Control system

The Company has in place an internal control system covering key business processes and all management levels across the Group. The system comprises the following supervisory bodies:

Audit Commission;
Audit Committee of the Board of Directors;
Internal Audit Department;
Internal Control and Risk Management, comprising the Internal Control Department, Financial Control Service, Risk Management Service, and the Inspectorate for Monitoring Technical, Production and Environmental Risks.

Audit Commission

Audit Commission’s
performance

In 2021, the Audit Commission audited Nornickel’s business operations for 2020, with the auditors’ report presented to the shareholders as part of materials for the Annual General Meeting of Shareholders. Results of the audit of the Company’s business operations for 2021 will be reported to the Annual General Meeting of Shareholders in 2022.

The Annual General Meeting of Shareholders held on 19 May 2021 re-elected the incumbent members of the Audit Commission and set total remuneration at RUB 1.8 million per year (before taxes) for each member of Nornickel’s Audit Commission who is not an employee of the Company. The above remuneration level is similar to the remuneration rate set for members of the Audit Commission in 2020. Members who are Nornickel employees are not paid remuneration for for their work as part of the Audit Commission.

In 2021, remuneration of the Audit Commission totalled RUB 7.2 million (USD 98 thousand). No bonuses or other rewards were paid.

THE AUDIT COMMISSION IS NORNICKEL’S STANDING INTERNAL CONTROL BODY THAT MONITORS ITS FINANCIAL AND BUSINESS OPERATIONS. THE FIVE MEMBERS OF THE AUDIT COMMISSION ARE ELECTED ANNUALLY AT THE ANNUAL GENERAL MEETING OF SHAREHOLDERS.
Members of the Audit Commission
Name Primary employment and position as of the end of 2021
Alexey Dzybalov Analyst, UC RUSAL, IPJSC (until 25 September 2020: United Company RUSAL Plc)
Anna Masalova Chief Financial Officer, Pizza Restaurants
Georgy Svanidze Head of the Financial Department, member of the Management Board at Interros Holding Company
Vladimir Shilkov CEO of AG, CIS investment Advisers, and Orion Property; Deputy Project Manager at the Financial Control Service of MMC Norilsk Nickel
Elena Yanevich CEO of Interpromleasing

Internal audit

The Internal Audit Department was established to assist the Board of Directors and executive bodies in better managing the Company and improving its financial and business operations through a systematic and consistent approach to the analysis and evaluation of risk management and internal controls as tools providing reasonable assurance that Nornickel will achieve its goals.

The internal Audit Department conducts objective and independent audits to assess the effectiveness of the internal control system and risk management system. Based on the audits, the Department prepares reports and proposals for management on improving internal controls, and monitors the development of remedial action plans.

In order to ensure independence and objectivity, the Internal Audit Department functionally reports to the Board of Directors through the Audit Committee and has an administrative reporting line to Nornickel’s President.

In 2021, the Audit Committee of the Board of Directors reviewed the annual audit plan and internal audit development plans; reviewed bonus-related performance targets (KPI scorecards) of the Internal Audit Department Director; discussed the results of completed audits, including gaps identified and corrective actions designed by management to improve internal controls and minimise risks. The Audit Committee commend the work of the Internal Audit Department in the reporting period.

In 2021, the Internal Audit Department performed 20 audits of subsidiaries’ operations, corporate governance processes, and IT asset control procedures. The Department also performed an annual performance evaluation of Nornickel’s corporate risk management system (CRMS) and internal control system (ICS) for 2021 and concluded that the Company’s CRMS and ICS as a whole function effectively, there are some comments. The evaluation results were reviewed at an Audit Committee meeting and a meeting of the Company’s Board of Directors.

Based on the recommendations issued during the audits, management developed corrective actions and implemented a total of 263 such actions over FY 2021. The actions included updating regulatory documents, developing new or amending existing control procedures, communicating them to employees, training employees, identifying and assessing risks. The Internal Audit Department continuously monitors the implementation of initiatives developed by management, with the resulting insights on types and number of initiatives regularly reviewed by the Audit Committee.

Digitalisation
of internal audit

In 2021, after the SAP Audit Management information system was implemented at the Head Office, the Internal Audit Department began rolling out the system to seven Group company-level internal control and audit units. The system was piloted in December 2021.

The system’s launch delivered a number of benefits and advantages:

  • Standardisation of internal audit processes across the Company
  • A single information space where all members of the audit teams of the Head Office and other units can collaborate regardless of location
  • Generation of analytical reports on audits of the Company’s units, as well as consolidated reports on all audits across the Company
  • Automated monitoring of the implementation of recommendations across the Company’s units

The Internal Audit Department is strongly focused on expanding the use of data analysis tools in audits.

In 2021, the Internal Audit Department leveraged digital data processing methods to perform five IT audits, as well as a working capital control audit and a mining equipment performance monitoring audit.

Internal control

The Internal Control Department regularly monitors the Company’s high-risk business processes – procurement and investment activities, capital construction and corporate insurance transactions, as well as the reliability of the existing systems of accounting for metal-bearing products. The Company also continuously monitors compliance with regulatory requirements to combat the unlawful use of insider information and market manipulation, as well as money laundering, terrorist financing, and proliferation financing.

The performance and maturity of internal control system elements are evaluated annually as part of a financial statement audit and internal control system self-evaluation. Reports containing the internal control system evaluation results are reviewed by Nornickel’s management and the Audit Committee of the Board of Directors.

The Financial Control Service audits financial and business operations of Nornickel and its subsidiaries to make updates and recommendations for the President and members of the Board of Directors. The Head of the Financial Control Service is appointed by resolution of the Board of Directors.

Internal control

Corporate Trust Line

Nornickel runs the Corporate Trust Line speak-up programme established within the Internal Control Department to respond promptly to reports of non-compliance, wrongdoing or embezzlement, violation of employees’ rights, and breach of ethical standards or rules of conduct by employees. Employees, shareholders, and other stakeholders can report any actual or potential actions that cause or may cause financial or reputational damage to Nornickel. All reports submitted via the line are registered, assigned a unique number, and investigated. The key principles underlying the operation of the Corporate Trust Line include guaranteed anonymity for whistleblowers, and timely and unbiased review of all reports. Nornickel will in no circumstances retaliate against an employee who raises a concern via the Corporate Trust Line, meaning that no disciplinary action or sanction will be taken (dismissal, demotion, forfeiture of bonuses, etc.).

Reports can be submitted via toll-free hotlines at 8,800,700 1941 and 8,800,700 1945, via e-mail at skd@nornik.ru, or via a reporting form on the Nornickel website.

Report statistics

Indicator

2019

2020

2021

Total number of reports

1,181

1,037

1,243

Total number of reports that triggered investigation

481

451

422

Percentage of corruption reports (%)

0.2

(1 confirmed case)

0

(0 cases)

0

(0 cases)

For more details on report statistics, please see the Sustainability Report.

Anti-corruption

According to the Anti-corruption Ranking of Russian Business 2021 compiled by the Russian Union of Industrialists and Entrepreneurs, Nornickel received the top rating, A1, reflecting the particular attention paid by the Company’s management to corruption prevention, as well as effective implementation of relevant measures.

Nornickel compiles with anti-corruption laws of the Russian Federation and other countries in which it operates, as well as with any applicable international laws and Nornickel’s internal documents.

Nornickel openly declares its zero tolerance to corruption in any form or manifestation. Members of Nornickel’s Board of Directors / Management Board and senior management role model a zerotolerance approach to corruption in any form or manifestation at all levels across the organisation. Facilitation payments and political contributions to obtain or retain a business advantage are strictly prohibited by Nornickel’s policy. Nornickel will not tolerate any retaliation against an employee who reports a concern about suspected corruption, or refuses to offer a bribe, facilitate bribery or take part in any other corrupt activities, even if their refusal to do so results in a lost opportunity or a failure to obtain a business or competitive advantage for Nornickel.

In line with legal requirements and its voluntary commitments, Nornickel actively implements anti-corruption measures:

  • Records and monitors entertainment expenses. Nornickel has established uniform requirements for offering and receiving business gifts applicable to all employees, which are set forth in the Regulations on Business Gifts
  • Regular anti-corruption due diligence of internal documents ensures that they present no potential for corruption
  • We perform annual assessment and quarterly monitoring of corruption risks
  • Every two years, Nornickel submits to the Russian Union of Industrialists and Entrepreneurs a Declaration of Compliance with the Anti-corruption Charter of Russian Business to confirm its compliance with anti-corruption requirements

Nornickel regularly trains its employees and involves them in implementing anti-corruption programmes. We run an online anti-corruption training course for all employees, as well as a course on compliance with anti-corruption laws for our HR function. As of the end of 2021, 100% of employees were trained to be familiar with the Group’s anti-corruption policies. Over the year, the training on statutory requirements and provisions of corporate anti-corruption regulations covered 9,805 people.

Timely identification and prevention of conflicts of interest are also key to our anti-corruption efforts. In line with the Regulations on the Prevention and Management of Conflicts of Interest, an approved standard reporting form is to be filled by candidates applying for vacant positions at Nornickel.

Nornickel maintains a Preventing and Combating Corruption section on its intranet portal, providing information on its anti-corruption regulations and measures taken to combat and prevent corruption, offer legal education, and promote lawful behaviours among employees.

In 2021, the Internal Audit Department evaluated the Company’s anti-corruption performance and proposed the following improvement measures following the audit:

  • Define a unified approach to adopting anti-corruption regulations and controls throughout the Group
  • Run additional anti-corruption training for employees

Nornickel is also implementing an initiative to identify and rank corruption risks inherent in business processes, as well as develop and implement a methodology for assessing and managing corruption risks. The following actions were taken as part of this initiative:

  • The heads of business units within Nornickel’s Head Office were surveyed to identify the business processes most prone to corruption
  • A draft register of corruption risks was compiled based on the survey findings
  • A draft Corruption Risk Management Methodology was developed

In order to mitigate potential risks associated with contractor engagement, Nornickel evaluates business standing, integrity, and solvency of its potential counterparties. To prevent procurement misconduct and maximise value capture through unbiased selection of best proposals, Nornickel’s procurement owner, customer, and secretary of a collective procurement body adhere to the following rules:

  • Procurement relies on the principle of division of roles
  • Commercial proposals submitted by qualified suppliers are compared using objective and measurable criteria approved prior to sending a relevant request for proposal
  • The selection results and the winning bidder in the material procurement process are approved by the collective procurement body comprised of representatives from various functions of Nornickel
  • A Master Agreement containing an anti-corruption clause is signed with each supplier or updated on an annual basis. The anti-corruption clause outlines the course of action to be taken between the supplier and Nornickel with respect to risks of abuse. Moreover, by signing the Master Agreement, suppliers acknowledge that they have read MMC Norilsk Nickel’s Anti-Corruption Policy

Antitrust compliance

An antitrust compliance system in place at the Company since 2017 establishes the processes for the timely prevention, identification, and elimination of causes and conditions facilitating antitrust violations and ensures compliance of the Company and its corporate entities with applicable laws.

Federal Law No. 135-FZ On Protection of Competition dated 26 July 2006 was amended in 2020 to set requirements for internal antitrust compliance regulations of organisations and establish the right of organisations to submit these regulations to the Federal Antimonopoly Service of the Russian Federation and obtain its opinion upon confirmation of compliance. The Company was the first in Russia to use the new statutory procedure to obtain a confirmation of the Federal Antimonopoly Service that its antimonopoly compliance system meets legal requirements, issued on 25 March 2021.

IN 2021, THE FEDERAL ANTIMONOPOLY SERVICE AND/ OR ITS TERRITORIAL BODIES DID NOT FIND ANY ANTITRUST VIOLATIONS BY THE COMPANY OR THE GROUP ENTERPRISES; AND NO ADMINISTRATIVE ACTIONS WERE TAKEN AGAINST THE GROUP ENTERPRISES FOR SUCH VIOLATIONS.

Corporate security

Nornickel’s corporate security system management is based on a set of programmes to ensure economic, corporate, internal, on-site, transport and information security, as well as the transparency of procurement and contractor selection procedures.

The Company continues to cooperate with the United Nations Interregional Crime and Justice Research institute (UNICRI) and the United Nations Office on Drugs and Crime (UNODC) on matters including the implementation of the UN Economic and Social Council Resolution 2019/23 on combating transnational organised crime, illicit trafficking in precious metals, and illegal mineral extraction.

In September 2021, Nornickel employees and officials from the Ministry of Transport of Russia, federal agencies for various modes of transport, and the regional transport ministries participated in the 10th National Conference on Transport Security and Anti-terrorism Technologies 2021. The conference participants proposed amendments to transport security laws and specific procedures around their enforcement.

In 2021, Nornickel conducted a total of 325 trainings, 41 general and 6 tactical and special drills.

The Company engages external contractors to ensure the safety of its facilities, making sure that contractor activities respect human rights, including those of employees of private security organisations. Respect for human rights is incorporated in the regulations of the Corporate Security Unit.

Information security

Programmes

Amid the COVID-19 pandemic with some employees still working remotely, the Company is taking extra precautions to ensure the information security of corporate resources and infrastructure. These include more stringent security requirements and controls for remote computers and devices used in audio and video conferencing. Remote work is monitored on a daily basis, with users guides and instructions updated as necessary.

The Company continues implementing its scheduled measures and programmes to protect corporate information systems and automated process control systems (APCSs) across the Group. Nornickel is providing project support for its IT initiatives programme and rolling out security tools to build the target information security architecture.

The Company assessed key information systems (criticality class A) for compliance with approved corporate information security standards.

Key information security rules are summarised in a single document – Guidelines on Permitted Use of Information Assets. The information security procedures which involve Nornickel employees include:

  • identification and classification of data assets
  • raising information security awareness
  • managing access to data assets
  • information security incident management
  • assessing IT projects for compliance with information security requirements.

Training
and education

New employees are required to take a knowledge test and extra briefing on information security. The Company has also developed and approved the Procedure Rules for Raising Information Security Awareness and has in place annual employee training plans compiled with account for current trends and newly identified risks and cyber threats. All Group employees are trained and tested on information security, on average, once a year. A total of 69 e-learning courses were delivered in 2021, with a total of 10,170 Group employees trained.

Cyber incident
response system

The Company’s Information Security Incident Response Centre uses advanced technical solutions as well as Russian and global best practices in managing cyber defence. Processes and procedures in place to ensure information security continuity in case of emergency are tested regularly, at least once per quarter.

Suspicious activity
reporting process

Nornickel improves the corporate information security system through regular drills and tests, including simulations of phishing attacks and other illegal interference with the corporate IT infrastructures. Following the drills, instructions for employees are updated, and the results are included in the quarterly bulletin forwarded to the heads of the Company’s units. In addition, the Company uses dedicated newsletters to improve employee awareness about current information security threats and digital hygiene.

Users are required to report any suspicious content or activity via the predetermined communication channels to the corporate Information Security Incident Response Centre, which assesses potential destructive impacts on the Company’s information systems and drives the planning and implementation of actions to prevent and/or address any consequences.

Certification

In line with ISO/IEC 27001:2013 and international best practices, Nornickel enterprises have been taking consistent efforts to implement and improve the information security management systems (ISMSs). By end-2021, ISMSs were introduced and proved their effectiveness for the following processes:

  • Marine freight transportation in the Murmansk Transport Division
  • Operational production management, procurement of feedstock and process materials, and monitoring progress against targets in production and shipment of finished products in the Polar Division

To demonstrate compliance with ISO/IEC 27001:2013, Nornickel’s information security management systems are audited by an independent certification body on an annual basis. 2021 was the first year in the Company’s history when a recertification audit covered the principal corporate ISMS in the Murmansk Transport Division. To verify its compliance with the standard, a repeat full audit was conducted on the division’s ISMS for the first time since its launch (in 2017). At the same time, additional tough requirements called for significant improvements across the elements of information security management. Employees involved in the operation of the Murmansk Transport Division’s ISMS showed excellent knowledge of information security, and the Company as a whole demonstrated that it can control risks and is prepared for unexpected changes when achieving its goals.

In 2021, Nornickel also expanded the list of sites that have in place a certified ISMS. Specifically, in September 2021, a certification audit of Talnakh Concentrator demonstrated that a unified approach to information security management is used across the Polar Division facilities.

An international certification body conducted a total of four audits at Nornickel in 2021: in addition to the recertification audit of the Murmansk Transport Division’s ISMS and the certification audit of Talnakh Concentrator’s ISMS, supervisory audits were run at two more sites within the Polar Division to verify the continuous improvement of the ISMS. At Nadezhda Metallurgical Plant and Copper Plant, the auditor satisfied itself that observations raised on the previous audit were followed up and conducted random standard compliance checks.

Management
involvement in information security

Nornickel’s Information Security Policy applies to all employees and includes the engagement boundaries and responsibilities of the Board of Directors and the Management Board in this regard. Their responsibilities include among other things setting up an information security risk management system along with reviewing and approving budgets for relevant programmes and projects.

Partnerships
and best practice sharing

At the national level, the Information Security in Industry Club, an industry association founded by Nornickel in 2017, has been successfully operating for four years now. Information security managers of major Russian industrial holdings are involved in its activities. The club provides a robust platform for sharing best information security practices, experience and expertise in manufacturing industry.

In international information security, Nornickel cooperates with the Security Council of the Russian Federation and the Ministry of Foreign Affairs of the Russian Federation, contributing to the development and discussion of position papers in this area. The Company also participates in the National Association for International Information Security (NAIIS) and cooperates with the International Information Security Research Consortium (IISRC).

The development and international promotion of precious metal supply chain security is an important aspect of the Company’s engagement with its business partners: Nornickel participates in dialogues on this issue on international platforms such as the UN Commission on Crime Prevention and Criminal Justice and the Security Committee of the International Platinum Group Metals Association (IPA), and is involved in the activities of the Joint Intergovernmental Committee on Trade and Economic Cooperation Between Russia and South Africa.

MURMANSK TRANSPORT DEVISION IS CONFIRMS EFFECTIVENESS THE INFORMATION SECURITY SYSTEM ALREADY FOUR YEARS
Murmansk

Independent audit

An independent auditor for MMC Norilsk Nickel’s financial statements is selected through competitive bidding in accordance with the Company’s established procedure. The Audit Committee of the Board of Directors reviews the shortlist and makes a recommendation to the Board of Directors on the proposed auditor to be approved by the Annual General Meeting of Shareholders of MMC Norilsk Nickel.

In 2021, the General Meeting of Shareholders approved KPMG as the auditor for MMC Norilsk Nickel’s RAS and IFRS financial statements for 2021 on the recommendation of its Board of Directors.

The Audit Committee of the Board of Directors also commended the effective collaboration between the Company’s management and KPMG on the 2020 audit of the Group, citing the accelerated publication of consolidated financial statements amid significant restrictions due to COVID-19.

The fee paid to KPMG for its audit and non-audit services in 2021 totalled RUB 335.1 million (USD 4.6 million), net of VAT, with the share of non-audit services accounting for 48% of the total.

To prevent conflict of interest between the audit and non-audit services, KPMG has in place a specific policy covering different types of services they provide to companies, which complies with the requirements of the International Ethics Standards Board for Accountants (IESBA), the Russian Rules for the Independence of Auditors and Audit Organisations, and other applicable standards.

Auditor’s fee

Service type

RUB mln, net of VAT

USD mln, net of VAT

Audit and related services
173.5
2.4
Non-audit services
161.6
2.2
Total auditor’s fee
335.1
4.6
Share of non-audit services (%)
48
«Nornikel»