FCA and PRA licenses (authorisations) and ongoing compliance support, training, recruitment. Contact us 7 days a week, 8am-11pm. Free consultations. Phone / Whatsapp: +4478 3368 4449  Email: hirett.co.uk@gmail.com

TERMS AND ABBREVIATIONS

1. Designated employee – Employee of the HIRETT to whom the HIRETT has determined the obligation to examine Customers’ claims.
2. Compliance laws, rules and standards – laws and other legislative acts regulating the performance of the HIRETT, standards set by self-regulating institutions, related to the activity of the HIRETT, professional codes of conduct and ethics and other standards of good practice related to the activity of the HIRETT.
3. Employee – a physical person who has actual legal relationship with the Agent based on a labour contract or other legal arrangement, including members of the Board.
4. Internal normative documents – documents that are issued by the HIRETT and which regulate the performance of the HIRETT, separate structural units or employees, for instance, policies, procedures, regulations, instructions.
5. Customer – person, who is utilizing one or more of the services provided by the HIRETT.
6. Administration – The structure of HIRETT whose responsibilities includes record – keeping function.
7. Procedure – the Procedure of the HIRETT for Examination of Customer’s Claims.
8. HIRETT – Hirett Ltd.
9. Claim – any type of document (application, complaint, claim, etc.) that is submitted by the Customer and that contains the claim (complaint, dispute).

1 GENERAL PROVISIONS

This Risk Policy (the Policy) reflects the vision and goals of the corporate Internal Control and Risk Management System of Hirett Ltd (the Company). The primary goal of the Internal Control and Risk Management Policy is to define Risk Management System and develop a single approach to the implementation of its processes.

The company Internal Control and Risk Management System represents the organizational tools, methods and procedures implemented by the company to ensure a systematic and consistent approach to the internal control and risk management process.

Risk management is the management and control of the company risks, a process that affects all operations of the company and aims to identify events that can influence the company business, and manage the company risks.

Internal control is a process that aims to provide reasonable assurance that risks are responded to in an effective, timely and coordinated manner at different levels of management, and ensure compliance with applicable laws and reliable reporting. The goal of the internal control processes is to facilitate risk management within the organization and achieve the targets set by the HIRETT.

The company Internal Control and Risk Management System aims to ensure a good balance between the growth of the Company value, its profitability, other operational efficiency criteria and the risks facing the business while observing the risk appetite of the management.

2 KEY TERMS & DEFINITIONS

1. Critical Risk is a risk that has a high probability of occurrence and impact on the company business:
2. Compliance and Risk Management Function is the body, responsible for organizing the risk management process, and the improvement of the company internal control systems.
3. KRI is a Key Risk Indicator, an indicator which characterizes, to the fullest extent possible, the degree of the risk’s impact on the company performance, business process, subdivision or project. These indicators are monitored within the integrated risk management system for each reporting period (quarterly).
4. Maximum risk loss is the value of the maximum possible loss that may occur within the reporting year.
5. Qualitative risk assessment is the assessment of the risk level based on an analysis of the assessed risks by a subject matter expert.
6. Quantitative risk assessment is the assessment of the risk level represented by numerical values, calculated using statistical methods.
7. Risk is the effect of uncertainty on the Company goals and the likelihood of the occurrence of a particular positive or negative event that will affect the Company business.
8. Risk appetite is the level of risk which is considered acceptable to the Company; it is related to the Company goals and represents an acceptable level of possible deviation from the appropriate risk level. Acceptable risk level (risk appetite) is the total risk that the Company generally considers acceptable for creating value, achieving targets and implementing its strategy.
9. Risk Committee is the company risk management executive body, reporting to the CEO.
10. Risk Manager is the employee, head of function or management, of any company responsible for developing the risk management approach and monitoring its implementation
11. Risk Map is completed by the Risk Owner, and is a graphic representation of the risk significance level in the form of a table, where the horizontal axis represents the impact or risk significance, and the vertical axis represents the likelihood of risk.
12. Risk Owner is the employee, head of function or management of any Company responsible for all aspects of managing certain risks, particularly for reducing the probability of risk realization and/or reducing the potential impact of consequences of risk realization. The Risk Owner is responsible for managing the identified risk.
13. Risk Passport is completed by the responsible business division and the Risk Owner (if necessary), and contains the most extensive information about the risk, including a description of risk management activities, realized risks and procedures for responding to the risk.
14. Risk realization is the occurrence and materialization of the risk.
15. Risk Register is completed by the Risk Manager, and contains a list of risks and key information about each risk (risk name; risk description; risk source; risk assessment (likelihood and loss); Risk Owner; division; KRIs, their permissible and actual values).

3 GOALS AND TASKS

Goals and tasks of the Internal Control and Risk Management System are presented in Table below:

Goals Tasks
Ensure a reasonable

assurance for the achievement

of strategic goals

  • Identify, analyse and evaluate the events that affect the achievement of strategic goals;
  • Define the overall level of the Company risks, permissible risk boundaries, and the risk limits assumed by the Company;
  • Ensure preventive measures to minimize likelihood of negative impact of risks on goals;
  • Strategic planning based on risks;
  • Timely notification to top management and the Board of Directors about risk and opportunities; and
  • Monitor risk control activities.
Preserve assets and maintain

business performance

  • Identify, evaluate and manage business process risks, specifically those relevant to asset protection;
  • Provide risk information when making management decisions;
  • Develop Risk Maps;
  • Develop and manage the KRI system; and
  • Prevent fraud.
Ensure compliance with laws

and regulations

  • Internal Control:
  • Reliability, completeness and accuracy of financial reporting;
  • Operating efficiency and target achievement;
  • Security of assets; and
  • Company compliance with applicable laws, regulations and contract terms.
Company external communication
  • Control procedures for disclosing material information about the Company operations to external users by:
  • Ensuring accuracy of the disclosed information at all stages of its collection and processing; and
  • Complying with the Company information disclosure regulations.

4 PRINCIPLES OF THIS POLICY

1. Continuity: continuous functioning of the Internal Control and Risk Management System;
2. Integration: the Internal Control and Risk Management System extends to all areas of the organization’s operations and all types of related risks;
3. Priority: the company prioritizes requisite measures against risks critical to the company operations;
4. Segregation of duties: quality of the performed control functions by each person is controlled by other participants of the Internal Control Department;
5. Functionality: responsibility for risk management in different areas of the organization’s operations is distributed in line with employees’ functional responsibilities within the company;
6. Cooperation: internal control is based on cooperation between all Internal Control participants and divisions of the company;
7. Endorsement and approval: the company is committed to establishing an approval procedure for all business transactions;
8. Standardized methodology: the processes of the Internal Control and Risk Management System are based on standardized approaches and standards for all structural divisions of the Company; and
9. Timeliness of communications: information regarding identified risks or failure should be provided on a timely basis to the persons who are authorized to make relevant management decisions.

5 INTERNAL CONTROL AND RISK MANAGEMENT METHODS

Company shall apply the following set of methods and approaches to Internal Control and Risk Management:
1. Relevant segregation of duties is achieved through separation of certain responsibilities among employees at the relevant job level and through IT interface procedures. Segregation of duties between the Company structural divisions at each management level (vertically) and within each management level (horizontally) are regulated by internal regulatory documents, work flow schedules and interface procedures of the structural divisions.
2. The authorization system defines the boundaries within which employees fulfil their duties and includes internal documents that:

  • set forth the persons who are authorized to sign primary documents;
  • describe work flow schedules for approval of documents by the management; and
  • establish a system of passwords that only provide designated persons with access to assets, documents and information contained in certain information systems.

3. Documenting and system accounting records generated in the information systems are the basic forms of the Company documentary audit. All business transactions are executed as primary documents which are entered in the accounting records only if they are made using the standard forms for primary documentation or the forms developed by the Company and incorporated into internal regulatory documents.
4. Physical methods of controlling and safeguarding assets, documents, and information system data aimed at the restriction of unauthorized access to the Company property. The Company internal documents define the scope of persons who are responsible for the protection and transfer of assets, and sign written contracts as required by law.
5. In compliance with applicable legal requirements, the Company companies take stock of assets and liabilities, a procedure which is set forth in respective internal regulations.
6. Risk management is an integral part of all organizational processes: risk management is not separated from the organization’s core business areas and processes. Risk management is included in the managers’ responsibilities and is an integral part of all organizational processes, including strategic planning, and all management projects and processes.
7. Risk management is part of the decision-making process: risk management helps decision makers to make a conscious choice, prioritize actions and identify the most effective actions out of available options.
8. Risk management facilitates continuous improvement of the organization: the Company should develop and implement strategies for improving risk management alongside all other aspects of the organization.
9. The Company aims to create a risk oriented corporate culture, in which each employee understands the risks and opportunities faced by the Company business, and the prioritization of risks. Each employee is also actively involved in the risk identification and assessment process, and in selecting effective methods for responding to risks.
10. Senior managers ensure prioritization of risk management tasks and dissemination of risk management knowledge and skills across the Company, promote training on the basics of risk management and the “risk-based” corporate management culture.
11. Employees are familiar with the risk management processes and procedures, their role within the risk management process, and the level of their authority and responsibility.

6 RISK MANAGEMENT LEVELS

Risk Management in the Company is structured by level. Risk-related decisions can be made by each level. There are three management levels:

  • The Board of Directors/CEO;
  • The Risk Committee; and
  • The line management.

Each level of the Risk Management System has a decision threshold (threshold risk value), and if it is exceeded, the risk decision is passed onto the next decision-level in the following way:

  • decision making by the line management level is passed on to the Risk Committee; and
  • decision making by the Risk Committee level is passed on to the Board of Directors/CEO.

The Audit Committee oversees risk management efficiency on all management levels.

Roles and Responsibilities of the Internal Control and Risk Management System Participants

The allocation of roles and responsibilities between the participants of the Internal Control and Risk Management System is presented in table below:

Participant Role Functions and responsibility
Board of Directors Guarantor Defines the risk management strategy of the Company;

Approves corporate standards (the Policy and its changes) in the field of

internal control and risk management;

Approves at the corporate level the Company risk appetite;

Makes decisions on performance of the Internal Control and Risk Management

System; and

Receives reports and recommendations from the Audit Committee.

CEO General Manager Exercises control over creation and functioning of the Company Internal Control

and Risk Management System, establishes and exercises control over

compliance with the requirements of the System’s organization;

Develops corporate standards (the Policy) in the field of internal control and

risk management;

Defines the Company risk management strategy;

Defines at the corporate level the Group’s risk appetite;

Approves the prioritized Risk Register at the level of Board of Directors;

Approves activity plans for critical risks management;

Approves budgets for risk management activities;

Ensures achievement of the Internal Control and Risk Management System’s

key performance indicators by introducing financial incentives;

Approves internal regulations for internal control and risk management; and

Resolves disputes.

Audit Committee

under the Board

of Directors

Controller Monitors the efficiency of risks management;

Exercises control over functioning of the Internal Control and Risk

Management System, prepares resolutions for the Board of Directors on the

efficacy of the Internal Control and Risk Management System;

Identifies material drawbacks in Internal Control and Risk Management

procedures, and initiates the process for their elimination; and

Develops recommendations for the Board of Directors on improvement of the

Internal Control and Risk Management System, and the Company procedure for

reporting and information disclosure.

Risk Committee Executive

Body

Approves risk appetite levels in the form of limits and other restrictions of

permissible risks and scales of risk assessment;

Prioritizes the Company risks;

Defines and aligns the Company prioritized Risk Register;

Evaluates the completeness of the Company final Risk Map;

7

Approves Risk Owners;

Approves KRIs for critical risks;

Develops activity plans for critical risk management;

Controls implementation of the Company activity plans for critical risk

management;

Approves key performance indications of the Internal Control and Risk

Management System;

Makes risk management decisions at Risk Committee level;

Analyses risk management reports; and

Approves annual reports on implementation of the Company risk management

activities to the Board of Directors.

Compliance and

Risk

Management

Function

Methodologist

and

Coordinator

Organizes and manages internal control and risk management processes;

Coordinates the activity of, and provides information support to, the Risk

Committee;

Develops risk management methodologies and procedures in line with best

global practice;

Collects, processes and analyses information on risk identification generated

by the Company structural divisions, analyses internal documentation, and

conducts interviews;

Participates in the expert risk assessment;

Develops and updates the Company Risk Register;

Organizes risk prioritization;

Defines risk appetite levels in the form of limits and other restrictions of

permissible risks and scales of risk assessment;

Consolidates activity plans for critical risk management;

Organizes cooperation among Risk Owners in the process of additional critical

risk analysis;

Monitors risk management: collects information from Risk Owners related to

critical risks’ dynamics and implementation of risk management activity plans;

Develops KRIs with structural divisions and the Risk Owners;

Monitors values of the KRIs;

Trains and consults the Company’s management and employees on the

methodology behind risk management processes;

Establishes development areas and improvement plans for the Company’s

Internal Control and Risk Management System;

Prepares information about risks if required;

Develops and reviews, as necessary, the risk management reporting system;

Prepares reports on implementation of the Group’s risk management activities

for the Board of Directors;

Develops internal control methodologies and procedures in line with best

global practice;

Provides systematic support to the Company structural divisions regarding

control procedure achievement;

Audits and evaluates the adequacy of control procedures;

Develops and implements new control procedures in line with identified

drawbacks;

Develops and reviews, as necessary, the internal control reporting system;

Provides systematic support to the Company managers on internal control

reporting; and

Prepares reports on implementation of activities related to the Company internal

control system for the Board of Directors.

Heads of

structural

divisions

Officers, Risks

Owner

Monitors compliance with these Policy provisions;

Identifies risks in the structural division/initiated project;

Participates in expert risk assessment;

Monitors the development and execution of the risk management activity plan

within his or her division;

Performs day-to-day control over accepted risks, observance of limits, KRI

values and execution of risk management activities;

Provides information about risks and activities on a timely basis to the Risk

Manager; and

Captures and provides information on realized risks to the Risk Manager.

Company

employees

Officers Performs duties in the field of internal control and risk management as per job

descriptions;

Participates in risk assessment upon the request of the Compliance and Risk

Management Function; and

Immediately informs his/her manager about any mistakes/drawbacks or

potential mistakes/drawbacks, which have resulted in actual losses or can

result in potential losses for the Company.

7 KEY INTERNAL CONTROL PROCESSES

Analysis of Business Processes
Analysis of the Company business processes is conducted under the guidance of the Compliance and Risk Management Function in order to define the key control points and control means, and evaluate their adequacy. Business process analysis is based on process flows that reflect the sequence of functions performed within a business process, and the connection between events and functions within a business process.

Assessment of the Current Control Procedures
Based on the results of the analysis of business processes, the Compliance and Risk Management Function conducts assessments of the existing control procedures and identifies missing control procedures. Assessment of the performance of control procedures is carried out to ensure a reasonable assurance of achieving the corresponding goals of the business process in question.

A list is prepared of missing control procedures and control procedures that require improvement or revision in order to prevent potential risks in the future.

Development of Control Procedures
Control procedures are developed by the function that is the business process owner and the Compliance and Risk Management Function. Control procedures are developed by establishing a set of measures aimed at reducing the likelihood of risk occurrence and the impact of their negative consequences.

Monitoring
Monitoring of the Internal Control and Risk Management System is a mechanism for the systematic review of the status, changes, and performance of the Company control procedures in order to timely identify negative tendencies, perform analysis based on observations, and prepare data for management to make internal control decisions.

Monitoring is carried out by the Compliance and Risk Management Function. The main method used for monitoring the performance of control procedures is the monitoring by deadlines, i.e. defining control points for development, alignment, approval, and implementations.

8 KEY MANAGEMENT PROCESSES

Goal Setting
Risk management is based on a system of precise, clear and measurable strategic and operational goals of the Company formulated by the Board of Directors and senior management. General goals are set on a strategic level;
o management sets more specific tactical targets and tasks at a lower level. When risks are identified, threats to the achievement of formalized goals and tasks are analyzed.

Risk Identification
Risk identification is a process that helps to identify the underlying risk factors that impact the Company operational indicators. The risk identification process is organized by the Compliance and Risk Management Function involving employees from the Company structural divisions. Final responsibility of Risk identifications belongs to process
owners.

Risk identification includes:

  • Identification of all risk types and factors that impact the achievement of the Company strategic goals, business process functioning, and performance indicators of the Company structural divisions and projects. Both risks and possible risks should be identified;
  • Development of the Company Basic Risk Register;
  • Risk assessment that incorporates key characteristics of the identified risks, and assessment of the likelihood, potential and maximum risk loss;
  • Development of a Risk Map and rating of risk by level of significance;
  • Defining KRI values for the most critical and most significant risks; and
  • Description of methods used for the control and management of identified risks.

The risk register contains the following data:

  • Risk classification;
  • Risk description;
  • Type of risk (risk or likelihood)
  • Source of risk;
  • Risk assessment (likelihood and loss);
  • Risk Owner;
  • Division; and
  • KRIs, their permissible and actual values.

The Risk Register is updated periodically (monthly, quarterly, yearly) as necessary (depending on the type of risk – as agreed with structural divisions) and is used as an instrument for creating the Risk Map.

The Risk Map contains information regarding risks with respect to selected risk management methods. The Risk Map can be developed by core business areas, business processes, individual divisions and projects and describes the risks that directly impact this object.

The Company prioritized Risk Map is developed yearly and is to be updated once a year. The Group’s Risk Map is reviewed by the Risk Committee and approved by the Board of Directors.

9 Risk Classification

The risk classification process is organized by the Compliance and Risk Management Function involving employees from the Company structural divisions. Final responsibility of Risk classification belongs to process owners. Risk classification is based on grouping risks by category as presented in Table below:

Group Risk identification areas
Business risks Risks conditioned by industry characteristics, related to changes in consumer

behavior, changes in personnel structure, strengthening of competition, loss of

market position, untimely entrance into target market, industry decline, etc,

including third party risks; organizational risks and reputational risks.

Legal risks Current legislation;

Intellectual property;

Patent risks;

Reputational risks; and

Contractual risks.

Financial risks Taxation;

Liquidity;

Credit risks;

Currency risks; and

Evaluation of financial profit.

Information and technological

security risks

Fraud,

Security,

Cyber-crime

Compliance risks Sarbanes-Oxley Act 2002 compliance;

Anti-bribery and corruption compliance;

Sanctions compliance;

Anti-money laundering/counter-terrorist financing; and

Requirements of industry associations (PCI DSS).

Project risks Organizational complexity of the project;

Technical complexity of the project;

Labor intensity of project; and

Resource availability.

10 Risk Assessment and Analysis

Risk assessment is the totality of the risk likelihood and risk relevance (impact). Risk assessment is performed with a forecast horizon of 1 year.

The risk assessment process is organized by the Compliance and Risk Management Function involving employees from the Company structural divisions.

Depending on the quality of available risk information, risk assessment can be performed by one of the following methods:

  • Qualitative (expert) assessment based on available experience;
  • Quantitative assessment using up-to-date statistical methods for evaluating possible losses.

Risk probability is an expert metric and is defined using a 4-grade scale presented in Table below:

Probability of Risk Occurrence Interval, % Score
Considerable >=80% 4
High 50-80% 3
Medium 20-50% 2
Low <=20% 1

Risk relevance characterizes the impact of the risk and is defined using a 4-grade scale presented in Table below:

Risk relevance (impact) Interval Value interpretation,

GBP million

Score
Critical over 2%*NI (see*) >=60 4
Significant from 1.5%*NI to 2%*NI 40-60 3
Material from 1%*NI to 1.5%*NI 25-40 2
Insignificant up to 1%*NI <=2 1

*NI – net income of the Company for the current financial year after tax; the NI value for the rating scale is updated every six months by the Compliance and Risk Management Function.

The rating scale of risk assessment by relevance and impact is standardized across all divisions and is passed down by the Compliance and Risk Management Function to the key employees (experts) in the Company divisions to conduct quality risk assessment.

KRIs are developed for each risk by structural divisions with the Compliance and Risk Management Function and characterize the likelihood of a risk and/or possible loss where such risk occurs.

KRIs are periodically monitored (monthly, quarterly, or yearly, depending on the type of risks) by the responsible employee of the Compliance and Risk Management Function and structural divisions.

11 RISK APPETITE PROCEDURE

Procedure for Defining Risk Appetite and Establishing Permissible Risk Boundaries and Limits. Risk appetite is an exposure to risk which, in the opinion of the Board of Directors, is acceptable for the Company or its structural units. This means that risk appetite corresponds to the Group’s available resources when a risk occurs.

Based on the risk appetite, the Board of Directors decides whether to take on the risk or work on reducing it. The risk appetite level is used for risk prioritization, by identifying risks that are critical to the Company operations. Risk appetite is evaluated in stages by reviewing strategic alternatives, project initiatives, setting strategic and current goals, development of risk assessment and management mechanisms. The level of corporate risk appetite is defined at least once a year in conjunction with the scheduled update of the

Company Risk Map. Risk appetite is calculated as a percentage of the Company profit in the current financial year and is the critical value of the Company total risk, an excess of which may result in failure to achieve the target growth rates of the Group Net Income.

The target indicator of NI growth rate (%) is defined by the CEO, approved by the Company’s Board of Directors and is dependent on stock price forecasts and capitalization targets.

According to the principle of separating decision-making levels, each level has its own risk appetite in exceptional circumstances, if the risk appetite level is exceeded, the risk can be accepted if its mitigation measures are economically ineffective, or bear greater risks.

However, failure to achieve the requisite risk appetite level does not mean that it is not necessary to mitigate the risk.

Compliance and Risk Management Function submits a proposal on risk appetite levels in the form of limits and other restrictions of permissible risks to the Risk Committee for review and approval. For critical risks, the risk appetite is approved by a decision of the Company’s Board of Directors and may not be exceeded without relevant permission.

Depending on the risk, limits can be set in relation to:

  • Total risk of a division, business process, or project;
  • Transaction or, group of transactions, of a certain type;
  • Contractor or a group of contractors;
  • Amount of expenses (loss); or
  • Amount of profit and other indicators.

Limits should be aligned with risk related structural divisions.

In case of significant changes in the external and internal environment or KRI value, the Risk Manager or the structural division, whose activity is connected with the risk impact, can initiate a review of the permissible risk boundary, subject to a relevant approval.

12 RISK PRIORITIZATION AND CRITICAL RISKS

All risks described in the Company’s Risk Register, based on the assessment, should be prioritized by their degree of impact on the achievement of the Company strategic goals. This will allow the Company to define risks that are critical.

The risk prioritization process is organized by the Compliance and Risk Management Function.

A risk is considered critical if one of the following criteria are met:

  • The risk relevance level is “critical”, the probability of occurrence is “medium” or higher (as per the rating scale of risk assessment by likelihood and impact);
  • The risk relevance level is “significant”, the probability of occurrence is “high” or higher (as per the rating scale of risk assessment by likelihood and impact);
  • Risk realization can influence the achievement of the Company strategic goals; or
  • The Company strategy needs to be adjusted for the purpose of risk management.
  • Risks that are deemed critical, following the results of prioritization, are subject to additional analysis by the Compliance and Risk Management Function and a further review by the Risk Committee, the CEO, the Audit Committee and the Board of Directors.
  • Additional analysis includes an assessment of risks by engaging a larger number of experts and using the Delphi method (interactive forecasting method which relies on a panel of experts).
  • Non-critical risks are managed by the Company authorized employees as part of their functional duties.

13 Risk Owners

For risks which are deemed critical during the prioritization process, Risk Owners are defined as the employees of the Company who are responsible for the development and implementation of risk management activities. The Compliance and Risk Management Function develops a list of owners of Critical Risks responsible for development and implementation of risk management activities based on the nature of each risk, factors relating to its occurrence, and the nature of potential losses and potential risk management activities. The list of owners of Critical Risks is agreed with the Risks Owners and approved by the Risk Committee.

14 Selection of Risk Management Methods

The Group applies the following risk management methods:

  • Risk avoidance: Avoidance of action and/or decision making that is characterized by a high risk level.
  • Risk acceptance: Risk is accepted if it cannot be influenced and all available risk mitigation methods are not economically feasible compared with the loss that may be caused by the occurrence of the risk. The Company management is aware of the risk and its characteristics and is consciously avoiding any measures that would influence the risk.
  • Risk transfer: Transfer of risk, fully or partially, from one party to another based on a contract. For example, signing an insurance contract or outsourcing the process.
  • Risk control/mitigation: Risk control by actively working to reduce the likelihood of, or reduce the potential loss from, the occurrence of the risk.

Key risk management instruments are presented in Table below:

Risk

management

methods

Risk

management

instruments

Risk avoidance
  • Monitoring and internal control of risks; and
  • Avoidance of activities, projects, transactions, other actions
Acceptance
  • Monitoring and internal control; and
  • Creation of material and financial reserves
Transfer
  • Monitoring and internal control;
  • Documenting the interface procedure of structural divisions during risk management;
  • Defining the responsibility of managers of structural divisions;
  • Insurance;
  • Outsourcing; and
  • Exceptions in the contract.
Control/mitigation
  • Monitoring and internal control;
  • Defining the responsibility of managers of structural divisions for accepting risks that exceed permissible boundaries and/or limits;
  • Establishing limits and permissible values of risk indicators;
  • Documenting the interface procedure of structural divisions during risk management;
  • Development of plans for minimizing consequences of risks occurring;
  • Creation of material and financial reserves; and
  • Diversification.

The choice of risk management methods and instruments is made by the Compliance and Risk Management Function and the structural division, whose activity relates to the risk. The selected methods are also based on the conducted risk assessment, and the potential losses and likelihood of risks occurring. For Critical Risks, risk management methods and instruments are reviewed by the Risk Committee and approved by the Board of Directors.

Original choice of risk management methods is executed by risk owners. Identification of insignificant risks may be reported to the Risk Committee during the next scheduled meeting. If Critical Risk is identified, it should be reported to the Compliance and Risk Management Function immediately. The Risk Committee should call an extraordinary meeting in order to select risk management methods and instruments for the indicated critical risks. An extraordinary meeting of the Risk Committee should be called by the Compliance and Risk Management Function. Critical Risk management methods and instruments are chosen by the Risk Committee and approved by the Board of Directors.

On a quarterly basis, selection of methods and instruments for risk management are to be reviewed to ensure the completeness and appropriateness of applied methods. Additional measures are to be taken if required.

15 DEVELOPMENT OF RISK MANAGEMENT ACTIVITIES

Development of activity plans for critical risk management aims to reduce losses and/or risk likelihood. The activities should be based on the economic feasibility principle – the cost of implemented activities should not exceed the expected loss from risk occurrence. Activity plans are developed by the Risk Owners and should contain a clear definition of tasks, responsible persons and due dates.

When developing critical risk management activities, risk interdependencies should be taken into account. The Compliance and Risk Management Function consolidates the developed activity plans, analyses the impact of each proposed activity on other risks and organizes cooperation between Risk Owners in order to optimize activity plans.

16 MONITORING OF RISK MANAGEMENT

Monitoring of risk management involves control of the risk level. Monitoring helps to track the dynamics of changes in the risk characteristics and whether the desired result from implementation of various risk management measures has been achieved. Monitoring is performed by the Compliance and Risk Management Function by collecting information on the critical risk dynamics and executing the plan of risk management activities received from the Risk Owners, and also by tracking the values of KRIs developed during risk identification and assessment process.

The Compliance and Risk Management Function reports the monitoring results to the Group’s Board of Directors.

Implemented activities can be adjusted or additional activities developed based on the monitoring results.

The Group’s risk management performance evaluation is carried out based on:

  • Analysis of the change in dynamics of the risks assessment;
  • Analysis of the integrity and completeness of the risk mitigation measures; and
  • Change in the dynamics of KRIs.

In order to allocate responsibility for achieving target KRIs, they can be set as Key Performance Indicators for managers and divisions.

17 REPORTING UNDER THE INTERNAL CONTROL AND RISK MANAGEMENT

Presentation for the Board of Directors, Audit Committee, etc. are the presentation materials (in MS PowerPoint) including key information on risks and the status of the risk management process, current and future risk management tasks and the Company internal control system.

Internal control and risk management reporting documents ensure solving of risk management tasks, focus on a meaningful and transparent exchange of risk information, and provide information to decision makers.
Internal control and risk management regulatory documents are based on, aligned with and do not contradict the provisions of this Policy.

TERMS AND ABBREVIATIONS

1. Designated employee – Employee of the HIRETT to whom the HIRETT has determined the obligation to examine Customers’ claims.
2. Compliance laws, rules and standards – laws and other legislative acts regulating the performance of the HIRETT, standards set by self-regulating institutions, related to the activity of the HIRETT, professional codes of conduct and ethics and other standards of good practice related to the activity of the HIRETT.
3. Employee – a physical person who has actual legal relationship with the Agent based on a labour contract or other legal arrangement, including members of the Board.
4. Internal normative documents – documents that are issued by the HIRETT and which regulate the performance of the HIRETT, separate structural units or employees, for instance, policies, procedures, regulations, instructions.
5. Customer – person, who is utilizing one or more of the services provided by the HIRETT.
6. Administration – The structure of HIRETT whose responsibilities includes record – keeping function.
7. Procedure – the Procedure of the HIRETT for Examination of Customer’s Claims.
8. HIRETT – Hirett Ltd.
9. Claim – any type of document (application, complaint, claim, etc.) that is submitted by the Customer and that contains the claim (complaint, dispute).

1 GENERAL PROVISIONS

This Risk Policy (the Policy) reflects the vision and goals of the corporate Internal Control and Risk Management System of Hirett Ltd (the Company). The primary goal of the Internal Control and Risk Management Policy is to define Risk Management System and develop a single approach to the implementation of its processes.

The company Internal Control and Risk Management System represents the organizational tools, methods and procedures implemented by the company to ensure a systematic and consistent approach to the internal control and risk management process.

Risk management is the management and control of the company risks, a process that affects all operations of the company and aims to identify events that can influence the company business, and manage the company risks.

Internal control is a process that aims to provide reasonable assurance that risks are responded to in an effective, timely and coordinated manner at different levels of management, and ensure compliance with applicable laws and reliable reporting. The goal of the internal control processes is to facilitate risk management within the organization and achieve the targets set by the HIRETT.

The company Internal Control and Risk Management System aims to ensure a good balance between the growth of the Company value, its profitability, other operational efficiency criteria and the risks facing the business while observing the risk appetite of the management.

2 KEY TERMS & DEFINITIONS

1. Critical Risk is a risk that has a high probability of occurrence and impact on the company business:
2. Compliance and Risk Management Function is the body, responsible for organizing the risk management process, and the improvement of the company internal control systems.
3. KRI is a Key Risk Indicator, an indicator which characterizes, to the fullest extent possible, the degree of the risk’s impact on the company performance, business process, subdivision or project. These indicators are monitored within the integrated risk management system for each reporting period (quarterly).
4. Maximum risk loss is the value of the maximum possible loss that may occur within the reporting year.
5. Qualitative risk assessment is the assessment of the risk level based on an analysis of the assessed risks by a subject matter expert.
6. Quantitative risk assessment is the assessment of the risk level represented by numerical values, calculated using statistical methods.
7. Risk is the effect of uncertainty on the Company goals and the likelihood of the occurrence of a particular positive or negative event that will affect the Company business.
8. Risk appetite is the level of risk which is considered acceptable to the Company; it is related to the Company goals and represents an acceptable level of possible deviation from the appropriate risk level. Acceptable risk level (risk appetite) is the total risk that the Company generally considers acceptable for creating value, achieving targets and implementing its strategy.
9. Risk Committee is the company risk management executive body, reporting to the CEO.
10. Risk Manager is the employee, head of function or management, of any company responsible for developing the risk management approach and monitoring its implementation
11. Risk Map is completed by the Risk Owner, and is a graphic representation of the risk significance level in the form of a table, where the horizontal axis represents the impact or risk significance, and the vertical axis represents the likelihood of risk.
12. Risk Owner is the employee, head of function or management of any Company responsible for all aspects of managing certain risks, particularly for reducing the probability of risk realization and/or reducing the potential impact of consequences of risk realization. The Risk Owner is responsible for managing the identified risk.
13. Risk Passport is completed by the responsible business division and the Risk Owner (if necessary), and contains the most extensive information about the risk, including a description of risk management activities, realized risks and procedures for responding to the risk.
14. Risk realization is the occurrence and materialization of the risk.
15. Risk Register is completed by the Risk Manager, and contains a list of risks and key information about each risk (risk name; risk description; risk source; risk assessment (likelihood and loss); Risk Owner; division; KRIs, their permissible and actual values).

3 GOALS AND TASKS

Goals and tasks of the Internal Control and Risk Management System are presented in Table below:

Goals Tasks
Ensure a reasonable

assurance for the achievement

of strategic goals

  • Identify, analyse and evaluate the events that affect the achievement of strategic goals;
  • Define the overall level of the Company risks, permissible risk boundaries, and the risk limits assumed by the Company;
  • Ensure preventive measures to minimize likelihood of negative impact of risks on goals;
  • Strategic planning based on risks;
  • Timely notification to top management and the Board of Directors about risk and opportunities; and
  • Monitor risk control activities.
Preserve assets and maintain

business performance

  • Identify, evaluate and manage business process risks, specifically those relevant to asset protection;
  • Provide risk information when making management decisions;
  • Develop Risk Maps;
  • Develop and manage the KRI system; and
  • Prevent fraud.
Ensure compliance with laws

and regulations

  • Internal Control:
  • Reliability, completeness and accuracy of financial reporting;
  • Operating efficiency and target achievement;
  • Security of assets; and
  • Company compliance with applicable laws, regulations and contract terms.
Company external communication
  • Control procedures for disclosing material information about the Company operations to external users by:
  • Ensuring accuracy of the disclosed information at all stages of its collection and processing; and
  • Complying with the Company information disclosure regulations.

4 PRINCIPLES OF THIS POLICY

1. Continuity: continuous functioning of the Internal Control and Risk Management System;
2. Integration: the Internal Control and Risk Management System extends to all areas of the organization’s operations and all types of related risks;
3. Priority: the company prioritizes requisite measures against risks critical to the company operations;
4. Segregation of duties: quality of the performed control functions by each person is controlled by other participants of the Internal Control Department;
5. Functionality: responsibility for risk management in different areas of the organization’s operations is distributed in line with employees’ functional responsibilities within the company;
6. Cooperation: internal control is based on cooperation between all Internal Control participants and divisions of the company;
7. Endorsement and approval: the company is committed to establishing an approval procedure for all business transactions;
8. Standardized methodology: the processes of the Internal Control and Risk Management System are based on standardized approaches and standards for all structural divisions of the Company; and
9. Timeliness of communications: information regarding identified risks or failure should be provided on a timely basis to the persons who are authorized to make relevant management decisions.

5 INTERNAL CONTROL AND RISK MANAGEMENT METHODS

Company shall apply the following set of methods and approaches to Internal Control and Risk Management:
1. Relevant segregation of duties is achieved through separation of certain responsibilities among employees at the relevant job level and through IT interface procedures. Segregation of duties between the Company structural divisions at each management level (vertically) and within each management level (horizontally) are regulated by internal regulatory documents, work flow schedules and interface procedures of the structural divisions.
2. The authorization system defines the boundaries within which employees fulfil their duties and includes internal documents that:

  • set forth the persons who are authorized to sign primary documents;
  • describe work flow schedules for approval of documents by the management; and
  • establish a system of passwords that only provide designated persons with access to assets, documents and information contained in certain information systems.

3. Documenting and system accounting records generated in the information systems are the basic forms of the Company documentary audit. All business transactions are executed as primary documents which are entered in the accounting records only if they are made using the standard forms for primary documentation or the forms developed by the Company and incorporated into internal regulatory documents.
4. Physical methods of controlling and safeguarding assets, documents, and information system data aimed at the restriction of unauthorized access to the Company property. The Company internal documents define the scope of persons who are responsible for the protection and transfer of assets, and sign written contracts as required by law.
5. In compliance with applicable legal requirements, the Company companies take stock of assets and liabilities, a procedure which is set forth in respective internal regulations.
6. Risk management is an integral part of all organizational processes: risk management is not separated from the organization’s core business areas and processes. Risk management is included in the managers’ responsibilities and is an integral part of all organizational processes, including strategic planning, and all management projects and processes.
7. Risk management is part of the decision-making process: risk management helps decision makers to make a conscious choice, prioritize actions and identify the most effective actions out of available options.
8. Risk management facilitates continuous improvement of the organization: the Company should develop and implement strategies for improving risk management alongside all other aspects of the organization.
9. The Company aims to create a risk oriented corporate culture, in which each employee understands the risks and opportunities faced by the Company business, and the prioritization of risks. Each employee is also actively involved in the risk identification and assessment process, and in selecting effective methods for responding to risks.
10. Senior managers ensure prioritization of risk management tasks and dissemination of risk management knowledge and skills across the Company, promote training on the basics of risk management and the “risk-based” corporate management culture.
11. Employees are familiar with the risk management processes and procedures, their role within the risk management process, and the level of their authority and responsibility.

6 RISK MANAGEMENT LEVELS

Risk Management in the Company is structured by level. Risk-related decisions can be made by each level. There are three management levels:

  • The Board of Directors/CEO;
  • The Risk Committee; and
  • The line management.

Each level of the Risk Management System has a decision threshold (threshold risk value), and if it is exceeded, the risk decision is passed onto the next decision-level in the following way:

  • decision making by the line management level is passed on to the Risk Committee; and
  • decision making by the Risk Committee level is passed on to the Board of Directors/CEO.

The Audit Committee oversees risk management efficiency on all management levels.

Roles and Responsibilities of the Internal Control and Risk Management System Participants

The allocation of roles and responsibilities between the participants of the Internal Control and Risk Management System is presented in table below:

Participant Role Functions and responsibility
Board of Directors Guarantor Defines the risk management strategy of the Company;

Approves corporate standards (the Policy and its changes) in the field of

internal control and risk management;

Approves at the corporate level the Company risk appetite;

Makes decisions on performance of the Internal Control and Risk Management

System; and

Receives reports and recommendations from the Audit Committee.

CEO General Manager Exercises control over creation and functioning of the Company Internal Control

and Risk Management System, establishes and exercises control over

compliance with the requirements of the System’s organization;

Develops corporate standards (the Policy) in the field of internal control and

risk management;

Defines the Company risk management strategy;

Defines at the corporate level the Group’s risk appetite;

Approves the prioritized Risk Register at the level of Board of Directors;

Approves activity plans for critical risks management;

Approves budgets for risk management activities;

Ensures achievement of the Internal Control and Risk Management System’s

key performance indicators by introducing financial incentives;

Approves internal regulations for internal control and risk management; and

Resolves disputes.

Audit Committee

under the Board

of Directors

Controller Monitors the efficiency of risks management;

Exercises control over functioning of the Internal Control and Risk

Management System, prepares resolutions for the Board of Directors on the

efficacy of the Internal Control and Risk Management System;

Identifies material drawbacks in Internal Control and Risk Management

procedures, and initiates the process for their elimination; and

Develops recommendations for the Board of Directors on improvement of the

Internal Control and Risk Management System, and the Company procedure for

reporting and information disclosure.

Risk Committee Executive

Body

Approves risk appetite levels in the form of limits and other restrictions of

permissible risks and scales of risk assessment;

Prioritizes the Company risks;

Defines and aligns the Company prioritized Risk Register;

Evaluates the completeness of the Company final Risk Map;

7

Approves Risk Owners;

Approves KRIs for critical risks;

Develops activity plans for critical risk management;

Controls implementation of the Company activity plans for critical risk

management;

Approves key performance indications of the Internal Control and Risk

Management System;

Makes risk management decisions at Risk Committee level;

Analyses risk management reports; and

Approves annual reports on implementation of the Company risk management

activities to the Board of Directors.

Compliance and

Risk

Management

Function

Methodologist

and

Coordinator

Organizes and manages internal control and risk management processes;

Coordinates the activity of, and provides information support to, the Risk

Committee;

Develops risk management methodologies and procedures in line with best

global practice;

Collects, processes and analyses information on risk identification generated

by the Company structural divisions, analyses internal documentation, and

conducts interviews;

Participates in the expert risk assessment;

Develops and updates the Company Risk Register;

Organizes risk prioritization;

Defines risk appetite levels in the form of limits and other restrictions of

permissible risks and scales of risk assessment;

Consolidates activity plans for critical risk management;

Organizes cooperation among Risk Owners in the process of additional critical

risk analysis;

Monitors risk management: collects information from Risk Owners related to

critical risks’ dynamics and implementation of risk management activity plans;

Develops KRIs with structural divisions and the Risk Owners;

Monitors values of the KRIs;

Trains and consults the Company’s management and employees on the

methodology behind risk management processes;

Establishes development areas and improvement plans for the Company’s

Internal Control and Risk Management System;

Prepares information about risks if required;

Develops and reviews, as necessary, the risk management reporting system;

Prepares reports on implementation of the Group’s risk management activities

for the Board of Directors;

Develops internal control methodologies and procedures in line with best

global practice;

Provides systematic support to the Company structural divisions regarding

control procedure achievement;

Audits and evaluates the adequacy of control procedures;

Develops and implements new control procedures in line with identified

drawbacks;

Develops and reviews, as necessary, the internal control reporting system;

Provides systematic support to the Company managers on internal control

reporting; and

Prepares reports on implementation of activities related to the Company internal

control system for the Board of Directors.

Heads of

structural

divisions

Officers, Risks

Owner

Monitors compliance with these Policy provisions;

Identifies risks in the structural division/initiated project;

Participates in expert risk assessment;

Monitors the development and execution of the risk management activity plan

within his or her division;

Performs day-to-day control over accepted risks, observance of limits, KRI

values and execution of risk management activities;

Provides information about risks and activities on a timely basis to the Risk

Manager; and

Captures and provides information on realized risks to the Risk Manager.

Company

employees

Officers Performs duties in the field of internal control and risk management as per job

descriptions;

Participates in risk assessment upon the request of the Compliance and Risk

Management Function; and

Immediately informs his/her manager about any mistakes/drawbacks or

potential mistakes/drawbacks, which have resulted in actual losses or can

result in potential losses for the Company.

7 KEY INTERNAL CONTROL PROCESSES

Analysis of Business Processes
Analysis of the Company business processes is conducted under the guidance of the Compliance and Risk Management Function in order to define the key control points and control means, and evaluate their adequacy. Business process analysis is based on process flows that reflect the sequence of functions performed within a business process, and the connection between events and functions within a business process.

Assessment of the Current Control Procedures
Based on the results of the analysis of business processes, the Compliance and Risk Management Function conducts assessments of the existing control procedures and identifies missing control procedures. Assessment of the performance of control procedures is carried out to ensure a reasonable assurance of achieving the corresponding goals of the business process in question.

A list is prepared of missing control procedures and control procedures that require improvement or revision in order to prevent potential risks in the future.

Development of Control Procedures
Control procedures are developed by the function that is the business process owner and the Compliance and Risk Management Function. Control procedures are developed by establishing a set of measures aimed at reducing the likelihood of risk occurrence and the impact of their negative consequences.

Monitoring
Monitoring of the Internal Control and Risk Management System is a mechanism for the systematic review of the status, changes, and performance of the Company control procedures in order to timely identify negative tendencies, perform analysis based on observations, and prepare data for management to make internal control decisions.

Monitoring is carried out by the Compliance and Risk Management Function. The main method used for monitoring the performance of control procedures is the monitoring by deadlines, i.e. defining control points for development, alignment, approval, and implementations.

8 KEY MANAGEMENT PROCESSES

Goal Setting
Risk management is based on a system of precise, clear and measurable strategic and operational goals of the Company formulated by the Board of Directors and senior management. General goals are set on a strategic level;
o management sets more specific tactical targets and tasks at a lower level. When risks are identified, threats to the achievement of formalized goals and tasks are analyzed.

Risk Identification
Risk identification is a process that helps to identify the underlying risk factors that impact the Company operational indicators. The risk identification process is organized by the Compliance and Risk Management Function involving employees from the Company structural divisions. Final responsibility of Risk identifications belongs to process
owners.

Risk identification includes:

  • Identification of all risk types and factors that impact the achievement of the Company strategic goals, business process functioning, and performance indicators of the Company structural divisions and projects. Both risks and possible risks should be identified;
  • Development of the Company Basic Risk Register;
  • Risk assessment that incorporates key characteristics of the identified risks, and assessment of the likelihood, potential and maximum risk loss;
  • Development of a Risk Map and rating of risk by level of significance;
  • Defining KRI values for the most critical and most significant risks; and
  • Description of methods used for the control and management of identified risks.

The risk register contains the following data:

  • Risk classification;
  • Risk description;
  • Type of risk (risk or likelihood)
  • Source of risk;
  • Risk assessment (likelihood and loss);
  • Risk Owner;
  • Division; and
  • KRIs, their permissible and actual values.

The Risk Register is updated periodically (monthly, quarterly, yearly) as necessary (depending on the type of risk – as agreed with structural divisions) and is used as an instrument for creating the Risk Map.

The Risk Map contains information regarding risks with respect to selected risk management methods. The Risk Map can be developed by core business areas, business processes, individual divisions and projects and describes the risks that directly impact this object.

The Company prioritized Risk Map is developed yearly and is to be updated once a year. The Group’s Risk Map is reviewed by the Risk Committee and approved by the Board of Directors.

9 Risk Classification

The risk classification process is organized by the Compliance and Risk Management Function involving employees from the Company structural divisions. Final responsibility of Risk classification belongs to process owners. Risk classification is based on grouping risks by category as presented in Table below:

Group Risk identification areas
Business risks Risks conditioned by industry characteristics, related to changes in consumer

behavior, changes in personnel structure, strengthening of competition, loss of

market position, untimely entrance into target market, industry decline, etc,

including third party risks; organizational risks and reputational risks.

Legal risks Current legislation;

Intellectual property;

Patent risks;

Reputational risks; and

Contractual risks.

Financial risks Taxation;

Liquidity;

Credit risks;

Currency risks; and

Evaluation of financial profit.

Information and technological

security risks

Fraud,

Security,

Cyber-crime

Compliance risks Sarbanes-Oxley Act 2002 compliance;

Anti-bribery and corruption compliance;

Sanctions compliance;

Anti-money laundering/counter-terrorist financing; and

Requirements of industry associations (PCI DSS).

Project risks Organizational complexity of the project;

Technical complexity of the project;

Labor intensity of project; and

Resource availability.

10 Risk Assessment and Analysis

Risk assessment is the totality of the risk likelihood and risk relevance (impact). Risk assessment is performed with a forecast horizon of 1 year.

The risk assessment process is organized by the Compliance and Risk Management Function involving employees from the Company structural divisions.

Depending on the quality of available risk information, risk assessment can be performed by one of the following methods:

  • Qualitative (expert) assessment based on available experience;
  • Quantitative assessment using up-to-date statistical methods for evaluating possible losses.

Risk probability is an expert metric and is defined using a 4-grade scale presented in Table below:

 

Probability of Risk Occurrence Interval, % Score
Considerable >=80% 4
High 50-80% 3
Medium 20-50% 2
Low <=20% 1

 

Risk relevance characterizes the impact of the risk and is defined using a 4-grade scale presented in Table below:

 

Risk relevance (impact) Interval Value interpretation,

GBP million

Score
Critical over 2%*NI (see*) >=60 4
Significant from 1.5%*NI to 2%*NI 40-60 3
Material from 1%*NI to 1.5%*NI 25-40 2
Insignificant up to 1%*NI <=2 1

 

*NI – net income of the Company for the current financial year after tax; the NI value for the rating scale is updated every six months by the Compliance and Risk Management Function.

The rating scale of risk assessment by relevance and impact is standardized across all divisions and is passed down by the Compliance and Risk Management Function to the key employees (experts) in the Company divisions to conduct quality risk assessment.

KRIs are developed for each risk by structural divisions with the Compliance and Risk Management Function and characterize the likelihood of a risk and/or possible loss where such risk occurs.

KRIs are periodically monitored (monthly, quarterly, or yearly, depending on the type of risks) by the responsible employee of the Compliance and Risk Management Function and structural divisions.

11 RISK APPETITE PROCEDURE

Procedure for Defining Risk Appetite and Establishing Permissible Risk Boundaries and Limits. Risk appetite is an exposure to risk which, in the opinion of the Board of Directors, is acceptable for the Company or its structural units. This means that risk appetite corresponds to the Group’s available resources when a risk occurs.

Based on the risk appetite, the Board of Directors decides whether to take on the risk or work on reducing it. The risk appetite level is used for risk prioritization, by identifying risks that are critical to the Company operations. Risk appetite is evaluated in stages by reviewing strategic alternatives, project initiatives, setting strategic and current goals, development of risk assessment and management mechanisms. The level of corporate risk appetite is defined at least once a year in conjunction with the scheduled update of the

Company Risk Map. Risk appetite is calculated as a percentage of the Company profit in the current financial year and is the critical value of the Company total risk, an excess of which may result in failure to achieve the target growth rates of the Group Net Income.

The target indicator of NI growth rate (%) is defined by the CEO, approved by the Company’s Board of Directors and is dependent on stock price forecasts and capitalization targets.

According to the principle of separating decision-making levels, each level has its own risk appetite in exceptional circumstances, if the risk appetite level is exceeded, the risk can be accepted if its mitigation measures are economically ineffective, or bear greater risks.

However, failure to achieve the requisite risk appetite level does not mean that it is not necessary to mitigate the risk.

Compliance and Risk Management Function submits a proposal on risk appetite levels in the form of limits and other restrictions of permissible risks to the Risk Committee for review and approval. For critical risks, the risk appetite is approved by a decision of the Company’s Board of Directors and may not be exceeded without relevant permission.

Depending on the risk, limits can be set in relation to:
o Total risk of a division, business process, or project;
o Transaction or, group of transactions, of a certain type;
o Contractor or a group of contractors;
o Amount of expenses (loss); or
o Amount of profit and other indicators.

Limits should be aligned with risk related structural divisions.

In case of significant changes in the external and internal environment or KRI value, the Risk Manager or the structural division, whose activity is connected with the risk impact, can initiate a review of the permissible risk boundary, subject to a relevant approval.

12 RISK PRIORITIZATION AND CRITICAL RISKS
All risks described in the Company’s Risk Register, based on the assessment, should be prioritized by their degree of impact on the achievement of the Company strategic goals. This will allow the Company to define risks that are critical.

The risk prioritization process is organized by the Compliance and Risk Management Function.

A risk is considered critical if one of the following criteria are met:
o The risk relevance level is “critical”, the probability of occurrence is “medium” or higher (as per the rating scale of risk assessment by likelihood and impact);
o The risk relevance level is “significant”, the probability of occurrence is “high” or higher (as per the rating scale of risk assessment by likelihood and impact);
o Risk realization can influence the achievement of the Company strategic goals; or
o The Company strategy needs to be adjusted for the purpose of risk management.
o Risks that are deemed critical, following the results of prioritization, are subject to additional analysis by the Compliance and Risk Management Function and a further review by the Risk Committee, the CEO, the Audit Committee and the Board of Directors.
o Additional analysis includes an assessment of risks by engaging a larger number of experts and using the Delphi method (interactive forecasting method which relies on a panel of experts).
o Non-critical risks are managed by the Company authorized employees as part of their functional duties.

13 Risk Owners
For risks which are deemed critical during the prioritization process, Risk Owners are defined as the employees of the Company who are responsible for the development and implementation of risk management activities. The Compliance and Risk Management Function develops a list of owners of Critical Risks responsible for development and implementation of risk management activities based on the nature of each risk, factors relating to its occurrence, and the nature of potential losses and potential risk management activities. The list of owners of Critical Risks is agreed with the Risks Owners and approved by the Risk Committee.

14 Selection of Risk Management Methods
The Group applies the following risk management methods:
o Risk avoidance: Avoidance of action and/or decision making that is characterized by a high risk level.
o Risk acceptance: Risk is accepted if it cannot be influenced and all available risk mitigation methods are not economically feasible compared with the loss that may be caused by the occurrence of the risk. The Company management is aware of the risk and its characteristics and is consciously avoiding any measures that would influence the risk.
o Risk transfer: Transfer of risk, fully or partially, from one party to another based on a contract. For example, signing an insurance contract or outsourcing the process.
o Risk control/mitigation: Risk control by actively working to reduce the likelihood of, or reduce the potential loss from, the occurrence of the risk.

Key risk management instruments are presented in Table below:

Risk
management
methods Risk
management
instruments
Risk avoidance o Monitoring and internal control of risks; and
o Avoidance of activities, projects, transactions, other actions
Acceptance o Monitoring and internal control; and
o Creation of material and financial reserves
Transfer o Monitoring and internal control;
o Documenting the interface procedure of structural divisions during risk management;
o Defining the responsibility of managers of structural divisions;
o Insurance;
o Outsourcing; and
o Exceptions in the contract.
Control/mitigation o Monitoring and internal control;
o Defining the responsibility of managers of structural divisions for accepting risks that exceed permissible boundaries and/or limits;
o Establishing limits and permissible values of risk indicators;
o Documenting the interface procedure of structural divisions during risk management;
o Development of plans for minimizing consequences of risks occurring;
o Creation of material and financial reserves; and
o Diversification.

The choice of risk management methods and instruments is made by the Compliance and Risk Management Function and the structural division, whose activity relates to the risk. The selected methods are also based on the conducted risk assessment, and the potential losses and likelihood of risks occurring. For Critical Risks, risk management methods and instruments are reviewed by the Risk Committee and approved by the Board of Directors.

Original choice of risk management methods is executed by risk owners. Identification of insignificant risks may be reported to the Risk Committee during the next scheduled meeting. If Critical Risk is identified, it should be reported to the Compliance and Risk Management Function immediately. The Risk Committee should call an extraordinary meeting in order to select risk management methods and instruments for the indicated critical risks. An extraordinary meeting of the Risk Committee should be called by the Compliance and Risk Management Function. Critical Risk management methods and instruments are chosen by the Risk Committee and approved by the Board of Directors.

On a quarterly basis, selection of methods and instruments for risk management are to be reviewed to ensure the completeness and appropriateness of applied methods. Additional measures are to be taken if required.

15 DEVELOPMENT OF RISK MANAGEMENT ACTIVITIES
Development of activity plans for critical risk management aims to reduce losses and/or risk likelihood. The activities should be based on the economic feasibility principle – the cost of implemented activities should not exceed the expected loss from risk occurrence. Activity plans are developed by the Risk Owners and should contain a clear definition of tasks, responsible persons and due dates.

When developing critical risk management activities, risk interdependencies should be taken into account. The Compliance and Risk Management Function consolidates the developed activity plans, analyses the impact of each proposed activity on other risks and organizes cooperation between Risk Owners in order to optimize activity plans.
16 MONITORING OF RISK MANAGEMENT
Monitoring of risk management involves control of the risk level. Monitoring helps to track the dynamics of changes in the risk characteristics and whether the desired result from implementation of various risk management measures has been achieved. Monitoring is performed by the Compliance and Risk Management Function by collecting information on the critical risk dynamics and executing the plan of risk management activities received from the Risk Owners, and also by tracking the values of KRIs developed during risk identification and assessment process.

The Compliance and Risk Management Function reports the monitoring results to the Group’s Board of Directors.

Implemented activities can be adjusted or additional activities developed based on the monitoring results.

The Group’s risk management performance evaluation is carried out based on:
o Analysis of the change in dynamics of the risks assessment;
o Analysis of the integrity and completeness of the risk mitigation measures; and
o Change in the dynamics of KRIs.

In order to allocate responsibility for achieving target KRIs, they can be set as Key Performance Indicators for managers and divisions.
17 REPORTING UNDER THE INTERNAL CONTROL AND RISK MANAGEMENT
Presentation for the Board of Directors, Audit Committee, etc. are the presentation materials (in MS PowerPoint) including key information on risks and the status of the risk management process, current and future risk management tasks and the Company internal control system.

Internal control and risk management reporting documents ensure solving of risk management tasks, focus on a meaningful and transparent exchange of risk information, and provide information to decision makers.
Internal control and risk management regulatory documents are based on, aligned with and do not contradict the provisions of this Policy.