Risk Management and Internal Control

General information

In 2021, MegaFon continued to develop its risk management and internal control system (RMICS), which is an integral part of the Company’s governance framework. To ensure stable and continuous business operations, we are constantly working to identify, assess and minimise risks, as well as to mitigate their negative consequences should they materialise.

MegaFon acknowledges that risk management can only be effective when every employee is involved in the process. Therefore, we continuously foster a robust risk culture among all employees and provide regular training.

MegaFon’s approach to the RMICS complies with Russian legal requirements and is based on international and Russian best practices, as confirmed by an independent diagnostic conducted in 2021. In particular, full compliance of our system with core standards, ISO 31000 and COSO, was confirmed for most of its components. This positive evaluation would not have been possible without strong employee ownership of risk management and the RMICS integration into the decision making process.

Principles underlying MegaFon’s RMICS:

  • Integration into the Company’s corporate governance framework — activities of the Board of Directors, Management Board, and business units
  • A risk-based approach to management decision making and to setting up processes, including strategic planning and project management
  • Contribution to achieving the Company’s goals, and continuous improvement of its business processes
  • Continuity, agility and adaptability of the risk identification and management process, as opposed to a reactive, request-based model with actions triggered only by requests from management or external users
  • Use of accurate, complete, and reliable information from available sources, subject to uncertainty
  • Transparency, engagement of all participants in the risk management and internal control process, with their views taken into account
  • Continuous development and improvement of the RMICS

To manage the risks associated with preparing reliable financial statements and tax reports, the Company has in place an internal control system (ICS), which is a set of policies, guidelines, control procedures and organisational measures to ensure the preparation of such statements and reports, as well as compliance with applicable legal requirements.

The ICS effectiveness is maintained through the following actions:

  • Updating and ensuring compliance with ICS codes and standards
  • Timely development of control procedures to cover relevant risks
  • Regular performance monitoring of control procedures
  • Regular surveys of key process owners on the effectiveness of internal controls
  • Analyses of business processes and related risks to verify the performance of applied internal controls
  • Annual selective testing of key control procedures
Internal control system

Risk management and internal control framework

Risk management and internal controls are embedded across all operations and at all management levels throughout the organisation.

[Figure: RMICS participants: Board of Directors; Audit Committee; CEO and Management Board; risk management function; business units, project teams, and subsidiaries; coordinators at the level of business units, project teams, and subsidiaries]

The Board of Directors through the Audit Committee determines the RMICS principles and approaches and evaluates the system’s effectiveness.

The CEO and the Management Board ensure the setting up and maintenance of a robust RMICS, allocation of the roles, responsibilities and accountability for specific risk management and internal control procedures among the business-unit heads, approval of reporting format requirements, review of, and agreement on, principal risks, and promotion of a risk management and internal control culture.

The risk management function drives the development of risk management across the Company, implementing the RMICS Policy, ensuring risk updates, overseeing the implementation of risk management measures, coordinating the efforts of business units, project teams, and subsidiaries to identify and assess risks, and develop appropriate risk management measures, providing methodological support, preparing relevant materials and submitting them to the Management Board and the Board of Directors, and fostering a risk culture within the Company. The Company has in place an internal control function responsible for managing the risks that affect the reliability of financial statements and tax reports.

Business-unit heads, project teams, and subsidiaries ensure the RMICS operation within their areas of responsibility, including risk identification and assessment, and also drive the development and implementation of risk management measures, including operation of control procedures. They designate coordinators in charge of day-to-day process management and involve the risk management function as necessary.

MegaFon is focused on building a robust risk culture, the key aspects of which include:

Tone at the Top

MegaFon’s managers act as role models in the discussion, identification, and assessment of risks, and are actively involved in risk management.

A positive risk culture

Timely communication about risks is encouraged. Risks can be accepted if they are not critical and risk taking can contribute to business growth. Risks are viewed not only as potentially negative events but also as opportunities to improve processes within the Company.

Engagement

Employees have access to risk management training and relevant guidelines, as well as communication and support channels.

MegaFon uses the RiskCom automated solution to maintain its risk inventory and conduct risk analysis, ensuring streamlined management of risks controlled at the Board of Directors, CEO, and Management Board levels.
For their convenience, business units, project teams, and subsidiaries can store information about their risks in their own information systems. If risks escalate, they are replicated in RiskCom. SAP GRC PC is used to manage risks that affect the preparation of reliable financial statements and tax reports.

The Risk Management and Internal Control System Policy is the key document governing MegaFon’s risk management activities. The Policy, developed in line with applicable Russian laws and international standards, establishes general approaches to risk management and internal control.

The Company has also adopted a Risk Management Methodology outlining the applied aspects of the process, and various regulations of business units and subsidiaries detailing the approaches to managing specific risks.

Key RMICS activities

In 2021, MegaFon continued to embed risk-based management into its practices, adopting a new Risk Management Methodology to support this effort. Risk identification and management efforts are closely aligned with the Company’s goals. The Management Board reviews the status of key risks and compliance on a quarterly basis.

To further improve risk communication, the Company holds annual meetings of risk coordinators to facilitate the sharing of risk management approaches and best practice.

In the second half of 2021, we engaged an external consultancy to conduct a diagnostic of the risk management and internal control system to verify compliance with best practice and the ISO 31000 and COSO standards.
The diagnostic exercise confirmed the system’s maturity.

Furthermore, in the reporting period, the business continuity management process was included in the scope of risk management. The adopted Policy set out the requirement for users to be alert to the need to ensure the smooth operation of the Company’s business processes, so that MegaFon can continue offering the best services in the market.

Risk management and internal control training for employees remains a top priority for MegaFon. Managers take a mandatory online risk management course based on ISO 31000, which reflects the Company’s specific business profile. This course is also available to all MegaFon employees.

In 2021, MegaFon continued to enhance the performance of its ICS, including through the following activities:

  • Development of new features for process owners to coordinate and approve control procedures in SAP GRC PC
  • Review of employee access rights to financial reporting information to ensure access is only provided on an as-needed basis and there is no conflict of powers
  • Updates of ICS training and information materials
  • Further development of the ICS to facilitate tax-related monitoring, including the build-out of a risk assessment process (transition to quantitative assessment of consequences of risks materialising) and automation of reporting forms for tax-related monitoring
  • Analyses of business processes, including those related to changing the functionalities of IT systems, to update risks and relevant control procedures

Principal risks and mitigation

[Figure: risk map plotting principal risks 1–20 by damage (Low, Medium, High) and risk manageability (High, Medium, Low); each risk is marked with its category letter (S, O, T, R, F)]

MegaFon’s analysis considers various types of risks while setting out the measures that the Company takes to mitigate them. This analysis covers strategic, geopolitical, technological, regulatory, operational (including compliance) and financial risks.

Legend: S: Strategic/external risks; O: Operational risks; T: Technological risks; R: Regulatory risks; F: Financial risks
Risks Risk description Risk management Change
Strategic/external risks
1

Geopolitical

On 28 February 2022 and on 3 March 2022, the United States and the UK imposed sanctions on Mr Alisher Usmanov, an indirect shareholder in MegaFon.

The US Office of Foreign Assets Control (OFAC) also issued General License No. 15 which authorised all otherwise prohibited transactions with any entities owned 50% or more by Mr Alisher Usmanov.

MegaFon is not considered a blocked entity under OFAC’s 50 Percent Rule, because Mr Alisher Usmanov’s indirect ownership in the Company is less than 50%. Neither is MegaFon designated as a blocked entity in the EU and the UK.

Mr Alisher Usmanov has an indirect 39.2% ownership interest in the Company and is not the Company’s ultimate controlling person. Mr Usmanov has no direct or indirect influence on MegaFon’s activities, nor is he a member of any governing body of the Company.

Nevertheless, as a company registered in the Russian Federation, MegaFon is facing challenges and reputational losses specific to Russia in general as a result of the current geopolitical situation, including those related to the current sanctions regime imposed by the United States, the EU and other countries against a substantial shareholder of the Company.

Due to the sanctions in early 2022, many international companies decided to discontinue their partnerships with Russian entities, including with MegaFon. This has disrupted a significant number of business chains, related to:

  • infrastructure development
  • software management
  • logistics and equipment supplies for in-store sales
  • international roaming services
  • activities in international financial and other markets.

As we had kept this risk on our radar for quite some time, MegaFon had already built a fairly large pool of alternative partners in various business areas by the time the risk event occurred. However, as more companies have been withdrawing from partnerships and new restrictions are introduced en masse, we have had difficulties implementing the previously identified partner options and searching for new options to replace them.

This situation may worsen if current conditions persist — as they continue or escalate further, the list of self-sanctioning companies and firms may expand.

The inability to do business with key suppliers, business partners or other key counterparties may have a material adverse effect on our business, financial position, operating results, cash flow, or prospects.

2

Macroeconomic

The health of the Russian and global economies has an impact on MegaFon’s business.

2021 saw signs of an economic recovery and increasing demand (including in the telecommunications market), which, however, were accompanied by rising inflation, rate hikes by the Bank of Russia and fluctuations in FX rates. All three factors worsened even more in early 2022, with inflation accelerating substantially amid lower commodity imports to Russia and a rush of demand from consumers. The Bank of Russia raised its key rate. The rouble exchange rate became more volatile, with a rush of demand followed by a rapid correction. According to the Bank of Russia consensus forecast, the country’s GDP is expected to fall by up to 8% in 2022.

Taken together, these macroeconomic trends will have a negative impact on the Company’s revenue and its investment programme in 2022.

The telecommunications market is quite resilient, as customers are unwilling to reduce their minutes and mobile data usage, and therefore their spending on these services is less exposed to the risk of an economic downturn than spending on goods and services in other markets.

Retaining and growing its subscriber base is MegaFon’s key tool for managing this risk. The Company closely monitors changes in its subscriber base and does its best to meet customer expectations.

3

Technological and digital transformation

New business models, new entrants

The telecommunications and digital industries are rapidly changing as new players are entering non-core markets, such as banks establishing mobile and fixed virtual network operators. Some incumbents are betting on ecosystems, which in the short term may lead to certain subscriber migration. At the same time, customers are becoming more demanding and expecting superior digital customer service and a seamless experience for all service channels. Failure to provide such high-level service and experience can reduce customer loyalty and lead to increased churn and possible loss of market share.

MegaFon continues to implement its strategy aimed at the digital transformation of its business.

MegaFon also cooperates with service providers to offer better services to its subscribers.

4

Competition risk

The mobile market tends to slow down, which leads to increased competition as operators strive to retain existing and attract new customers. High penetration rates have already boosted this competition. This competitive landscape is one of the most influential factors continuing to impact the mobile market.

MegaFon’s key direct competitors include MTS, VEON, and Tele2. New business models emerging in the market may lead to changes in the structure and dynamics of the current market, the impact of which may not currently be foreseeable.

To mitigate this factor, the Company prioritises maintaining the loyalty of existing customers by constantly improving the quality of services and providing them with the best unique products and services through timely network expansion, infrastructure development, and provision of convenient digital services and tariff lines. With its unrivalled spectrum advantage in the Russian 4G/LTE market, MegaFon enjoys a faster time to market in 4G products while delivering high-speed mobile data.

The Company plans to keep up with the pace of technological advances and new industry standards by maintaining its focus on integration of emerging technologies and development of new and more effective, innovative products and services.

5

Risks associated with MegaFon’s participation in other companies

The Company’s business management involves acquisition or sale of companies, as well as participation in strategic alliances and partnerships. In case of such activities, there is a slight probability that MegaFon’s focus may be diverted away from other business concerns. In addition, any potential acquisition could negatively impact MegaFon’s financial position or credit ratings, or have other consequences subject to the acquisition or sale deal structure, possible deferred payments, FX exposure in the transaction price, and the successful delivery of targeted synergies and integration processes.

MegaFon’s aim is to achieve maximum synergy from participation in other companies, including in costs and revenue, and ensure further successful growth for the acquired assets. Any asset acquisition is always preceded by extensive due diligence on the financial and operational performance of the target business, an evaluation of the transaction’s viability, and legal due diligence. The Company’s management has the necessary expertise for effective decision making on acquisition opportunities. When entering into transactions, MegaFon also endeavours to include special clauses in the relevant agreements which are contingent on the target’s ability to meet set objectives and KPIs, and on MegaFon’s exposure to tax, legal, and commercial risks. Asset sale transactions are subject to comprehensive assessment of the deal’s viability.

new
Operational risks
6

Risks related to the deterioration of the sanitary and epidemiological situation

With the spread of the coronavirus, the Company has significantly changed its existing business practices. Job-related office-based activities, business travel and business trips for employees, and in-person meetings and events were curtailed. Strict workplace hygiene and Company site access protocols were established.

These changes have required the Company to accelerate its adaptation to ensure its business runs smoothly.

Stricter anti-pandemic measures can lead to local lockdowns, hindering the operation of offices and retail stores and thus negatively affecting the Company’s revenues.

Together with the relevant authorities, the Company successfully implements measures to prevent the spread of COVID-19.

Measures are taken across all Company facilities to ensure compliance with COVID-19 protocols, including regular employee communications about the COVID-19 situation and rules, disinfection protocols for rooms and ventilation and air conditioning systems, thermal imaging cameras and sanitiser products, temperature measurement, social distancing, mask enforcement, etc.

The Company puts the health and safety of its people first, so it is flexible in its approach to work formats in the new normal. Employees have been shifted to work from home seamlessly without compromising their performance.

The Company also set up remote sales channels to mitigate the impacts of local lockdowns.

7

Pricing risk

The Company uses market-based pricing approaches to price its services. However, a limited number of telecom market participants believe that any tariff policy moves by operators are closely scrutinised by the anti-trust regulator.

This risk is amplified by the rising inflation in 2021.

The Company is committed to flexible tariff setting, which drives smart, affordable tariff offers geared to the needs of different groups of its customers.

8

Infrastructure risk

The Company has a vast network footprint, which involves managing a huge fleet of base stations, fibre networks, data centres, and other assets. The continuous growth in its subscriber base, network coverage, and data speeds, coupled with increases in the wear and tear of the operated infrastructure, expose the Company to the threat of overstretching its available network resources.

The Company’s commitment to sustainability implies a stronger focus on the environmental and energy-saving aspects of network management, among other things.

MegaFon leverages existing processes to focus on priority tasks through targeted financing as well as network infrastructure expansion and maintenance to improve network reliability, reduce power consumption, and ensure high quality services for its subscribers.

9

Licence renewal risks

The Company’s failure to obtain or renew its existing telecom licences required to maintain operations will have a negative impact. However, historical experience shows that the exposure of major telecom operators to this risk is insignificant.

MegaFon holds GSM, 3G and 4G/LTE licences with varying expiry dates.
The Company pays close attention to tracking licence expiry dates and keeping licence data up to date, taking all necessary steps to ensure timely renewal of licences with the Federal Service for Supervision of Communications, Information Technology, and Mass Media of the Russian Federation (Roskomnadzor).

Technological risks
10

Business continuity and technology resilience risks

Although MegaFon ensures that its technological infrastructure has a high level of reliability and resilience, an accident may affect the speed and quality of provided services. In addition, the quality of services may be negatively affected by the inaccessibility of buildings and facilities due to man-made or natural causes and workforce shortage due to the pandemic.

MegaFon takes all necessary measures to ensure the high quality of its services, continuously monitoring the integrity of its infrastructure and tracking industry-specific risks and accidents that may affect the provided services.

The Company has put in place a range of infrastructure and business continuity measures, such as ensuring redundancy in the most critical elements of its infrastructure in case of accidents or emergencies, as well as continuity and post-accident recovery plans.

11

Telecommunications fraud risks

MegaFon may incur losses resulting from wilful misconduct by unscrupulous counterparties or subscribers. Such fraudulent actions are aimed at obtaining services and products for free or at a lower cost, which means financial losses for the Company.

The Company is also exposed to the risk of reputational losses from fraudulent actions against MegaFon subscribers through digital services, social engineering, unfair competition, and theft of money from subscribers’ accounts.

MegaFon has a dedicated unit responsible for preventing fraud and associated financial or reputational losses while safeguarding customers against fraud. MegaFon uses a number of dedicated automated antifraud solutions to support fraud prevention. Monitoring for the more critical fraud threats is carried out 24/7.

12

Cyber risks

There is a risk of intrusion into the Company’s internal networks, including IT systems, which may result in malicious applications being introduced onto the equipment of MegaFon employees, unauthorised access to customers’ personal data or confidential information, with such data being compromised, or the spread of malware (viruses). There is also a risk of intrusion into the Company’s internal networks through the infrastructure of its subsidiaries.

These risks have significantly increased in early 2022 amid the heightened tensions between Russia and a number of Western countries.

The Company may also be exposed to the vulnerability risk and the risk of a failure to maintain appropriate security levels due to the human factor or inadequate financing of strategic initiatives for preventing cyber threats amid the rapid adoption of new digital solutions and development approaches.

The Company takes all necessary measures to ensure the appropriate levels of security for its IT systems, software, technologies and equipment, including continuous monitoring for potential threats, the use of Security Intelligence platforms across its IT and telecommunications infrastructures, as well as the use of the latest software ensuring high levels of security both within the Company and across its subsidiaries.
MegaFon has adopted a dedicated information security strategy and an information security policy, and is developing cyber threat monitoring. The Company continues to seek new solutions in cyber defence.

Regulatory risks
13

Risks associated with MegaFon’s status as a systemically important company

MegaFon is a systemically important company for the Russian economy and is thus eligible for certain preferential policies in case of crisis. However, to retain this status, the Company should carefully consider wishes and initiatives related to national interests, build a dialogue with the general public, and be aware of the importance of social support for communities, security matters, and strategic development of the industry.

The Company strives to be represented at all key platforms where social, security, and the industry’s strategic development initiatives are discussed. All new initiatives are subject to an internal expert review.

At the same time, MegaFon is proactive about considering the interests of all stakeholders in its development plans as this is a cornerstone of the Company’s business.

new
14

Customer identification

In 2021, the Government introduced significantly tougher requirements for the identification of subscribers and users of communications services when signing service contracts and providing communications services. Russian laws set out a number of requirements for verifying data provided by subscribers who are legal entities and for collecting data about the usage of SIM cards for smart devices. Failure to confirm actual subscriber data or failure to provide up-to-date data requires operators to terminate services for such subscribers.

The Company strives to strictly comply with laws on user identification. This is achieved through a range of various customer notification tools and a flexible tailored approach to customer data verification based on what options are available to each individual customer.

15

Risks related to 5G

The Government and industry participants are developing various 5G development scenarios. Current proposals on 5G development envisage the use of frequencies outside the optimal 3.4–3.8 GHz spectrum and are uncertain about the equipment to power the technology.

A commercial 5G launch will require a wide range of regulations to be introduced to take into account the interests of operators, the regulator, and the current spectrum owners.

There is also a risk of the mass nonacceptance of 5G caused by health concerns fuelled by conspiracy theories.

MegaFon is closely monitoring all initiatives related to the development of communications technologies, above all 5G, and actively participates in discussions relating to such initiatives. MegaFon also participates in a joint venture focused on promoting 5G development in Russia. When testing the performance of this technology, MegaFon is monitoring the impact of 5G on human health.

16

Risks of noncompliance with personal data laws

Personal data protection is increasingly gaining importance in the industry. Amid closer public scrutiny, the Company has to take utmost care to protect the data entrusted to it by subscribers and employees.

MegaFon builds business processes with a maximum focus on personal data protection and conducts regular audits of systems and processes. Risks associated with potential personal data breaches are monitored and controlled.

new
Financial risks
17

Interest rate risk

Rising interest rates in the market could increase MegaFon’s cost of raising funds to finance its operations and CAPEX programmes. In addition, where MegaFon’s existing debt carries a floating rate, the Company is exposed to the risk of higher costs of servicing such debt.

In 2022 (after the reporting date), the Bank of Russia increased its key rate. International agencies withdrew both their Russian sovereign ratings and ratings on Russian companies.

A major portion of the Company’s debt portfolio is long-term and carries attractive interest rates. Approximately 82% of the Company’s debt portfolio has fixed rates, and a major part of the remaining portfolio is hedged against a possible increase in interest rates. Furthermore, MegaFon has headroom to manage its liabilities.

At the end of the reporting year, MegaFon maintained stable long-term credit ratings from leading agencies — Moody’s, S&P Global, and ACRA. Coupled with a consistently strong financial performance, this allows MegaFon to raise funds at the most attractive terms available in the market.

18

FX risk

MegaFon’s exposure to FX risks is mostly linked to its financial and investment activities.

A significant portion of MegaFon’s capital expenditure, expenses, and liabilities are denominated in foreign currencies, mostly in US dollars or euros. The rouble’s depreciation against the US dollar and/or euro may make it difficult for MegaFon to repay or refinance its foreign currency denominated debt and maintain an adequate level of capital investment. Therefore, a weaker rouble may increase MegaFon’s investment and financial costs in roubles, leading to lower net profit.

Early 2022 (after the reporting date) saw the rouble’s sharp depreciation. The regulator imposed restrictions on transactions in foreign currencies, which, along with other factors (including the market ones), subsequently led to a trend reversal — the rouble’s rapid appreciation.

The Company mitigates FX risks by using various liquidity management methods, including not only making provisions but also using cross-currency swaps and other derivatives to hedge the FX-denominated portion of its loan portfolio. The Company also seeks to increase the share of rouble-denominated operating expenses and capital expenditures to cover such expenses using rouble revenues.

To address currency restrictions, MegaFon closely monitors payment schedules and takes steps to demonstrate its solvency.

19

Credit risk

There is a risk that the Company may incur financial losses in case a customer or counterparty fails to perform its contractual obligations, mostly in relation to loans provided by the Company and its receivables.

Measures to mitigate credit risk with respect to other counterparties include operational control over receivables, the use of prepayments, bank guarantees and other collateral, and building relations with counterparties whose solvency is continuously monitored based on their scoring, credit history, and credit ratings.
The Company also diversifies its deposited funds, sets limits for banks, and uses post-payment arrangements for procured goods and services while running an annual monitoring procedure to look into its possible loan impairment.

20

Liquidity risk

MegaFon’s exposure to this risk is determined by the Company’s ability to meet its payment obligations in a timely manner. Liquidity risk is affected by the rate of conversion of the Company’s assets (deposited funds) into cash on current accounts, as well as the availability of financing in the capital markets and the level of interest rates.

MegaFon has access to adequate funding through its existing credit facilities, thereby reducing liquidity risk in the short and medium term. Deposits are bank-diversified and concentrated within maturity buckets, taking into account the large payment schedule, best market offers, and the Company’s policies. The Company is closely monitoring the current sanctions on Russian financial institutions to ensure stable access to finance.

Type of risk: Low, Medium, High. Risk dynamic: Decreased, No changes, Increased, New risk (NEW).