2.2.1 Risk management and internal control
The Management Board of X5, supported by the Executive Board and the Risk Management Team, is responsible for designing, implementing and operating an adequately functioning risk management system for the Company. The aim of this system is to ensure that the extent to which the Company’s strategic and operational objectives are being achieved is understood, that the Company’s reporting is reliable and that the Company complies with relevant laws and regulations.
During 2017, the Management Board of X5, supported by the Executive Board, continued to pay special attention to strengthening the design and effectiveness of the risk management and internal control system, ensuring that:
- a comprehensive review of both internal and external risks is carried out at least annually;
- risk appetite is defined;
- risk impact is quantified;
- risks of both strategic and short-term objectives of X5 are assessed;
- desired risk responses and risk mitigating activities are put in place;
- the Company’s reporting is accurate and reliable; and
- the Company complies with relevant laws and regulations.
X5’s new risk management policy was developed and approved in 2016, providing an integrated approach to risk classification and assessment, risk mitigation and allocation of risk management responsibilities. The policy will be updated in 2018, providing more specific details on principles of managing risks, arranging responsibilities in accordance with changes in the organisational structure, and defining relations with and between other internal regulatory documents or management systems. The procedure for interaction on key risk management areas will be revised and formalised in a separate internal regulatory policy. The updated risk management and internal control systems will contribute to more open, usable and efficient interaction.
Under the authority delegated by the Management Board, management teams at all levels of the organisation are responsible for identifying, managing and monitoring relevant risks. The central Risk Management Team facilitates a company-wide view of risk-relevant issues, helps to develop risk management activities in both business and functional divisions and ensures that the Management Board is continuously and promptly informed of important risk management developments.
During the annual strategy review and budgeting process, Company management reassessed strategic Company risks and developed action plans to mitigate risks and allocate appropriate resources for risk mitigation. The results of risk mitigation actions are regularly monitored and reported to the Audit Committee quarterly. X5 is committed to mitigating its risks and extends risk management initiatives into the following year if required.
To ensure the effectiveness and completeness of the Company’s internal control system, X5 employs a three-tier model to establish and maintain control:
- The first tier of control requires each business unit to establish and operate the necessary controls for each of their specific business processes.
- The second tier of control is owned by various central functions that design and develop X5’s internal control systems, while also ensuring compliance with controls through monitoring and testing; the risk management, internal control and compliance teams are the central part of the second tier of control.
- The third tier of control is the Internal Audit function, which reports directly to X5’s Management Board, with direct access to the Audit Committee. The Internal Audit function’s role is to regularly assess, and recommend improvements to, the first and second control tiers of the Company.
In 2017, the Internal Control Policy, which outlines the framework and key requirements for internal control over X5's business processes, was approved. On an ongoing basis, the Internal Audit and Risk Management teams arrange and hold training for key employees across all businesses and functions on issues related to risk management and internal controls. The Company plans to enhance and further develop such activities.
Ethics and compliance culture
Values and business principles are crucial elements of the internal environment for risk management. X5 is committed to values and business principles that contribute to a culture of integrity and long-term value creation, and has established and internally communicated rules and policies that outline these values and principles, including X5’s Code of Business Conduct and Ethics; X5’s Policy on Countering Misconduct, Including Fraud and Corruption; and X5’s Declaration on Human Rights Protection (the ‘Policies’). These Policies are available on X5’s public website at www.x5.ru.
The principles of the Policies apply to all X5 employees. New employees are trained in the Code of Business Conduct and Ethics and acknowledge compliance with the Policies. In 2017, the Company continued to develop e-learning courses on the Policies, compulsory for all employees, specifically addressing integrity and transparency in dealings and relations with external parties.
The Policies also aim to help employees understand when and where to ask for advice or report a breach of the Policies, if necessary through the ethics hotline. All cases reported through the ethics hotline are thoroughly reviewed and investigated. X5 periodically reviews and updates the internal policies in line with new or amended legislation. Accordingly, in 2017, X5’s Policy on countering misconduct (including fraud and corruption) was thoroughly reviewed and brought in line with international rules, regulations and best practices.
The Company adheres to a principle of zero tolerance for corrupt and fraudulent activities, which is documented in X5’s Policy on Countering Misconduct, Including Fraud and Corruption, which was approved in 2017.
Employees are regularly made aware of new policies through newsletters published on the corporate intranet, and through additional communications highlighting key provisions of these documents in corporate videos and the standard Business Ethics section of the corporate news digest.
The central Compliance team is strongly embedded in the Company's businesses, monitors ongoing business processes and takes part in key projects to align business activities with applicable laws.
The Compliance team plays an important role in enhancing awareness of and compliance with the Policies.
The Compliance team also monitors X5 employees’ conflicts of interest. Significant potential conflicts of interest are reviewed by the Ethics Committee and reported to the Audit Committee.
Monitoring and assurance
Internal Audit provides independent and objective assurance of the impact of the above-mentioned control processes. Systematic and disciplined evaluations of risk management, internal control and governance activities are performed with the help of X5's Control Heat Map, which lists all the key business processes with an overall evaluation of the effectiveness of internal control in each business process. Following a risk-based audit planning approach, Internal Audit performs evaluations of operational, financial and information systems and tests of controls on key business processes that reveal internal control issues. Internal Audit provides recommendations to improve controls to the responsible executives. Action plans that address control issues raised by Internal Audit are prepared by business process owners and approved by the General Directors of retail formats or the Directors of corporate functions. The timely implementation of management action plans is monitored and followed up on a monthly basis, and the status of addressing these control issues is regularly reported and discussed with the CEO and the Audit Committee.