Control system

The Company has in place an internal control system (ICS) covering key business processes and all management levels across the Group.

The internal control system integrated into the Company’s corporate governance processes is geared towards achieving the goals related to accurate financial reporting and operational efficiency as well as compliance goals.

Audit Commission

Audit Commission’s performance

In 2023, the Audit Commission audited Nornickel’s business operations for 2022, with the auditors’ report presented to the shareholders as part of materials for the Annual General Meeting of Shareholders. Results of the audit of the Company’s business operations for 2023 will be reported to the Annual General Meeting of Shareholders in 2024.

The Annual General Meeting of Shareholders on 6 June 2023 elected the Audit Commission as follows: Alexey Dzybalov, Anna Masalova, Georgy Svanidze, Eduard Gornin, and Elena Yanevich.

Internal audit

Internal audit at the Company is performed by the Internal Audit Department, which was set up to assist the Board of Directors and executive bodies in better managing the Company and improving its financial and business operations through a systematic and consistent approach to the analysis and evaluation of risk management and internal controls as tools providing reasonable assurance that Nornickel will achieve its goals.

The Internal Audit Department conducts objective and independent audits to assess the effectiveness of the ICS and the corporate risk management system (CRMS). Based on the audits, the Department prepares reports and proposals for senior management on improving internal controls and monitors the development of remedial action plans.

In order to ensure independence and objectivity, the Internal Audit Department functionally reports to the Board of Directors through the Audit Committee and administratively to Nornickel’s President. The Company has in place an Internal Audit Policy approved by the Board of Directors.

In 2023, the Audit Committee:

• updated the Guidelines for Assessing the Corporate Risk Management System
• discussed the Department’s performance in 2022, 6M 2023, and 9M 2023, including the results of completed audits, gaps identified, and remedial actions designed by management to improve internal controls and minimise risks
• reviewed the results of internal audit self‑evaluation
• reviewed the annual audit plan of the Internal Audit Department
• approved KPI scorecards of the Internal Audit Department Director.

The Audit Committee commended the work of the Internal Audit Department in the reporting period.

In 2023, the Internal Audit Department audited the following areas:

• Operation of automated process control systems (APCS) at the Company’s production facilities
• Progress on the Company’s strategic investment projects
• Shipping the Company’s cargoes by sea and river
• Corporate governance processes
• Controls over IT assets and IT projects

The Internal Audit Department is strongly focused on driving the adoption of digital data processing methods. For instance, in 2023, the Department leveraged data analysis tools to audit procurement processes, processing significant data volumes and presenting them graphically – the capabilities unlocked by advanced‑analytics approaches.

In the reporting year, the Internal Audit Department also performed an annual performance evaluation of the Company’s CRMS and ICS and concluded that CRMS and ICS are generally functioning effectively, there are some comments. The evaluation results were reviewed by an Audit Committee meeting.

Based on the recommendations issued during the audits, management developed corrective actions and implemented a total of 214 such actions over 2023. The actions included updating regulatory documents, developing new or amending existing control procedures, communicating them to  employees, training employees, and identifying and assessing risks.

The Internal Audit Department uses the SAP AM solution to continuously monitor the implementation of initiatives developed by management, with the resulting insights on types and number of initiatives regularly reviewed by the Audit Committee.

Internal control

The Internal Control Department ensures uniform approaches to ICS building, operation, and development as well as to building a control environment and a system for assessing business process risks, implementing control procedures, and segregating duties and access rights in information systems.

The Internal Control Department regularly monitoring the Company’s high‑risk business processes:

• Procurement and investing activities;
• Capital construction and corporate insurance transactions
• The existing systems of accounting for metal‑bearing products.

The Company also continuously monitors compliance with regulatory requirements to combat the unlawful use of insider information and market manipulation, as well as money laundering, terrorist financing, and proliferation financing.

The performance and maturity of internal control system elements are evaluated annually as part of an external financial statement audit and ICS self‑evaluation. Reports containing the ICS evaluation results are reviewed by Nornickel’s management and the Audit Committee of the Board of Directors.

The Company maintains data on its ICS in a SAP GRC PC information system, runs procedures to assess its effectiveness, and prepares relevant reports.

Corporate Trust Line

Nornickel runs its Corporate Trust Line (CTL) speak‑up programme established to respond promptly to:

• any irregularities
• embezzlement or misuse of Company property
• any actions that may be viewed as corruption, abuse of power, bribery, or fraud
• violation of  employees’ rights
• breach of ethical standards or rules of conduct by  employees.

Employees, shareholders, and other stakeholders can report any actual or potential actions that cause financial or reputational damage to Nornickel.

All reports submitted via the line are registered, assigned a unique number, and thoroughly investigated.

Nornickel will in no circumstances retaliate against a whistleblower who raises a concern via the CTL, meaning that no disciplinary action or sanction will be taken (including employees’ dismissal, demotion, forfeiture of bonuses, etc.). If pressure on a whistleblower is reported, the Company conducts mandatory investigations of such reports and thoroughly reviews their findings. Whistleblower status is regularly monitored at all levels to identify cases of undue pressure. In 2023, the Company introduced mechanisms to provide feedback to whistleblowers and collect satisfaction data from them through a feedback form for comments on complaint/report investigation and handling.

Complaints/reports about violations of ethical standards or rules are considered at meetings of commissions established by the head of the Company’s division or Group entity requested to investigate the complaint/report. If a report about employees violating corporate ethical standards or unresolved personal conflicts is confirmed, management takes steps to resolve conflict situations, once again explains the need for employees to comply with ethical business standards, and holds town‑hall meetings. Employees can be disciplined over violating ethical standards and principles.

Anti‑corruption

Nornickel believes that honest, transparent, and ethical business conduct, as well as a strong culture, helps strengthen the Company’s business reputation and build trusting relations with investors, partners, employees, and other stakeholders.

In its day‑to‑day operations, Nornickel has zero tolerance for any corrupt practices, complying with anti‑corruption laws of Russia and other countries in which it operates and recognising the importance of implementing and complying with procedures to prevent corruption.

Members of Nornickel’s Board of Directors and Management Board role model a zero‑tolerance approach to corruption in any form or manifestation at all levels across the organisation.

To ensure compliance with legal requirements and rules of ethical and transparent business conduct, Nornickel has put in place and is continuously improving an anti‑corruption compliance system focussed primarily on preventing and mitigating corruption risks and strengthening the commitment of Company employees to high ethical standards. Anti‑corruption standards have been approved across the Group

The Company takes regular steps to identify and analyse corruption risks and manages them within its overall risk management system, including control and monitoring of anti‑corruption measures and procedures, and uses a wide range of tools to assess and eliminate potential corruption risks when engaging with counterparties.

Nornickel strives to maintain respectful, strong business relations with its partners and does not prohibit giving and receiving business gifts, which is common business practice. The requirements and criteria concerning business gifts are set out in the Regulations on Business Gifts applicable to all Company employees.

The Company is committed to minimising corruption risks of the current and new business processes, so its internal documents are subject to regular anti‑corruption due diligence to ensure that they present no potential for corruption. If such potential is identified, the document owner is advised to amend the paragraph or section in question as necessary.

Once every two years, we submit a declaration to the Anti‑corruption Charter of the Russian Business to prove our compliance with anti‑corruption requirements.

Nornickel annually publishes statistics on recorded corruption incidents in its Sustainability Report, demonstrating its commitment to openness and transparency to stakeholders.

Compliance with the Company’s anti‑corruption principles is achieved when each employee feels a strong sense of personal ownership. When recruited, all Company employees take an induction briefing in compliance with anti‑corruption laws, familiarise themselves with anti‑corruption documents, and sign an agreement setting out their anti‑corruption responsibilities, on a mandatory basis.

Nornickel also provides employees with regular training in anti‑corruption, involving them in anti‑corruption programmes. The Company delivers effective training culminating in tests and tailored to different target audiences: for example, all employees take an annual anti‑corruption training course online, all HR employees – a course on anti‑corruption compliance for HR services, and members of the Board of Directors and of the Management Board – an online course on anti‑corruption for managers. As of the end of 2023, 100% of employees were trained to be familiar with the Group’s anti‑corruption policies and methods. Over the year, the training on statutory requirements and provisions of corporate anti‑corruption regulations covered about 26 thousand people.

One of the focus areas in anti‑corruption compliance is managing conflicts of interest, which are the most common cause of corruption. The Regulations on the Prevention and Management of Conflicts of Interest in place require any pre‑conflict situations to be disclosed and timely measures to be taken to prevent any potential appearance of conflict of interest. The Company set up standing conflict of interest commissions across the organisation to enhance the effectiveness of preventing, identifying, and resolving conflicts of interest, as well as to ensure legal compliance and improve corporate culture.

The Company strives to uphold and promote a culture of zero tolerance for corruption. To do this, the Company maintains various channels to report corruption. All employees of the Group and its partners have free and convenient access to information about the documents and current measures to combat corruption, available on the Company website in the dedicated Anti‑corruption section.

In order to mitigate potential risks associated with contractor engagement, Nornickel evaluates business standing, integrity, and solvency of its potential counterparties. To prevent procurement misconduct and maximise value capture through unbiased selection of best proposals, Nornickel’s procurement owner, customer, and secretary of a collective procurement body adhere to the following rules:

• Procurement relies on the principle of division of roles
• Commercial proposals submitted by suppliers are compared using objective and measurable criteria approved prior to sending a relevant request for proposal
• The selection results and the winning bidder in the material procurement process are approved by the collective procurement body comprised of representatives from various functions of Nornickel
• A Master Agreement containing an anti‑corruption clause is signed with each supplier or updated on an annual basis the anti‑corruption clause outlines the course of action to be taken between the supplier and Nornickel with respect to risks of abuse. Moreover, by signing the Master Agreement, suppliers acknowledge that they have read the Company’s Anti‑corruption Policy

In 2023, to develop and improve its anti‑corruption compliance system, the Company:

• approved a uniform approach to assessing corruption risks when engaging with counterparties
• updated and launched Anti‑corruption and Anti‑corruption for Managers, remote learning courses across the Group
• surveyed employees on the effectiveness of its anti‑corruption measures
• delivered a training campaign on managing conflicts of interest for the Group employees responsible for implementing anti‑corruption procedures
• revised and updated its anti‑corruption procedural documents.

The Anti‑corruption section on the Company website provides information on its anti‑corruption regulations and measures taken to combat and prevent corruption.

Over the past three years, the Corporate Trust Line (CTL) has not received any reports classified as “corrupt practices”.

Antitrust compliance

The antitrust compliance system in place at the Company since 2017 establishes the processes for the timely prevention, identification, and elimination of causes and conditions facilitating antitrust violations and ensures compliance of the Company and its corporate entities with applicable laws.

Federal Law No. 135‑FZ On Protection of Competition, dated 26 July 2006, was amended in 2020 to set requirements for internal antitrust compliance regulations of organisations and establish the right of organisations to submit these regulations to the Federal Antimonopoly Service and obtain its opinion upon confirmation of compliance. The Company was the first in Russia to use the new statutory procedure to obtain a confirmation of the Federal Antimonopoly Service that its antitrust compliance system meets legal requirements, issued on 25 March 2021.

Nornickel carried out an internal assessment and identified business units whose activities are exposed to antitrust risks. At such units, the Company designated antitrust compliance owners and briefed them on the applicable prohibitions and restrictions stipulated by antitrust laws. Management decisions in the Company are made taking into account the requirements of the antitrust regulations.

Corporate security

Nornickel’s corporate security system management is based on a set of programmes to ensure corporate and economic security.

In furtherance of the Corporate Fraud Policy approved by the Company’s Board of Directors, the Company is building consistent measures to prevent, identify, and combat abuses, corporate fraud, and corrupt practices. The Company deploys the following measures to shore up economic security:

• Incorporating signs of price fixing, conflict of interest, lobbying for bidders, unreasonable restrictions, etc. as red flags into the procurement system
• Optimising the counterparty due diligence methodology
• Developing a corporate fraud training course and incorporating it into the framework of training courses for Group employees

In 2023, we deployed a comprehensive corporate security solution for the Group’s strategic investment projects, shoring up economic protection for the Company’s legitimate interests in its engagements with contractors, staff security, and site security.

The operation of a dedicated unit, the Centre for Forensic Chemistry Research and Examinations featuring a range of modern analytical equipment, was taken to a fundamentally new level to address essential tasks of ensuring the economic security of production assets. This has significantly expanded the Centre’s functions and unlocked a wide range of research aimed at providing technical assistance to production units as well as control and analytical teams in quality assurance, investigation of the root causes of shop‑floor emergencies, in‑depth chemical, mineralogical, and structural studies of materials and substances when developing new technologies for concentration and metallurgical facilities or when running special external quality control processes and verifying the reliability of non‑ferrous and precious metal analysis. The Comprehensive Methodology for Analysis and Identification of Metal‑Containing Materials developed by the Centre was praised by members of the International Platinum Group Metals Association.

Measures to protect production, transport, and energy sector facilities against terrorism and to prevent unlawful interference in their operations are implemented on a scheduled basis.

Information security

In 2023, the Company revised its approach to information security to reflect external challenges and the Russian market’s specific profile. The information security function was reorganised, and a strategy for its further development was designed and approved. Among other things, it envisages continued efforts around import substitution of information security solutions as well as the transition to a service‑based model.

The Company took extra steps to protect its enterprises’ technological infrastructure and mitigate risks, as the number and complexity of cyber attacks continued to grow and some of Company employees were still remote, which called for measures to shore up the information security of corporate resources and infrastructure.

The Company is continuously monitoring the security of its systems to promptly identify and address vulnerabilities as well as prevent cyber intrusions.

Programmes

The Company has in place relevant information security processes, including:

• identification and classification of data assets
• managing access to data assets
• security analysis
• risk management
• information security incident management
• information security architecture management
• monitoring and using data protection tools
• review of information technology and automated process control system (APCS) projects for compliance with information security requirements.

In 2023, as part of an ongoing process of identifying and classifying data assets, the Company continued to actively implement plans to bring its data assets in line with corporate information security standards by rolling out the necessary solutions and information security tools.

APCS protection

In 2023, Nornickel revised its approach to process protection relying on domestic solutions. The Company’s priority remains unchanged: to roll out basic protection measures (tools and systems) to the maximum number of enterprises and production sites using APCSs. Particular attention is paid to compliance with regulatory requirements for the protection of industrial automation systems.

As previously planned, the Company has completed the deployment of basic process safeguards across major production sites of the Norilsk Division as well as at the gas industry enterprise producing and transporting energy to the Norilsk Industrial District.

In 2023, the Company ran an internal audit to evaluate how process safeguards are managed at Nornickel as well as the overall approach to protecting automated process control systems, and the effectiveness of technology infrastructure security measures. The audit gave the information security function good marks:

• The Company runs projects to create systems that protect production/industrial processes; a procedure has been established to deploy APCS safeguards in line with global best practice
• Procedural documents regulating information security and technical support for APCSs are in place at the Company‑wide level.

Audit recommendations will be implemented in 2024 to boost the overall security of our APCSs.

Import substitution

Since many foreign suppliers of information security solutions have left the Russian market, as well as to comply with new legal requirements, Nornickel continues to drive the import substitution process, including for industrial automation systems. The Company has compared and selected 100% of information security solutions for first‑priority data protection tools and 65% of solutions for second‑priority data protection tools. In 2023, Nornickel launched projects to deploy the selected data protection tools. The Company plans to replace imported basic data protection tools with domestic alternatives across the Group’s most critical enterprises no later than in 2026 while complying with all legal and regulatory requirements. This import substitution process is expected to be completed no later than in 2028 across all Group enterprises.

Cyber incident response system

The Company’s cyber incident response unit operating as part of the Company’s information security function uses a range of advanced technical solutions and leverages best practices in managing cyber defence. Nornickel continues to scale its seamless information security processes and procedures that have been previously developed and documented to boost the function’s resilience in the event of incidents and emergencies. These procedures are tested for relevance at least once a quarter.

Any Nornickel employee detecting any suspicious content or activity on company devices can send an alert to the information security team for investigation. Experts assess the possible negative impact on the Company’s information systems and take measures to prevent and eliminate the consequences of incidents. Over 6 thousand investigations into incidents reported by Nornickel employees were conducted over the year.

During the year, the information security team handled over 1 thousand incidents and over 18 thousand information security events in total.

The information security function has traditionally worked closely with industry partners and regulators. The Company has maintained its positive partnership with the National Coordination Centre for Computer Incidents, with a relevant cooperation agreement already in its second year.

Vulnerability management

In 2023, the Company maintained its focus on the practical aspects of information security by managing vulnerabilities and analysing the security of corporate resources in order to minimise risks and ensure their resilience against existing cyber threats in a fast‑changing digital environment.

The use of advanced security analysis methods helped identify and promptly address weaknesses in 57 existing systems. Regular penetration testing helped the Company assess its preparedness for advanced cyberattacks. New vulnerability management strategies were developed and deployed over the year to address new manipulation techniques used by cyber attackers and ensure the continuous security of the Company’s systems.

In an effort to continuously improve its information security, the Company has been successfully delivering on its DevSecOps strategy (Development, Security, and Operations: a process that ensures security throughout the entire software development life cycle), which integrates security elements directly into software development and operation, driving more effective and transparent security management throughout the app life cycle.

The Company has committed to driving the secure development of three key mining projects as part of the Metallurgy Industrial Competence Centre (ICC) to actively engage in cutting‑edge technology and best practice sharing while also delivering unique industry‑specific solutions. The process being deployed has shown that DevSecOps principles and practices are effective in early detection and rapid responses to potential cyber threats.

Training and communication

The Company is strongly focused on improving employee awareness about information security principles and digital hygiene. In 2023, the Group set a global goal to enhance information security culture among all of its employees.

Employees are trained on an annual basis, including on newly emerging cyber threats and risks. A total of 95 scheduled and 19 unscheduled trainings (including e‑courses and face‑to‑face lectures) were held in 2023, where 34,104 Group employees were trained.

Furthermore, the Company runs regular drills including simulations of phishing attacks and other unlawful practices that affect users. Following the drills, instructions for employees are updated.

In addition, the Company uses regular dedicated newsletters to improve employee awareness about current information security threats and digital hygiene.

Certification

In line with international best practices, Nornickel enterprises have in place information security management systems (ISMSs) compliant with ISO/IEC 27001:2013 requirements. An ISMS compliant with international standards helps systematise and structure information security support processes while building an effective matrix of controls and ensuring timely risk identification and mitigation.

Strong management engagement in ISMS processes and preparedness of the enterprises to respond to new threats and challenges earned praise from an external auditor following the audits conducted at Nornickel’s sites in 2023. Employees involved in the operation of the ISMS showed excellent knowledge of information security.

Thanks to the continuous improvement effort around information security management processes, Nornickel’s projects to develop and implement advanced cyber security solutions for industrial assets have been repeatedly recognised by the professional community and industry associations.

To further maintain information security processes at a high maturity level, Nornickel’s enterprises have planned a series of audits for 2024 to transition to ISO/IEC 27001:2022.

Top management engagement

Nornickel’s Information Security Policy applies to all employees and includes the engagement boundaries and responsibilities of the Board of Directors and the Management Board in this regard. Their responsibilities include, among other things, reviewing information security risks and budgets for relevant programmes and projects. Risks are monitored on a regular basis through dedicated committees and corporate reporting.

Cross‑functional collaboration

In 2023, Nornickel put its Supernika corporate application into commercial operation. The app is a single space for digital services and communications within the Company. Built on a commercial platform, the application is available to any Nornickel employee anytime from any company or own device. As part of the project, the Company placed a particular emphasis on the app’s information security aspects. Nornickel initiated significant updates to the application to bring it into compliance with internal regulations. As a result, many updates were migrated to the publicly available version of the platform, making a valuable contribution to stronger information security of corporate communications across the country on the whole.

Partnerships and best practice sharing

For more than six years now, the Information Security in Industry Club initiated by Nornickel has been one of the most respected associations for information security and IT managers of major Russian industrial holding companies. The Club has become a recognised platform for sharing experience and best practices in protecting information systems as well as for maintaining public‑private dialogue, including on topical matters such as industry‑specific legislation and import substitution in information security.

Prompted by changes in the external environment and emerging new digital challenges and threats, the Club updated its agenda in 2023, including by moving into new corporate security areas. The Club has doubled its membership to over 70 Russian businesses now, including flagship companies from key industries.

In international information security, Nornickel cooperates with the Security Council and the Ministry of Foreign Affairs of the Russian Federation, contributing to the development and discussion of position papers in this area. The Company also participates in the National Association for International Information Security.

Nornickel is committed to contributing to the development of the information security market for the industrial segment. The Company actively engages with providers of information security solutions in this area.

In 2023, the Company was the first among other customers to run a public meeting with developers and vendors of information security products and services. At the meeting, Nornickel’s information security team members shared information on their approaches and requirements, customer expectations, and outlooks for productive collaboration under the import substitution programme. Over 200 Russian companies (information security market players and industry partners) took part in the meeting.

The parties plan to jointly develop proposals to improve, test, and implement information security solutions for industrial systems, including those ensuring an uninterrupted production cycle and business process integrity at Nornickel.

Personal data protection

The Company has implemented and put in practice a set of organisational and technical measures to protect the personal data (including third parties’ personal data) of different types of owners and ensure compliance with Russian laws. Technical protection involves anti‑virus protection, leak prevention, monitoring of removable devices, and analysis of security incidents.

The Company places a heightened emphasis on maintaining legal compliance of its personal data processing. The Company has developed and continuously updates its Personal Data Compliance Guidelines. In 2023, in line with these Guidelines, 13 Group enterprises brought their personal data processing procedures into compliance with legal requirements and the Company’s local regulations.

Independent audit

An independent auditor for Nornickel’s financial statements is selected through competitive bidding in accordance with the Company’s established procedure. The Audit Committee of the Board of Directors reviews the shortlist and makes a recommendation to the Board of Directors on the proposed auditor to be approved by the Annual General Meeting of Shareholders of MMC Norilsk Nickel.

In 2023, on the recommendation of the Board of Directors, the General Meeting of Shareholders approved Kept as the auditor for RAS and IFRS financial statements for 2023.

The Audit Committee of the Board of Directors recorded no comments to the auditor’s reports, praised the quality of materials supporting financial statement reconciliation, and described Kept’s performance as the Company’s auditor in 2023 as effective.