Corporate controls

GRI 2‑12

Risk management and internal control

Organisational structure of the risk management and internal control framework

The risk management and internal control framework is a set of organisational measures, methods, practices and standards of corporate culture. It also embraces actions taken by the Company to strike the right balance between value growth, profitability and risks, support sustainable development, and ensure efficient operations, protection of its assets, compliance with applicable laws and internal documents, along with timely and accurate reporting.

The Board of Directors defines the key principles of, and approaches to, risk management and internal controls, oversees the Company’s executive bodies, and performs other key functions, including setting the overall risk appetite and reviewing material risks and ways to manage them.

The Board’s Audit Committee focuses on assessing risk management and internal controls and making proposals to improve them. On top of that, its members supervise the preparation of accounting (financial) statements and the measures taken to prevent fraudulent behaviour of the Company’s employees or third parties.

The Review Committee elected by the General Meeting of Shareholders exercises control over the financial and business operations of the Company.

The Annual General Meeting of Shareholders held in March 2023 elected the following members to the Review Committee:

  • Lusine Agabekyan, Deputy Head of Group Financial Control and Management Reporting at PhosAgro;
  • Ekaterina Viktorova, Deputy Head of Treasury at PhosAgro;
  • Olga Lizunova, head of unit (functional in other areas), budgeting office, Economics Department at Apatit.

The Review Committee’s goals, objectives and powers are outlined in the Regulations on Review Committee of PhosAgro as approved by the General Meeting of Shareholders on 12 May 2011.

The Committee endorsed PhosAgro’s financial statements for 2023, with its report dated 5 April 2024 included in the materials for the shareholders to prepare for the Annual General Meeting of Shareholders.

The executive bodies establish and maintain an efficient risk management and internal control framework.

To this effect, they have set up a Risk Commission that monitors the status and effectiveness of risk management initiatives. The monitoring results serve as a basis for the relevant proposals issued by the Commission to executive bodies and the Board of Directors.

Following the audits, the Internal Audit Department provides the Board of Directors and executive bodies with recommendations and reports, including, among other things, the assessment of the current status, reliability and effectiveness of the corporate governance, risk management and internal control framework.

The Risk Management and Internal Control Department is charged with the general supervision of risk management, including related activities, and consolidated reporting to the executive bodies and the Board of Directors.

As part of their duties, heads of other organisational units are responsible for building, documenting, implementing, monitoring and developing the risk management and internal control framework in their respective functional areas. The framework requires the Company’s employees to identify and assess relevant risks and efficiently implement the controls and risk management initiatives.

Risk management

In 2023, PhosAgro’s risk management and internal control framework performed strongly thanks to timely identification and assessment of risks, as well as development and implementation of risk management measures. On a quarterly basis, the Board of Directors reviewed reports on the management of the Company’s key risks. PhosAgro’s executives paid special attention to managing these key risks. The Risk Commission continuously monitored the status of risk management activities and, when necessary, initiated changes to improve those related to key risks.

The development of the risk management and internal control framework in 2023

The Company is making a consistent effort to develop its risk management and internal control framework. The Board of Directors reviewed the results of the framework’s assessment, which showed that it was on par with those adopted by the industry’s leading companies, including:

  • compliance with applicable regulatory requirements;
  • adoption of most of the leading risk management practices such as alignment with the Company’s development strategy, risk appetite, key risk indicators, automation and robotisation in risk management, as well as integration into the Company’s incentive system and governance framework.

The reporting year saw both the production sites and PhosAgro Group as a whole complete a full‑year cycle of risk management and internal control, including:

  • ongoing risk monitoring;
  • analysis of key risk indicators;
  • development of corrective actions;
  • follow‑up control and review.

In 2023, the Company sustained its focus on addressing risks across certain business areas, including the continuity of procurement, logistics, and software and IT infrastructure operation, in response to geopolitical developments. We also continued work to develop risk management competencies among managers at different levels, alongside further implementation of a risk‑oriented approach within key functions such as information security and occupational health and safety.

Plans for 2024

PhosAgro Group looks to maintain and further develop the existing elements of its risk management framework based on the best practices, while also taking into account the changing external and internal factors.

Internal audit

PhosAgro’s Internal Audit Department assists the Company’s top executives and the Board of Directors in improving the management of business processes and enhancing the internal control and risk management framework. In doing this, it uses a risk‑oriented approach and works closely with the Risk Management, Internal Control and Economic Security Departments, and the Company management.

Internal audit goals, objectives and powers are outlined in the Internal Audit Policy as approved by the Board of Directors on 18 May 2021. The Company’s internal audit procedure is set out in the Internal Audit Guidelines.

Audits

Audit of business processes

The audit plan along with the budget of the Internal Audit Department for the calendar year is subject to review, discussion and approval by the Audit Committee and the Board of Directors. Audits are performed at the Company level, as well as at specific subsidiaries and their standalone business units. In addition, the Internal Audit Department monitors the effectiveness and efficiency of corrective actions taken by the management following the audit, and reports to the Audit Committee on a quarterly basis and to the Board of Directors annually.

In 2023, the Internal Audit Department fully met the annual action plan. It carried out audits that covered PhosAgro Group’s business processes related to personnel management, cash management, and capital investments as well as an IT audit of sales units and an audit of ESG targets. Based on the audit findings, recommendations were developed to improve the efficiency of personnel management processes and approaches, and enhance measures related to information security. The management developed and approved corrective action plans, with the progress monitored by the Internal Audit Department.

Plans for 2024 encompass audits of various business processes, including logistics management, repairs, industrial safety, and occupational health and safety, as well as IT audits and audits of insider information handling.

Team development

In order to achieve the strategic goals in internal audit, we continue working to develop and diversify the competencies of our team by holding regular training sessions, which focus on sourcing data from information systems and further processing and visualising it. Training initiatives addressing this focus area are scheduled for 2024.

Self‑assessment and external assessment

Internal audit quality is assured through regular external independent assessments and self‑assessment.

An external independent assessment takes place once every three years. The previous one was conducted in late 2021 by PwC.

At the end of 2023, the Internal Audit Department held a self‑assessment of its compliance with the International Standards for the Professional Practice of Internal Auditing and the Institute of Internal Auditors’ Code of Ethics. The self‑assessment showed the Department’s full compliance with all applicable standards and requirements.

External audit

A key element of the Audit Committee’s operations is ongoing interaction with external auditors and development of recommendations for the Board of Directors regarding the choice and approval of auditors. When selecting an auditor, we evaluate the following factors in addition to the cost of their services:

  • composition of the audit team (in terms of experience and qualifications), which should ensure that the statements are audited within acceptable deadlines and with adequate quality;
  • the auditor’s independence evaluated based on a variety of factors, including assessment of the scope of non‑audit services provided to us by the candidate company during the relevant periods. Each offer from the current auditor for non‑audit services requires confirmation by the audit partner to make sure there is no risk to independence and is submitted to PhosAgro’s Audit Committee for consideration and approval. The Committee consents to the contract only if the scope of the non‑audit services does not call into question the ability to perform the audit service independently and impartially. The Committee’s assessment of the auditor’s independence is also significantly influenced by the auditor’s internal procedures for controlling the impartiality and professional ethics of the auditor’s staff, including requirements for periodic rotation of the audit partner, training arranged in this area and the use of specialised software to perform the respective audits;
  • balance between the benefits of long‑term cooperation with the auditor and the need for a fresh look at PhosAgro’s statements and preparation procedures;
  • the auditor’s performance over the previous period. The Committee may form its opinion on the quality of the external auditor’s work during in‑person Committee meetings, which a manager and the partner from the external auditor are required to attend, as well as during meetings between the audit team and the Chairman of the Audit Committee held prior to the Committee meetings.

PhosAgro’s auditor performs the audit of its financial and business operations in compliance with Russian laws and regulations and the agreement signed with the Company. The auditor is approved by the Company’s General Meeting of Shareholders. The Company engaged JSC Technologies of Trust – Audit (Ferro‑Plaza Business Centre, 14/3 Krzhizhanovsky street, bldg. 5/1, Moscow, Russia) to audit its 2023 IFRS financial statements.

The Company’s 2023 RAS accounting statements were audited by JSC Unicon (8 Preobrazhenskaya Ploshchad, Preo 8 Business Centre, Moscow, Russia).

The approach to assessing external audit’s independence and efficiency, as well as appointment and re‑appointment of the external auditor is set out in the External Auditor Selection and Cooperation Policy of PhosAgro as approved by the Board of Directors on 30 August 2023.

Insider information

PhosAgro has adopted the Insider Information Regulations, which comply with Russian laws and the EU Market Abuse Regulation (MAR).

In accordance with their provisions, the Corporate Secretary Office keeps a list of insiders, persons discharging managerial responsibilities (PDMR) and persons closely associated with them (PCA). The Regulations define the scope of responsibilities for each insider group, which the Corporate Secretary Office from time to time communicates to the respective persons.

First and foremost, these include the limitations on the use of insider information and trading in the Company’s securities. Depending on the group, an insider may be prohibited from such transactions or obliged to notify the Company or obtain its consent for such transactions. Every quarter, the Corporate Secretary Office checks the list of shareholders to identify transactions that may have been executed in breach of such limitations.

For 2024, the Internal Audit Department has scheduled an audit to evaluate the Company’s insider information practices.

Information security

GRI 3‑3

The Information Security Policy is the Company’s fundamental document defining the general provisions and principles for ensuring information security. Its adoption ensues from the risks and hazards faced by the Group companies in their operations and the respective need to respond to the hazards and minimise the risks.

The Policy assigns high priority to information security activities and sets out its key principles. These cover target setting and planning of information security activities, as well as their implementation, quality management and process improvement. These principles define the contents of lower‑level documents such as the Information Security Framework and other internal documents covering the respective issues. This set of documents reflects modern solutions and best practices in information security.

Ensuring information security is the responsibility of each employee. To this end, the Group regularly holds events to raise employees’ awareness of information security issues and develop practical skills to deal with modern threats. This, together with the use of modern information security tools and well‑coordinated work of the department, helped avoid information security incidents in 2023 and in previous periods that could have caused tangible material or reputational damage. Information security issues are submitted for consideration by the Board of Directors every six months.

In 2023, the Company implemented the following initiatives to enhance information security:

  • increasing awareness of information security: over 12,000 employees completed courses and testing on a corporate training platform to enhance their knowledge of information security;
  • improving processes to comply with legal requirements: a total of 21 internal regulations were issued, with measures taken to ensure their implementation;
  • enhancing protection of an automated process control system: information security safeguards were implemented on all significant components of critical information infrastructure, with dedicated training sessions conducted for personnel responsible for operating and supporting the automated process control system;
  • improving processes for managing access to information resources, transitioning to automated control of access rights;
  • automating processes for managing security events and incidents, implementing a security information and event management (SIEM) system and establishing an operations centre;
  • assessing the security of the Group’s information resources, developing plans to enhance security safeguards;
  • identifying and blocking fraudulent IT resources linked to the generation of fake commercial offers on behalf of the Group.

GRI 410‑1

All employees of the Economic Security Department receive training in terrorism prevention and the main goals and principles of the PhosAgro Group Code of Ethics.

Security personnel who completed human rights training, %