Control system

The Company has in place an internal control system covering key business processes and all management levels across the Group. The internal control system integrated into the Company’s corporate governance processes is geared towards achieving the goals related to accurate financial reporting and operational efficiency as well as compliance goals.

The system comprises the following control bodies:

Audit Commission

The Audit Commission is Nornickel’s standing internal control body that monitors its financial and business operations. The five members of the Audit Commission are elected annually at the Annual General Meeting of Shareholders.

Audit Commission’s performance

In 2022, the Audit Commission audited Nornickel’s business operations for 2021, with the auditors’ report presented to the shareholders as part of materials for the Annual General Meeting of Shareholders. Results of the audit of the Company’s business operations for 2022 will be reported to the Annual General Meeting of Shareholders in 2023.

The Annual General Meeting of Shareholders on 3 June 2022 elected the Audit Commission as follows: Alexey Dzybalov, Anna Masalova, Georgy Svanidze, Eduard Gornin, Elena Yanevich.

Internal audit

The Company has set up the Internal Audit Department to assist the Board of Directors and executive bodies in better managing the Company and improving its financial and business operations through a systematic and consistent approach to the analysis and evaluation of risk management and internal controls as tools providing reasonable assurance that Nornickel will achieve its goals.

The Internal Audit Department conducts objective and independent audits to assess the effectiveness of the internal control system and risk management system. Based on the audits, the Department prepares reports and proposals for management on improving internal controls, and monitors the development of remedial action plans.

In order to ensure independence and objectivity, the Internal Audit Department functionally reports to the Board of Directors through the Audit Committee and has an administrative reporting line to Nornickel’s President. MMC Norilsk Nickel has in place an Internal Audit Policy approved by the Company’s Board of Directors in 2022.

In 2022, the Audit Committee:

• reviewed the annual audit plan and internal audit development plans
• reviewed bonus-related performance targets (KPI scorecards) of the Internal Audit Department Director
• discussed the results of completed audits, including gaps identified and corrective actions designed by management to improve internal controls and minimise risks
• reviewed the results of internal audit self-assessment.

The Audit Committee commended the work of the Internal Audit Department in the reporting period.

In 2022, the Internal Audit Department audited the following areas:

• H&S and environmental risk management
• Progress on the Company’s major investment projects
• Corporate governance processes
• Control over IT assets and IT projects

During some audits, the Department made use of data analysis tools to process significant data volumes and present them graphically. For some business areas, the Department uses the continuous auditing method.

The Internal Audit Department performed an annual performance evaluation of Nornickel’s corporate risk management system (CRMS) and internal control system (ICS) for 2022 and concluded that the Company’s CRMS and ICS as a whole operate effectively, but there were some comments. The evaluation results were reviewed at an Audit Committee meeting and a meeting of the Company’s Board of Directors.

Based on the recommendations issued during the audits, management developed corrective actions and implemented a total of 270 such actions over 2022. The actions included updating regulatory documents, developing new or amending existing control procedures, communicating them to employees, training employees, and identifying and assessing risks. The Internal Audit Department uses SAP AM, an automated internal audit solution, to continuously monitor the implementation of initiatives developed by management, with the resulting insights on types and number of initiatives regularly reviewed by the Audit Committee.

Internal control

The Internal Control Department regularly monitors the Company’s high-risk business processes – procurement and investment activities, capital construction and corporate insurance transactions, as well as the reliability of the existing systems of accounting for metal-bearing products. The Company also continuously monitors compliance with regulatory requirements to combat the unlawful use of insider information and market manipulation, as well as money laundering, terrorist financing and proliferation financing.

The performance and maturity of internal control system elements are evaluated annually as part of an external financial statement audit and internal control system self-evaluation. Reports containing the internal control system evaluation results are reviewed by Nornickel’s management and the Audit Committee of the Board of Directors.

In May 2022, Nornickel rolled out an automated risk management and internal control system based on an SAP GRC solution. The system maintains data on the Company’s internal control system, runs procedures to assess its effectiveness and generates reports.

The Financial Control Service audits financial and business operations of Nornickel and its subsidiaries to make updates and recommendations for the President and members of the Board of Directors. The Head of the Financial Control Service is appointed by resolution of the Board of Directors.

Corporate Trust Line

Nornickel runs the Corporate Trust Line speak-up programme established to respond promptly to reports of non-compliance, wrongdoing or embezzlement, violation of employees’ rights, and breach of ethical standards or rules of conduct by employees. Employees, shareholders and other stakeholders can report any actual or potential actions that cause or may cause financial or reputational damage to Nornickel. All reports submitted via the line are registered, assigned a unique number and investigated. The key principles underlying the operation of the Corporate Trust Line include data privacy and guaranteed anonymity for whistleblowers who wish to remain anonymous, as well as timely and unbiased review of all reports. Nornickel will in no circumstances retaliate against an employee who raises a concern via the Corporate Trust Line, meaning that no disciplinary action or sanction will be taken (dismissal, demotion, forfeiture of bonuses, etc.). If pressure on a whistleblower is reported, the Company conducts mandatory investigations of such reports and thoroughly reviews their findings. Whistleblower status is regularly monitored at all levels to identify cases of undue pressure.

Reporting channels (24/7):

• Phone: 8 800 700 1941, 8 800 700 1945
• Email: skd@nornik.ru
• Reporting form on Nornickel’s website:Corporate Trust Line – Nornickel

Over the past three years, the Corporate Trust Line has not received any reports classified as corrupt practices. For more details on report statistics, please see the Sustainability Report.

Anti-corruption

Nornickel compiles with anti-corruption laws of the Russian Federation and other countries in which it operates, as well as with any applicable international laws and Nornickel’s internal documents. Nornickel openly declares its zero tolerance for corruption in any form or manifestation. Members of Nornickel’s Board of Directors / Management Board and senior management role model a zero-tolerance approach to corruption in any form or manifestation at all levels across the organisation.

In line with legal requirements and its voluntary commitments, Nornickel actively implements and improves anti-corruption measures. The Company has established uniform requirements for giving and receiving business gifts applicable to all employees, which are set forth in the Regulations on Business Gifts, with record keeping and tracking in place for entertainment expenses. Regular anti-corruption due diligence of internal documents ensures that they present no potential for corruption.

We perform annual assessment and quarterly monitoring of corruption risks.

Every two years, Nornickel submits to the Russian Union of Industrialists and Entrepreneurs a Declaration of Compliance with the Anti-corruption Charter of the Russian Business to confirm its compliance with anti-corruption requirements.

Nornickel annually publishes statistics on recorded corruption incidents in its Sustainability Report, demonstrating its commitment to openness and transparency to stakeholders.

When recruited, all Company employees familiarise themselves with anti-corruption documents, sign an agreement setting out their anti-corruption responsibilities and take an anti-corruption induction briefing.

Nornickel regularly trains its employees and involves them in implementing anti-corruption programmes. All Company employees take an annual online anti-corruption training course, while all HR Department employees take a course on compliance with anti-corruption laws. As of the end of 2022, 100% of employees were trained to be familiar with the Group’s anti-corruption policies and methods. Over the year, the training on statutory requirements and provisions of corporate anti-corruption regulations covered 31 people.

Timely identification and prevention of conflicts of interest are also key to our anti-corruption efforts. The Company has in place an approved standard reporting form to be filled by candidates applying for vacant positions at Nornickel and individuals signing an independent contractor agreement with the Company. The Company set up standing conflict of interest commissions across the organisation to enhance the effectiveness of preventing, identifying and resolving conflicts of interest, as well as to ensure legal compliance and improve corporate culture.

Nornickel maintains the dedicated Anti-corruption section on its website, providing information on its anti-corruption regulations and measures taken to combat and prevent corruption, offer legal education, and promote lawful behaviours among employees.

In order to mitigate potential risks associated with contractor engagement, Nornickel evaluates business standing, integrity and solvency of its potential counterparties. To prevent procurement misconduct and maximise value capture through unbiased selection of best proposals, Nornickel’s procurement owner, customer and secretary of a collective procurement body adhere to the following rules:

• Procurement relies on the principle of division of roles;
• Commercial proposals submitted by suppliers are compared using objective and measurable criteria approved prior to sending a relevant request for proposal;
• The selection results and the winning bidder in the material procurement process are approved by the collective procurement body comprised of representatives from various functions of Nornickel;
• A Master Agreement containing an anti-corruption clause is signed with each supplier or updated on an annual basis. The anti-corruption clause outlines the course of action to be taken between the supplier and Nornickel with respect to risks of abuse. Moreover, by signing the Master Agreement, suppliers acknowledge that they have read the Company’s Anti-Corruption Policy.

In 2022, to develop and improve its anti-corruption compliance system, the Company:

• approved a unified approach to adopting anti-corruption regulations and controls throughout the Group
• delivered training in the basics of anti-corruption compliance to Group employees responsible for implementing anti-corruption measures
• revised and updated its anti-corruption procedural documents.

The Company is also reviewing its approach to assessing corruption risks related to contractor engagement.

Antitrust compliance

An antitrust compliance system in place at the Company since 2017 establishes the processes for the timely prevention, identification and elimination of causes and conditions facilitating antitrust violations and ensures compliance of the Company and its corporate entities with applicable laws.

Federal Law No. 135-FZ On Protection of Competition dated 26 July 2006 was amended in 2020 to set requirements for internal antitrust compliance regulations of organisations and establish the right of organisations to submit these regulations to the Federal Antimonopoly Service and obtain its opinion upon confirmation of compliance. The Company was the first in Russia to use the new statutory procedure to obtain a confirmation of the Federal Antimonopoly Service that its antitrust compliance system meets legal requirements, issued on 25 March 2021.

In 2022, the Federal Antimonopoly Service and/or its territorial bodies did not find any antitrust violations by the Company or by Group enterprises; and no administrative action was taken against Group enterprises for such violations.

Corporate security

Nornickel’s corporate security system management is based on a set of programmes to ensure economic, corporate and information security.

In March 2022, the Board of Directors approved the Corporate Fraud Policy. It underlies the consistent measures implemented to prevent, identify and combat abuses and manifestations of corporate fraud, as well as signs of corruption. The policy requirements are aligned with the principles of fair and responsible business conduct, as well as with the Company’s commitment to improving its corporate culture and ensuring compliance with corporate governance best practice and high ethical standards.

Measures to protect production, transport and energy sector facilities against terrorism and to prevent unlawful interference in their operations are implemented on a scheduled basis.

In 2022, Nornickel conducted a total of 706 trainings, 46 general and 12 tactical and special drills.

The Company collaborates with external contractors to ensure the safety of its facilities, making sure that contractor activities respect human rights, including those of employees of private security organisations. Respect for human rights is incorporated in the regulations of the Corporate Security Unit.

Information security

In 2022, the Company’s information security strategy was adapted and adjusted as many foreign IT and information security companies withdrew from Russia and new legal requirements were introduced during the year.

In the reporting year, Nornickel established a subsidiary, Nornickel Sfera, to ensure information security across the Group. The company has extensive technical competencies across core information and process security areas and offers a full range of key services to Group enterprises. Going forward, Nornickel Sfera will expand the coverage and range of its services.

Nornickel has developed an import substitution plan covering information security solutions and took extra steps to protect its enterprises’ technological infrastructure and mitigate risks.

With some employees still working remotely, the Company is taking extra precautions to ensure the information security of its corporate resources and infrastructure. These include more stringent security requirements for remote computers and devices used in audio and video conferencing; remote work is monitored on a daily basis, with users guides and instructions updated as necessary. The Company has expanded the scope of systems security inspections and audits for compliance with information security requirements to timely identify and eliminate vulnerabilities that can be exploited by attackers.

Programmes

The Company has in place relevant information security processes, including:

• identification and classification of data assets;
• raising awareness;
• managing access to data assets;
• security analysis;
• risk management;
• information security incident management;
• review of projects’ information technology and automated process control systems (APCSs) for compliance with information security requirements.

In 2022, as part of an ongoing process of identifying and classifying data assets, the Company identified key business applications and is actively implementing plans to align them with corporate information security standards by embedding the required solutions and information security tools.

In view of new sanctions risks and the growing number of cyber threats to the technological IT infrastructure, Nornickel has developed approaches to, and plans for, implementing a suite of projects to create systems protecting the Company’s technological and operating processes. The Company’s priorities have shifted towards establishing a basic level of infrastructure security across its key enterprises and complying with the Russian President’s core executive orders on import substitution. The Company maintains a strong focus on complying with information protection requirements in APCS development and upgrade projects.

Nornickel has taken measures to ensure the provision of information protection tools, reviewed the procedure for updating system and application software, and ensured control over the updates.

In line with the plan, the Company has finished rolling out process protection equipment across its key production sites as well as at the gas facility transporting energy resources to the Norilsk Industrial District so as to improve process safety compared to 2020 and 2021.

Industrial automation systems across all production sites have been audited for compliance with internal information security standards, which enables the Company to develop effective plans and take measures to improve information security over the next two years.

Import substitution

Since many foreign suppliers of information security solutions have left the Russian market, as well as to comply with new legal requirements, Nornickel has joined the import substitution process as regards information and communication technologies, including industrial automation systems. The Company selects, tests and rolls out Russian technology solutions in close contact with its industry peers.

Cyber incident response system

The Company’s Information Security Incident Response Centre uses advanced technical solutions as well as Russian and global best practices in managing cyber defence. Seamless information security processes and procedures have been developed and documented to ensure business continuity in the event of incidents and emergencies. These procedures are tested for relevance at least once a quarter.

To prevent confidential information leaks, the Company has introduced special safeguards to detect unauthorised data retrieval through primary channels, including via email and file exchange platforms. If unauthorised attempts to retrieve confidential information are identified, an internal inspection and investigation procedure is initiated in accordance with the Company’s current regulations.

Suspicious activity reporting process

If users detect suspicious content or activities, the Information Security Incident Response Centre is notified accordingly via a corporate communication channel. The Centre assesses the potential disruptive impact on the Company’s IT systems and ensures the planning and implementation of measures to prevent and respond to incidents.

The Information Security Incident Response Centre operates across the Company’s key regions of operation. Over the year, the Centre’s employees processed over 1 thousand incidents, handling over 20 thousand information security events in total.

In 2022, the number of cyber attacks on Russian companies increased significantly. Additional comprehensive efforts were made to mitigate risks, including proactive measures to protect the Company’s IT infrastructure.

The Response Centre has always closely cooperated with similar units of private companies and regulators. The Company has maintained its effective partnership with the National Coordination Centre for Computer Incidents, with a relevant cooperation agreement already in its second year.

Training and communication

The Company is strongly focused on improving employee awareness about information security principles and digital hygiene.

New hires are introduced to corporate information security requirements and have an additional induction briefing. A total of almost 7 thousand new employees were introduced to information security requirements in 2022, and about 5 thousand had additional induction briefings on information security. Annual employee trainings also take account of current trends and newly identified risks and cyber threats. In 2022, 67 scheduled and three unscheduled e-learning courses were delivered, with almost 13.5 thousand Group employees trained in total.

Furthermore, the Company runs regular drills including simulations of phishing attacks and other fraudulent practices that affect users. Following the drills, instructions for employees are updated.

In addition, the Company uses regular dedicated newsletters to improve employee awareness about current information security threats and digital hygiene.

An information security bulletin is prepared for the Company's management on a quarterly basis, detailing measures to protect critical information infrastructure, project activities, cyber risks, anti-phishing efforts, as well as major information security incidents and trends.

Certification

In line with international best practices, Nornickel enterprises have in place information security management systems (ISMSs) compliant with ISO/IEC 27001:2022 requirements. In 2022, four of Nornickel’s enterprises had the high effectiveness of their information security management processes confirmed:

• Murmansk Transport Division
• Nadezhda Metallurgical Plant (Norilsk Division)
• Copper Plant (Norilsk Division)
• Talnakh Concentrator (Norilsk Division)

Despite the fast-paced external changes, Nornickel’s team has succeeded in maintaining continuous compliance with international standards. The certificates obtained are an international information security standard driving a consistent and structured approach and helping identify and mitigate relevant risks. The successful completion of the certification process testifies to the high level of maturity of Nornickel’s information security systems and approaches.

The preparedness of the Company’s enterprises to respond to new threats and challenges has been praised by an external auditor, who has also confirmed that previously identified issues have been addressed. Employees involved in the operation of the ISMS showed excellent knowledge of information security, and the Company as a whole demonstrated that it can control risks and is prepared for unexpected changes when achieving its goals relating to the security of production processes.

Nornickel’s efforts to develop and implement advanced cyber security solutions for industrial assets have been repeatedly acknowledged by the professional community and industry associations.

Management involvement in information security

Nornickel’s Information Security Policy applies to all employees and includes the engagement boundaries and responsibilities of the Board of Directors and the Management Board in this regard. Their responsibilities include, among other things, reviewing information security risks and budgets for relevant programmes and projects. Risks are monitored on a regular basis through dedicated committees and corporate reporting.

Partnerships and best practice sharing

At the national level, the Information Security in Industry Club, an industry association founded by Nornickel in 2017, has been successfully operating for five years now. Information security managers of major Russian industrial holding companies are involved in its activities. Over the years, the Information Security in Industry Club has become a recognised platform for discussing ongoing security issues dealing with the use of information and communication technologies, and for sharing experience and best practices in protecting industrial information systems.

In international information security, Nornickel cooperates with the Security Council of the Russian Federation and the Ministry of Foreign Affairs of the Russian Federation, contributing to the development and discussion of position papers in this area. The Company also participates in the National Association for International Information Security and cooperates with the International Information Security Research Consortium.

The development and international promotion of precious metal supply chain security is an important aspect of the Company’s engagement with its business partners: Nornickel participates in dialogues on this issue on international platforms, including the Security Committee of the International Platinum Group Metals Association. In September 2022, Nornickel also ran a session on cybersecurity at a meeting of the above committee in South Africa held in person for the first time after a long break, where the Company shared its experience of creating a distributed information security management system and highlighted key approaches to maintaining the continuity of IT-driven production processes.

For more details on the information security risk, please see the Key Risks in 2022 section of this Annual Report.

Personal data protection

The Company has developed, implemented and put in practice a set of organisational and technical measures to protect the personal data of different types of owners (including the protection of third parties’ personal data) and ensure compliance with Russian laws. Technical protection involves anti-virus protection, leak prevention, monitoring of removable devices, and analysis of security incidents.

Independent audit

An independent auditor for Nornickel’s financial statements is selected through competitive bidding in accordance with the Company’s established procedure. The Audit Committee of the Board of Directors reviews the shortlist and makes a recommendation to the Board of Directors on the proposed auditor to be approved by the Annual General Meeting of Shareholders of MMC Norilsk Nickel.

In 2022, the General Meeting of Shareholders approved Kept as the auditor for RAS and IFRS financial statements for 2022 on the recommendation of the Board of Directors.