Risk Management
In addressing issues related to value creation for shareholders, the Group has to make management decisions that take into account divergent factors that could have either a positive or negative impact on the achievement of its goals. One way of reducing the uncertainty caused by such factors is to increase awareness on the part of the Group’s shareholders, executives and employees of those factors that can affect the achievement of goals and to assess the potential damage they can cause.
The objectives of the risk management process are to identify, in a timely manner, all material risks; to assess the likelihood of the occurrence of such risks, as well as the materiality and consequences should they occur; and to create systems and take measures that minimise the negative and maximise the positive impact of the occurrence of such risks.
Risk Management System
Within the M.Video–Eldorado Group, risk management is centralised at the level of the holding company, PJSC M.video, and is governed by the Company’s Risk Management Policy. The objectives of this policy are to introduce and maintain an effective risk management system (RMS) that is commensurate to the scale and complexity of the Company’s business and that facilitates the achievement of key corporate objectives.
As part of the strategic management of the Company, the RMS involves a comprehensive set of measures and interrelated processes aimed at:
- development of risk management as a constant cyclical process of corporate management;
- integration of risk management principles and instruments into the Company’s routine ongoing processes;
- development of risk management as a key management competency; and
- development of risk management as an integral part of the Company’s corporate culture and all its business processes.
| Stages of risk management | Board of Directors | Senior management | Internal Control and Risk Management Department | Internal audit |
| Internal environment (philosophy and risk management policy) | Corporate governance and ethical values. | Leadership role in the Company, creating a positive internal environment. Establishment of the tone at the top. | Organisation and coordination of the structure of the RMS. Methodology for risk assessment and for determining risk appetite and the acceptable risk level in individual functional areas. | Promoting the ideas behind the RMS. Consulting support. Assessment of the methods for determining risk appetite and the acceptable risk level. |
| Goal setting | Setting strategic goals and developing a plan to achieve them. | Establishing objectives in the framework of achieving strategic goals. Breakdown of strategic goals into operational goals. | Analysis of operational goals for compliance with the strategy. Analysis of the compliance of key performance indicators (KPIs) with operational goals. | Audit of strategic goals, analysis of operational goals for compliance with the strategy (within the framework of the plan). |
| Identification of potential events and risks | Approval of the risk register. | Identification of risks at the level of setting strategic goals and their breakdown into operational goals. Identification of risks in key processes. | Risk identification methodology. Analysis of impact factors, key processes, key risk indicators and thresholds. Maintaining the risk register. | Assessment of the risk identification methodology at the stage of annual planning and during individual audits. |
| Risk assessment | Approval of assessment results. Approval of the risk map and risk appetite. | Risk assessment. Determination of the Company’s risk appetite. | Risk assessment methodology. Determination and analysis of the assessment methodology. Maintaining the risk register and risk matrix. | Risk assessment at the stage of annual planning and during individual audits. |
| Risk response | Approval of risk responses (avoidance, transfer, reduction, acceptance). | Identification of risk responses. | Analysis of a response in terms of compliance with the relevant risk assessment and acceptable risk levels. Cost-benefit analysis. | Assessment of the risk response methodology and its application during audits. |
| Internal control system (ICS) and control procedures | Approval of a risk management action plan. | Documenting the implementation of control procedures. Keeping the ICS up to date. Determination of a risk management action plan. | Formulation of activities or consultation on the formulation thereof. Analysis of the adequacy of the selected activities and monitoring their implementation. Development of an assessment methodology/approach and assessment of the ICS. | Analysis of the adequacy of selected activities and their implementation during audits. Recommendations for improvement of the ICS. |
| Information and communication | Obtaining information about the most significant risks and measures taken by management in relation to such risks. | Cooperation procedures in the framework of the RMS. Establishing and maintaining communication channels. | Cooperation within the framework of the RMS at all levels of the hierarchy and between all Company divisions. | Preparation of independent reporting on the performance of the RMS. |
| Monitoring | Knowledge of the extent to which senior management has implemented effective risk management within the Company. | Establishment of ongoing monitoring in the course of ordinary management activities (for example, KPI analysis, plan/actual, etc.). | Monitoring and verification. Preparation of reports on the performance of risk management. Implementation of measures to improve risk management. Monitoring the implementation of measures. Preparation of reports on the internal control and risk management system. | Assessment of the RMS process. Monitoring the implementation of measures. |
Risk management process
The Company’s risk management process is cyclical and continuous; it covers all of the Company’s business processes and projects.
For the purposes of building an effective RMS, the Company divides all risks into the following categories:
- Strategic risks — risks that affect the Company’s strategic long-term goals and its activities, namely issues related to the performance of corporate governance, political risks, natural risks, risks related to legislative changes or changes in the consumer market, etc.
- Operational risks — events in the Company’s business processes that are unregulated, that are caused by internal and external factors and that result in operational losses. This group also includes risks related to the preparation of financial statements.
- Financial risks: – risks that could potentially have a negative impact in terms of managing the Company’s finances. Financial risks include credit, interest-rate, currency and liquidity risks, etc.
In assessing its risks, the Company performs both qualitative and quantitative assessments. Within the assessment system, each risk is given a score and is categorised as a low, medium or high risk. Depending on the risk category, elimination and/or mitigation measures should be taken. For low risks, action must be taken within 12 months after an assessment; for medium risks, within six to nine months after an assessment; and for high risks, within six months of a risk assessment.
Key Risks
| Risk | Description | Change in risk assessment in 2018 |
| Strategic risks | ||
| Negative macroeconomic situation | Risk of new economic sanctions, increase in interest rates, decrease in consumption | ↑ |
| Loss of supplier and pressure on commercial margin | Risk of the closure of major suppliers in Russia | → |
| Change in the competitive environment and loss of market share | Risk of the strengthening of major competitors, the entry of new online players, alliances, parallel import legalisation, cross-border trade | ↑ |
| Loss of reputation | Risk of negative campaigns in traditional/social media, loss of customer loyalty, decrease in investor interest and confidence in the Company | → |
| Force majeure | Risk of fire at a store or warehouse, loss or theft of goods being transported | ↑ |
| Violation of antimonopoly, advertising and other legislation | Risk of violation of antimonopoly legislation in commercial purchases/retail pricing | → |
| E-commerce project risk | Risk of increased competition in online sales on the part of both domestic and international players | ↗ |
| Integration risk | Potential risk related to the compatibility of IT systems and a lack of resources for ongoing integration projects | ↓ |
| Operational risks | ||
| Supply chain failure | Risk of the loss of a key logistics provider and/or transport company | ↗ |
| Failure of IT systems | Risk of the inaccessibility of critical IT services used in daily operations | ↗ |
| Loss of inventory | Risk of inaccuracy of inventory records, fraud | → |
| Risk of increased staff turnover | Risk of the loss of the most competent staff, including those with unique knowledge about the Company | ↑ |
| Operational health and safety (OHS) risk | Risk of non-compliance with OHS standards, risk of store closure | ↗ |
| Risk of data leakage | Risk of leakage of clients’ personal data, theft of loyalty points and/or confidential data | ↑ |
| Financial risks | ||
| Liquidity risk | Potential risk related to liquidity and refinancing | ↑ |
| Exchange risk | Risk related to changes in exchange rates | → |
| Risk of ineffective internal control | Risk of deficiencies in the system to combat fraud and other misconduct | ↓ |
| Legal and tax risk | Risks associated with a weak regulatory framework and changes in tax regulations | ↑ |
| ↑ Increased ↗ Slightly increased → Unchanged ↓ Decreased | ||
Risk response
The Company applies the following risk response strategies:
- Risk transfer. The strategy of risk transfer eliminates risk by transferring to a third party a risk’s potential negative consequences and the onus for responding to the risk. Risk transfer usually involves the payment of a risk premium to the party taking on the risk and responsibility for the management thereof. For IT projects, a thirdparty consulting company could be responsible for risk management. This is applied when the residual risk (after transfer) is assessed as acceptable.
- Risk acceptance. No action is taken to reduce the likelihood of, or potential damage from, an event. Applied when the current level of risk is within acceptable levels.
- Risk reduction. This strategy involves efforts to reduce to an acceptable level the likelihood and/ or consequences of a risk. A risk reduction strategy involves the inclusion of additional oversight procedures in the Company’s activities that are performed regardless of risk occurrence, such as conducting additional testing of the functionality of the information system, conducting regular reconciliations, delineating authority, etc. This is applied if it is possible to carry out measures aimed at reducing the likelihood of the occurrence of a threat or to increasing the likelihood of the occurrence of opportunities.
- Risk avoidance. Termination of the activities causing the risk. Risk avoidance may include closing a facility, refusing to enter new geographic markets, or deciding to sell a unit. This strategy is applied if a risk threatens the continuity of the Company’s operations.
- Combined events. This strategy may include any combination of the above measures.
- Exit plan in case of adverse events. This strategy assumes that the Company is unable to influence a risk, but it must have an exit plan in case such a risk occurs. This strategy is applicable to global risks with zero controllability, such as natural risks, political risks, etc.
The choice of strategy in relation to an identified risk is the responsibility of the risk owner, i.e. the Company employee who, by virtue of his or her authority and duties, can and should manage this risk. The choice of strategy must, without fail, be agreed with the Department of Internal Control and Risk Management.
Risk management as part of the Company’s corporate culture
The Company recognises risk management as an integral part of its corporate culture, strives to increase awareness on the part of employees of the RMS and to encourage every employee to see risk management as an element of their day-to-day activities. The Company considers the participation of employees in risk management, including the identification and assessment thereof, to be a valuable and mandatory contribution on the part of employees to the Company’s continued development.