Risks migration in 2017 and robust assesment

In 2017, management carried out a robust reassessment of the principal risks facing the Group. The Audit Committee has carefully reviewed this assessment on behalf of the Board.

The assessment focused on the risks that could adversely affect the Group’s strategies. It included an evaluation of risks identified at the operational level to consider their relevance and significance for the Group, as well as a detailed assessment of some specific areas where new risks have been identified or the risk profile has changed significantly. As a result, the principal risks have been updated. Management also considered the speed of impact of each risk in their assessment.

In addition, a reassessment of the cybersecurity and IT infrastructure failure risk has led to the identification of this as a principal risk, mostly due to the rising level of cybercrime globally and the increasing reliance on IT systems. On 27 June 2017, a computer virus attacked many major companies around the world, including EVRAZ.

The assessment included other risks that were not recognized as principal, eg HR and employee risks, taxation, compliance risks (including anti-corruption and anti-bribery matters), social and community risks, risks related with respect for human rights, and other risks. While the impact and probability analysis suggests that such risks could affect the Group’s operations to some extent, the management believes they are being adequately managed and does not consider them as being capable of seriously affecting the Group’s performance, future prospects or reputation. EVRAZ activity in these areas is described in more detail on CSR Report section.

All the EVRAZ IT systems and data affected by the virus attack have been quickly recovered. Although no significant damage has been caused by the cybersecurity incident to date and no financial data was affected or manipulated, the management continues to implement additional measures to minimise similar risks.

While the composition of the Group’s principal risks has not changed substantially compared with the previous year, a detailed analysis of their impact and probability of negative consequences for the Group has led to a recalibration in the assessment of some of the risks.

The Group closely monitors the impact of the UK referendum result in favour of leaving the EU and continues to believe that it will not significantly affect its business.

Key developments in 2017

Risk management training for the Group’s top management took place in early 2017. In addition to inducting new members of the top management team into the corporate risk management process and practices, this training session supported the improved risk management reporting procedure that was introduced as part of the transformation of the Risk Committee into the Risk Management Group at the end of the prior year.

To enhance the depth of analysis for individual process risks, the Group began to update its occupational safety risk assessment methodology in 2017.

The internal control self-assessment and risks analysis performed by line managers at plants has been extended to ensure increased coverage and a more comprehensive result. The major purpose is to increase the depth of involvement of management and employees in the process of improving internal control and risk management.

Principal risks and uncertainties heat map in 2017

  1. Global economic factors, industry conditions and cyclicality
  2. Product competition
  3. Cost effectiveness
  4. Treasury: availability of finance
  5. Functional currency devaluation
  6. HSE: environmental
  7. HSE: health, safety
  8. Potential action by governments
  9. Business interruption
  10. Cybersecurity and IT infrastructure failure