Risk management system

The existing corporate risk management system is integratedFor risk management to be effective, process risk management should be fully integrated into the organisation’s risk management framework and processes (GOST R 51901.7‑2017). into the Company’s business processes and enables effective risk‑based decisions at various organisational levels to achieve strategic and operational goals.

The risk management system is based on the principles and requirements set forth in Russian laws, as well as professional standards, including the Corporate Governance Code recommended by the Bank of Russia, GOST R ISO 31000‑2019 Risk Management. Principles and Guidelines, COSO Enterprise Risk Management – Integrating with Strategy and Performance, and Recommendations for Public Joint Stock Companies to Organise Risk Management, Internal Controls, Internal Auditing, and the Work of Auditing Committees Under Boards of Directors (Supervisory Boards) (Appendix to the Bank of Russia’s Letter No. IN‑06‑28/143 dated 1 October 2020).

To manage production and infrastructure risks, Nornickel develops, approves, updates, and tests business continuity plans to maintain operations and take recovery steps in case of emergency.

Nornickel has set the following key risk management objectives:

Increase the likelihood of achieving the Company’s goals

Improve resource allocation

Boost Nornickel’s investment case and shareholder value

Risk management framework

Board of Directors

Audit Committee of the Board of Directors

  • Approving the Corporate Risk Management Policy
  • Supervising the development of the risk management system
  • Approving the Corporate Risk Appetite Statement (annually)
  • Managing strategic risks on an ongoing basis
  • Reviewing and approving the risk management development roadmap and assessing its implementation status (annually)
  • Reviewing reports on strategic and key risks (annually/quarterly)
  • Assessing risk management effectiveness at Nornickel (annually)

Management Board

Risk Management Committee of the Management Board

  • Reviewing strategic risks and reports on key risks
  • Reviewing materialised risks and lessons learned
  • Reviewing risk appetite metrics
  • Making decisions related to key risk management
  • Reviewing business continuity plans
  • Reviewing the strategy and development plans for the corporate risk management system (CRMS) and internal control system (ICS)
  • Reviewing the performance of dedicated risk management committees within business verticals

Internal audit

  • Making independent assessments of the effectiveness of risk management, internal controls, and corporate governance (annually)

Internal control

  • Providing methodological support and participating in risk assessment of business processes

Risk Management Service

  • Developing and updating the risk management methodology
  • Preparing reports on Nornickel’s top risks (quarterly)
  • Preparing reports on strategic risks (annually)
  • Enhancing quantitative risk assessment with simulation modelling tools
  • Improving the Company’s business continuity management system
  • Introducing the practice of using risk appetite
  • Ensuring employee training in practical approaches to risk management
  • Preparing the CRMS Development Roadmap, including based on regular maturity assessments

Risk owners

  • Providing day‑to‑day risk management within the integrated risk management model, including risk identification, analysis, assessment, and/or prioritisation, as well as development and execution of response plans and mitigation measures
  • Risk‑based decision making

In 2024, the Company completed the following projects and initiatives to develop, improve, and maintain the maturity of its risk management system:

  • Further improved automation tools for investment project risk management as well as integration between risk management and budget planning processes through an existing GRC system
  • Updated the quantitative assessment of the cumulative impact of risks on functional strategies
  • As part of risk culture fostering initiatives, provided training for Company employees, prepared an e‑course on investment project risk management, and developed a risk culture self‑diagnostic tool
  • Maintained regular activities of the Management Board’s Risk Management Committee and dedicated function‑level risk management committees
  • Ran a quantitative assessment of the cumulative impact of key risks on the Company’s 2025 budget as well as an analysis of the budget sensitivity to key risks, with follow‑up risk management measures included in the budget
  • Monitored Company‑level and division‑level risk appetite metrics
  • Further improved quantitative assessment tools for operational risks
  • Ran regular quantitative assessments of investment project risks
  • Had the ESG risk management system independently assessed by a third party, confirming its high effectiveness

In line with risk management system improvement plans, the following areas have been prioritised for 2025:

Enhancing the methodology to analyse, assess, and manage various categories and types of risks

Further automating risk management system functionality

Expanding the scope of quantitative risk assessment in strategic and operational planning

Applying and enhancing the concept for assessing long‑term climate‑related risks in line with TCFDTask Force on Climate‑related Financial Disclosures. requirements

Key strategic risks

The Company’s strategic risks were updated in 2024. Nornickel sees the following groups of risks as its key risks:

Increase in the Company’s staffing shortage

Lower demand for the Company’s products

Lower productivity and disruptions of operations

Failure to achieve targets to reduce environmental footprint

Insurance

Insurance is an essential tool used to manage risks while protecting the property interests of Nornickel and its shareholders against any unforeseen losses related to operations, including due to external effects.

Nornickel has centralised its insurance function to ensure the consistent implementation of its uniform insurance policy and standards. The Company annually approves a comprehensive programme that defines key parameters by insurance type, key business area, and project. Nornickel has developed and implemented a corporate insurance programme that covers assets, equipment failures, and business interruptions across the Group as well as enterprises in the core production chain, all on the same terms. The directors’ and officers’ liability, freight, information risks, construction and installation, various vehicles, and other types of liability insurance programmes of the Company are also centralised and promote continuity.

The Company applies industry best practice and leverages insurance market trends to negotiate the best insurance and insured risk management terms.

Risk map

Risk

Price risk

Market risk

Financial risks

Technical and production risk

Investment project risks

Health and safety risks

Permafrost degradation

Supply chain risks

Compliance risk

Information security risks

Environmental risks

Low water levels in rivers

Social risk

Year‑on‑year

Risk increased year‑on‑year

Risk decreased year‑on‑year

Risk has not changed year‑on‑year

Risk: effect of uncertainty on objectives (ISO / GOST R 31000).

Risk source: element which alone or in combination has the potential to give rise to risk (ISO / GOST R 31000). The assessment takes into account the predominance of external or internal factors.

The Effect on Nornickel’s Objectives scale shows the relative impact of risks.

A high‑level map of Nornickel’s material risks leverages global best practices in risk management. The risk map ranks material risks by effect on the Group’s objectives and by source.

Changes in risk status in 2024 mainly reflect the effect of mitigating measures and changes in multiple external factors on the Company as it adapted to a new normal.