Internal control and risk management system

The Company’s internal control and risk management system is set up to provide reasonable assurance that the Company fulfils its mission and values, whilst meeting business targets. The system gives an accurate, fair and clear representation of the Company’s current affairs and prospects, whilst also ensuring the integrity and transparency of Magnit’s accounts and reports. Finally, the system establishes a reasonable and acceptable Company risk level.

The Company’s Board of Directors and Management Board ensure the effective operation and development of the internal control and risk management system. This helps control the achievement of the Company’s strategic and operational goals, the reliability of information disclosure and compliance with external and internal requirements.

Goals of the internal control and risk management system:

  • strategic goals ensuring the accomplishment of the Company’s mission and efficient management of its operations
  • operational goals related to the efficient and effective use of the Company’s resources
  • goals ensuring the accuracy of the Company’s accounts and reports
  • goals related to compliance with applicable laws and the Company’s by-laws.

Objectives of the internal control and risk management system:

  • reduce the number of unexpected events in the Company’s operations
  • define and manage Company risks to provide reasonable assurance that the Company will achieve its goals
  • ensure the right balance between risk appetite and development strategy
  • improve managerial decision-making, including risk response decisions
  • develop a risk-oriented corporate culture with the corporate bodies and management disseminating knowledge and skills across the Company and engaging employees along the way.

In the process of creating shareholder value, the Company makes management decisions based on a number of mixed factors that can have both a positive and negative impact on progress towards the set goals. One of the ways to reduce uncertainty caused by such factors is to raise the awareness of shareholders, management and employees of such factors and assess their potential impact.

The Company adopts a consistent approach to the organisation of internal control and risk management with a focus on five key components.

The control and risk management system is governed by the following internal regulations:

  • Internal Control and Risk Management Policy (approved by the Board of Directors on 12 December 2019; Minutes w/o No. dated 13 December 2019)
  • Regulations on Process-Oriented Risk Management
  • Risk Register

Core principles:

  • comprehensive and continuous operation. Risk management and internal control are undertaken on a constant and cyclical basis and cover all areas of the Company’s business operations across the governance hierarchy;
  • integration with governance. Risk management is an integral part of the decision-making process. It supports sound management decisions and factors in the probability and consequences of risks;
  • distinction of decision-making levels. Risk management decisions shall be made at various governance levels subject to the significance of the risk and area of the Company’s business activities;
  • responsibility. All subjects of internal control are responsible for compliance with risk management and internal control standards and approaches within their respective remit;
  • distribution of responsibilities and powers. The responsibilities and powers of the internal control and risk management bodies are distributed to eliminate or reduce the risk of error and/or fraud;
  • balance between risk exposure and profitability. Risks in each area of the Company’s business activities are monitored with a focus on the risk/profitability ratio;
  • risk-focused approach. Control procedures shall be established for business lines based on their significance in terms of the Company’s operational efficiency;
  • reasonable assurance. The Company relies on high rather than absolute confidence regarding the reliability of risk management and internal control;
  • ongoing improvement. The Company constantly monitors its risk management system and works out new ways for its improvement and development.

The Company applies a three lines of defence model (a control model developed and recommended by the Institute of Internal Auditors (IIA)) to coordinate risk management and internal control processes by clearly defining and delimiting respective functions and responsibilities.

Three lines model

In the first line of defence, risks are managed by business process and business unit owners supported by control mechanisms that are responsible for embedding risk controls into the decision-making process and key business operations. Business units are risk owners responsible for identifying, managing and mitigating risks, analysing and reporting on key risks. Heads of business units draft, implement, and ensure the operation of controls in business processes.

The second line of defence consists of the Risk Management Office, Economic Security Department, Department for Compliance and Antitrust Practices, Financial Control and Operational Controlling Office, etc. They draft and implement risk management and internal control methodologies, set standards and coordinate the Company’s activities related to risk management and internal control, including relevant processes, technologies, and culture, ensure continuous monitoring of the development and functioning of controls related to the first line of defence, and provide advice on risk management.

The third line of defence is operated by the Internal Audit Department, which provides independent performance assessment of internal controls and risk management and gives recommendations for their improvement.