Risk management and internal control
Risk management framework
The Group’s business and operations are exposed to various business risks. While a number of these risks are operational or procedural in nature, several of these risks are inherent in the character and arise from the jurisdiction of the Group’s international business activities, and others relate to changes in the global economy and are largely outside management’s control.
The Board of Directors is ultimately responsible for maintaining our risk management and internal controls systems. The Board defines the Group’s risk appetite, being a measure of residual risk by impact and probability, and is responsible for monitoring our risk exposures to ensure that the nature and extent of significant risks taken by the Company are aligned with our overall goals and strategic objectives.
The Audit Committee supports the Board of Directors in monitoring our risk exposures and has been delegated responsibility for reviewing the effectiveness of our risk management and internal control systems. The Internal Audit provides assurance to the Audit Committee as to the effectiveness of internal controls and risk management systems through its audit of these systems and follow-up on implementation of mitigation actions by management. The executive management assesses risk exposure and evaluates the adequacy of processes in place to mitigate these risks and their implementation by management at the Group and Regional levels.
Risk management processes and internal controls operate across our steel plants, mines, ancillary service operations, capital projects and administrative functions. Risk management and internal control procedures are embedded within our business practices across functional areas including finance, HSE, human resources, procurement, IT, legal, security and insurance management. There is detailed assessment of safety risks at all hazardous workplaces, steel plants and mines, and of project risks for all major projects, environmental risk assessments, etc. The finance and strategic risks of major projects are prepared by the executive and presented to the Board for its consideration and key associated risks are kept under regular review by the Board.
The Risk Management Group (a management body whose members include the relevant senior and responsible executive management of the Company) has been established to keep under review risk identification and the evaluation of risks and to supervise the entire risk management process including response and mitigation procedures. Particular scrutiny is given to risks having an ‘inherent’ risk greater than the Group’s risk appetite and the mitigating actions to manage, where feasible, to a ‘residual’ risk evaluation directed below the Group’s risk appetite. The Group Enterprise Risk Management (ERM) process is designed to identify, quantify, respond to and to monitor the consequences of an executive risk register, approved by the Risk Management Group, that encompasses both internal and external critical risks.
This process is consistent with the listing rules published by the UK Financial Conduct Authority and the regulatory requirements published by the UK Financial Reporting Council.
The ERM process is fully supported by the Board, the Audit Committee and executive management. Senior management is tasked with the development of the ERM process, identifying key risk elements and, to further risk management accountability, executive management is assigned ownership of the relevant risk areas, according to their designated functions. The Group’s executive management is responsible for embedding the agreed risk management related internal controls and mitigating actions throughout the entirety of the Group’s business and operations and through all levels of management and supervisory personnel. Such practices serve to encourage a risk conscious business culture.
EVRAZ applies the following core principles to the identification, monitoring and management of risk throughout the organisation:
- Risks are identified, documented, assessed, monitored, tested and the risk profile communicated to the relevant risk management team on a regular basis;
- Business management and the risk management team are primarily responsible for ERM and accountable for all risks assumed in their operations;
- The Board is responsible for assessing the optimum balance of risk through the alignment of business strategy and risk tolerance on an enterprise-wide basis;
- All acquired businesses are brought within the Group’s system of internal control as soon as practicable.
EVRAZ’s system of internal control has been designed to manage rather than eliminate the risk of failure to achieve business objectives and provide reasonable but not absolute assurance against material misstatement or loss. Consistent with its governance policies, the Group continues to improve the process through which the effectiveness of its system of internal control can be regularly reviewed as required by provision C.2.1 of the UK Corporate Governance Code. The process enables the Board and the Audit Committee to review the effectiveness of the system of internal control in place within the Group to manage significant business, operational and financial risks (including environmental, safety and ethical risks) throughout the year.
The processes of preparation of Consolidated Financial Statements are designed to prevent any material misstatements and present such Financial Statements fairly in accordance with the Group’s accounting policies. The use of our standard accounting manual and reporting pack by our finance teams throughout the Group ensures that transactions are recognised and measured in accordance with prescribed accounting policies and that information is gathered and presented in a consistent way that facilitates the production of the Consolidated Financial Statements.
The Audit Committee has the primary oversight role of the Group’s internal control regime and has direction as to the internal audit function resources and the annual audit programme thereby ensuring that the Group’s ongoing internal control process is adequate and effective.
Internal audit is an independent appraisal function established by the Board to evaluate the adequacy and effectiveness of controls, systems and procedures within EVRAZ, in order to reduce business risks to an acceptable level in a cost-effective manner. The latest version of the Internal Audit Charter of EVRAZ plc was approved by the Board on 27 February 2019.
The role of the Internal Audit Department in the Group is to provide an independent, objective, innovative, responsive and effective value-added internal audit service through a systematic and disciplined approach by assisting management in controlling risks, monitoring compliance, improving the efficiency and effectiveness of internal control systems and governance processes.
EVRAZ’s Head of Internal Audit attends all the meetings of the Audit Committee and addresses any reported deficiencies in internal control as required by the Audit Committee. The Audit Committee continued to engage with executive management during the year to monitor the effectiveness of internal control and accordingly considered certain deficiencies that had been identified in internal control together with management’s response to such deficiencies.
The internal audit planning process starts with the Group’s strategy and includes the formal risk assessment process, and the process of identification of management concerns based on the previous audit results, and ends with an internal audit plan which is approved by the Audit Committee. Audit resource is predominantly allocated to risky areas and to the extent considered necessary is allocated to the company/processes universe with appropriate reservation for the ad hoc and follow-up assignments.
The Company’s internal audit is structured on a regional basis, reflecting the developing geographic diversity of the Group’s operations. In light of this, the head office internal audit function has been in the process of aligning common internal audit practices throughout the Group through its quality assurance and improvement programmes.
Policy for approval of services to be provided by EVRAZ external auditor
Further information regarding the Company’s risk management and internal control processes can be found in the Company’s Annual Report.