Risk management reporting. Risk management report of XXX LLC
The risk management system is part of common system management of the Group and is aimed at ensuring sustainable development as part of the implementation of the Development Strategy of Sberbank 2020. The risk management system of the Group is formed taking into account the requirements of the Bank of Russia and regulations Russian Federation, as well as the recommendations of the Basel Committee on Banking Supervision.
The Group is constantly improving its risk management system; consistent implementation and improvement of risk management methods and processes is carried out both at the integrated level and at the level of management systems for certain types of risks.
One of the bank's key achievements in 2017 was obtaining approval to apply the Internal Ratings Based Approach (IRB) to credit risk assessment. The permission was issued by the Banking Supervision Committee of the Bank of Russia on November 16, 2017 and became effective on January 1, 2018 after the decision of the Supervisory Board to apply the IRB approach.
The transition to IRR will allow Sberbank to more accurately assess credit risk for the purposes of calculating capital adequacy ratios, as well as introduce a system strategic management business, taking into account the consumed capital in accordance with the best world practices.
The following is a summary of the Group's risk management. For more detailed information about the Group's risks, see the report "Information on Risks Accepted, Procedures for Their Assessment, and Management of Risks and Capital of the Banking Group" on the corporate website of Sberbank.
Risk Management Principles
The basic principles of risk management are defined in the Risk and Capital Management Strategy of Sberbank Group, the second edition of which was approved by the Supervisory Board in April 2017 (the Strategy can be found here).
Risk awareness
The decision to conduct any operation is made only after a comprehensive analysis of the risks arising from such an operation.
Management of activities taking into account the accepted risk
Priority directions for the development and allocation of capital are determined based on the analysis of risk-adjusted performance indicators.
Top management involvement
Supervisory Board, President, Chairman of the Board, Management Board and others collegiate bodies Sberbank, and supervisory boards and executive bodies members of the Group regularly review reports on the level of accepted risks and violations of established risk management procedures, limits and restrictions.
Risk limitation
The Group has a system of limits and restrictions that ensures an acceptable level of risks within the established Risk Appetite.
Separation of functions, powers and responsibilities
The distribution of functions and responsibilities between the divisions of Sberbank and the Group members is carried out in accordance with the principle of "three lines of defense".
Centralized and decentralized approaches
The Group uses a combination of centralized and decentralized approaches to risk management and capital adequacy to ensure the most efficient.
Usage information technologies
Risk and capital adequacy management is based on the use of modern information technologies that improve the quality and efficiency of decision-making.
Improving methods
Methods for managing risks and capital adequacy are constantly being improved, procedures, technologies and Information Systems taking into account the set strategic objectives, changes in external environment, innovations in international practice.
risk culture
The Group is implementing a project to develop a risk culture, the goals of which are to develop behavior among employees in which they openly discuss and respond to existing and potential risks, and also show intolerance for ignoring, hushing up risks and the risky behavior of others.
Risk culture complements the existing formal mechanisms and is an integral part of the integrated risk management system.
The formation of a risk culture occurs through three main channels: the personal example of the head, general banking communications and training. At the end of 2017, 89% of Sberbank employees completed risk management training programs. Communication between managers and employees on the risk culture was held in most divisions of Sberbank and covered 80% of the Group's employees. Similar activities have been started in subsidiary banks. Regular information campaigns are carried out in the bank-wide communication channels to promote the targets of risk-prudent behavior.
Risk-based motivation system
The Group's remuneration system ensures that the amount of employee remuneration is in line with the nature and scale of operations performed, performance results, and the level and combination of risks assumed.
Information disclosure
All information on risk management and capital adequacy required in accordance with the requirements of regulators is subject to timely disclosure.
The risks associated with the geographical features of the regions include: the risk of losses (for example, the failure of fixed assets) due to manifestations of seismic activity, avalanches and mudflows, likely landslides and rain floods, as well as other adverse weather conditions (hurricanes , heavy snowfalls, frosts, etc.).
In general, the regions of the Company's operations are characterized by a developed transport infrastructure and are not subject to risks associated with the termination of transport communications. At the same time, some generating assets are located in remote areas with a harsh climate, including in the Krasnoyarsk Territory and in some areas of the Far Eastern Federal District.
The Company is working to improve access technologies and operations in harsh climatic conditions in these areas. However, there can be no guarantee that additional costs will not be required to overcome the technical difficulties associated with the climate and accessibility of these places, which may have a negative impact on income, financial condition, performance results and prospects of the Company. Within the foreseeable future, these risks are assessed as insignificant.
ACT OF TERRORISM
Due to the tense political and social situation, increased activity of bandit formations in the North Caucasus, a high probability of local and regional armed conflicts, a growing threat from international terrorism, an increase in the level of political instability in a number of developing countries due to economic crisis, the activity of radical organizations, the development of industrial terrorism PJSC RusHydro is afraid of possible risks associated with terrorist activity, including at facilities located in the North Caucasus.
To mitigate these risks, ongoing security efforts are underway. Implemented Comprehensive program to ensure the security and protection against terrorism of the Company's facilities. Regular inspections of the anti-terrorist security of facilities and training of personnel are carried out, including through specialized anti-terrorist exercises and drills.
This risk is listed as one of the three key risks for Russia in the Global Risks Report of the annual World Economic Forum in Davos (Global risks 2015), along with the risk of interstate conflicts and sharp fluctuations in energy prices.
A plan was implemented to improve the security of the Company's facilities, within the framework of which changes were made to the current safety program at plants, including those under construction. Monitoring of factors influencing the state of security of objects is carried out, audits of information and technical security are carried out.
Armed security of facilities is carried out by the Federal State Unitary Enterprise " Departmental security» Ministry of Energy of Russia. Plans have been developed for interaction with law enforcement agencies to protect facilities in the event of a terrorist act being committed or threatened. On the territory of the Company's facilities, access and intra-site regimes have been introduced. Together with law enforcement agencies, work is underway to prevent theft. The most dangerous threats are assessed and plans for the elimination of consequences are developed together with the civil defense and emergency services of the constituent entities of the Russian Federation (at the location of generating assets). The main equipment of the Company is insured, including against terrorist attacks.
SEISMIC TERRITORIES
Most of the Company's facilities are located in seismically quiet regions, however, such facilities as Pauzhetskaya GeoPP and Verkhne-Mutnovskaya GeoPP are located in a seismically hazardous zone with a possible earthquake strength of up to 9 on the Richter scale. In 2014, the seismological network of the Dagestan branch of VNIIG named after V.I. B.E. Vedeneeva. Also, work was carried out on seismometric control of the structures of the Bureyskaya HPP.
In the event of an earthquake, an emergency action plan has been developed, the situation is constantly monitored, and seismic monitoring stations are operating at the Company's facilities. Issues of transport communication are worked out in advance with an emphasis on the above-mentioned risk, the scheme for the delivery of goods and people is being optimized. All the Company's facilities comply with the requirements of seismic resistance standards.
SEASONAL FLOOD ZONES
Seasonal flood risks play an important role in the Company's activities and are included in the list of significant risks for the Company. To minimize them, water regimes are managed, including forecasting and monitoring of hydrological regimes at facilities, regulation of reservoirs, construction and operation of spillways, and other activities.
In order to prepare for the passage of the spring-summer flood, the Company's branches set up flood commissions. They are working to ensure a trouble-free passage of the flood season. In particular, in reporting period surveys of the ice situation in the area of the dam site of the Bureyskaya HPP, inspection of the permanent supports of the floodwaters were carried out in order to ensure their readiness for operation during the flood period, check the readiness of backup power supply sources (diesel generator sets), release the gates of the operational spillway from icing and ice fast ice in order to ensure the possibility of maneuvering them, inspections of hydraulic structures, the drainage system of the dam, the building of the hydroelectric power station and the installation site, visual inspections of the junction of the body of the dam to the banks from the side of the upstream and downstream pools.
Traditional agreements were signed between the Bureyskaya HPP and the Government of the Amur Region, the administration of the Bureysky District and the territorial bodies of the Ministry of Emergency Situations and Rostekhnadzor on the procedure for interaction on issues of prompt submission of information and prompt response parties to emergency situations during the period of flood skipping. The branch of PJSC RusHydro - Zeya HPP signed agreements on the procedure for interaction on the prompt provision of information and the response of the parties to emergency situations during the period of high water passing through the hydraulic structures of the Zeya HPP with the Operations Department of the Zeya reservoir, the administration of the city of Zeya and the Zeya district. Similar work is being done on other objects.
All the Company's facilities operated in accordance with the instructions of the interdepartmental working group under the Federal Water Resources Agency. Control of the state of production assets was strengthened. In 2015, no accidents were recorded at the Company's facilities.
In an era of economic and financial crisis risk management is the most topical issue facing Russian industrial companies. The processes of globalization are becoming another source of economic risks, so the use of the basics of risk management in management will contribute to the achievement of the goals and objectives of chemical companies, although, of course, it will not reduce the likelihood of various kinds of risks to zero.
The introduction of a risk management system at enterprises makes it possible to:
- identify possible risks at all stages of activity;
- predict, compare and analyze emerging risks;
- develop the necessary management strategy and a set of decision-making to minimize and eliminate risks;
- create the conditions necessary for the implementation of the developed measures;
- monitor the operation of the risk management system;
- analyze and control the results.
The features of risk management include: the need for the management of companies to have anticipatory thinking, intuition and foresight of the situation; the possibility of formalizing the risk management system; the ability to respond quickly and identify ways to improve the functioning of the organization, reduce the likelihood of an undesirable course of events.
Comprehensive risk management system ERM (Enterprise risk management) in many foreign companies, for example, in the USA, is already used quite widely, since the owners of large world companies have already made sure in practice that the old management methods do not correspond to modern ones. market conditions and unable to provide successful development their business.
The application of risk management implies a clear distribution of responsibility and authority between all structural units. Top management functions include appointing those responsible for the implementation of the necessary risk management procedures at all levels. Such decisions should be in line with strategic goals and the objectives of the company and not violate the terms of applicable law. At the same time, it is necessary to correctly distribute among the executors the measure to identify risks and the functions of control over the created risk situation.
Risk management as a key tool aimed at improving performance
Risk management is one of the key tools to improve the effectiveness of enterprise management programs that they can use to reduce product life cycle costs and mitigate or avoid potential problems that could interfere with the success of the enterprise.
Achieving the goals of the enterprise requires specific ideas about the main activity, production technologies, as well as studying the main types of risks. Prevention of risks and reduction of losses from impact leads to sustainable development of the enterprise. The process by which the activities of an enterprise are directed and coordinated in terms of the effectiveness of risk management and constitutes risk management. Risk management is the process of identifying the losses an organization faces in its core business and their impact, and selecting the most appropriate method to manage each. separate view risk.
In another view, risk management is a systematic process in which risks are assessed and analyzed in order to reduce or eliminate their consequences, as well as to achieve goals.
Based on the foregoing, it can be concluded that risk management to ensure the viability and efficiency of an enterprise is a cyclical and continuous process that coordinates and directs the main activities. It is advisable to do this by identifying, controlling and reducing the impact of all types of risks, including monitoring, contacts and consultations aimed at meeting the needs of the population, without compromising the ability of future generations to meet their own needs. Risk assessment leads to the stability of the enterprise, contributing to its sustainable development. Risk management is a contribution to sustainable development and is an essential factor in maintaining and improving stable activity enterprises. Proactive risk management is critical to the management process to ensure that risks are being handled at the appropriate level.
Planning and implementation of risk management includes the following steps:
- Management of risks;
- identification of risks and the degree of their impact on business processes;
- application of quality and quantitative analysis risks;
- development and execution of risk response plans and their implementation;
- monitoring risks and management processes;
- the relationship between risk management and performance;
- evaluation of the overall risk management process.
Methodology (program) for continuous risk management
In order to facilitate risk management activities, an enterprise needs to develop a methodology (program) for continuous risk management (CRRM). MNRM is a theoretically significant program aimed at developing project management mechanisms with best practice processes, methods and tools for enterprise risk management. It provides conditions for active decision-making, continuous risk assessment, determining the degree of significance and the level of impact of risks on management decisions, and implementing strategies to combat them. In addition, progress can also be made in the scope of the project, the budget of the enterprise, the timing of its implementation, etc. Figure 1 clearly illustrates the methodology of the continuous risk management process.
Rice. 1. Continuous risk management process
The performance management process acts as an auxiliary tool for obtaining the information necessary for the developed risk management mechanism. Unfavorable trends should be analyzed and assessed for their impact on this mechanism. Appropriate actions of the control mechanism should be taken for those areas of activity that are defined as basic in the business processes of the enterprise. Corrective actions may include a reallocation of resources (funds, personnel, and rescheduling of production) or the activation of a planned risk mitigation strategy. Severe cases, adverse trends and key indicators can also be taken into account when using this mechanism.
It is important that this mechanism emphasizes the need to reassess the identified risks that systematically affect the activities of the enterprise. As the system goes through life cycle development, in this case most of information will become available for risk assessment. If the magnitude of the risk changes significantly, approaches to its treatment should be adjusted.
Overall, this progressive approach to risk management is critical to a comprehensive management process and ensures that risk metrics are handled efficiently and at the appropriate level.
Development of a risk management program at the enterprise
Consider the risk management policy that should be applied in the enterprise. The developed mechanism (program) should be aimed at effective and continuous risk management. Thus, early, accurate and continuous identification and assessment of risks is encouraged, and the creation of informationally transparent risk reporting, planning of measures to reduce and prevent changes in external and internal conditions will have a positive impact on the program.
This mechanism, including relationships with counterparties and contractors, should perform the functions of identifying risks and monitoring them. For its implementation, it is necessary to have a plan in the form of a set of guidance documents developed for specific areas of activity. This plan sets out the guidelines for the implementation of the ISDM in a specific time frame. It does not affect the conduct of other activities of the entire enterprise, but rather can provide management leadership in risk management.
The risk management process must meet a number of requirements: it must be flexible, proactive, and must also work towards providing conditions for effective decision-making. Risk management will influence risks by:
- encouraging risk identification;
- decriminalization;
- identifying active risks (constant assessment of what could go wrong);
- identifying opportunities (constantly evaluating the likelihood of favorable or timely cases);
- estimates of the likelihood of occurrence and severity of impact for each identified risk;
- determining appropriate courses of action to reduce the possible significant impact of risks on the enterprise;
- developing action plans or steps to neutralize the impact of any risk that needs to be mitigated;
- maintaining continuous monitoring of the occurrence of risks with a negligible degree of impact at the present time, which may change over time;
- production and dissemination of reliable and timely information;
- facilitating communication between all program stakeholders.
The risk management process will be carried out in a flexible manner, taking into account the circumstances in which each risk occurs. The main risk management strategy is to identify the critical areas of risk events, both technical and non-technical, and take the necessary measures in advance to deal with them before they have a significant impact on the enterprise, causing serious costs, reducing product quality or productivity.
Let us consider in more detail the functional elements that are components of the risk management process: identification (detection), analysis, planning and response, as well as monitoring and management. Each functional element will be discussed below.
- Identification
- Data review (i.e. earned value, critical path analysis, integrated scheduling, Monte Carlo analysis, budgeting, defect analysis and trend analysis, etc.);
- Consideration of submitted risk identification forms;
- Conducting and assessing risk using brainstorming, individual or group peer review
- Conducting an independent assessment of identified risks
- Enter the risk in the risk register
- Risk identification/analysis of tools and methods to be used include:
- Interview methods for determining risk
- Fault tree analysis
- Historical data
- Lessons learned
- Risk Accounting - Checklist
- Individual or group judgment of experts
- Detailed work breakdown structure analysis, resource exploration and scheduling
- Analysis
- Conducting a probability assessment - each risk will be assigned a high, medium or low level probability of occurrence
- Creation of risk categories – identified risks should be associated with one or more of the following risk categories (e.g. cost, timing, technical, software, process, etc.)
- Assess the impact of risks - evaluate the impact of each risk depending on the identified risk categories
- Determining Risk Severity - assign probabilities and rating impacts in each of the risk categories
- Determine when the risk event is likely to occur
- Planning and response
- risk priorities
- Risk Analysis
- Appoint a person responsible for the occurrence of the risk
- Determine an appropriate risk management strategy
- Develop an appropriate risk response plan
- Make an overview of priorities and determine its level in reporting
- Supervision and control
- Define reporting formats
- Define review form and frequency of occurrence for all risk classes
- Risk report based on triggers and categories
- Conducting a risk assessment
- Submission of monthly risk reports
For effective risk management at the enterprise, we consider it expedient to create a risk management department. The main responsibilities of this structural unit, including for staff and other users (including employees, consultants and contractors), in order to successful implementation risk management strategies and processes are given in Table. one.
Table 1 — Risk Management Department Roles and Responsibilities
| Roles | Assigned duties | |
| Program Director (DP) | oversight of risk management activities. Risk monitoring and risk response plans. Approval of the decision to finance risk response plans. Monitoring of management decisions. | |
| Project Manager | assisting in the control of risk management activities Assistance in creating organizational authority for all risk management activities. Timely response to funding risk. | |
| employee | facilitating the implementation of risk management (the employee is not responsible for the identification of risks, or the success of individual risk response plans). The need to encourage proactive decision-making in determining appropriate risk responses for risk owners and department managers. Stakeholder administration and commitment, risk management process Ensuring regular coordination and exchange of information on risk between all stakeholders, Management of risks in the registered risk register (database). Development of knowledge of personnel and contractors in the field of risk management activities. | |
| Secretary | the functions of the secretary are performed by an employee of the risk department or they alternate between all employees. Features include: Planning and coordinating meetings; Preparing meeting agenda, risk assessment packages, and meeting minutes. Get and track the status of proposed risk types. Performing an initial assessment of the proposed types of risk to determine the most important. Expert in the subject area of risk analysis at the request of the Chairman of the Board of Directors. Facilitate analysis by members of the Board of Directors who will decide whether risk mitigation is necessary. Regular coordination and communication of risk information exchange with all stakeholders, | |
| Department Director (DO) | appointment of risk owners in their area of responsibility and / or competence. Active promotion of employees Tracking the integration of risk management efforts of responsible persons in their areas of responsibility. Selecting and approving a risk response strategy. This includes approving resources (e.g. owner risk) for further risk analysis and/or drawing up a more detailed risk response plan if necessary. Approval of all tasks. Assign resources to the risk management response contained in the detailed plan. |
|
| Individual member of the Office of Management (OMP) program | identification of risks. Access to risk management data Identification of possible risks from the data using a standard form of identification if necessary Drawing up and implementing a risk response plan Determination of the time and all costs associated with the implementation of the risk response plan |
|
| Risk owner / Responsible person | attending meetings of the risk management department. Review and/or provision of relevant data, e.g. critical path analysis, project management/data support tools, defect analysis, auditing, and the possibility of adverse trends Participation in the development of response plans Risk status report and effectiveness of risk response plans Work to identify means of responding to risks through any additional or residual risk. |
|
| Integrated Brigade (KB) | identification and provision of information on the risks that may arise as a result of the CB's activities. Participation in the planning of any risk in accordance with this program. Such planning requires coordination with the risk management department, who, acting as a guide, can help acquire resources to respond to risks. Report on the progress and results of the risk response. |
|
| Quality control | control and review of the RCM when updating or changing the plan Commitment to maintain the quality of documentation practices and risk management processes |
|
Risk management functions consist in organizing interaction with existing divisions organizational structure. CPIs are formed for functional areas that are critical to the successful implementation of the objectives. All functional departments or business processes not covered by the CU are assessed and reviewed by the DP, PM, and employees to ensure adequate behavior in relation to the occurrence of risk. Risk identification is the process of determining which events may affect the operation of the enterprise and documenting their characteristics. It is important to note that risk identification is an iterative process. The first iteration is a pre-assessment and risk check of the team, as needed, with a risk ID. The second iteration includes presentation, review and discussion. The risk management process includes three separate risk characterization steps: identification, assessment and adjustment, and confirmation.
A graphical representation of the risk identification process is shown in fig. 2.
Rice. 2. Structural scheme risk identification algorithm
As a result of its implementation, a set of measures can be developed to assess the operational risks of an enterprise, an integral risk, the quantitative assessment of which is based on complex analysis financial and accounting reporting, and assessing the integral risk based on all levels of responsibility of the enterprise.
Conclusion
Risk management at chemical enterprises must be carried out within the framework of system and process approaches, taking into account the specifics of the industry using modern effective methods management and production organizations, as well as using risk management tools. The risk management system for the activities of a chemical enterprise must necessarily take into account the safety requirements established by government bodies authorities, and ensure the safety and health of personnel associated with a hazardous technological facility. For the purpose of effective risk management of an enterprise, an integral risk management system is needed, which consists in integrated approach to the assessment of the maximum number of risk factors for the enterprise's activities carried out in a dynamic economic environment. The author believes that the development of the above set of measures will be accompanied by an increase in the level of management and risk assessment in industrial organizations.
The reporting is formed by the RM, is coordinated (approved) by the Risk Committee under the Management Board and submitted for consideration to the Audit Committee under the Board of Directors for further approval by the Board of Directors.
The Risk Committee must be established under the Management Board of the Enterprise. The Risk Committee should include heads of departments - Risk Owners, including the risk manager. The head of the Committee should be the Chairman of the Board of the Enterprise.
Based on the results of the annual full-scale survey and / or interviewing of the employees of the Company (as well as the Managing Directors, members of the Management Board, members of the Board of Directors of the Company and Corporate Secretary) carried out by the RM, the risks are identified and assessed. The Risk Register and the Risk Map are being formed.
Identification and evaluation is carried out at two levels:
- 1) at the organization level: structural subdivision, block, Enterprise, Subsidiary organization;
- 2) at the level of activities:
- - at the functional level (planning, ecology, production, health and safety, supply, etc.);
- - at the level of business processes.
In addition to this mandatory procedure, it should be noted that all employees of the Company must have a common understanding of the basic principles and approaches to risk management adopted by the Company, be able to report new / realized risks, respectively, the Risk Register and the Risk Map can be adjusted during the year.
These actions are carried out in accordance with the Risk Management Policy and the procedure for identifying risk assessments, which must be approved by the Board of Directors. Also, the Board of Directors must approve the Policies for managing individual (specific to the Enterprise) risks
The Risk Committee considers and approves (before being submitted for consideration by the Audit Committee under the BoD and further approval by the BoD) the following documents/ indicators:
- 1) Risk Register, Risk Map;
- 2) Action plan for managing critical risks;
- 3) risk and control matrix;
- 4) critical risk indicators that are recommended to be associated with key indicators activities (where possible);
- 5) risk appetite of the Enterprise;
- 6) tolerance levels for each critical risk.
- 7) limits;
- 8) quarterly Risk Management Report, which contains:
- - the above data;
- - description and analysis of critical risks of the Enterprise;
- - information on the implementation of the Action Plan for the management of critical risks;
- - information on the implementation of the Plan to improve the risk management system;
- - information about the realized risks and negative effects from the realization of the risk (if it happened);
- - changes in the Risk Map / Risk Register (if any);
- - information on non-compliance with risk limits (if any);
- - information about risk insurance;
- - information on significant deviations from the established risk management procedures (if any);
The Risk Committee annually approves (and monitors the implementation during the year) of the Action Plan to improve the risk management system. Data on the implementation of the plan are included in the quarterly Risk Management Report.
Audit Committee under the Board of Directors through the Service internal audit The enterprise performs the following main functions within the framework of risk management:
- 1) audit of risk management procedures and risk assessment methodology, with the development of proposals to improve the efficiency of risk management procedures;
- 2) annual submission of the Report on the effectiveness of the risk management system for approval by the Board of Directors, including at least once every three years the Report on independent evaluation risk management system prepared by an independent expert.
At the same time, the Board of Directors must approve the performance indicators of the risk management system, review them on a regular basis and, in accordance with them, evaluate the effectiveness of the risk management system.
In order to increase the responsibility of the Management Board for the effectiveness of the risk management system, the Management Board of the Enterprise annually submits to the Board of Directors a confirmation of the effectiveness of the risk management system of the Enterprise.
