Risk Management and Internal Control

General information

Timely identification and management of risks is essential to maintaining sustainable growth and achieving the Company’s strategic and operational objectives. MegaFon is focused on continuously improving its Risk Management and Internal Control System (RMICS) to ensure that it successfully delivers on MegaFon’s corporate strategy while providing a robust platform for stable and continuous business operations.

MegaFon makes a constant effort to identify, assess and mitigate risks, and aims to minimise the negative impacts of risks beyond its control. MegaFon also continuously fosters a risk-based culture at all levels of management, providing regular training to employees in risk management theory and practice.

MegaFon’s approach to risk management and internal control is based on international and national best practice and standards and complies with Russian laws.

To manage the risks associated with preparing reliable financial statements and tax reports, the Company has in place an internal control system (ICS), which is a set of policies, guidelines, control procedures and organisational measures to ensure the preparation of such statements and reports, as well as compliance with applicable legal requirements.

Our RMICS strategy involves:

1

continuously aligning risk management and internal controls to business changes

2

embedding risks in goal-setting processes


3

developing a risk-based approach to management decision-making

4

continuously seeking out business opportunities and options for transforming threats into opportunities, as well as finding the best ways to respond to risks


5

developing risk assessment models to improve the accuracy of data available to drive decision-making

6

improving risk management and internal control communications


7

formalising and updating risk appetite metrics and aligning risk appetite with the Company’s development strategy

8

regular employee training

The ICS effectiveness is maintained through the following actions:

1

updating and ensuring compliance with ICS codes and standards

2

regular monitoring of controls performance

3

regular surveys of key process owners on the effectiveness of internal controls


4

analyses on business processes and related risks to verify the performance of applied internal controls

5

annual selective testing of key control procedures

Risk management and internal control framework

Risk management and internal controls are embedded across all operations and at all levels throughout the organisation.

MegaFon is focused on building a risk management and internal control culture, the key aspects of which include:

Tone at the Top

MegaFon’s senior managers act as role models in the discussion, identification and assessment of risks, and are actively involved in risk management.

Corporate governance

Risk ownership and responsibilities are included in employees’ job descriptions and targets. Timely communication about risks is encouraged, with all risks viewed as opportunities to improve the Company’s performance.

Skills and capabilities

The Company’s key employees are continuously trained in risk management with support from business leaders.

The Board of Directors through the Audit Committee determines the RMICS principles and approaches and evaluates the system’s effectiveness.

The CEO and the Management Board ensure the setting up and maintenance of a robust RMICS, allocation of the roles, responsibilities and accountability for specific risk management and internal control procedures among BU heads, approval of reporting format requirements, review and agreement on principal risks and promotion of a risk management and internal control culture.

The BU heads ensure that the RMICS is incorporated into functions and projects, including risk identification and assessment, and also ensure the development and implementation of risk management measures, including operation of control procedures.

The risk management function drives the development of risk management across the Company, implementing the RMICS Policy, ensuring risk updates, overseeing the implementation of risk management measures, coordinating the efforts of functions to identify and assess risks, developing appropriate risk management measures, providing functions with methodological support, and fostering a risk management and internal control culture within the Company.

Business units prepare and submit risk and internal control reports to the Management Board and the Board of Directors.

Risk and control coordinators have been designated with respect to the Company’s key functions, driving collaboration around the RMICS.

The corporate Risk Management and Internal Control System (RMICS) Policy is the key document governing MegaFon’s risk management activities. The policy, developed in line with applicable Russian laws and international risk management standards, establishes general approaches to risk management and internal control.

The Risk Management and Internal Control System Policy

Key RMICS activities

In 2020, MegaFon continued to embed risk-based management into its practices. Risk identification and management efforts are closely aligned with the Company’s goals and existing projects. The Management Board reviews the status of key risks and compliance on a quarterly basis.

To further improve risk communication, the Company holds annual meetings of risk coordinators to facilitate the sharing of risk management approaches and best practice.

In autumn 2020, MegaFon surveyed the Management Board on the maturity level of the Company’s risk management, with the findings confirming the maturity of the corporate risk management system and providing a basis for developing a plan for its further development.

Risk management and internal control training for employees remains a top priority for MegaFon. The Company’s managers take a mandatory online risk management course based on ISO 31000, which reflects the Company’s specific business profile. This course is also available to all MegaFon employees.

MegaFon continued to update its ICS in 2020, including through the following activities:

  1. The ICS updates to reflect the transformation of business processes
  2. Review of employee access rights to financial reporting information to ensure access is only provided on an as-needed basis
  3. Updates of ICS training and information materials
  4. Further development of the ICS to facilitate taxrelated monitoring, including the risk assessment process
  5. Approval of the Internal Control Rules for the prevention, detection and suppression of illegal use of insider information and (or) market manipulation in accordance with the requirements of the Bank of Russia effective from April 20, 2020.

Principal risks and mitigation

MegaFon’s analysis considers various types of risks, while setting out the measures that the Company takes to minimise them.

This analysis covers strategic, geopolitical, technological, regulatory, operational (including compliance) and financial risks. и финансовые.

Company assessment
Risk manageability Low Medium High

Low

6, 4 1, 14, 15 2, 3, 16

Medium

8, 11 5, 17 12, 13, 18

High

  7, 10 9, 19, 20
Strategic/external risks
# Risks Risk description Risk management Dynamic❶
1 Geopolitical As a company registered in the Russian Federation, MegaFon is exposed to economic and geopolitical risks specific to Russia in general, including those related to the current sanctions regime imposed by the United States, European Union (EU) and other countries against certain Russian companies. There is a risk that new sanctions may be imposed or the list of entities subject to existing sanctions may be expanded. Additional sanctions may also be imposed on supplies of equipment, software and services from the EU and the United States.

MegaFon relies on multiple international suppliers to conduct its business and develop its complex infrastructure. If the Company is unable to deliver its development plans due to supply disruption, MegaFon may face delays in infrastructure development and/or increased costs.
Since none of the Company’s managers or directors is subject to the existing sanctions programmes and the Company’s operations are conducted outside the EU, the United States and Ukraine, and are focused on telecommunications, which are usually excluded from sanctions regimes, currently MegaFon does not expect these risks to cause any disruption to its operations. Also, trade sanctions are not directly applicable to MegaFon. MegaFon monitors the sanctions legislation; however, the vast majority of the above risks are beyond MegaFon’s control, and the potential imposition of additional sanctions could have a negative impact on MegaFon’s operations.

MegaFon closely monitors on an ongoing basis the economic and political situation affecting key suppliers. MegaFon works with experts and suppliers to keep up-todate on current affairs so as to be able to prepare an appropriate action plan as necessary. The Company also works closely with its key suppliers to ensure continuity of key equipment supply.
 
2 Macroeconomic Falling oil prices and a weaker rouble may negatively impact the Russian economy.

Moreover, business activity in Russia has tended to slacken amid the current pandemic caused by COVID-19, with declines in the real disposable incomes among the population and, consequently, lower consumption in most sectors of the economy. Experts estimate that the economy will take one to two years to recover to 2019 levels.

Taken together, the current macroeconomic trends could have a negative impact on the Company’s revenues and investment programme.
The wireless market is quite resilient during an economic downturn, as customers are unwilling to reduce their minutes and mobile data usage and therefore spending on these services is less exposed to the risk of an economic downturn.

The long-term contracts MegaFon holds with major global vendors should ensure the continued construction and modernisation of its network.
 
3 Technological and digital transformation

New business models, new entrants
The telecommunications and digital industries are rapidly changing amid an accelerating pace of innovation, while new players are entering non-core markets, such as banks establishing telecoms operators and telecoms operators creating banking products. At the same time, customers are becoming more demanding and expecting superior digital customer service and a seamless online and offline experience. Failure to provide such high-level service and experience can reduce customer loyalty, and lead to increased churn and possible loss of market share. To meet the high customer expectations, MegaFon needs to be fast and agile, and have strong digital capabilities. MegaFon continues to implement its strategy aimed at the digital transformation of its business.

The Company continues to transform its internal processes, accelerating the review process for technology innovations, and enhancing Agile development practices. MegaFon is focused on developing artificial intelligence solutions which will drive the evolution of autonomous and intelligent networks while improving the customer experience through more advanced behaviour analytics.

To speed up the implementation of business initiatives, MegaFon has launched a microservice factory and continues to develop API management.

MegaFon continues to develop its technology sandbox, a tool that, by using simplified procedures, enables a faster review process for new technology to be piloted within the Company.

The Company continues to build its digital capabilities in Agile development practices, cloud technology and data virtualisation, as well as in building high-performance IT teams, Big Data and machine learning.
 
4 Competition risk The mobile market is one of the most mature segments of the Russian telecommunications industry. It is characterised by high penetration rates, which have led to increased competition as operators strive to retain existing and attract new customers. This competitive landscape is one of the most influential factors continuing to impact the mobile market. MegaFon’s key direct competitors include MTS, VEON and Tele2. New business models emerging in the market may lead to changes in the structure and dynamics of the current market, the impact of which may not currently be foreseeable. MegaFon has undertaken a wide range of initiatives to bolster its competitive advantages, including deploying cuttingedge technology, developing new and innovative products and services, creating new partnerships with other companies and building innovative infrastructure.  
Operational risks
# Risks Risk description Risk management Dynamic❶
5 Risks related to the deterioration of the sanitary and epidemiological situation With the spread of the coronavirus, the Company has significantly changed its existing business practices. Job-related office-based activities, business travel and business trips for employees were curtailed. Strict workplace hygiene and Company site access protocols were established.

These changes have required the Company to accelerate its adaptation to ensure its business runs smoothly.

In addition to organisational implications, international roaming usage has declined significantly amid the pandemic, along with changes in the domestic traffic mix.
The Company succeeded in seamlessly shifting its employees to work from home. All technical and organisational measures required to enable a majority of its workforce to work from home and establish necessary communication channels were implemented in the shortest time frame. The Company is strongly focused on enhancing electronic document management. Measures to ensure the required sanitary safety standards, including temperature screening, provision of hand sanitisers, social distancing, etc. were introduced at the Company’s facilities.

The Company puts the health and safety of its people first, so it is flexible in its approach to work formats in a “new normal” environment.
NEW
6 Pricing risk The Company uses market-based pricing approaches to price its services. There are a number of factors that can have a significant impact on tariff setting.

1. Competition law. A limited number of telecom market participants means that any tariff policy moves by operators are closely scrutinised by the regulator.

2. Regulation covering socially significant services.

3. Inflation dynamics in Russia
The Company closely monitors all factors that may influence its pricing approach. At the same time, the Company is committed to flexible tariff-setting, which drives smart, affordable tariff offers geared to the needs of different groups of its customers. NEW
7 Infrastructure risk The Company has a vast network footprint, which involves managing a huge fleet of base stations, fibre networks, data centres and other assets. The continuous growth in its subscriber base, network coverage and data speeds, coupled with increases in the wear and tear of the operated infrastructure, expose the Company to the threat of overstretching its available network resources.

The Company’s commitment to sustainability implies a stronger focus on the environmental and energy-saving aspects of network management, among other things.

Pandemic restrictions and the shift to work from home have also led to shifts in network load as many customers left large cities with well-developed infrastructure for areas with lower network resources.
MegaFon invests significant capital in upgrading and expanding its infrastructure and replacing obsolete equipment, which improves network reliability, reduces power consumption and enables higher telecommunications standards. NEW
8 Transfer pricing The practice of enforcing transfer pricing legislation is still in its early stages, and the approaches used to establish arm’s length prices under controlled transactions may be challenged by tax authorities, which could lead to additional tax liabilities being imposed. To minimise tax risks related to transfer pricing, MegaFon has introduced and continues to improve internal procedures ensuring compliance with the transfer pricing legislation, while monitoring prices used in related party transactions to ensure they are in line with the market and identifying controlled transactions as defined by the Russian Tax Code. MegaFon also formed a consolidated group of taxpayers among the members of the MegaFon Group so that transactions among members are not subject to transfer pricing control.  
9 Risk of revocation, suspension, or non-renewal of licences Changes in licensing legislation requirements applying to the Company’s core business (provision of communications services) could adversely affect MegaFon’s operations if such changes affect the process of obtaining or renewing the Company’s existing licences for the provision of communications services required for the Company to continue its business. MegaFon holds GSM, 3G and 4G/ LTE licences with varying expiry dates. The Company pays close attention to tracking licence expiry dates and keeping licence data up to date, taking all necessary steps to ensure timely renewal of licences with the Federal Service for Supervision of Communications, Information Technology, and Mass Media of the Russian Federation (Roskomnadzor).  
Technology risks
# Risks Risk description Risk management Dynamic❶
10 Business continuity and technology resilience risks Although MegaFon ensures that its technological infrastructure has a high level of reliability and resilience, an accident may affect the speed and quality of provided services. MegaFon takes all necessary measures to ensure the high quality of its services. In particular, to improve the overall resilience and business continuity, the Company has put in place infrastructure continuity measures and is focused on building its technological architecture in line with the highest global standards, ensuring redundancy in the most critical elements of its infrastructure.  
11 Telecommunications fraud risks MegaFon may incur losses resulting from wilful misconduct by unscrupulous counterparties or subscribers. The Company is also exposed to the risk of losing subscribers who become victims of fraud, as well as reputational damage. MegaFon has a dedicated unit responsible for preventing fraud and associated financial or reputational losses while safeguarding customers against fraud. MegaFon uses a number of dedicated automated anti-fraud solutions to support fraud prevention. Monitoring for the more critical fraud threats is carried out 24/7.  
12 Cyber risks Certain vulnerabilities may lead to a failure to maintain appropriate security levels for software, equipment, network and subscribers’ personal data, potentially leaving them compromised and subject to unauthorised access and use, such as the use of subscriber data and/or confidential information in fraudulent transactions or the spread of malware. MegaFon takes all necessary measures in line with its information security strategy to ensure an appropriate level of security for its IT systems, software, technology, and equipment. This includes continuous monitoring for potential threats and the use of security intelligence platforms across its IT and telecommunications infrastructures. In addition, MegaFon has in place a strong information security policy supplementing internal regulations governing personal data protection, and has developed a robust monitoring system for cyber threats.  
Regulatory risks
# Risks Risk description Risk management Dynamic❶
13 Customer identification Federal Law No. 533-FZ On Amendments to Federal Law On Communications dated 30 December 2020, adopted in late 2020, will significantly toughen the requirements for the identification of subscribers and users of communications services when signing service contracts and providing communications services.

Russian laws set out a number of requirements for the verification of subscribers’ personal data by mobile operators. Failure to confirm actual subscriber data or failure to provide upto- date data requires operators to deny services to such subscribers.
The Company strives to keep data about its subscribers up-to-date. This is achieved through a range of various data validation tools, both on the technical side and via direct customer interaction channels across its network of MegaFon-branded stores and dealer network.

At the same time, MegaFon also values the loyalty of its customers and seeks to ensure compliance with legal requirements in a way that gives its subscribers a zerofriction experience.
NEW
14 Data exchange and storage Currently, data exchange and storage regulation comprises a number of draft laws, some of which have already been passed into law. This legislation requires the Company to ensure the implementation of a range of measures covering data exchange with banks (amendments to the Federal Law on Communications); provision of data available online to the public (amendments to the Federal Law on Personal Data); processing of Big Data (amendments to the Federal Law on Information, Information Technology and Information Protection); and storage of subscriber web traffic in Russia (FZ-374 and FZ-375). The Company seeks to minimise the impact of these legislative initiatives to maintain customer loyalty.

At the same time, MegaFon believes that these draft laws and regulations require thorough elaboration and discussion with the industry players, as flawed regulation would put pressure on revenue growth from technology products. The Company participates actively in the discussions relating to all legislative initiatives on data exchange.
 
15 Risk of the introduction of minimum communications service quality parameters Legislation in the Russian Federation currently does not contain provisions specifically requiring compliance by communications service providers with minimum quality parameters.

The regulators’ philosophy to date has been that the quality of communications services will be assured as long as subscribers have the right to select their communications operator, based on the requirement that operators provide information about service quality to subscribers.

At the same time, government authorities have recently tended to revise their position in considering the introduction of minimum communications service quality parameters.
MegaFon believes it is unlikely that minimum parameters for service quality will be required in the medium term. However, even if the regulators change their current approach, the Company believes it will be able to ensure its services comply with any such minimum parameters.  
16 Risks related to 5G The Government and industry participants are developing various 5G development scenarios. The commercial 5G launch will require a wide range of regulations to be introduced.

However, there remains considerable uncertainty as to the development scenario which will be chosen, as well as the nature and scope of the implementing regulations.
MegaFon is closely monitoring all initiatives related to the development of communications technologies, above all 5G, and actively participates in discussions relating to such initiatives.  
Financial risks
# Risks Risk description Risk management Dynamic❶
17 Interest rate risk Rising interest rates could increase MegaFon’s cost of raising funds to finance its operations and CAPEX programmes. In addition, where MegaFon’s existing debt carries a floating rate, the Company is exposed to the risk of higher costs of servicing such debt. A major portion of the Company’s debt portfolio is long-term and carries attractive interest rates. Approx. 80% of the Company’s debt portfolio has fixed rates, and the remaining 20% of the portfolio is by 78% hedged against a possible increase in floating interest rates. Furthermore, MegaFon has headroom to manage its floating rate debt.

At the time of this Annual Report, MegaFon maintained stable long-term credit ratings from leading agencies – Moody’s, S&P Global and ACRA. Coupled with a consistently strong financial performance, this allows MegaFon to raise funds at the most attractive terms available in the market.
 
18 Risk of adverse changes in FX rates MegaFon’s exposure to FX risks is mostly linked to its financial and investment activities.

A significant portion of MegaFon’s capital expenditure, expenses and liabilities are denominated in foreign currencies, mostly in US dollars or euros. The rouble’s depreciation against the US dollar and/ or euro may make it difficult for MegaFon to repay or refinance its foreign currency denominated debt and maintain an adequate level of capital investment. Therefore, a weaker rouble may increase MegaFon’s investment and financial costs in roubles, leading to lower net profit.
To mitigate FX risks, MegaFon uses crosscurrency swaps and other derivative financial instruments to hedge the euro-denominated portion of its debt portfolio, and seeks to increase the share of rouble-denominated operating expenses and capital expenditures to cover such expenses using rouble revenues.  
19 Credit risk The risk of financial loss resulting from a counterparty’s failure to meet its contractual obligations. Preventive measures to mitigate credit risk with respect to other counterparties include the use of prepayments, bank guarantees and other collateral, and building relations with counterparties whose solvency is continuously monitored based on their credit history and assigned credit ratings, diversification of funds and setting position limits for banks. MegaFon also annually monitors possible impairment with respect to loans and other financial investments made.

Despite the pandemic, the Company was flexible in managing this risk, preventing it from increasing.
 
20 Liquidity risk MegaFon’s exposure to this risk is determined by the Company’s ability to meet its payment obligations in a timely manner.

Liquidity risk is affected by the rate of conversion of assets (allocated cash) of the Company into cash on current accounts, as well as the availability of financing in the capital markets and the level of interest rates.
MegaFon has access to adequate funding through its existing credit facilities, thereby reducing liquidity risk in the short and medium term.

Deposits are bank-diversified and concentrated within maturity buckets with account for the large payment schedule, best market offers and the Company’s policy.

The Company carefully monitors MegaFon’s exposure to Russian financial institutions, which could become subject to new or increased sanctions, to obtain stable access to adequate funding.
 
Securities previous
chapter
Compliance next
chapter
To the top of the page