UC RUSAL Sustainability report 2016

Internal controls and risk management

Internal control

Internal control system

Main results in 2016

          119 audits were carried out, including 60% of unscheduled audits performed at the request of the Company's management. The audit plan approved by the Audit Committee for 2016 was fully implemented (100%).

          The creation of the Company's annual Risk Map, quarterly monitoring of the main risks and timely reporting of risk management status to the shareholders and Company management are organised.

          The Internal Audit & Control Directorate continued to strengthen its control in the following areas:

          compliance with the Company's regulatory documents;

          conducting of HR procedures;

          compliance with the requirements of external regulators (HKEx) and shareholders for connected and related transactions (until December 2016);

          opening and implementation of investment projects, etc.

          The Internal Audit & Control Directorate has ensured the work of the Hotline of UC RUSAL.

Using modern management standards and procedures the Company implements effective control and risk management systems.

The internal control system is organised to protect assets, to improve business processes, to ensure that the Company's financial, economic and other activities comply with legislative requirements, and to maintain the control environment at an appropriate level. The main bodies involved in the development and implementation of activities in these areas are the Directorate for Control, Internal Audit and Business Coordination (hereinafter the Internal Audit & Control Directorate), the Audit Committee and the Review Commission. 

The Internal Audit & Control Directorate develops internal controls for the operations of the production facilities and business units of UC RUSAL, monitors their performance as part of audits and reviews, and is responsible for the development and monitoring of risk management policies, for independent evaluation of the effectiveness of management decisions and for monitoring of compliance with the requirements of external regulators.

Supervision of the efficiency of financial and economic activities and the organisation of the internal control system is carried out by Review Commissions formed at all production facilities of the Company. The statements of the production facilities are reviewed and audited annually, which is a mandatory stage in the preparation for annual shareholder meetings.


The implementation of internal controls is governed by the regulations, procedures and orders which are constantly updated, among them:

          Regulation on reporting to the Board of Directors and the Executive Committee in special cases;

          UC RUSAL Environmental Policy;

          Guidelines on UC RUSAL Health, Industrial and Fire Safety Management System;

          Methodology for the organisation of industrial monitoring of the working conditions of production facilities;

          Standard operating practices for internal investigation and analysis of accidents related to health, safety and fire protection;

          Methodology for establishing performance indicators;

          UC RUSAL Risk Management Policy;

          Regulation on emergency management, etc.

The Internal Audit & Control Directorate continuously monitors compliance by Company management with policies, regulations and procedures established by internal documents, as well as recommendations of reviews and audits.

New documents were introduced in 2016, including:

          Risk Management Regulations;

          UC RUSAL Technical Policy;

          Standard of Organisation of technical visits and audits. Requirements for accounting and monitoring of performance of corrective actions according to the results of audits/visits;

          Regulation on the commission of individual acts and provision of information and reporting to creditors in accordance with loan agreements;

          UC RUSAL Regulation on Supplier Accreditation System, etc.


The Internal Audit & Control Directorate reports regularly to the Board of Directors, the Audit Committee and the Review Commission about the results of the work, the performed audits of the internal control system, including the results of the audits of the activity of the management bodies. HKEx Appendix 27 para 9

Based on the submitted reporting, the Audit Committee assesses the effectiveness of the Company's internal controls on a quarterly basis. As a result of the evaluation conducted in late 2016, the Board of Directors considers that during the reporting period the Group's internal controls operated in compliance with the Corporate Governance Code.

One of the main areas of internal control is the establishment of a control system and coordination of compliance with:

          the requirements for public companies;

          the requirements of the shareholder agreement;

          the requirements of the ALUMINIUM FACILITY AGREEMENT (AFA) regarding the compliance of operations with the legislative and regulatory acts of the various jurisdictions;

          labour and social policy requirements of the Company;

          environmental protection requirements, etc.


The Company pays great attention to improving the system of ensuring compliance with applicable laws, regulations, standards and other applicable requirements and to preventing their violation (compliance function).

In order to strengthen the compliance function, in December 2016, the Company has appointed the Global Compliance Officer.

The main tasks of the compliance function include:

          development and implementation, as well as improvement of policies and procedures to comply with the applicable requirements;

          the implementation of procedures and other necessary measures to prevent violations of applicable requirements;

          training in compliance;

          assisting the employees of the Company in fulfilling their obligations to comply with the applicable requirements;

          promotion and development of an appropriate compliance culture in the Company that ensures the ethical behaviour of employees and their commitment to the compliance with applicable requirements.

In order to prevent conflicts of interest, the Company has an automated multi-level system of control of connected transactions (in accordance with Listing Rules and International Financial Reporting Standards), internal regulations are developed and regularly updated, and responsible employees are trained.

The Company implements the plan of staff training in compliance approved by the Board of Directors.

Fight against corruption and fraud prevention

UC RUSAL makes efforts to prevent the bribing of individuals and public servants, and is not involved in any form of unethical rewards or payments. The leading role in the prevention of corruption is vested in the Global Compliance Officer, the Internal Audit & Control Directorate and the Security Directorate, which in their turn coordinate the activities of the relevant units on the production facilities of the Company. DMA-Against corruption

In 2016, the Company approved an Anti-Corruption Policy. G4-SO4

Anti-corruption measures are also regulated by the following documents: G4-SO4

          The Business Partner Code that contains zero corruption tolerance rules;

          Code of Corporate Ethics;

          Provision on prevention and resolution of the conflict of interest;

          Internal labour regulations;

          Information Security Policy of UC RUSAL;

          Information security management policy;

       Policy on prevention of unfair actions;

       Provision on prevention and resolution of the conflict of interest;

          Regulation on audit of planned actions for compliance with antimonopoly requirements.

The Company complies with anti-money laundering legislation and has anti-money laundering policies set out in its Code of Corporate Ethics and the Business Partner Code. HKEx Appendix 27 KPI B7

The Internal Audit & Control Directorate conducts regular checks to prevent possible violations or minimise their consequences. Risks in the area of corruption and fraud are analysed and incorporated into the Company's Risk Map. G4-SO3

As a result of the audits conducted by the Internal Audit & Control Directorate at the production facilities and the Company's directorates and divisions in 2016, the following HR decisions were taken: eight employees were dismissed, 39 employees received various disciplinary sanctions. G4-SO5

All employees are informed about existing anti-corruption and fraud prevention procedures. In addition, the HR Directorate regularly conducts training of staff in anti-corruption techniques, and an exchange of experience in this area is conducted within the framework of the annual gathering of the heads of security business units.

One of the effective tools for combating corruption and fraud is a Hotline that any employee of the company can call and report violations. The Hotline provides an anonymous way to send the message and a way in which the name or other identification method of the sender is specified. A message through the Hotline can be sent by all employees and third parties having information about activities of the Company.

During 2016, 34 communications were received on the Hotline, 100% of which were processed, 48% were partially or fully confirmed. G4-SO5

Among the issues raised by those who called the Hotline were the following:

            unscrupulous actions and unethical behaviour of Company employees and counterparties – 41%;

            compliance with the requirements of labour law – 35%;

            problems in production processes – 9%;

            irrelevant messages – 15%.

In 2016, the employees of foreign production facilities did not call the Hotline.

All communications to the Hotline undergo a registration procedure and then an investigation of all the facts presented in the communication is conducted. Depending on the nature of the communication, the managers of the special units of the production facilities or divisions or directors of the Company are involved in the verification of the reported facts. All communications received on the Hotline, including anonymous ones, are subject to mandatory verification. After the communication is checked, the initiator receives the response. The Company guarantees that all communications are confidential. The audits of the Directorate for Control, Internal Audit and Business Coordination may be initiated in response to the signals, confirming the effectiveness of the management of the communications.


In view of the fact that the Company is engaged in the procurement of a large volume of raw materials, supplies and services, the special area of work of the Internal Audit & Control Directorate is the supervision of procurement activities. A Tender Committee was established under the chairmanship of the Director of Control: it is composed of the representatives of key business units of the Company, which allows for a wide range of monitoring functions. As a result of the work of the Internal Audit & Control Directorate in the Tender Committee, financial savings of USD 2.4 mln were achieved in 2016.

Plans for 2017-2018

                 Improvement of internal controls, prevention of fraud and corruption risks, increased control of asset integrity;

                 Conducting of further training of employees;

                 Ensuring control and timely notification of the Executive Committee and the Board of Directors of the Company about the risks relating to environmental aspects of the Company’s operation; conducting internal audits of business units of the Company with due regard to the targets of environmental (including greenhouse gases) and industrial safety;

                 Improvement of risk management system (tools, reporting);

                 Development, approval and implementation of target projects of production systems, continued implementation of projects initiated in 2016 (Supplier Accreditation project and others).

Risk management system

Risk analysis

In order to reduce the negative impact of potential hazards and ensure stable and sustainable business development, the Company has an effective risk management system that is part of the corporate governance system. The main goal of risk management is to choose the best practices for each of the identified risks and to provide information to management and Company shareholders. G4-2

The risk management system is an ongoing process at all levels of management aimed at accumulation and dissemination of knowledge about the risks within the Company.

Risk management is a part of the competence of the Risk Management Group created by the Board of Directors as a part of the Internal Audit & Control Directorate. G4-45, HKEx Appendix 27 KPI para 9, G4-37

The main internal instruments governing this area are:

          A risk management policy that defines the overall concept and responsibilities of the staff (approved by the instruction of Company management of May 15, 2013);

          Risk management regulations describing the main tools and methods for identification, assessment and mitigation of the risks (approved by the instruction of Company management of December 28, 2016).

The key elements of a risk management system include: identification and assessment of risks, development and implementation of risk mitigation activities, reporting on results of risk management, and evaluation of the effectiveness of the risk management system. Stages of the risk management system: 
HKEx Appendix 27 KPI para 9

          organisation of independent risk audits of Company production facilities conducted by specialists Willis Group and Ingosstrakh Engineering Centre for risk mitigation purposes and optimisation of insurance programmes;

          preparation of the annual Corporate Risk Map for four risk groups (operating, financial and market, corporate, project) and risk types (energy, technology, price change risks, legislative, legal, credit, etc.). The Audit Committee is provided with quarterly reports on the status of the risk management system; G4-49

          evaluation and audit of the risk management system;

          preparing the risk insurance programme.

The audit procedure consists of planned activities under the risk maps for the production areas and the solution of the tasks set by the Company's management authorities. The purpose of the audits is to identify significant risks, to assess existing key business process indicators, and to make recommendations to improve the internal control system, as well as to oversee the implementation of the recommendations resulting from the audits. Key risk measurement tools:

   financial risk evaluation (USD mln);

   probability of risk materialisation (0% to 100%);

   probable damages (USD mln);

   risk criticality (points 1 to 5).

Risk status and results of risk management are presented quarterly to the Board of Directors for review, including changes in groups and risk types, as well as activities aimed at reducing or preventing the negative impact of existing or materialised risks.HKEx Appendix 27 KPI para 9, G4-37

Work continues on new areas of risk that have not been identified early, as well as work on improving the quality of information provided by the Company's production facilities.

Monitoring, reporting and performance evaluation

The Internal Audit & Control Directorate reports regularly on its activities to the Board of Directors, the Audit Committee and the Review Commission, providing the following information: G4-47, HKEx Appendix 27 KPI -para 9

     report on materialised risks for the previous year (annually);

     submission of the Corporate Risk Map for the following year (annually);

     report on the status of the Company’s risk management (quarterly).

The Audit Committee monitors the compliance by the Company's management of risk management policy and procedures. The Audit Committee and the Board of Directors review the risk profile and results of performance of the Risk Management Programme on a quarterly and yearly basis. The Review Commission conducts an independent evaluation of the effectiveness of the risk management system. G4-37

In case of an event occurring or planned that will have a significant impact on the Company, the managers are promptly informed (according to the Regulations on Management Notification about Accidents in Company's Operation, 2nd version approved by the Instruction of the Company's management of January 23, 2017). G4-47

According to the Audit Committee and the Board of Directors, during the year ended December 31, 2016, the internal controls of UC RUSAL operated in accordance with the Corporate Governance Code. G4-46 HKEx Appendix 27 para 9

Major risk groups and their evaluation

The quantitative risk evaluation is based on two key factors describing the significance of risks:

     risk event probability;

     financial evaluation of probable losses – risk extent describing the consequences of risk materialisation.

The combination of probability of a risk event and financial risk evaluation is an indicator of risk criticality, which allows assessing the consequences of the effect after a risk event has materialised.



The management of the key risks in the area of sustainable development



Management measures

Environmental risks

Risks associated with damage to the environment from the Company and increased fees for the negative impact on the environment

In order to reduce the risks, the Company monitors environmental legislation and implements a range of environmental protection activities (e.g., monitoring of red mud disposal area).

Please see details in the Environment Protection Section

Violations in the area of health and safety

Risks related to the health and safety of employees

In order to prevent accidents, the Company develops the system of management of health, industrial and fire safety, including the assessment of risks in this area, conducts training of employees, implements programmes and activities to ensure safe working conditions, and conducts management audits.

Please see details in the Work Safety section

Risks associated with social tensions

Risks arising from the emergence of social tensions due to staff dissatisfaction with the current situation at production facilities

In the context of risk management, constant explanatory work is conducted with staff, management and trade unions. Work on the prevention of these risks has been systematised, so far the risks are at a minimal level.

Please see more details in the Employees section