Internal Control and Risk Management System Model
The internal control and risk management system (“IC&RM”) of the Company and its subsidiaries and dependent companies (“SDCs”) is a component of their corporate governance. The IC&RM includes a full range of control procedures, methods, and mechanisms created by the Board of Directors and executive bodies of the Company and its SDCs to efficiently control the Company’s financial and economic activities.
To establish and develop the Company’s IC&RM, the Board of Directors approved the following regulatory documents:
- Concept of Developing and Improving the Internal Control and Risk Management System
- Internal Control Policy
- Risk Management Policy
- Guidelines for Organizing Internal Control and Risk Management
- Recommended Guidelines for Risk Management
- Code of Corporate Ethics
Subsidiaries and dependent companies have similar approved standard regulations.
The key goals of IC&RM are as follows:
- effectively achieve the strategic and shareholder objectives of the Company and SDCs
- improve the quality of the corporate governance system of the Company and SDCs
- enhance the operating and investment efficiency of the activities of the Company and SDCs
IC&RM is improved at all management levels of the Company in the following areas of control:
- preliminary control (risk management system): the identification, assessment, and management of risks (threats and opportunities) to effectively achieve the strategic and shareholder objectives, as well as the identification and management of economic and energy security risks
- routine control: the regulation and standardization of business processes, with defined control procedures and responsibilities of business process participants set out at the management level
- follow-up control: an audit of reporting reliability; asset preservation; compliance of business transactions with the laws, the Articles of Association, and local regulatory documents; internal audits of the organizational efficiency of business processes and IC&RM; the control of compliance with corporate ethics; and the control of anti-corruption practices
Regulatory documents of the Company and SDCs specify a “distributed” IC&RM model setting forth responsibilities in the following way:
- the Board of Directors of the Company and each of its SDCs defines the development areas of IC&RM
- the Audit Committee of the Board of Directors supervises IC&RM effectiveness
- the Internal Audit and Risk Management Department audits and directly evaluates IC&RM effectiveness, corporate governance effectiveness, and follow-up control procedures; additionally, the Internal Audit and Risk Management Department organizes and coordinates the preparation of risk reports and provides stakeholders with information on risks and internal control procedures of the Company and SDCs
- executive bodies are responsible for organizing the effective implementation of routine and preventive control procedures and for implementing local IC&RM regulations
- officers (business process owners) are responsible for establishing and implementing control procedures and risk management measures and for identifying and assessing risks in a timely manner.