As a holding company, TMK recognizes the importance of risk management, internal control, compliance and information security and sets higher standards for these control systems.
Control systems in place at TMK are formalized based on generally accepted international standards and cover all key assets, business processes and management levels of the Company.
PURPOSE OF THE SYSTEMS
To provide the Company’s management with an objective view of:
- the Company’s current state and prospects in terms of set goals
- risk exposure
- reliability of all types of reporting
- compliance with laws and internal regulations
- effectiveness and reliability of the risk management and internal control systems and corporate governance processes
- level of information security.
The principles of the control systems were determined by the Board of Directors and incorporated into TMK’s corporate policies and internal documents.
Control procedures are integrated into the business processes of TMK controlled entities and units and are run on a continuous basis by governing bodies at all levels and by employees in their day-to-day work.
The past year saw some changes to the structure of control bodies: the Revision Commission was dissolved (on July 17, 2020, PAO TMK’s Articles of Association were revised).
Monitoring of the control system is done by the Board of Directors, including the Audit Committee.
TMK’s Regulations on Internal Control define the goals, principles and elements of TMK’s internal control system, its main functions and responsibilities as well as the procedure for assessing the system.
The internal control system is a set of internal control processes based on the existing organizational structure, regulatory documents, procedures and internal control methods used at all management levels and in all functions of the Company.
The internal control system relies on a risk-based approach, helping to identify and analyze the risks impeding the Company’s business growth as well as ways to manage them. The internal control system is based on the Three Lines Model.
The Company’s Internal Audit assessed the internal control system in 2020 and concluded that its maturity is formalized and established.
The Regulations on Internal Control will be updated in 2021, with a focus on developing the control environment, control measures and methods, communication, automation and monitoring.
The multi-level hierarchical risk management system is present at various management levels and takes into account the role of each level in organizing and ensuring the system’s functioning.
PURPOSE OF THE SYSTEM
To identify, assess, manage and control potential risk events or situations to provide reasonable assurance that the Company’s goals and objectives will be achieved.
DAY-TO-DAY RISK MANAGEMENT
Done by the CEO, via the Risk Management Committee. The Chairman of the Committee regularly reports to the Audit Committee on risk occurrence.
A dedicated unit, whose tasks are fully in line with the Russian Corporate Governance Code, coordinates risk management processes and cooperation between the Company business units.
The choice of a risk response method depends on the risk significance, its probability and impact, implementation costs and benefits.
During the pandemic, the Company’s risk management swiftly developed and implemented a set of crisis response measures.
- Risk reassessment and prioritization
- Development of crisis scenarios
- Analysis of possible response measures
- Measures to minimize the probability of risk occurrence
- Adjustment of the risk map
- Updates to internal documents
The table below lists the key risks related to the Company’s business in 2020 and the measures taken to mitigate them. This table should not be seen as an exhaustive list of all TMK’s potential risks.
| Risk | Relative impact | Risk factors | Measures to eliminate the risk |
|---|---|---|---|
| Lower prices and demand for tubular products | high | The oil and gas industry is the largest consumer of steel pipes globally. The oil and gas industry has historically been volatile, and downturns in the oil and gas markets can adversely affect demand for tubular products, which largely depends on the number of oil and gas wells under development, their depth and drilling conditions, and the construction of oil and gas pipelines. In 2020, volatility in pipe prices was driven by deteriorating global economy, including as a result of COVID-19 restrictions. | |
| Increase in purchase prices for raw materials | high | At the end of 2020, the market saw a significant increase in prices for raw materials, in particular scrap. This trend is expected to continue in the future as business activity recovers and global coronavirus restrictions are lifted. | |
| Legal risks arising from potential actions of state authorities | low | In the post-COVID unfavorable global economic environment, further protectionist measures are taken. Russia and the European Union still have political tensions, which may lead to new sanctions affecting product exports. | |
| Environmental risks | low | Our operations must comply with environmental laws in the countries of our presence. | |
| Cyber risks | low | TMK rolls out digital technologies on a large scale in various business areas and also grows Internet communications with customers and suppliers. In 2020, the Company had to shift a significant number of its employees to remote work due to the COVID-19 pandemic. These factors may increase cyber risks. | |
Assist TMK’s Board of Directors/Audit Committee and executive bodies in improving the management of TMK Group by objectively evaluating the performance of internal controls, risk management and corporate governance
Internal Audit Policy of TMK Group, Regulations on the Internal Audit Service of PAO TMK, Internal Audit Quality Assurance and Improvement Programme (updated on May 22, 2020).
The Internal Audit Service is an independent unit reporting directly to PAO TMK’s CEO (administratively) and to the Board of Directors via the Audit Committee (functionally), which ensures its independence and objectivity.
The difficult conditions in the reporting year required Internal Audit to make non-standard decisions, revise strategies, adopt new perspectives, and accelerate audit procedures in order to provide prompt independent and objective assurance and advice to the management to take proactive and adequate measures.
The new challenges stimulated business process diagnostics across all areas, bringing a focus to key and realizable risks and triggering a revision of plans and approaches to remote mode audits.
Internal Audit addressed the challenges and met set targets, completing 20 audits to cover 32% of the Company’s Risk Map, of which 50% were key risks (the Internal Audit Service’s report was presented to the Board of Directors on December 17, 2020).
INTERNAL AUDIT QUALITY ASSESSMENT
In line with TMK Group’s Internal Audit Quality Assurance and Improvement Programme (approved by TMK’s Order No. 216 dated May 22, 2020), usefulness and performance assessment of the Internal Audit Service is conducted annually (including self-evaluation, assessment by TMK’s management and the Board of Directors).
Improve the Company’s control systems through cooperation and interaction between Internal Audit and business units, ensuring timely response to issues hindering the achievement of strategic objectives.
Reporting procedures for both standalone controlled entities and consolidated financial statements of PAO TMK.
- Compliance of the accounting policy with national and international accounting standards (RAS and IFRS)
- Completeness and accuracy of accounting records, timely detection of errors
- Reliability of financial statements
- Conformity of financial statements to the law as well as national and international standards
- Timely preparation of financial statements
All employees engaged in the preparation of statements have a degree in accounting or finance and are regularly upskilled. PAO TMK’s Chief Accountant and the head of the department engaged in the preparation of IFRS consolidated financial statements are members of the Association of Chartered Certified Accountants (ACCA).
The preparation of consolidated financial statements at the Company has been automated in line with the latest international standards to ensure its efficiency. With highly digitized processes, despite working from home due to the COVID-19 outbreak, the consolidated financial statements were prepared smoothly and on time.
Centralized approach to developing accounting policies
During the year, the Audit Committee reviewed matters of assessing the system of internal controls and minimizing risks when preparing accounting and management reports, and provided relevant recommendations to the Board of Directors.
The Company engages an external auditor on an annual basis to independently assess the reliability of the accounting (financial) statements prepared in accordance with RAS and IFRS.
Confirm the reliability of the Company’s financial (accounting) statements prepared in accordance with national and international financial reporting standards (RAS and IFRS).
An external auditor to conduct an independent audit of the Company’s RAS statements is proposed by the Board of Directors and approved by PAO TMK’s General Meeting of Shareholders.
The Audit Committee assesses the external auditors for independence, objectivity and absence of conflicts of interest, oversees the external audit and reviews the external auditor’s opinion.
To ensure the auditor’s independence and objectivity, the following procedures are in place:
- The Company holds a tender to select TMK Group’s auditor pursuant to the terms and conditions approved by the Audit Committee, which also organizes the tender and announces its results
- The Audit Committee may request an early tender (including after the evaluation of the auditor’s performance and its independence)
- The auditor is selected from among internationally recognized independent auditors and is approved by the Board of Directors.
To mitigate the risk of a long-term relationship compromising the external auditor’s independence and objectivity, members of audit teams and the lead partner responsible for the audit are subject to rotation.
PAO TMK approved Ernst & Young LLC, a member of the Self-Regulatory Organization of Auditors Association Sodruzhestvo, as the external independent auditor of its 2020 and interim consolidated and standalone accounting (financial) statements.
In 2020, the auditor’s remuneration for auditing the annual financial statements and conducting interim reviews (including audits of standalone statements of individual TMK entities) was RUB 105.0 million, RUB 15.4 million for other audit-related services, and RUB 1.8 million for non-audit services.
TMK Group’s Code of Ethics
The key element of the Company’s activities is strict observance of the applicable laws, the Articles of Association and policies of the Company (including this Code), and good business practices. The image and reputation of the Company, as well as that of each and every one of its employees, depend on these rules being enforced.
APPROVED by the CEO of PAO TMK, Order No. 65 dated February 26, 2019. APPROVED by the Board of Directors of PAO TMK, Minutes No. 16 dated February 08, 2019.
TMK has a clearly structured and independent compliance framework, which ensures compliance with legal and ethical standards. The system integrates preventive measures, detection of, and sanctions for, violations. This process is coordinated by the CEO’s Committee on Regulating Compliance Risks and its regional subcommittees which work based on a single plan across all TMK Group’s divisions and plants.
GOVERNING REGULATIONS AND STANDARDS
TMK has the Compliance section on its corporate website, in the upper part of the top navigation panel, which contains a set of documents guiding the Company’s compliance function: https://www.tmk-group.ru/compliance.
PAO TMK follows best anti-corruption standards in its business:
- Guidelines for Development and Adoption of Measures by Organizations to Prevent and Combat Corruption of the Russian Ministry of Labor
- Transparency International’s Business Principles for Countering Bribery
- Global Reporting Initiative
FIGHTING CORRUPTION AND FRAUD
Maintain a zero tolerance attitude toward corruption offences.
At any time of day or night, any Company employee can and should inform the Company of any incidences of the offences outlined above via the following channels:
- by Whistleblower Hotline: 8 800 700 8072 (you may call free of charge, from anywhere in the country, round the clock)
- by e-mail: firstname.lastname@example.org (you may send the notification from any email address)
- by post to: 40/2a Pokrovka Street, Moscow, 101000, Hotline.
During the year, TMK implemented TMK Group’s 2020 Anti-Corruption Improvement Programme as instructed by the Board of Directors of PAO TMK (Minutes No. 5 dated September 19, 2019).
VETTING COUNTERPARTIES AND MONITORING TRANSACTIONS
Transactions within counterparties’ ownership chain are continuously monitored for conflicts of interest, anti-corruption clauses and other mandatory conditions are included in contracts, and all TMK’s counterparties are reviewed for sanctions risks using the X-COMPLIANCE program.
MANAGING POTENTIAL CONFLICTS OF INTEREST
Identify, manage and prevent conflicts of interest involving the Company employees and potential negative outcomes of conflicts of interest for the Company.
TMK Group’s corporate standard Regulations on the Conflicts of Interest approved by Order of the CEO of PAO TMK No. 182 dated May 13, 2019.
The Regulations define the basic principles of, and the procedure for, identifying, preventing and managing conflicts of interest. The Regulations are mandatory for all Company employees regardless of their positions.
All new hires are required to familiarize themselves with the Regulations and fill out and sign a Conflict of Interest Disclosure Form.
Statutory regulations on preventing and managing conflicts of interest are reflected in PAO TMK’s Articles of Association, Regulations on the Board of Directors, Regulations of the Management Board, Code of Ethics, Corporate Governance Code and other regulations governing procurement and other business processes.
Acting reasonably and in good faith, governing bodies pass resolutions on a fully informed basis, with no conflicts of interest, subject to equal treatment of the Company’s shareholders, and assuming normal risk levels
- Level of the Company’s shareholders
- Level of the Board of Directors
- Level of PAO TMK employees
Each conflict of interest is reviewed and managed as any new case arises.
The Company’s special authorized body responsible for prevention and settlement of conflicts of interest is the Committee on Regulating Compliance Risks.
To enable public control, TMK operates a hotline information system (telephone lines and email — email@example.com), which can be used by the Company’s employees, investors, clients and other stakeholders to report any known abuse or violations. Overall, in 2020, TMK’s hotline received 1,138 calls (up 32% year-on-year) and 1,144 e-mails (up nearly 34% year-on-year). The appropriate personnel and management decisions were taken to address the confirmed cases.
PROTECTION FOR WHISTLEBLOWERS
To ensure the anonymity of whistleblowers, all incoming information is directed to a dedicated group of three authorized members of the Committee on Regulating Compliance Risks, who have signed a non-disclosure agreement.
The Committee on Regulating Compliance Risks organized training workshops for senior managers and members of the Board of Directors as well as regular trainings for employees of TMK Group entities.
Nine employees of TMK Group entities were trained under the ICA program, passed exams and received international certificates in basic compliance. The head of the Compliance Risk Department holds an international professional diploma in Compliance and is an Honorary Member of the International Compliance Association (ICA).
During 2020, the Company held 34 trainings (taking into account COVID-19 restrictions) on identifying, assessing and managing compliance risks, covering a total of 1,828 people.
In addition, 250 people were trained in the Compliance Risk Management programme as part of distance learning on the TMK2U platform. The Company launched the PAO TMK’s Code of Ethics. The Company further launched the On the Shop Floor interactive course on the platform in December 2020 and continues to develop new projects, such as “PAO TMK’s Code of Ethics. Office”, “Sanctions Compliance”, and “Conflict of Interest”.
With some employees shifting to remote work, a new security awareness tool was introduced via the Mobi2U corporate mobile app.
Every Company employee can find out news on TMK’s security system at its enterprises from their mobile phone in the regular On the Lookout! column and also use the mobile app to take an active part in protecting corporate property, ethical standards and values.
TMK is a member of the International Compliance Association (ICA).
TMK is a member of the Russian Union of Industrialists and Entrepreneurs (RSPP) and has signed the Anti-Corruption Charter of Russian Business.
TMK regularly participates in the All-Russian Interactive Anti-Corruption Campaign launched by the Russian Chamber of Commerce and Industry.
TMK Group’s 2020 anti-corruption report was discussed at a meeting of the Audit Committee (minutes dated December 16, 2020) and received a positive assessment.
- Pass certification to international standards ISO 19600 Compliance Management Systems and ISO 37001 Anti-Bribery Management Systems in 2021 in line with TMK Group’s Anti-Corruption Improvement Programme
- Launch distance courses “PAO TMK’s Code of Ethics. Office”, “Sanctions Compliance”, and “Conflict of Interest”.
Protect commercially sensitive confidential information, insider information and personal data of employees, shareholders and partners.
Strategy to Ensure and Improve Cybersecurity to 2022, Information Security Policy of TMK Group Russian Entities, the medium-term programme to improve security of TMK’s IT infrastructure.
Vice President for Security, PAO TMK’s Information Technology Department, PAO TMK’s Economic Security Service, PAO TMK’s IT Infrastructure Protection Department, as well as local cybersecurity departments and desks at PAO TMK’s entities.
Adapting to current business realities and taking proactive steps, TMK promotes rapid automation/digitization of its operations. As they are mostly performed in IT systems, this significantly increases cybersecurity requirements.
DELIVERING THE 2019–2022 STRATEGY TO ENSURE AND IMPROVE CYBERSECURITY IN 2020
The projects planned for 2020 under the Strategy were, as the events of the past year have proven, strategically timely and substantiated and were implemented in full, establishing TMK’s leadership in technology in challenging conditions for business.
Following the requirements of the corporate information security standard, in early 2020, TMK transitioned to a hybrid IT infrastructure, creating a cloud-based virtual data center fully integrated with the corporate infrastructure.
- TMK was one of the first companies in Russia to start the process of shifting its workforce to remote work. The Company’s IT team was able to implement a flexible cloud solution that enabled a smooth shift with practically no interruptions in business processes or additional costs. During the pandemic, almost 9,000 TMK employees (about 20% of the total headcount) shifted to remote work.
- In 2020, TMK set up and launched the Security Operations Center (SOC) connected to the key sites of the Russian division, including the executive office and main data centers. The center serves as a platform for centralized monitoring and responding to information security incidents within TMK Group and also interacting with the State System for Detection, Prevention and Consequence Management of Cyberattacks on Web Resources in the Russian Federation (GosSOPKA). We have already seen tangible benefits from these measures amidst a growing number of cyber attacks during the COVID-19 related lockdown.
- TMK implemented a corporate information security awareness system comprising a whole range of measures to improve digital hygiene: interactive courses and trainings on countering phishing and social engineering methods on the platform of TMK2U Corporate University, regular newsletters, etc.
The conditions in which TMK had to work in 2020 have served as a testing ground for IT and information security systems in a real business environment and confirmed the systems’ reliability. As part of the corporate risk management system, cybersecurity risks were identified in a timely manner and promptly responded to, with measures developed to minimize key risks and their potential consequences in the future.
KEY IT RISKS
- Loss of control over the Company’s information systems regulating business processes due to unauthorized access to the corporate network (i.e. cyberattacks)
- Disruption of business continuity
- Loss of control over information sources, data leaks from information systems.
- Ensure IT security of TMK’s digital transformation projects
- Assess the maturity of cyber security in TMK’s Russian division: develop a methodology, conduct the assessment, develop follow-up measures and solutions. These measures will significantly enhance the information security efficiency
- Proceed from audits and preparations to implementing measures and deploying security systems at critical facilities (in line with the requirements of Federal Law No. 187-FZ On Security of Critical Information Infrastructure of the Russian Federation) in 2021–2022
- Conduct corporate cyber security awareness training