Control system

The Company has in place an internal control framework covering key business processes and all management levels across the Group. The framework comprises the following supervisory bodies:

• Internal Control and Risk Management, comprising the Internal Control Department, Financial Control Service, Risk Management Service, and Inspectorate for Monitoring Technical, Production and Environmental Risks
• Audit Commission
• Audit and Sustainable Development Committee
• Internal Audit Department

The Internal Control Department regularly monitors the reliability of the Company’s system of accountings of metal-bearing products, as well as high-risk business processes – procurement and investment operations, capital construction and corporate insurance transactions. The Department also continuously monitors compliance with regulatory requirements to counter the misuse of insider information and combat money laundering and the financing of terrorism.

The performance and maturity of internal control framework elements is evaluated annually as part of a financial statement audit and internal control framework self-evaluation. Reports containing the internal control framework evaluation results are reviewed by Nornickel’s management and the Audit and Sustainable Development Committee of the Board of Directors.

The Financial Control Service audits financial and business operations of Nornickel and its subsidiaries to make updates and recommendations for the President and members of the Board of Directors. The Head of the Financial Control Service is appointed by resolution of the Board of Directors..

Nornickel runs the Corporate Trust Service speak-up programme established within the Internal Control Department to respond promptly to reports of non-compliance, wrongdoing or embezzlement. Employees, shareholders and other stakeholders can report any actions that cause or may cause financial or reputational damage to Nornickel. The key principles underlying the operation of the Corporate Trust Service include guaranteed anonymity for whistleblowers, and timely and unbiased review of all reports. Nornickel will in no circumstances retaliate against an employee who raises a concern via the Corporate Trust Service, meaning that no disciplinary action will be taken (dismissal, demotion, forfeiture of bonuses, etc.).

Reports can be submitted via toll-free hotlines 8 (800) 700-19-41, and 8 (800) 700-19-45, via e-mail skd@nornik.ru or the reporting form on Nornickel’s website.

Internal audits are aimed at assisting the Board of Directors and senior management in enhancing Nornickel’s management efficiency and improving its financial and business operations through a systematic and consistent approach to the analysis and evaluation of risk management and internal controls as tools providing reasonable assurance that Nornickel will achieve its goals.

In order to ensure independence and objectivity, the Internal Audit Department functionally reports to the Board of Directors through the Audit and Sustainable Development Committee and has an administrative reporting line to Nornickel’s President.

The Internal Audit Department conducts objective and independent audits to assess the effectiveness of the internal control framework and risk management framework. Based on the audits, the Department prepares reports and proposals for the management on improving internal controls, and monitors the development of remedial action plans.

In 2020, the Department:

• performed 19 audits of production management, IT asset management, activities of the Russian division, and corporate governance processes
• performed an annual evaluation of Nornickel’s corporate risk management framework and internal control framework in 2020. The review concluded that the corporate risk management framework and internal control framework remain effective overall, with some minor improvements required.

Based on the recommendations issued during the audits, the management developed corrective actions and implemented a total of 322 such actions in 2020. The actions included updating regulatory documents, developing new or amending existing control procedures, communicating them to employees, training employees, identifying and assessing risks. The Internal Audit Department continuously monitors the implementation of initiatives developed by management, with the resulting insights on types and number of initiatives regularly reviewed by the Audit and Sustainable Development Committee.

Digitalisation of internal audit

In 2020, the Internal Audit Department adopted the SAP Audit Management information system. The successful implementation enabled the Company to:

• create a tool to automate standard procedures for planning, auditing, reporting, making and following up on recommendations, preparing analytical and statistical reports
• create a single point of access to the Internal Audit Department’s data, ensure convenient storage of documents and monitoring of audits, increase the transparency of internal audit activities by introducing a single workspace
• ensure the management of databases on controls and risks for internal audit.

In 2020, the Department started preparing for rolling out the SAP Audit Management system across internal audit units of the Russian division and the Company’s branches. The system’s implementation is planned for 2021.

The Internal Audit Department focuses on expanding the use of data analysis tools in audits. In 2020, in addition to IT audits, the Internal Audit Department used digital data processing methods to audit procurement processes and transportation services.

Nornickel complies with anti-corruption laws of the Russian Federation and other countries in which it operates, as well as any applicable international laws and Nornickel’s own internal documents. This commitment enhances Nornickel’s reputation and boosts trust and confidence among our shareholders, investors, business partners, and other stakeholders.

Nornickel openly declares its zero tolerance to corruption in any form or manifestation. Members of Nornickel’s Board of Directors/Management Board and senior management role model a zero-tolerance approach to corruption in any form or manifestation at all levels across the organisation. Facilitation payments and political contributions to obtain or reward the retention of a business advantage are strictly prohibited by Nornickel’s policy. Nornickel will not tolerate any retaliation against an employee who reports a concern about suspected bribery or corruption, or refuses to offer a bribe, facilitate bribery, or take part in any other corrupt activities, even if their refusal to do so has resulted in a lost opportunity or a failure to obtain a business or competitive advantage for Nornickel.

The corporate Anti-Corruption Policy is Nornickel’s key anti-corruption document, setting out the main objectives, principles and scope of anti-corruption efforts.

As part of its anti-corruption efforts, Nornickel has developed and approved the following key anti-corruption documents:

• Code of Business Ethics of MMC Norilsk Nickel
• Code of Conduct and Ethics for Members of Board of Directors
• Regulations on the Product Procurement Procedure for Norilsk Nickel Group Enterprises
• Standard anti-corruption agreement – an appendix to the employment contract
• Regulations on Information Security
• Regulations on the Prevention and Management of Conflicts of Interest
• Regulations on Business Gifts
• Procedure for Anti-Corruption Due Diligence of Internal Documents by the Head Office of MMC Norilsk Nickel
• Regulations on the Conflict of Interest Commission
• Regulations on the Information Policy

Having joined the Russian Anti-Corruption Charter for Business, Nornickel is implementing a range of dedicated anti-corruption measures based on the Charter and set forth in Nornickel’s Anti-Corruption Policy. In January 2020, the Company submitted its Declaration on Compliance with the Russian Anti-Corruption Charter for Business to the Russian Union of Industrialists and Entrepreneurs, and its participation in the Charter was extended until 2021.

The Company regularly informs its employees on corruption prevention and combating. Starting from 2015, all Nornickel employees make their personal anti-corruption commitments by signing a relevant form. The corporate Anti-Corruption Policy and related regulations are communicated to all employees upon commencement of employment. Norilsk Nickel Group provides training for employees on an ongoing basis, including anti-corruption induction briefings for all new hires, regular anti-corruption distance learning courses, and individual advice on compliance with anti-corruption requirements.

Nornickel maintains a Preventing and Combating Corruption section on its corporate intranet, providing information on anti-corruption regulations and measures taken to combat and prevent corruption, provide legal education, and promote lawful behaviours among employees.

Nornickel’s corporate security system management is based on a set of programmes to ensure economic, corporate, information, on-site, and transport security, as well as transparency of procurement and counterparty selection procedures. Particular emphasis is placed on supporting the Company’s socially significant investment and environmental projects.

The Company continues to cooperate with the United Nations Interregional Crime and Justice Research Institute (UNICRI) and the United Nations Office on Drugs and Crime (UNODC) in areas including the implementation of the UN Economic and Social Council Resolution 2019/23 on combating transnational organised crime, illicit trafficking in precious metals, and illegal mineral extraction.

Nornickel’s representatives co-chair the Security Committee of the International Platinum Group Metals Association. The Security Committee guides its members to ensure security and combat illicit trafficking in platinum group metals. The International Platinum Group Metals Association is the only international industry association of PGM producers.

The Company cooperates with law enforcement and supervisory bodies, sits on public and scientific advisory councils at the Ministry of Internal Affairs, Investigative Committee, Transport Prosecutor’s Office, Federal Security Service of the Russian Federation, and interdepartmental working groups.

In 2020, Nornickel collaborated with the Federal Security Service, Ministry of Internal Affairs and EMERCOM to conduct a total of 127 trainings, 65 general and 12 tactical and special drills.

The protection of human rights is reflected in the by-laws of the Corporate Security Unit (MMC Norilsk Nickel’s Anti-Embezzlement Regulations, In-House Investigation Regulations, etc.).

Shift to work from home

The COVID-19 pandemic has affected virtually every industry in Russia and globally, including information security. To mitigate potential health risks for the Company’s employees and prevent the potential consequences for operations, Nornickel’s management decided to shift a significant part of its personnel to remote work. Along with providing employees with the necessary equipment to work from home, additional measures were taken to enhance the information security of corporate resources and infrastructure. The Company tightened security requirements and controls for remote computers and devices used in audio and video conferencing. Remote work is monitored on a daily basis, and reminders and guidelines for users are updated.

Implementing information security programmes

Despite the pandemic-induced restrictions, the Company continues implementing its scheduled measures and programmes to protect corporate information systems and automated process control systems (APCS) at its Head Office and in the regions of operation. Nornickel continued providing project support for its IT initiatives programme and to introduce security tools to build the target information security architecture.

The Company has approved information security standards and plans to bring all information systems and APCSs into compliance with these standards in the medium term.

Implementation of policies for employees

The principle information security rules for employees are summarised in a single document – Guidelines on Permitted Use of Information Assets. The information security procedures which involve the Company employees include:

• identification and classification of information assets
• raising information security awareness
• managing access to information assets
• managing information security incidents
• assessing IT projects for compliance with information security requirements.

Training and education

Employee information security training and upskilling, along with raising information security awareness (beyond dedicated units) are directly linked to the implementation of the corporate HR policy. New hires are requested to take a respective test and complete an induction briefing. Nornickel developed and approved the Procedure for Raising Information Security Awareness and has in place annual employee training plans compiled with account for current trends, new risks and cyber threats. All employees of the Company’s Head Office and facilities located across its regions of operation undergo training and knowledge checks. The Company conducts training courses on the Digital Academy corporate platform. A total of 47 video conference trainings were held in 2020, covering 7,000 employees.

Suspicious activity reporting process

Nornickel improves the corporate information security system through regular trainings and drills, including simulations of phishing attacks and other illegal schemes to affect the corporate IT infrastructures. Following the trainings, instructions and guidelines for employees are updated, and relevant information is also included in the quarterly bulletin forwarded to heads of the Company’s structural units. All Nornickel’s internal documents on information security prompt employees to report suspicious activities to the corporate Information Security Incident Response Centre using available communication channels.

Cyber incident response system

The Company has an Information Security Incident Response Centre which uses advanced technical solutions as well as Russian and global best practices for managing cyber defence. Processes and procedures in place to ensure information security continuity in case of emergency are tested regularly, at least once per quarter.

Compliance with regulatory requirements

In accordance with Federal Law No. 187-FZ dated 26 July 2017 the Group categorised critical IT infrastructure facilities (APCSs) and submitted the results to the Federal Service for Technical and Export Control. Nornickel obtained licences for information security monitoring activities, and signed a number of data sharing agreements with state regulatory authorities to counteract cyberattacks on IT resources and infrastructure of leading Russian industrial corporations

The Company also improved its methodology and regulations covering personal data and trade secret protection, which are rolled out across its regions of operation.

The Group consistently implements the Information Security Management System across its facilities, covering operational production management, procurement of feedstock and process materials, and control over the achievement of targets in production and shipment of finished products. In 2020, Nadezhda Metallurgical Plant and Copper Plant (Nornickel’s Polar Division) implemented the information security management systems certified to ISO/IEC 27001:2013. In the course of the year, Nornickel engaged BSI (British Standards Institution), a leading international standards body, to conduct four audits, which confirmed the effectiveness of Nornickel’s efforts and compliance of its information security management systems with international standards and global best practices.

The Company regularly passes external information security audits for compliance with the requirements to personal data and critical information infrastructure protection, international cyber security management standards, as well as testing and security assessments, vetting inspections to control information security in maritime and river navigation, etc.

Nornickel’s efforts to develop and implement advanced cyber security solutions for industrial assets have been repeatedly acknowledged by the professional community and industry associations.

Engagement of the Board of Directors and senior management

Nornickel’s Information Security Policy outlines the respective engagement boundaries and responsibility of governance bodies, including the Board of Directors and the Management Board. Their responsibilities include setting up an information security risk management system, reviewing and approving the budgets of relevant programmes and projects.

The Company’s senior management regularly reports to the Board of Directors on information security at meetings of the Audit and Sustainable Development Committee.

Participation in conferences and forums

The Information Security and IT Infrastructure Department took part in the 8th international conference Kaspersky Industrial Cybersecurity Conference 2020, one of Russia’s leading dedicated forums, to share their experience and solutions in industrial cybersecurity and cyber protection of technology processes. Nornickel’s achievements and willingness to share its solutions as models to be deployed by Russia’s industrial majors were highly praised by the professional community. The Company received a badge of honour For Leadership, Openness and Responsible Approach to Protecting Industrial Facilities.

For its contribution to the development of the Russian Privacy Professionals Association, the Department won a Russian Privacy Award in the Expert of the Year category.

In addition, throughout 2020, employees of the Information Security and IT Infrastructure Department spoke at events such as the international conference TB Forum (co-organised by the Federal Service for Technical and Export Control), the 8th Conference on Information Security of Automated Control Systems for Critical Facilities, etc.

Competitive bidding to select an independent auditor for MMC Norilsk Nickel’s financial statements is carried out as per the Company’s existing procedure. The Board’s Audit and Sustainable Development Committee reviews the pre-selection results and makes a recommendation to the Board of Directors regarding a proposed auditor to be approved by the Annual General Meeting of Shareholders of MMC Norilsk Nickel.

In 2020, the General Meeting of Shareholders approved JSC KPMG as the auditor for MMC Norilsk Nickel’s RAS and IFRS financial statements for 2020.

The fee paid to JSC KPMG for its audit and non-audit services in 2020 totalled RUB 305.8 million (USD 4.2 million), net of VAT, with the share of non-audit services accounting for 45% of the total amount.

To avoid conflicts of interest, JSC KPMG has in place a policy covering different types of services provided to audited companies, which complies with the requirements of the International Ethics Standards Board for Accountants (IESBA), the Russian Rules for the Independence of Auditors and Audit Organisations, and other applicable standards.