Risk Management and Internal Control
Timely identification and management of risks is essential to maintaining sustainable growth and achieving the Company’s strategic and operational objectives. MegaFon is focused on continuously improving its Risk Management and Internal Control System (RMICS) to ensure that it successfully delivers on MegaFon’s corporate strategy while providing a robust platform for stable and continuous business operations.
MegaFon makes a constant effort to identify, assess and mitigate risks, and aims to minimise the negative impacts of risks beyond its control. MegaFon also continuously fosters a risk-based culture at all levels of management, providing regular training to employees in risk management theory and practice.
MegaFon’s approach to risk management and internal control is based on international and national best practice and standards and complies with Russian laws.
To manage the risks associated with preparing reliable financial statements and tax reports, the Company has in place an internal control system (ICS), which is a set of policies, guidelines, control procedures and organisational measures to ensure the preparation of such statements and reports, as well as compliance with applicable legal requirements.
Our RMICS strategy involves:
- continuously aligning risk management and internal controls to business changes
- embedding risks in goal-setting processes
- developing a risk-based approach to management decision-making
- continuously seeking out business opportunities and options for transforming threats into opportunities, as well as finding the best ways to respond to risks
- developing risk assessment models to improve the accuracy of data available to drive decision-making
- improving risk management and internal control communications
- formalising and updating risk appetite metrics and aligning risk appetite with the Company’s development strategy
- regular employee training
The ICS effectiveness is maintained through the following actions:
- updating and ensuring compliance with ICS codes and standards
- regular monitoring of controls performance
- regular surveys of key process owners on the effectiveness of internal controls
- analyses of business processes and related risks to verify the performance of applied internal controls
- annual selective testing of key control procedures
Risk management and internal control framework
Risk management and internal controls are embedded across all operations and at all levels throughout the organisation.
MegaFon is focused on building a risk management and internal control culture, the key aspects of which include:
Tone at the Top
|MegaFon’s senior managers act as role models in the discussion, identification and assessment of risks, and are actively involved in risk management.|
|Risk ownership and responsibilities are included in employees’ job descriptions and targets. Timely communication about risks is encouraged, with all risks viewed as opportunities to improve the Company’s performance.|
Skills and capabilities
|The Company’s key employees are continuously trained in risk management with support from business leaders.|
The Board of Directors through the Audit Committee determines the RMICS principles and approaches and evaluates the system’s effectiveness.
The CEO and the Management Board ensure the setting up and maintenance of a robust RMICS, allocation of the roles, responsibilities and accountability for specific risk management and internal control procedures among BU heads, approval of reporting format requirements, review and agreement on principal risks and promotion of a risk management and internal control culture.
The BU heads ensure that the RMICS is incorporated into functions and projects, including risk identification and assessment, and also ensure the development and implementation of risk management measures, including operation of control procedures.
The risk management function drives the development of risk management across the Company, implementing the RMICS Policy, ensuring risk updates, overseeing the implementation of risk management measures, coordinating the efforts of functions to identify and assess risks, developing appropriate risk management measures, providing functions with methodological support, and fostering a risk management and internal control culture within the Company.
Business units prepare and submit risk and internal control reports to the Management Board and the Board of Directors.
Risk and control coordinators have been designated with respect to the Company’s key functions, driving collaboration around the RMICS.
The corporate Risk Management and Internal Control System (RMICS) Policy is the key document governing MegaFon’s risk management activities. The policy, developed in line with applicable Russian laws and international risk management standards, establishes general approaches to risk management and internal control.
Key RMICS activities
In 2020, MegaFon continued to embed risk-based management into its practices. Risk identification and management efforts are closely aligned with the Company’s goals and existing projects. The Management Board reviews the status of key risks and compliance on a quarterly basis.
To further improve risk communication, the Company holds annual meetings of risk coordinators to facilitate the sharing of risk management approaches and best practice.
In autumn 2020, MegaFon surveyed the Management Board on the maturity level of the Company’s risk management, with the findings confirming the maturity of the corporate risk management system and providing a basis for developing a plan for its further development.
Risk management and internal control training for employees remains a top priority for MegaFon. The Company’s managers take a mandatory online risk management course based on ISO 31000, which reflects the Company’s specific business profile. This course is also available to all MegaFon employees.
MegaFon continued to update its ICS in 2020, including through the following activities:
- ICS updates to reflect the transformation of business processes
- Review of employee access rights to financial reporting information to ensure access is only provided on an as-needed basis
- Updates of ICS training and information materials
- Further development of the ICS to facilitate tax-related monitoring, including the risk assessment process
- Approval of the Internal Control Rules for the prevention, detection and suppression of illegal use of insider information and (or) market manipulation in accordance with the requirements of the Bank of Russia effective from April 20, 2020.
Principal risks and mitigation
MegaFon’s analysis considers various types of risks, while setting out the measures that the Company takes to minimise them.
This analysis covers strategic, geopolitical, technological, regulatory, operational (including compliance) and financial risks.
|#||Risks||Risk description||Risk management||Dynamic❶|
|1||Geopolitical||As a company registered in the Russian Federation, MegaFon is exposed to economic and geopolitical risks specific to Russia in general, including those related to the current sanctions regime imposed by the United States, European Union (EU) and other countries against certain Russian companies. There is a risk that new sanctions may be imposed or the list of entities subject to existing sanctions may be expanded. Additional sanctions may also be imposed on supplies of equipment, software and services from the EU and the United
MegaFon relies on multiple international suppliers to conduct its business and develop its complex infrastructure. If the Company is unable to deliver its development plans due to supply disruption, MegaFon may face delays in infrastructure development and/or increased costs.
|Since none of the Company’s managers or directors is subject to the existing sanctions programmes and the Company’s operations are conducted outside the EU, the United States and Ukraine, and are focused on telecommunications, which are usually excluded from sanctions regimes, currently MegaFon does not expect these risks to cause any disruption to its operations. Also, trade sanctions are not directly applicable to MegaFon. MegaFon monitors the sanctions legislation; however, the vast majority of the above risks are beyond MegaFon’s control, and the potential imposition of additional sanctions could have a negative impact on
MegaFon closely monitors the economic and political situation affecting key suppliers on an ongoing basis. MegaFon works with experts and suppliers to keep up-to-date on current affairs so as to be able to prepare an appropriate action plan as necessary. The Company also works closely with its key suppliers to ensure continuity of key equipment supply.
|2||Macroeconomic||Falling oil prices and a weaker rouble may negatively impact the Russian economy.
Moreover, business activity in Russia has tended to slacken amid the current pandemic caused by COVID-19, with declines in the real disposable incomes among the population and, consequently, lower consumption in most sectors of the economy. Experts estimate that the economy will take one to two years to recover to 2019 levels.
Taken together, the current macroeconomic trends could have a negative impact on the Company’s revenues and investment programme.
|The wireless market is quite resilient during an economic downturn, as customers are unwilling to reduce their minutes and mobile data usage and therefore spending on these services is less exposed to the risk of an economic downturn.
The long-term contracts MegaFon holds with major global vendors should ensure the continued construction and modernisation of its network.
|3||New business models, new entrants||The telecommunications and digital industries are rapidly changing amid an accelerating pace of innovation, while new players are entering non-core markets, such as banks establishing telecoms operators and telecoms operators creating banking products. At the same time, customers are becoming more demanding and expecting superior digital customer service and a seamless online and offline experience. Failure to provide such high-level service and experience can reduce customer loyalty, and lead to increased churn and possible loss of market share. To meet the high customer expectations, MegaFon needs to be fast and agile, and have strong digital capabilities.||MegaFon continues to implement its strategy aimed at the digital transformation of its business.
The Company continues to transform its internal processes, accelerating the review process for technology innovations, and enhancing Agile development practices. MegaFon is focused on developing artificial intelligence solutions which will drive the evolution of autonomous and intelligent networks while improving the customer experience through more advanced behaviour analytics.
To speed up the implementation of business initiatives, MegaFon has launched a microservice factory and continues to develop API management.
MegaFon continues to develop its technology sandbox, a tool that, by using simplified procedures, enables a faster review process for new technology to be piloted within the Company.
The Company continues to build its digital capabilities in Agile development practices, cloud technology and data virtualisation, as well as in building high-performance IT teams, Big Data and machine learning.
|4||Competition risk||The mobile market is one of the most mature segments of the Russian telecommunications industry. It is characterised by high penetration rates, which have led to increased competition as operators strive to retain existing and attract new customers. This competitive landscape is one of the most influential factors continuing to impact the mobile market. MegaFon’s key direct competitors include MTS, VEON and Tele2. New business models emerging in the market may lead to changes in the structure and dynamics of the current market, the impact of which may not currently be foreseeable.||MegaFon has undertaken a wide range of initiatives to bolster its competitive advantages, including deploying cutting-edge technology, developing new and innovative products and services, creating new partnerships with other companies and building innovative infrastructure.|
|5||Risks related to the deterioration of the sanitary and epidemiological situation||With the spread of the coronavirus, the Company has significantly changed its existing business practices. Job-related office-based activities, business travel and business trips for employees were curtailed. Strict workplace hygiene and Company site access protocols were established.
These changes have required the Company to accelerate its adaptation to ensure its business runs smoothly.
In addition to organisational implications, international roaming usage has declined significantly amid the pandemic, along with changes in the domestic traffic mix.
|The Company succeeded in seamlessly shifting its employees to work from home. All technical and organisational measures required to enable a majority of its workforce to work from home and establish necessary communication channels were implemented in the shortest time frame. The Company is strongly focused on enhancing electronic document management. Measures to ensure the required sanitary safety standards, including temperature screening, provision of hand sanitisers, social distancing, etc. were introduced at the Company’s
The Company puts the health and safety of its people first, so it is flexible in its approach to work formats in a “new normal” environment.
|6||Pricing risk||The Company uses market-based pricing approaches to price its services. There are a number of factors that can have a significant impact on tariff setting.
1. Competition law. A limited number of telecom market participants means that any tariff policy moves by operators are closely scrutinised by the regulator.
2. Regulation covering socially significant services.
3. Inflation dynamics in Russia
|The Company closely monitors all factors that may influence its pricing approach. At the same time, the Company is committed to flexible tariff-setting, which drives smart, affordable tariff offers geared to the needs of different groups of its customers.||NEW|
|7||Infrastructure risk||The Company has a vast network footprint, which involves managing a huge fleet of base stations, fibre networks, data centres and other assets. The continuous growth in its subscriber base, network coverage and data speeds, coupled with increases in the wear and tear of the operated infrastructure, expose the Company to the threat of overstretching its available network resources.
The Company’s commitment to sustainability implies a stronger focus on the environmental and energy-saving aspects of network management, among other things.
Pandemic restrictions and the shift to work from home have also led to shifts in network load as many customers left large cities with well-developed infrastructure for areas with lower network resources.
|MegaFon invests significant capital in upgrading and expanding its infrastructure and replacing obsolete equipment, which improves network reliability, reduces power consumption and enables higher telecommunications standards.||NEW|
|8||Transfer pricing||The practice of enforcing transfer pricing legislation is still in its early stages, and the approaches used to establish arm’s length prices under controlled transactions may be challenged by tax authorities, which could lead to additional tax liabilities being imposed.||To minimise tax risks related to transfer pricing, MegaFon has introduced and continues to improve internal procedures ensuring compliance with the transfer pricing legislation, while monitoring prices used in related party transactions to ensure they are in line with the market and identifying controlled transactions as defined by the Russian Tax Code. MegaFon also formed a consolidated group of taxpayers among the members of the MegaFon Group so that transactions among members are not subject to transfer pricing control.|
|9||Risk of revocation, suspension, or non-renewal of licences||Changes in licensing legislation requirements applying to the Company’s core business (provision of communications services) could adversely affect MegaFon’s operations if such changes affect the process of obtaining or renewing the Company’s existing licences for the provision of communications services required for the Company to continue its business.||MegaFon holds GSM, 3G and 4G/LTE licences with varying expiry dates. The Company pays close attention to tracking licence expiry dates and keeping licence data up to date, taking all necessary steps to ensure timely renewal of licences with the Federal Service for Supervision of Communications, Information Technology, and Mass Media of the Russian Federation (Roskomnadzor).|
|10||Business continuity and technology resilience risks||Although MegaFon ensures that its technological infrastructure has a high level of reliability and resilience, an accident may affect the speed and quality of provided services.||MegaFon takes all necessary measures to ensure the high quality of its services. In particular, to improve the overall resilience and business continuity, the Company has put in place infrastructure continuity measures and is focused on building its technological architecture in line with the highest global standards, ensuring redundancy in the most critical elements of its infrastructure.|
|11||Telecommunications fraud risks||MegaFon may incur losses resulting from wilful misconduct by unscrupulous counterparties or subscribers. The Company is also exposed to the risk of losing subscribers who become victims of fraud, as well as reputational damage.||MegaFon has a dedicated unit responsible for preventing fraud and associated financial or reputational losses while safeguarding customers against fraud. MegaFon uses a number of dedicated automated anti-fraud solutions to support fraud prevention. Monitoring for the more critical fraud threats is carried out 24/7.|
|12||Cyber risks||Certain vulnerabilities may lead to a failure to maintain appropriate security levels for software, equipment, network and subscribers’ personal data, potentially leaving them compromised and subject to unauthorised access and use, such as the use of subscriber data and/or confidential information in fraudulent transactions or the spread of malware.||MegaFon takes all necessary measures in line with its information security strategy to ensure an appropriate level of security for its IT systems, software, technology, and equipment. This includes continuous monitoring for potential threats and the use of security intelligence platforms across its IT and telecommunications infrastructures. In addition, MegaFon has in place a strong information security policy supplementing internal regulations governing personal data protection, and has developed a robust monitoring system for cyber threats.|
|13||Customer identification||Federal Law No. 533-FZ On Amendments to Federal Law On Communications dated 30 December 2020, adopted in late 2020, will significantly toughen the requirements for the identification of subscribers and users of communications services when signing service contracts and providing
Russian laws set out a number of requirements for the verification of subscribers’ personal data by mobile operators. Failure to confirm actual subscriber data or failure to provide up-to-date data requires operators to deny services to such subscribers.
|The Company strives to keep data about its subscribers up-to-date. This is achieved through a range of various data validation tools, both on the technical side and via direct customer interaction channels across its network of MegaFon-branded stores and dealer network.
At the same time, MegaFon also values the loyalty of its customers and seeks to ensure compliance with legal requirements in a way that gives its subscribers a zero-friction experience.
|14||Data exchange and storage||Currently, data exchange and storage regulation comprises a number of draft laws, some of which have already been passed into law. This legislation requires the Company to ensure the implementation of a range of measures covering data exchange with banks (amendments to the Federal Law on Communications); provision of data available online to the public (amendments to the Federal Law on Personal Data); processing of Big Data (amendments to the Federal Law on Information, Information Technology and Information Protection); and storage of subscriber web traffic in Russia (FZ-374 and FZ-375).||The Company seeks to minimise the impact of these legislative initiatives to maintain customer loyalty.
At the same time, MegaFon believes that these draft laws and regulations require thorough elaboration and discussion with the industry players, as flawed regulation would put pressure on revenue growth from technology products. The Company participates actively in the discussions relating to all legislative initiatives on data exchange.
|15||Risk of the introduction of minimum communications service quality parameters||Legislation in the Russian Federation currently does not contain provisions specifically requiring compliance by communications service providers with minimum quality parameters.
The regulators’ philosophy to date has been that the quality of communications services will be assured as long as subscribers have the right to select their communications operator, based on the requirement that operators provide information about service quality to subscribers.
At the same time, government authorities have recently tended to revise their position in considering the introduction of minimum communications service quality parameters.
|MegaFon believes it is unlikely that minimum parameters for service quality will be required in the medium term. However, even if the regulators change their current approach, the Company believes it will be able to ensure its services comply with any such minimum parameters.|
|16||Risks related to 5G||The Government and industry participants are developing various 5G development scenarios. The commercial 5G launch will require a wide range of regulations to be
However, there remains considerable uncertainty as to the development scenario which will be chosen, as well as the nature and scope of the implementing regulations.
|MegaFon is closely monitoring all initiatives related to the development of communications technologies, above all 5G, and actively participates in discussions relating to such initiatives.|
|17||Interest rate risk||Rising interest rates could increase MegaFon’s cost of raising funds to finance its operations and CAPEX programmes. In addition, where MegaFon’s existing debt carries a floating rate, the Company is exposed to the risk of higher costs of servicing such debt.||A major portion of the Company’s debt portfolio is long-term and carries attractive interest rates. Approx. 80% of the Company’s debt portfolio has fixed rates, and the remaining 20% of the portfolio is 78% hedged against a possible increase in floating interest rates. Furthermore, MegaFon has headroom to manage its floating rate debt.
At the time of this Annual Report, MegaFon maintained stable long-term credit ratings from leading agencies – Moody’s, S&P Global and ACRA. Coupled with a consistently strong financial performance, this allows MegaFon to raise funds at the most attractive terms available in the market.
|18||Risk of adverse changes in FX rates||MegaFon’s exposure to FX risks is mostly linked to its financial and investment
A significant portion of MegaFon’s capital expenditure, expenses and liabilities are denominated in foreign currencies, mostly in US dollars or euros. The rouble’s depreciation against the US dollar and/or euro may make it difficult for MegaFon to repay or refinance its foreign currency denominated debt and maintain an adequate level of capital investment. Therefore, a weaker rouble may increase MegaFon’s investment and financial costs in roubles, leading to lower net profit.
|To mitigate FX risks, MegaFon uses cross-currency swaps and other derivative financial instruments to hedge the euro-denominated portion of its debt portfolio, and seeks to increase the share of rouble-denominated operating expenses and capital expenditures to cover such expenses using rouble revenues.|
|19||Credit risk||The risk of financial loss resulting from a counterparty’s failure to meet its contractual obligations.||Preventive measures to mitigate credit risk with respect to other counterparties include the use of prepayments, bank guarantees and other collateral, and building relations with counterparties whose solvency is continuously monitored based on their credit history and assigned credit ratings, diversification of funds and setting position limits for banks. MegaFon also annually monitors possible impairment with respect to loans and other financial investments made.
Despite the pandemic, the Company was flexible in managing this risk, preventing it from increasing.
|20||Liquidity risk||MegaFon’s exposure to this risk is determined by the Company’s ability to meet its payment obligations in a timely
Liquidity risk is affected by the rate of conversion of assets (allocated cash) of the Company into cash on current accounts, as well as the availability of financing in the capital markets and the level of interest rates.
|MegaFon has access to adequate funding through its existing credit facilities, thereby reducing liquidity risk in the short and
Deposits are bank-diversified and concentrated within maturity buckets, taking into account the large payment schedule, best market offers and the Company’s policy.
The Company carefully monitors MegaFon’s exposure to Russian financial institutions, which could become subject to new or increased sanctions, to obtain stable access to adequate funding.