The key parameters of the Risk Management System annually approved by the Board of Directors of the Company serve as the basis for classifying a risk as critical. During the prioritisation, each risk is assessed according to two scales, the damage assessment scale and the risk probability assessment scale. Damage assessment implies that a risk is evaluated by its possible financial consequences and by its potential industrial safety impact, with the worst-case scenario taken as the risk impact score. The resulting estimates are then compared with the matrix for classifying risks as critical.
The 2018 list of critical risks was approved by the resolution of the Board of Directors of Transneft dated 27 December 2017 (Minutes No. 20). In 2018, the register of risks was updated for further prioritisation and adoption of the list of critical risks for 2019. The risks were prioritised by the resolution of the Risk Management Council dated 10 October 2018 (Minutes No. 6). The list of critical risks for 2019 was approved by the resolution of the Board of Directors of Transneft dated 11 December 2018 (Minutes No. 19).
A risk owner is appointed for each of Transneft’s critical risks. The risk owner determines and authorises a business unit to manage the given risk, decides on the key risk indicators used to monitor the risk dynamics, and approves the action plan for managing the critical risk developed by the authorised business unit. The register of risks is revised annually, and special reports on critical risks are generated.
|Critical Risks in 2018||Critical Risks in 2019|
| || |
|Possible consequences||Measures taken to reduce risk materialisation probability and mitigate the consequences of materialised risks||Actual materialisation of risks in 2018|
|1. Currency exchange and interest rate risks. Changes in interest rates on loaned funds and changes in currency exchange rates|
|Unbudgeted costs related to foreign currency loan services|| || The partial risk materialisation in 2018 did not substantially affect the Company’s financial performance. |
Full early repayment of the debt on the Loan provided by the China Development Bank (CDB) and timely repayment of Eurobonds in 2018 resulted in a significant reduction in currency exchange and interest rate risks
|2. State regulation of oil and petroleum products transportation tariffs. Restrictions on oil and petroleum products transportation tariffs below the level required for the development of the Transneft system or below the level required to ensure reliable operation of the Transneft system in the long term. Dependence of petroleum products transportation tariffs upon the Russian Railways tariffs and the changes in them for the same transportation routes, which, in turn, affects the tariff-based revenue of the Company|
|Project schedule slips. Reduced efficiency on certain transportation routes. Insufficient revenue to cover the costs required for maintenance of the reliability of the Transneft system|| ||The risk partially materialised in 2018: pumping tariffs were set below the expected level. The impact on the revenue of the Company does not exceed the preferred risk level|
|3. Fiscal risks. Changes to tax, customs, social security, and pension insurance laws and regulations|
|Unbudgeted costs, claims by tax authorities|| ||The partial risk materialisation in 2018 did not substantially affect the Company’s financial performance|
|4. Unlawful interference including terrorist attacks or attempts. Wrongful action (inaction) threatening safe operation of a fuel and energy sector (FES) facility. Threat of attack (or actual attack) on the line facilities of Transneft and its subsidiaries. Threatening calls (“telephone terrorism”) and other acts that may entail significant disruption of the operation of the Company's security facilities. Illegal tapping into oil trunk pipelines and petroleum products pipelines. (Except cybersecurity issues related to risk 2017-24)|
|Disruption of oil and petroleum products pipeline transportation facilities and power supply, control, automation and communications systems|| ||The partial materialisation of the risk had no impact on implementing the plan in the field of oil / petroleum products pumping|
|5. Shutdown of external power supply to Transneft’s facilities. Interruption of external power supply to the Company’s facilities for reasons other than “in-house” ones|
|Pipeline downtime. Unbudgeted costs. Emergency|| ||The partial materialisation of the risk in 2018 had no impact on implementing the plan in the field of oil / petroleum products pumping|
|6. The risk of changes in regulatory documents and legal acts setting and regulating technical requirements. Changes in the statutory and regulatory requirements in the field of technical regulation (including environmental requirements and requirements to operation of hazardous operating facilities)|
|Unbudgeted costs. Suspension of operations. Project schedule slips|| ||The risk did not materialise in 2018|
|7. The risk of a partner bank’s license being revoked. Suspension of operations or revocation of a partner bank’s license|
|Financial and reputational losses, delayed contract settlements|| ||The risk did not materialise in 2018|
|8. International sanctions. Foreign economic restrictions, embargoes, freezing of accounts and settlements, US extraterritorial sanctions|
|Ban on the import of necessary equipment into the Russian Federation. Disruptions in supply of imported components; Restrictions on settlements with foreign counterparties; Restrictions on access to international markets|| ||In 2018, there were no changes to the sanctions regime with respect to Transneft|
According to the results of prioritisation, the prospects for 2019 have not changed for most of the 2018 critical risks, except the Currency Exchange and Interest Rate Risks. The estimated damage from this risk decreased substantially, which led to its removal from the 2019 Critical Risks List. This change is attributable, first of all, to the reduced foreign currency exposure of the Company, due to early repayment of the debt on the loan provided by the China Development Bank, among other things. This also mitigated the impact of floating interest rates pegged to LIBOR on the Company.
Specific Risks. Cybersecurity Risks
Cybersecurity is one of the priorities of Transneft’s and Transneft subsidiaries’ activities. Transneft is guided by a long-term Programme for Combating Threats to Information Technology Resources. The programme provides for improvement of detection, prevention and mitigation of computer attacks including those aimed at facilities belonging to the critical information infrastructure and response to information security incidents, as well as for the introduction of a package of cybersecurity solutions.
According to Russian laws, Transneft Group companies are critical information infrastructure (CII) subjects.
One of the priorities at Transneft Group is to ensure safe and uninterrupted operation of the information infrastructure and the information technologies used in the automation of technological and business processes, protection of trade secrets and other confidential information.
Transneft Group implements the Information Security Policy, which defines the key objectives in the field of information security, including:
- Protecting Transneft’s and Transneft subsidiaries’ personnel from pain, suffering and loss of amenity and other damages resulting from unlawful use of information relating to them, including personal data
- Protecting and maintaining Transneft’s and Transneft subsidiaries’ positive image and business reputation
- Ensuring continuity of technological and business processes
- Supporting innovation-based and boosted development of information security and information technologies
- Minimising possible damage from realised information security threats.
- Federal Law No. 98-FZ dated 29 July 2004 On Commercial Secrets
- Federal Law No. 149-FZ dated 27 July 2006 On Information, Information Technologies, and Information Protection
- Federal Law No. 187-FZ dated 26 July 2017 On the Security of the Critical Information Infrastructure of the Russian Federation and regulations thereunder
- Decree of the President of the Russian Federation dated 15 January 2013 No. 31s On Establishing of a State System for Detection, Prevention, and Response to Computer Attacks on Information Resources of the Russian Federation
- Decree of the President of the Russian Federation dated 5 December 2016 No. 646 On Adoption of the Information Security Doctrine of the Russian Federation
- Transneft’s Information Security Policy approved by the Board of Directors, Minutes No. 21 dated 28 December 2017
- Programme for Combating Threats to Information Technology Resources (implementation period: 2017 to 2020)
Countering Cyber Threats
Transneft’s information technology resources are the target of an increasing number of hacker attacks. In 2018, about 7 million emails with inappropriate content allowing for malicious software installation were processed. During the reporting year, there was an increase in the share of emails labeled as “virus” in the mail traffic. This fact partially testifies to the growing phishing activity recorded in the world. The number of attempted computer attacks on Transneft’s data processing centre also increased.
In 2018, measures were taken under the Programme for Combating Threats to Information Technology Resources of Transneft (hereinafter, the Programme) and the IT resources of Transneft subsidiaries, aimed at:
- Providing for and supporting the activities of the Computer Security Centre
- Providing for interaction with the Russian State System for Detection, Prevention, and Mitigation of Computer Attacks (GosSOPKA)
- Establishing a centralised system for monitoring and controlling information security events, allowing for taking stock of IT resources, collection and correlation of information security events and response to information security incidents
- Providing for interaction with consumers of oil and petroleum products transportation services for mutual informing about computer attacks
- Conducting R&D activities in the field of cybersecurity
A regulatory and methodological framework for classification of CII facilities was developed at Transneft in order to comply with the requirements of Russian laws governing the security of CII facilities, and the relevant measures were implemented.
Plans for 2019
In 2019-2020, implementation of the Programme will be focused on ensuring secure interaction between Transneft’s and Transneft subsidiaries’ corporate computer network and the Internet, and on raising the information security awareness of the personnel.
Completion of measures for classification of CII facilities, identification of significant CII facilities, and ensuring the implementation of the procedures required for their protection.