Risk Management

Risk Management System

Risk management at JSC FPC is a continuous and systematic process embedded throughout the organisation, integrated with business processes and aimed at mitigating exposure and strengthening the assurance that the objectives and goals of the Company will be achieved.

All units and divisions are involved in the risk management process within their scope of responsibility. The Risk Management Department is responsible for the overall coordination and methodological support of the risk management process, the creation and submission of reports to the management, and the risk management training for the Company's personnel.

The following documents serve as the foundation for risk management at JSC FPC:

  • Risk Management Policy of JSC FPC. Approved by the resolution of the Board of Directors (Minutes No. 11 dated 27 December 2019).
  • Methodological recommendations for determining the acceptable risk profile (risk appetite). Approved by the decision of the Board of Directors (Minutes No. 24 dated 2 July 2020).
  • Methodological recommendations on risk management and internal control. Approved by Order of the General Director of JSC FPC No. 258r dated 20 March 2020.
  • Regulations on interaction in the risk management and reporting process. Approved by Order of the General Director of JSC FPC No. 258r dated 20 March 2020.

In 2023, JSC FPC managed corporate‑wide risks in accordance with the above‑mentioned regulations. Lower‑level operational risks were managed in a simplified manner, with limited procedures.

The Internal Audit Department is responsible for assessing the reliability and effectiveness of the risk management and internal control system (RM&ICS).

Management principles

The Board of Directors approved the Risk Management and Internal Control Policy of JSC FPC (hereinafter, the Policy), which was developed in accordance with the Risk Management and Internal Control Policy of the parent company.

In accordance with the Policy, the main purpose of the RM&ICS is to provide reasonable assurance that the following will be achieved:

  • Strategic objectives
  • Operational objectives
  • Objectives in ensuring compliance with applicable international regulations, regulations of the Russian Federation and internal regulations of the Company
  • Objectives in ensuring the reliability, timeliness and quality of all types of reporting

The Risk Management and Internal Control Policy stipulates that RM&ICS organisation and functioning in the Company is to be carried out in accordance with the principles set out in GOST R ISO 31000‑2019 Risk Management. Principles and guidelines, namely:

  • Risk management creates and protects value
  • Risk management is an integral part of all organisational processes
  • Risk management is part of the decision‑making process
  • Risk management is explicitly associated with uncertainty
  • Risk management is systematic, structured and timely
  • Risk management is based on the best available information
  • Risk management is adaptable
  • Risk management takes into account human and cultural factors
  • Risk management is transparent and takes into account the interests of stakeholders
  • Risk management is dynamic, iterative and responsive to changes
  • Risk management contributes to the continuous improvement of the organisation

Main objectives of the RM&ICS

  • Creation of infrastructure and a regulatory and methodological basis for the effective functioning of the risk management process
  • Integration of risk management and internal control procedures into the strategic and operational activities of the Company, which will enable proactive responses to risks and negative changes in the external and internal environment (through planning and implementation of risk treatment activities)
  • Awareness‑building among RM&ICS participants and other stakeholders
  • Reduction in the number of unforeseen events that could have a negative impact on the achievement of JSC FPC’s goals
  • Central decision‑making bodies for risk management are its Board of Directors and the General Director. The Audit and Risk Committee of the Board of Directors and the Risk Management Committee, a collegial advisory body consisting of the relevant heads of FPC’s divisions and chaired by the Deputy General Director, function to develop recommendations for management decision‑making.

Improvement of the RM&ICS in 2023

Though 2023 was a challenging year, FPC's risk management system still facilitated increased adaptability of the Company, its core processes and systems. In turn, this made it possible to promptly adjust business objectives and form scenario options for the development of JSC FPC until 2025. Thus, the risk management system supported the achievement of the Company's objectives.

During 2023, the Programme for the Development of the Risk Management and Internal Control System at JSC FPC for 2023 was put into force, aiming to develop and improve the effectiveness of the RM&ICS:

  • Approaches to identifying, analysing and assessing the Company's risks were upgraded
  • Advanced training of risk owners was provided through one of the country's leading educational institutions
  • Automation of the risk management process continued, including the development and implementation of an automated risk indicator monitoring panel

The Internal Audit Department assessed the reliability and efficiency of the risk management and internal control process for 2023. Based on the results of the assessment, a conclusion was drawn that the risk management and internal control process at JSC FPC is functioning in accordance with the principles and approaches approved by the Board of Directors, COSO documents and GOST R ISO 31000‑2019. To further improve the efficiency of the risk management and internal control process, a number of relevant recommendations were prepared and an Action Plan was developed to eliminate the identified violations and deficiencies and to improve the risk management and internal control systems; all items of the action plan were implemented.

RM&ICS Improvement plans for 2024:

  • To develop the risk management system in line with the realisation of the project to improve and develop the integrated risk management model of the parent company
  • To finalise methodological materials in the area of risk management
  • To upgrade the skills and expertise of the staff involved at various levels
  • To continue to automate the risk management process
  • To further improve approaches to identifying, analysing and assessing the Company’s risks

Three lines of defence model

In its operations, JSC FPC uses an approach driven by the Three Lines of Defence Model, which is based on the sharing of roles and responsibilities. Each of the three lines increases the likelihood of JSC FPC successfully achieving its objectives.

Risk treatment methods applied

  • Risk avoidance – withdrawing from an activity or project associated with a particular (inherent) risk where other treatment strategies (risk mitigation, risk sharing, risk acceptance) are not economically viable or feasible. Given that any activity of the Company is associated with risks and complete withdrawal from any activity leads to its discontinuation, this strategy can be used to manage individual, specific risks (and/or new activities, projects).
  • Risk mitigation – risk treatment involving activities to reduce the likelihood of a risk event and/or the potential impact of its occurrence to an acceptable level. Risk mitigation activities may include both the deployment and execution of control procedures and the implementation of other measures (e.g., creating provisions to cover losses caused by a risk event).
  • Risk acceptance – method which involves no active risk treatment. It is used when:
    • the level of risk is at an acceptable level
    • risk avoidance, risk mitigation, risk sharing is economically inefficient or impossible (e.g., political or macroeconomic risks)
  • Risk sharing – transfer of a risk where the Company’s risk mitigation is ineffective, while the level of risk is not acceptable (the risk cannot be accepted) and third‑party services can be used for risk treatment. Risk sharing is mainly aimed to mitigate the consequences rather than the likelihood of risk occurrence.

Risk management structure

The risk management structure shown is in line with FPC’s Risk Management and Internal Control Policy.

Risk management process stages

In line with the Policy, the risk management process at JSC FPC has five stages:

1. Risk identification

2. Risk analysis and assessment

3. Risk treatment

4. Monitoring and review

5. Communication and consultation

As part of these processes, risk reports are prepared to be submitted to the executive bodies, Audit and Risk Committee, the Company’s Board of Directors and external stakeholders (if necessary), including information on risks, risk treatment measures and effectiveness of the RM&ICS.

Risk register

In 2023, risk aggregation was done to capture risks at the corporate level. Some of them remained in FPC's risk register, while others were taken into account as risk factors or consequences of other risks. The remaining risks are excluded from FPC's risk register due to their low or zero probability of realisation. The following year‑on‑year changes were recorded:

  • The total number of risks in the register decreased from 104 to 23
  • The number of key risks increased from 8 to 12
  • The number of risk owners was reduced to 15, with the heads of the remaining divisions involved in the risk management process as those responsible for key indicators and implementation of risk management measures.

Thus, as a result of the work carried out in 2023 to improve the RM&ICS and the risk management process in terms of risk identification, analysis and assessment (approaches to risk identification, analysis and assessment changed) and risk aggregation, a completely new risk register of JSC FPC was made, which is not comparable with the previous one in terms of both quantity and quality.

Key risks

The key risk register of JSC FPC for 2023 contains 12 risks which have been identified based on their impact on the achievement of the Company's goals and grouped into categories by business process.

Business process: Financial and economic management

Risk factors:

  • Failure to release rolling stock from maintenance and repairs
  • Diversion of rolling stock fleet (including leasing)
  • Violation of terms and conditions of concluded contracts by suppliers/contractors for the objects within the project
  • Macroeconomic factors, including increased inflation rates, taxation in the Russian Federation and external sanctions
  • Increase in the cost of tariffs for counterparty services
  • Change in carriage‑km is not proportional to passenger‑km travelled

Risk treatment measures:

  • Redistribution of the carriage fleet between branches to maximise its efficient use
  • Optimising the amount of traffic
  • Redistribution of repair volumes to third‑party car repair organisations
  • Amendments to contracts
  • Claims handling with suppliers/contractors on issues of rolling stock supply
  • Organisation of multi‑group and two‑group trains
  • Agreement with contractors on the amount of indexation of tariffs for their services not exceeding the deflator index
  • Preferential loaning

Business process: Security assurance

Risk factors:

  • Failure of hardware and (or) software parts of automated systems, computing and peripheral equipment, communication and telecommunication devices
  • Lack of possibility to purchase/upgrade equipment, software, licences
  • Emergency
  • Insufficient provision of stationary facilities with technical and primary fire safety means
  • Exacerbation of political, social, national and religious tensions
  • Increase in terrorist acts

Risk treatment measures:

  • Analysis of the status and efficiency of the system for protecting information resources and software and hardware of JSC FPC
  • Implementation of a unified technical policy in the field of information security with the parent company
  • Enhancement of FPC's information security
  • Planning and control over the implementation of information security measures at FPC’s facilities

Business process: Shaping and implementing a marketing policy

Risk factors:

  • Lowered appeal of domestic tourism
  • Competition with alternative modes of transport
  • Shortage of rolling stock
  • Macroeconomic situation
  • Cancellation of the airport closure regime, as well as resolution of associated problems related to aircraft operations
  • User‑friendliness of the Loyalty Programme
  • Quality of catering and service provision in dining carriages
  • Quality of service in ticketing
  • Usability of the mobile app
  • Website usability
  • Quality of services and passenger care in the carriage
  • Quality and sanitary safety of children carried
  • Quality of work and content of the Poputchik portal

Risk treatment measures:

  • Implementation of marketing promotions and tariff management
  • Expansion of the menu based on modern trends in healthy eating, setting the frequency of menu updates (seasonality)
  • Upgrading of dining carriages
  • Increase the share of e‑ticket sales
  • Introduction of children's compartments in trains, hot meals for children
  • Better cleaning quality before and during the trip
  • Elaboration of the issue of train escort by private security companies and the Ministry of Internal Affairs
  • Update of content on the Poputchik portal, improvement of the interface and quality of internet connection
  • Redundancy of critical infrastructure nodes
  • Investigation of fire incidents, analysis of these incidents and organisation of measures for their prevention
  • Equipping stationary facilities with technical fire safety equipment, installation of alarm and fire extinguishing systems, provision of primary fire extinguishing equipment
  • Establishment of transport security control points at each branch of JSC FPC
  • Installation of video surveillance and registration systems in the carriages

Business process: Compliance

Risk factors:

  • Significant change in environmental legislation
  • Emergencies, natural disasters
  • FPC managers and employees at all levels of corporate governance violated the requirements of anti‑corruption legislation and FPC's anti‑corruption regulations
  • Unauthorised access to FPC's information systems
  • Industrial espionage

Risk treatment measures:

  • Planning and implementation of investment projects of environmental significance (wastewater treatment facilities, carriage washing facilities, storm sewers)
  • Measures of the FPC Anti‑Corruption Plan for 2021–2024
  • Analysis of the status and efficiency of the system for protecting information resources and software and hardware of JSC FPC
  • Implementation of a unified technical policy in the field of information security with the parent company
  • Orchestration of measures to protect personal data, confidential and insider information, information constituting a trade secret of the Company, and ensuring the information security of JSC FPC

Risk map

The risk map was designed to visualise the significance of risks in the Company. The Y‑axis of the risk map displays the magnitude (degree) of the impact of identified risks on JSC FPC’s operations, while the X‑axis shows the likelihood of their occurrence.

Map of FPC's key risks for 2023 (grouped by business processes)

Relations of key risks and the Company’s strategy

FPC's Development Strategy until 2030 defines the following list of strategic benchmarks:

  • Passenger departures
  • Revenues
  • EBITDA
  • Net debt/EBITDA
  • Carriage acquisition volume

In 2023, the following factors had the main impact on the key performance indicators:

  • Improvement of the macroeconomic situation expressed in the above‑the‑target growth of GDP, real disposable household income
  • Changes in the structure of domestic traffic due to continued restrictions on flights in the south of Russia (closure of airports) and a reduction in the number of aircraft

The Strategy outlines a number of strategic projects that drive the achievement of the objectives set. FPC implements strategic initiatives while taking into consideration the macroeconomic conditions in the country and making the necessary modifications to the pace, scale and resource requirements.

Since key risks may have a significant negative impact on JSC FPC’s operations, the achievement of strategic goals, and the implementation of the Strategy, the Company pays due attention to managing its key risks. The register of key risks is approved by the General Director based on a decision of the Board of Directors (taken after the review of the register) and taking into account the opinion of the Audit and Risk Committee of the Board of Directors. The Board of Directors then supervises the implementation of risk treatment measures by the divisions.

Sustainable development risks

JSC FPC also identified sustainability risks and their possible consequences for the Company should they occur, and developed measures to treat them.

Sustainable development risk register

1. Risk: Occurrence of transport accidents and other events related to violation of railway transport safety and operation rules

Possible consequences:

  • Material damage
  • Reputational damage
  • Threat to the health and life of passengers

Risk treatment measures:

  • Development of organisational and technical arrangements for the remit of the divisions involved
  • Claims handling work
  • Investigation of traffic safety violations, development of organisational and corrective action plans for identified cases

2. Risk: Decrease in passenger satisfaction with the quality of service

Possible consequences:

  • Decrease in revenues from transportation activities

Risk treatment measures:

  • Revision of JSC FPC's Catering Standard
  • Expansion of the menu based on modern trends in healthy eating, setting the frequency of menu updates (seasonality)
  • Upgrading of dining carriages
  • Increase the share of e‑ticket sales
  • Improved usability of the application
  • Enhanced usability of the website
  • Introduction of children's compartments on trains
  • Organisation of hot meals for children
  • Elaboration of the issue of train escort by private security companies and the Ministry of Internal Affairs
  • Update of content on the Poputchik portal, improvement of the interface and quality of internet connection

3. Risk: Violation of environmental laws

Possible consequences:

  • Fines and penalties, reputational losses

Risk treatment measures:

  • Planning and implementation of investment projects of environmental significance (wastewater treatment facilities, carriage washing facilities, storm sewers)
  • Training of managers and specialists responsible for environmental protection
  • Timely/unscheduled repairs of fixed assets and equipment

4. Risk: Risk of violation of industrial safety requirements

Possible consequences:

  • Causing harm to human life and health
  • Penalties imposed by supervisory authorities
  • Damage to property of third parties

Risk treatment measures:

  • Replacement of devices that are beyond their normal service life
  • Development/updating of internal regulatory documents
  • Training and certification of managers and specialists

5. Risk: Shortage of rolling stock

Possible consequences:

  • Decrease in revenues from transportation activities

Risk treatment measures:

  • Redistribution of the carriage fleet between branches to maximise its efficient use
  • Optimising the amount of traffic
  • Redistribution of repair volumes to third‑party car repair organisations

6. Risk: Work‑related injuries

Possible consequences:

  • Penalties in accordance with the Code of Administrative Offences, payments in accordance with the Collective Bargaining Agreement

Risk treatment measures:

  • Timely provision and control of the use of PPE by employees
  • Investigation of occupational injuries followed by development of corrective measures
  • Training of personnel in occupational safety requirements
  • Special assessment of working conditions at workplaces
  • Development of local regulations in the field of occupational safety

7. Risk: Illegal disclosure (loss, transfer) of information constituting a trade secret, personal data and insider information of the Company

Possible consequences:

  • Deterioration of business reputation
  • Material damage

Risk treatment measures:

  • Analysis of the status and efficiency of the system for protecting information resources and software and hardware of JSC FPC
  • Implementation of a unified technical policy in the field of information security with the parent company
  • Orchestration of measures to protect personal data, confidential and insider information, information constituting a trade secret of the Company, and ensuring the information security of JSC FPC