the Turnbull Guidance on Internal Control.
The ERM process is fully supported by the Board, the Audit Committee and executive management. Senior management is tasked with the development of the ERM process, identifying key risk elements and, to further risk management accountability, executive management is assigned ownership of the relevant risk areas, according to their designated functions.
Executive oversight of the Group risk profile is mandated to the Group’s Executive Risk Committee, under the chairmanship of the Audit Committee Chairman and including the Group’s CEO and Group’s Vice Presidents. The role and responsibility of the Executive Risk Committee is to keep under review risk identification and the evaluation of risks and to supervise the entire risk management process including response and mitigation procedures. Particular scrutiny is given to risks having an ‘inherent’ risk greater than the Group’s risk appetite and the mitigating actions to manage, where feasible, to a ‘residual’ risk evaluation directed below the Group’s risk appetite.
The Group’s executive management is responsible for embedding the agreed Risk Management related internal controls and mitigating actions throughout the entirety of the Group’s business and operations and through all levels of management and supervisory personnel. Such practices serve to encourage a risk conscious business culture.
EVRAZ applies the following core principles to the identification, monitoring and management of risk throughout the organisation:
The processes of preparation of Consolidated Financial Statements are designed to prevent any material misstatements and present such Financial Statements fairly in accordance with the Group’s accounting policies. The use of our standard accounting manual and reporting pack by our finance teams throughout the Group ensures that transactions are recognised and measured in accordance with prescribed accounting policies and that information is gathered and presented in a consistent way that facilitates the production of the Consolidated Financial Statements.
The Audit Committee has the primary oversight role of the Group’s internal control regime and has direction as to the internal audit function resources and the annual audit programme thereby ensuring that the Group’s ongoing internal control process is adequate and effective.
Internal audit is an independent appraisal function established by the Board to evaluate the adequacy and effectiveness of controls, systems and procedures within EVRAZ, in order to reduce business risks to an acceptable level in a cost-effective manner. The latest version of the Internal Audit Charter of EVRAZ plc was approved by the Board on 5 March 2015.
The role of the Internal Audit Department in the Group is to provide an independent, objective, innovative, responsive and effective value-added internal audit service through a systematic and disciplined approach by assisting management in controlling risks, monitoring compliance, improving the efficiency and effectiveness of internal control systems and governance processes.
EVRAZ’s Head of Internal Audit attends all the meetings of the Audit Committee and addresses any reported deficiencies in internal control as required by the Audit Committee. The Audit Committee continued to engage with executive management during the year to monitor the effectiveness of internal control and accordingly considered certain deficiencies that had been identified in internal control together with management’s response to such deficiencies.
The internal audit planning process starts with the Group’s strategy, includes the formal risk assessment process and the identification of management concerns based on previous audit results, and ends with an internal audit plan which is approved by the Audit Committee. Audit resource is predominantly allocated to risky areas and, to the extent considered necessary, is allocated to the company/processes universe with appropriate reservation for ad hoc and follow-up assignments.
The Company’s internal audit is structured on a regional basis, reflecting the developing geographic diversity of the Group’s operations. In light of this, the head office internal audit function has been in the process of aligning common internal audit practices throughout the Group through its quality assurance and improvement programmes.
Policy for approval of services to be provided by EVRAZ external auditor
Further information regarding the Company’s risk management and internal control processes can be found in the Company’s Annual Report.