Risk Management

Amid constantly changing trends and an unstable external environment, every company needs a well‑designed risk management policy. Insufficient information and incorrect calculations can quickly lead to huge losses or even bankruptcy, but competent analysis of large amounts of data, unbiased conclusions and competent management decisions based on them can not only reduce negative trends in the external environment, but also take the company to a new level.

Therefore, identifying risks and making decisions in conditions of uncertainty are important elements of the management process at JSC FPC, the effectiveness of which depends entirely on the means and methods used to identify and assess risks. The conscious use of risk management tools has enabled FPC to withstand external fluctuations, maintain stability, ensure reasonable confidence in the achievement of its goals and, despite all the limitations, challenges and sanctions, confirm in practice its ability to reliably, efficiently and safely ensure transport accessibility for the population of the Russian Federation.

Risk management system

Risk management at JSC FPC is a continuous and systematic process embedded throughout the organisation levels, integrated with business processes and aimed at mitigating the exposure to risks and boosting confidence that the objectives and goals of the Company will be achieved.

All units and divisions of the Company are involved in the risk management process within their terms of reference.

Overall coordination and methodological support of the risk management process, preparation and submission of reports to JSC FPCs management, and organisation of risk management training for the Company's employees are provided by the Risk Management Department within the Strategic Development and Risk Management Department.

The following documents serve as the foundation for risk management at JSC FPC:

  • JSC FPC's risk management and internal control policies
  • Methodological recommendations for determining the acceptable risk profile (risk appetite)
  • Methodological recommendations on risk management and internal control
  • Regulations on interaction in the risk management and reporting process

In 2024, JSC FPC aligned the corporate‑wide risk management with the above‑listed documents. Lower‑level operational risks were handled with fewer steps and a more straightforward approach.

The Internal Audit Department is responsible for assessing the RM&ICS reliability and effectiveness.

Principles of risk management

In accordance with JSC FPC's Risk Management and Internal Control Policy (hereinafter referred to as the Policy), the main objective of the RM&ICS is to provide reasonable assurance the following will be achieved:

  • Strategic objectives
  • Operational objectives
  • Objectives in the area of compliance with the requirements of regulatory legal acts of the Russian Federation and (or) international legal acts and the Company's by‑laws (compliance)
  • Objectives in ensuring the reliability, timeliness and quality of all types of reporting

The Policy also stipulates that the organisation and functioning of the RM&ICS at JSC FPC shall be aligned with the following principles:

1. Integratedness and comprehensiveness

Internal control is an integral part of the risk management system, and the risk management and internal control system is part of corporate governance.At the same time, risk management is embedded in strategic and operational activities, process and project management and is an intrinsic part of the entire Company's activities (in part, through risk consideration in planning, organisation of activities, decision‑making, development and adoption of regulatory documents). In its risk management process, JSC FPC takes into account the best available information, the balance of opportunities and risks, risk management costs, expected benefits, and maintains stakeholder awareness and knowledge.

2. Structuredness

Risk management takes into account unified regulatory and methodological approaches to obtain an insight into the risk universe and risk portfolio to ensure comparability of information, including risk assessment and understanding of their impact on certain parameters (indicators).

3. Adaptability and dynamicity

Risk management shall factor in the Company's internal and external environment (including corporate culture and structure), current objectives, accumulated experience and respond flexibly to them, including in the process of continuous improvement of the RM&ICS.

Principles of risk management

Main tasks of the risk management and internal control system

The main tasks of the RM&ICS include:

  • To create infrastructure and regulatory and methodological framework for the implementation of the risk management process, including within the scope of strategic and operational activities, process and project management
  • To integrate risk management and internal control procedures into the Company's strategic and operational activities
  • To improve the sustainability and efficiency of the Company, projects, and business processes through risk management, including risk‑based goal setting and decision‑making

The Board of Directors and the General Director are JSC FPC's risk management decision‑making centres, for whom the Audit and Risk Committee of the Board of Directors and the Risk Management Committee develop recommendations in the area of risk management.

Improvement of the risk management and internal control system in 2024

In 2024, in accordance with the Risk Management and Internal Control Policy of OJSC Russian Railways, the Risk Management and Internal Control Policy of JSC FPC was updated and approved. Adopting this document will help the Company, as well as and its fundamental systems and processes, become more flexible while also supporting the accomplishment of JSC FPC's goals.

During 2024, the Programme for the Development of the Risk Management and Internal Control System at JSC FPC for 2024 was carried into effect, aiming to develop and improve the effectiveness of the RM&ICS. The programme's scope:

  • Approaches to identifying, analysing and assessing the Company's risks were upgraded
  • Advanced training of risk owners was provided through one of the country's leading educational institutions
  • Continued automation of the risk management process, including the development and implementation of an automated information panel for monitoring risk indicators

The Internal Audit Department assessed the reliability and effectiveness of the risk management and internal control process for 2023. The results of the assessment showed an improvement in the performance of the RM&ICS in 2023 compared to previous periods, while some weaknesses remained, limiting the rise in the RM&ICS efficiency and its development in line with the best practices. In this regard, a number of recommendations for development areas were prepared in 2024 and included in the Risk Management and Internal Control System Development Programmes of JSC FPC for 2024 and 2025.

In 2025, JSC FPC plans to implement the following concepts and measures (projects) in order to improve the RM&ICS:

  • To develop the RM&ICS in line with the delivery of the project to improve and develop the integrated risk management model of OJSC Russian Railways
  • To upgrade the skills and expertise of the staff involved at various levels
  • To continue the automation of the risk management process
  • To further improve approaches to identifying, analysing and assessing the Company's risks

Three lines of defence model

In the normal course of business, JSC FPC uses a three lines of defence model approach, which is based on the allocation of roles and responsibilities. Each of three lines increases the likelihood of JSC FPC successfully achieving its objectives.

Risk treatment methods applied

The following risk treatment methods are used at JSC FPC:

  • Risk avoidance – refraining from an activity or project associated with a particular (inherent) risk where other treatment strategies (risk mitigation, risk sharing, risk acceptance) are not economically viable or feasible. This strategy is applicable for managing certain specific risks and (or) new lines of business, projects
  • Risk mitigation – risk treatment involving activities to reduce the likelihood of a risk event and/or the potential impact of its occurrence to an acceptable level. Risk mitigation activities may include both the deployment and execution of control procedures and the implementation of other measures (e.g., creating provisions to cover losses caused by a risk event)
  • Risk acceptance – a risk treatment method utilising no active risk treatment. It is used when the a is at an acceptable level or when avoiding, minimising and transferring risk is not cost‑effective or possible (e.g., political or macroeconomic risks)
  • Risk transference – transfer of a risk where the Company’s risk mitigation is ineffective, while the level of risk is outside the risk tolerance scope (the risk is unacceptable), but the risk treatment process can use third‑party services. Risk transference is mainly aimed at mitigating the impact of consequences rather than reducing the likelihood of risk realisation.
Risk treatment methods applied

Organisational structure of JSC FPC's risk management

The organisational risk management structure is aligned with JSC FPC’s Risk Management and Internal Control Policy.

Board of Directors
  • Defines general principles and approaches to the organisation of the RM&ICS
  • Approves and revises the Risk Management and Internal Control Policy
  • Examines the organisation, functioning and efficiency of the RM&ICS
  • Approves the risk tolerance (risk appetite), including an approach to its determination
Audit and Risk Committee under the Board of Directors
  • Controls the reliability and efficiency of the RM&ICS, including assessment of the effectiveness of risk management and internal control procedures and preparation of proposals for its improvement
  • Reviews and assesses the implementation of the risk management and internal control Policy
Auditing Commission
  • Reviews and analyses the functioning of the internal control system and the financial and operational risk management system
  • Informs the shareholder, the Board of Directors and the General Director of the Company about proposals for improving the system and internal control
  • Prepares information on the main identified risks with an analysis of the reasons for their occurrence and recommendations on how to mitigate these risks
General Director
  • Ensures fulfilment of the Board of Directors' decisions in respect of the RM&ICS
  • Approves regulatory documents in the field of risk management and internal control
  • Ensures the establishment, maintenance and development of the RM&ICS
Deputy General Directors
  • Organise, within the their purview, work on the improvement and functioning of the RM&ICS
  • May act as a risk owner
Deputy General Director, who coordinates and supervises the activities of the business unit for coordinating risk management and building an internal control system
  • Coordinates the work on improvement and development of the RM&ICS
Business unit in charge of coordination of risk management and internal control system
  • Provides overall coordination and methodological support to the risk management process
  • Develops and updates the general corporate regulatory and methodological framework of the RM&ICS
  • Provides methodological support within the RM&ICS, monitors the application of unified methodological approaches in the field of risk management and internal control in the Company
  • Organises the automation of processes for generating corporate‑wide risk reports
  • Co‑ordinates the procedure of self‑assessment (analysis) of the RM&ICS
  • Prepares summarised information on the Company's risk tolerance (risk appetite)
  • Consolidates information provided by subdivisions and prepares consolidated reporting on the Company's risks, including for submission to management bodies, and analyses the risk portfolio
  • Checks and controls the preparation of the Company's risk reports for compliance with regulatory documents in the field of risk management and internal control
  • If necessary, provides proposals for adjustments, develops and updates the RM&ICS development programme, organises training in the field of RM&ICS
Units in charge of coordination of individual risk management
  • Develop and update the regulatory documents on management of certain types of risks
  • Provide methodological support to the Company's employees as to managing certain types of risks
  • Coordinate the procedure of assessment (self‑assessment) analysis of management efficiency for certain types of risks
  • Analyse and report on the management of certain types of risks (including measures to influence them)
  • Organise (coordinate) training in the management of certain types of risks
Business unit of internal audit
  • Conducts systematic and successional assessment of reliability and effectiveness of the RM&ICS
  • Provides independent and objective information to the Board of Directors and executive bodies of the Company on the reliability and efficiency of the RM&ICS
  • Develops proposals and recommendations to improve reliability and effectiveness of the RM&ICS
  • Monitors and controls that the Company's units undertake the measures to eliminate violations and deficiencies identified in the course of internal audit to improve the RM&ICS
  • Provides information to the risk management and internal control unit on risks identified as a result of audits and measures to improve the RM&ICS
Business unit in charge of organising and carrying out subsequent internal control
  • Organises and conducts follow‑up internal control aimed at achieving economic stability and financial transparency of the Company and its S&As
  • Informs the Company's management about the state of financial and economic activities, violations, deficiencies and risks identified in the course of control measures
  • Controls over timely elimination of identified violations and deficiencies in financial and economic activities, fulfilment of instructions and decisions taken following the control measures taken
Other units carrying out verification activities
  • Carry out verification activities (including inspections, audits, reviews) and monitoring of the elimination of identified violations (deficiencies), including in terms of the effectiveness of risk management and internal control for certain types of risks, areas (areas) of activity
Risk owners
  • Organise and ensure effective functioning of the RM&ICS (within the scope of their authority and responsibility)
Employees of the Company
  • Implement risk management and internal control procedures (within the scope of their responsibilities and authority), including the implementation of risk impact measures
  • Inform the line manager about identified risks, cases of risk realisation, effectiveness of impact on the risk
  • Provide the line manager with suggestions for improving the effectiveness of the RM&ICS

Risk management process stages

In line with the Policy, the risk management process at JSC FPC has the following stages:

  1. Risk identification
  2. Risk analysis and assessment
  3. Treatment of risks identified
  4. Monitoring and review
  5. Communication of information and consultation

These processes yield risk information that may be submitted to executive bodies, the Audit and Risk Committee of the Board of Directors, the Board of Directors, and other interested parties. Such information is also provided in documents, plans, programmes and reports, which may include materials for the financial plan, key performance indicators, investment programme, innovation development programme, annual reports, long‑term development programme and reports on its implementation, as well as other strategic documents of the Company.

Key risks

In 2024, JSC FPC's Risk Management Committee formed and approved a compliance risk register. A correlation analysis was conducted using the branch data array to identify risk factors affecting passenger satisfaction with the quality of travel, and the architecture for interaction between the Company's management and its branches in the area of the RM&ICS was determined.

JSC FPC's register of key risks was updated in terms of both quantitative and qualitative composition:

  • Number of risks in the register did not change and amounted to 23 risks
  • Number of key risks decreased from 12 to 7 risks
  • Number of risk owners remained at the same level and amounted to 15 risk owners
Register of key risks of JSC FPC
Business process Risk factors Risk treatment measures
Financial and economic management
  1. Infrastructural component
  2. Locomotive component
  3. Carriage component
  1. Cost saving due to increased utilisation of rolling stock capacity
  2. Involvement of ARPO RSS's students for summer and winter service
  3. Analysis of predicative risk indicators and prompt response to their changes
Marketing
  1. Lowed appeal of domestic tourism
  2. Competition with alternative modes of transport
  3. Shortage of rolling stock
  4. Emergencies, natural disasters
  5. Macroeconomic situation
  6. Capacity deficit not related to rolling stock deficit
  7. Changes in the amount of JSC FPC's traffic, preparation of the schedule
  8. Tariff policy
  9. Cancellation of the airport closure regime, as well as resolution of associated problems related to aircraft operations
  10. Quality of passenger service on trains
  11. Availability of staff to provide transport services
  12. Changes in passenger traffic due to restrictive measures taken during epidemics and pandemics
  1. Analysis of JSC FPC's passenger train performance indicators and subsequent management decision‑making based on the findings
  2. Implementation of marketing initiatives and tariff management
  3. Preparation of proposals for the development of passenger train schedules
  4. Preparation of proposals and approval of make‑up schemes for domestic passenger trains
  5. Development of proposals for optimising indicators based on the analysis of information on passenger traffic slack seasons
  6. Continued work on the introduction of non‑refundable railway tickets
Quality management
  1. Degradation of CSI by parameters
  2. Unsound nature of calculations
  3. Inaccurate information on the level of satisfaction of passengers
  1. Actions taken to raise the standard of service
  2. Encouraging passengers to participate in a questionnaire survey to assess the quality of services provided on long‑distance trains of JSC FPC
  3. Monthly monitoring of CSI level by constituent parameters
  4. More consistent response records in the database
IT control
  1. Failure of hardware and (or) software parts of automated systems, computing and peripheral equipment, communication and telecommunication devices
  2. Failure to provide services and goods by third‑party organisations
  3. Expiry of foreign software licences
  4. Inability to purchase or upgrade equipment
  1. Timely replacement of equipment with expired service life
  2. Redundancy of critical infrastructure nodes
  3. Development of regulations:
      • Printing of paper boarding lists for the recovering time of information systems (IS)
      • Utilisation of alternative ISs and coordination with regional office staff
      • Development of procedures for restoring IS operability to reduce downtime
  4. Replacement of foreign software with domestic analogues:
    • Search for or development of alternative software
    • Analyses whether licences are in place or have expired
Management of investment activities
  1. Violation of the planned contract term by suppliers (contractors) for the project facilities
  2. Failure of suppliers (contractors) to fulfil contractual obligations
  3. According to the results of the tender, the formed price was higher than the expected price (included in the project), the contract was not concluded
  4. Increase in the price of the contract
  5. Lack of competitors in railway engineering, passenger carriage building
  1. Negotiating with counterparties for timely delivery of rolling stock, agreeing on a schedule for replenishing the backlog (in case of late deliveries)
  2. Formation of action plans to compensate for the backlog
  3. Claims management with counterparties
  4. Setting of realistic deadlines in contracts, examination of the issue of concluding framework contracts
  5. Automation of the procurement process
  6. Negotiations with potential contractors to reduce the contract price, announcement of a repeated tender with a higher price
Oversight procedures:
  • Monitoring of delivered carriages in the planned period
  • Analyses of JSC FPC's existing carriage fleet to ascertain whether there is enough operational fleet to carry passengers during peak periods
Safety management
  1. Non‑fulfilment of contractual obligations by contractors
  2. Decrease in the quality of scheduled repairs and maintenance of passenger carriages in depot conditions
  3. Occurrence of transport accidents and other events due to the fault of the train crew
  4. Collision, derailment of railway rolling stock during shunting, handling or other movements through the fault of JSC FPC's employees
  1. Development of JSC FPC’s programme of measures to reduce the frequency of traffic incidents and accidents and the severity of their consequences, and to achieve the set targets for traffic safety for 2024
  2. Handling of claims
  3. Briefings for train crews on how to fulfil the requirements of regulatory and technical documentation, including how to act in emergencies while trains are en route
  4. Timely familiarisation of employees of JSC FPC's branches and their structural subdivisions with changes in the procedure for maintenance and operation of trains on non‑public railway track, as well as on railway track operated by a functional branch or structural subdivision of OJSC Russian Railways
  5. Analyses of cases of traffic safety violations, development of corrective action plans for the traffic safety violations
Oversight procedures:
  • Monitoring the fulfilment of target indicators for the reliability of technical facilities, reduction of process disturbances and train‑ hours lost due to them
  • Analyses of the reliability and quality of passenger carriages in JSC FPC's fleet
  • Control over the timing of scheduled repairs and maintenance, including through the use of the automated control system of passenger carriages
Violations of the requirements of anti‑corruption legislation and JSC FPC's anti‑corruption regulations by managers and employees of JSC FPC at all levels of corporate governance
  1. Measures of JSC FPC's anti‑corruption Plan for 2021–2024
  2. Plans of measures to minimise corruption risks in JSC FPC's divisions
Oversight procedures:
  • Monitoring and analyses of the implementation of measures set out in JSC FPC's anti‑corruption plan for 2021–2024, as well as action Plans to minimise corruption risks in divisions
  • Activities of the Plan of checks of compliance with the requirements of regulatory documents related to prevention and combating corruption for 2024
  • Monitoring and analyses of corruption‑related criminal cases
Map of key risks of JSC FPC for 2024
Sr. No. Name of business process
1 Financial and economic management
2 Marketing
3 Safety management
4 IT control
5 Management of investment activities
6 Quality management

Relations of key risks and the Company’s strategy

JSC FPC's Development Strategy until 2030 defines the following list of strategic benchmarks:

  • number of passengers dispatched
  • Revenues
  • EBITDA
  • Net debt/EBITDA
  • Carriage acquisition volume

In 2024, the following factors had the main impact on the achievement of key performance indicators of JSC FPC:

  • Improvement of the macroeconomic situation expressed in the above‑the‑target growth of GDP and increase in the real disposable household income
  • Changes in the structure of domestic traffic due to continued restrictions on flights in the south of Russia and reduction in the number of aircraft

The Strategy outlines a list of strategic projects that drive the achievement of the objectives set. The Company implements strategic initiatives while taking into consideration the macroeconomic conditions in the country and making the necessary adjustments to the pace, scale, and resources required.

Since key risks can have a significant negative impact on JSC FPC’s operations, the achievement of strategic goals, the Company pays due attention to risk management. The register of key risks is approved by the General Director based on the resolution of the Board of Directors (taken after the review of the register) and taking into account the opinion of the Audit and Risk Committee of the Board of Directors. The Board of Directors then supervises the treatment of key risks by JSC FPC’s business units.

Relations of key risks and the Company’s strategy

Sustainable development risks

JSC FPC also identified sustainability risks, determined the possible consequences for the Company in the event of their realisation and developed measures to influence them.

Register of sustainable development risks
Sr.No. Risk Possible consequences Risk treatment
1 Occurrence of transport accidents and other events related to violation of railway transport safety and operation rules
  1. Material damage
  2. Reputational damage
  3. Threat to the health and life of passengers
  1. Development of JSC FPC’s programme to reduce the rate of traffic incidents and events, to mitigate their severity, and to achieve the set traffic safety targets of JSC FPC for 2024
  2. Handling of claims
  3. Briefings for train crews on how to fulfil the requirements of regulatory and technical documentation, including how to act in emergencies while trains are en route
  4. Timely familiarisation of employees of JSC FPC's branches and their structural subdivisions with changes in the procedure for maintenance and operation of trains on non‑public railway track, as well as on railway track operated by a functional branch or structural subdivision of OJSC Russian Railways
  5. Analyses of cases of traffic safety violations, development of corrective action plans for the traffic safety violations
Oversight procedures:
  • Monitoring the fulfilment of target indicators for the reliability of technical facilities, reduction of process disturbances and train‑ hours lost due to them
  • Analyses of the reliability and quality of passenger carriages in JSC FPC's fleet
  • Control over the timing of scheduled repairs and maintenance, including through the use of the automated control system of passenger carriages
2 Decrease in the number of passengers dispatched
  1. Decrease in the level of passenger satisfaction
  2. Decrease in revenues from passenger service
  3. Decrease in income from other activities
  1. Analysis of JSC FPC's passenger train performance indicators and subsequent management decision‑making based on the findings
  2. Implementation of marketing initiatives and tariff management
  3. Preparation of proposals for the development of passenger train schedules
  4. Preparation of proposals and approval of make‑up schemes for domestic passenger trains
  5. Development of proposals for optimising indicators based on the analysis of information on passenger traffic slack seasons
  6. Continued work on the introduction of non‑refundable railway tickets
3 Failure to deliver investment projects
  1. Shortage of rolling stock for transport operations
  2. Decrease in the level of passenger satisfaction
  1. Negotiating with counterparties for timely delivery of rolling stock, agreeing on a schedule for replenishing the backlog (in case of late deliveries)
  2. Formation of action plans to compensate for the backlog
  3. Claims management with counterparties
  4. Setting of realistic deadlines in contracts, examination of the issue of concluding framework contracts
  5. Automation of the procurement process
  6. Negotiations with potential contractors to reduce the contract price, announcement of a repeated tender with a higher price
Oversight procedures:
  • Monitoring of delivered carriages in the planned period
  • Analyses of the existing carriage fleet to ascertain whether there is enough operational fleet to carry passengers during peak periods
4 Critical IT infrastructure disruption Inoperability of automated systems, computing and peripheral equipment, communication and telecommunication devices at JSC FPC's facilities
  1. Timely replacement of equipment with expired service life
  2. Redundancy of critical infrastructure nodes
  3. Development of regulations:
      • Printing of paper boarding lists for the recovering time of ISs
      • Utilisation of alternative ISs and coordination with regional office staff
      • Development of regulations for IS performance restoration to minimise downtime
  4. Replacement of foreign software with domestic analogues
Initiatives:
  • Search for alternative software
  • Development of alternative software
Oversight procedures:
  • Analyses whether licences are in place or have expired
5 Corruption risk
  1. Reputational damage
  2. Damages to the Company

Implementation of JSC FPC's anti‑corruption Plan for 2021–2024 and action plans to minimise corruption risks in JSC FPC's s divisions

Oversight procedures:
  • Monitoring and analyses of the implementation of measures set out in JSC FPC's anti‑corruption Plan for 2021–2024, as well as action plans to minimise corruption risks in divisions
  • Activities of the Plan of checks of compliance with the requirements of regulatory documents related to prevention and combating corruption for 2024
  • Monitoring and analyses of corruption‑related criminal cases
6 Decrease in passenger satisfaction with the quality of service Decrease in the number of passengers dispatched
  1. Analysis of JSC FPC's passenger train performance indicators and subsequent management decision‑making based on the findings
  2. Implementation of marketing initiatives and tariff management
  3. Preparation of proposals for the development of passenger train schedules
  4. Preparation of proposals and approval of make‑up schemes for domestic passenger trains
  5. Development of proposals for optimising indicators based on the analysis of information on passenger traffic slack seasons
  6. Continued work on the introduction of non‑refundable railway tickets
7 Increase in the passenger service cost (unit cost per 10 passenger‑km) relative to the plan Cost‑to‑rail traffic overrun
  1. Cost saving due to increased utilisation of rolling stock capacity
  2. Involvement of ARPO RSS's students for summer and winter service
  3. Reduction of education and training costs
  4. Analysis of predicative risk indicators