E | ENVIRONMENTALLY FRIENDLY AND TRUSTED MARKET INFRASTRUCTURE

Risk management

Moscow Exchange Group has successfully established an integrated risk management system that complies with Russian regulatory requirements, as well as with leading international standards and best practices.

Key documents:

Responsible bodies:
  • Risk Management Committee of the Supervisory Board
  • Risk Management Unit
  • Internal Audit Service
  • Internal Control Service

Role of management bodies in risk management

3-3 2-24

ESG risk management is handled by the Supervisory Board and other management bodies, such as participants in the Group’s integrated risk management system. They perform monitoring and control procedures.

The Supervisory Board of Moscow Exchange is responsible for establishing the principles and approaches of the risk management system, including approving the risk management strategy, internal documents, and policies that stipulate actions to prevent the materialisation of risks and to minimise their consequences.

The Risk Management Committee of the Supervisory Board reviews risk management reports and develops recommendations for managing individual risk profiles, analyses internal procedures and proposes measures for improving them, and monitors the reports submitted. Similar structures have been established within the Group’s companies, including the Risk Committee of the NCC Supervisory Board and the Risk Committee of the NSD Executive Board. Moscow Exchange has also created a separate structural unit that is responsible for managing the risks of the market operator.

ESG risks and their potential impact on the Group’s operations are identified annually within the Group’s integrated risk management system. Risk acceptance and pre-approval of risk management issues are submitted for discussion at Supervisory Board meetings. The Executive Board is responsible for defining the acceptable level of risk.

The Group has conducted regular training sessions for its employees to improve their risk identification skills. The sessions are part of the Development Strategy for the Risk Management System. Risk-management KPIs are included in the criteria used by management for assessing employee performance.

Key risk profile

2-24

Each of the Group’s companies faces different types of risk, depending on the specific nature of their activities. As the parent company of the Group, Moscow Exchange faces risks associated with the organisation of trading, as well as with transactions involving its own assets. The NSD, as a core element of Russia’s financial market infrastructure, faces risks in its depository activities. The key risk bearer in the Group is the NCC, which acts as a clearing house and central counterparty for all major markets of the Group and as a commodity delivery facility for the commodities market.

The Group’s financial and non-financial risk map is updated annually following the results of the risk identification procedure. Non-financial risks are classed into several categories, as described in the table below.

Risk (level) significance

Description

Risk management activities

High

Operational Risks

  • Ensuring that operational risk is identified using various operational risk management tools.
  • Ensuring operational reliability and protection against information threats.
  • Ensuring the collection and registration of information about operational risk events and losses from its implementation.
  • Determining losses and compensation for losses from the implementation of operational risk events.
  • Determining quantitative and qualitative assessment of the level of operational risk.
  • Determining the choice and application of methods to respond to operational risk.
  • Ensuring operational risk monitoring

Strategic risk

High

Risk of expenses (losses) resulting from

  • erroneous assumptions made by management in preparing, approving, and executing strategic plans;
  • inadequate execution of decisions made by management;
  • (the impact of changes caused by external factors and that affect or could affect the Group’s performance
  • Developing transformation projects in organised trading or related activities, including providing additional services and access to organised trading for new financial instruments, foreign currency, goods, and other organisational or technology changes in a uniform and structured manner
  • Conducting feasibility studies for transformation projects, including analysing the following variables: investment feasibility, potential economic benefits, mitigation of identified risks, and potential operational improvements
  • Analysing the effectiveness of implemented transformation projects, including post-project (post-investment) monitoring
  • Planning the development of strategic activities (e.g., by designing strategic plans). As part of this process, Moscow Exchange creates a five-year strategic plan, prepares a roadmap to guide the execution of strategy, assesses the resources needed to successfully execute the strategic plan, and receives final approval of the strategic plan from the Supervisory Board, which may decide to amend certain aspects
  • Evaluating the strategic plan in terms of feasibility and amending it, if needed. This process may also involve the assessment of related risks, as well as the evaluation of whether the strategic plan is consistent, aligned with market conditions, acceptable to stakeholders, and likely to generate a competitive advantage for Moscow Exchange Group

Compliance risk

High

Risk of losses due to failure to comply with legislation, internal regulations and standards issued by self-regulatory organisations (if such standards and rules are obligatory), or as a result of sanctions or other enforcement measures taken by oversight agencies

  • Monitoring legislative developments
  • Coordinating with regulatory authorities on the development of new regulations
  • Identifying regulatory risk in existing and proposed internal procedures
  • Analysing best practices in internal control
  • Obtaining preliminary approval and performing background checks when onboarding clients, signing contracts with counterparties, admitting securities to trading, launching new products or services, etc.
  • Setting up automated controls, including controls to run parties (stakeholders) through compliance checklists
  • Ensuring that the necessary policies and procedures are in place
  • Conducting mandatory training

The Internal Control and Compliance Department is responsible for managing compliance risk.

Information security Risk

High

Risk of the security (confidentiality, integrity, accessibility) of information assets being compromised as a result of the materialisation of information security threats

  • Ensuring the accessibility, integrity, and efficient use of information assets
  • Ensuring information confidentiality and preventing harm from the disclosure of confidential information, including personal data
  • Building an effective system for monitoring and protecting the Group’s information infrastructure
  • Increasing protection and optimising the cost of ensuring information security via a risk-based approach
  • Raising awareness of information security risks among Group employees

Reputational risk

High

Risk of expenses (losses) or any other adverse effects resulting from a negative perception of Moscow Exchange Group by its counterparties, traders and their clients, shareholders, the Bank of Russia, or others which may adversely impact the Group’s ability to maintain its existing relationships and/or to establish new ones and provide access to sources of financing on an ongoing basis

  • Collecting and analysing coverage of Moscow Exchange Group in the media
  • Conducting regular analysis of information that may pose a reputational risk which has been obtained from media and other sources, including analysis of the impact of reputational factors on Moscow Exchange’s financial position, the impact of the reputation of other Group companies on the Group’s reputation, and the impact of Moscow Exchange Group’s corporate charitable and marketing activities on its business reputation
  • Performing ongoing assessments and monitoring of PR through regular assessment of Moscow Exchange’s performance and monitoring the number of complaints and claims from clients and counterparties and positive and negative coverage of shareholders and related parties in the media
  • Regularly monitoring the business reputation of shareholders, related parties, and management
  • Overseeing the fair presentation of information in the financial statements and any other published information provided to shareholders, clients and counterparties, regulatory and oversight bodies, and other stakeholders, including for advertising or promotional purposes
  • Preventing persons with access to certain information from using that information for their personal benefit
  • Providing management and employees with data on negative and positive coverage of Moscow Exchange Group in the media and other sources and considering and analysing the completeness, credibility, and objectivity of such information in a timely manner
  • Taking disciplinary action against employees whose misconduct may create a risk of damage to Moscow Exchange Group’s reputation

HR risk

Moderate

Risk of expenses (losses) incurred by MOEX Group as a result of a lack of alignment between HR policy and business objectives, as well as the significant loss of key personnel or expertise

  • Review of the parameters of the long-term incentive programme for key management of the Group
  • Management of the performance evaluation system and review of the compensation structure
  • Revision of the ratio between components of remuneration
  • Employee engagement surveys
  • Annual planned training programme for mid-level managers
  • Succession planning
  • Cross-functional internship programme
  • Internal coaching programme
  • Talent management programme to identify high-potential employees and facilitate their individual development

Climate risks

[TCFD]

High

Risks of financial losses as a result of reduced demand for listing services and a decrease of investment prospects for issuers in a number of industries; physical damage or loss of property, as well as malfunctions in equipment and in the availability of services to clients; additional expenditures due to regulatory changes and the need to introduce new technologies, which may adversely affect the revenue and reputations of Group companies

  • Technological, informational, and organisational solutions for the protection of equipment and data
  • Diversification of financial risk hedging instruments
  • Introduction of ESG requirements in listing rules for issuers
  • Development and implementation of a greenhouse gas emissions accounting system by the Group’s organisations

See the Climate Agenda subsection for more information on climate risk management

Internal audit and internal control

Moscow Exchange’s risk management system is based on the COSO principles and is structured on the ‘three lines of defence’ model, which stipulates that risk management and internal control responsibilities be distributed among management bodies, business units responsible for control and coordination, and the internal audit function. The Group continues to improve its internal control system to maintain a high level of performance.

COSO Internal Control System

Line of defence

Responsibility

Units

First line of defence

Identifying, assessing, and managing risks and developing and implementing policies and procedures governing business processes

  • All holders of business functions and employees of the operating units of Moscow Exchange

Second line of defence

Ongoing risk monitoring and risk management by units as part of their functions

Infrastructure resilience issues include:

  • Information security
  • Compliance with legislation and internal documents
  • Prevention of corruption and unlawful and fraudulent activities
  • Prevention of improper use of inside information and/or market manipulation
  • Prevention of conflicts of interest
  • Operational Risk, Informational Security, and Business Continuity Department
  • Internal Control and Compliance Department
  • Internal Control Service
  • Security Department
  • Legal Department
  • Individual employees and business units of the Finance division

Third line of defence

Overseeing the efficiency of business activities, the management of assets and liabilities, and the effectiveness of the risk management system

  • Internal Audit Service
  • Management Bodies of Moscow Exchange

Compliance with international standards

3-3

The Group conducts an annual audit of its compliance with the CPMI-IOSCO Principles for Financial Market Infrastructures, the COSO Enterprise Risk Management Framework, and the Basel Committee on Banking Supervision risk management guidelines.

In 2020, NCC successfully underwent an operational audit to verify its compliance with the requirements of the Bank of Russia. The audit covered the following components: management of risks of the central counterparty, assessment of the accuracy of the central counterparty model, stress-testing of risks of the central counterparty, determination of the allocated capital of the central counterparty, and recovery of financial stability of the central counterparty. Operational audits are conducted every two years. The most recent audit was conducted in March 2022.

The NCC also underwent a certification audit in accordance with ISO 9001 Quality management systems in 2022.

Distribution of risk management responsibilities

Management bodies

  • Approval of core risk management principles and approaches
  • Control and oversight of the risk management system
  • Key decisions to manage the most significant risks

Risk management and internal control services

  • Monitoring of risk management processes and reporting to management bodies
  • Compliance with standards and requirements
  • Improvement of the internal control and risk management systems
  • Risk assessment
  • Development and implementation of risk management measures
  • Development and improvement of internal policies and procedures

Business and operational units

  • Risk identification
  • Risk assessment

The Group’s companies have developed risk and capital management strategies. As part of its risk management strategy, Moscow Exchange Group reviews its risk appetite and risk tolerance annually in the context of the Group’s strategic objectives.

Disclosure

Information policy

3-3

As a market operator, Moscow Exchange applies a transparent investor- and bidder-oriented information policy regarding its activities. This ensures that stakeholders can exercise their rights to reliable information to the fullest possible extent. As per the information policy, the purpose of disclosing information about Moscow Exchange as an issuer of securities is to reach all stakeholders so that they can make balanced decisions on holding Moscow Exchange equity or performing other actions.

Moscow Exchange complies with the following principles of disclosure regarding its activities:
  • regularity and promptness of reporting
  • accessibility to stakeholders and reliability and completeness of disclosures
  • neutrality, namely the avoidance of prioritising certain groups of recipients over others
  • accountability for information disclosure

Moscow Exchange does not evade the disclosure of adverse information if such information is material to shareholders or other stakeholders.

Disclosure at the request of government agencies

Moscow Exchange Group is obliged under Russian law to disclose information on market participants (issuers and bidders) to competent government agencies, including law enforcement agencies, for the prevention or investigation of potentially unlawful activities. Such disclosures may cover insider trading, market manipulation (Federal Law No. 224), or money laundering (Federal Law No. 115).

Information security

3-3 FN-EX-550a.3

Information security (IS) entails the protection of information and the equipment used to process it from accidental or deliberate interference, whether natural or artificial.

The main goal of ensuring IS is to appropriately protect the business processes and to minimise IS risks when organising trading and clearing services or when providing services on the Equity, Derivatives, Foreign Exchange, and Money Markets. This goal is achieved by ensuring and continuously maintaining the confidentiality, integrity, and accessibility of the Company’s protected information assets.

Key documents:

Responsible bodies:
  • Operating Risk, Information Security, and Business Continuity Department
  • Technical Policy Committee

Moscow Exchange has implemented an information security management system that meets the requirements of Russian law and complies with ISO 27001. Organisational and technical activities are continuously conducted to ensure information security and to manage IT infrastructure and information security incidents. The Security Operations Centre is responsible for monitoring and responding to information security incidents. The Group regularly conducts information security audits, intrusion tests, and anti-phishing tests to manage risks. Moscow Exchange uses its own equipment or that of a provider to protect against malicious attacks.

Market access and customer experience

FN-EX-550a.3

Moscow Exchange offers its clients information and technology services that provide real-time market data and information on indices and the results of trading.

It works to increase the appeal of its services in organising trade on the commodity and financial markets to investors and issuers.

Key documents:

Responsible departments:
  • Customer Service Department
  • Customer Support Department
  • Technical Access Department
Moscow Exchange’s technology infrastructure provides market participants with a safe and reliable environment that supports uninterrupted trading, clearing, and settlement operations. Reliability is ensured by the following factors:
  • high-quality risk management;
  • well-capitalised central counterparty and settlement infrastructure;
  • high standards of listing and information disclosure by issuers.
Moscow Exchange spares no efforts in ensuring convenience for its customers:
  • develops new products, services, and methods of trading;
  • extends trading hours;
  • implements new technologies for access to trading and market data;
  • strengthens cooperation with other markets and exchanges.

To continue developing Moscow Exchange as a trusted market participant, the Group has set the following objectives.

Category

Key objectives

Provision of additional world-class exchange services beyond traditional exchange products

Offer a wider range of exchange products and services beyond those currently available on traditional exchange markets (stocks, bonds, and derivatives)

Creation of uniform infrastructure for the entire Russian market, including traditional over-the-counter segments, based on a single set of post-trading services with integrated settlement, collateral, and risk management systems

Continue to enhance access for market participants and their customers to global OTC markets, offer better prices thanks to the exchange infrastructure, and further expand new tailored mechanisms for liquidity takers/makers that are recognised globally among OTC FX platforms

Development of central counterparty and central depository institutions

  • Ensure the operational reliability of depositary and clearing services
  • Modernise equity accounting infrastructure: consolidation of records, collateral management, and segregated record keeping
  • Maintain the high share of central counterparty repo transactions in the total volume of inter-dealer repo
  • Develop a market for standardised derivative financial instruments with centralised clearing and make it easier for market participants to sign long-term derivatives contracts

Reliability and efficiency of processes

  • Ensure the uninterrupted operation of trading and information systems and promptly respond to potential disruptions
  • Implement measures to mitigate dependence on services provided by foreign vendors to better manage sanctions-related technological risk and account for macro-political factors

Creation of new services for individuals and corporate clients

  • Develop the Finuslugi.ru personal finance platform for retail investors, a one-stop shop for all financial products and services offered on the market
  • Develop a single marketplace interface for corporate clients, including a wide range of treasury services (asset and liability management) and division of services by trading, clearing, and settlement