Assessing and Managing Risk

The Group has developed a system for identifying risks, with a focus on risk management and mitigation to protect the Ferrexpo business. Risk management is a process overseen by the Ferrexpo Board of Directors.

Approach

The Group’s risk management processes provide a framework to support the identification, prioritisation and management of both emerging and principal risks involved in the Group’s activities. It is not, and cannot be, designed to eliminate risk, particularly in an emerging market economy. Ferrexpo’s risk management policies and procedures have been established to identify and analyse the risks faced by the Group, to set appropriate limits and controls and take relevant mitigating actions where considered by the Board of Ferrexpo and its executive management to be beneficial.

Risk assessment

The Group’s risk matrix is regularly reviewed and monitored by the Executive Committee and its sub-committee, the Finance, Risk Management and Compliance Committee (“FRMCC”), as well as the Audit Committee and the Board. This review process includes ensuring that any new risks are identified, their potential impact on the Group assessed and appropriate controls established. The risks identified are ranked based on the potential impact and the probability of occurrence in order to assess their impact on the Group’s operation and viability. The impact and the probability are assessed on a regular basis based on latest developments in the Group’s macro and micro environment. This includes assessing whether any emerging risks may have become principal risks. Ferrexpo considers an emerging risk to be newly developing or changing risks that are difficult to quantify. It is the responsibility of the Group’s Executive Committee to define appropriate actions to adequately monitor those risks and establish an effective control environment. The controls are generally conducted by the Group’s internal audit function or members of the Executive Committee and updates are provided to the Executive Committee and the Board.

Risk governance

The Board of Ferrexpo is ultimately responsible for defining the Group’s attitude to risk and ensuring that appropriate systems of risk management and internal controls are established and embedded across the Group, in conformity with its desired risk management culture. Its responsibility extends to ensuring that the emerging and principal risks faced by the Group are robustly assessed and that the Group’s exposure to such risks is aligned with its strategic objectives. The Audit Committee assists the Board in its regular monitoring of risk exposures and the Group’s risk matrix, and is responsible for evaluating the adequacy and effectiveness of the established risk management and internal control systems. It also oversees how management monitors compliance with risk management policies and procedures, with assistance from the Group internal audit function which conducts ad hoc reviews of risk management controls and procedures as part of its annual programme of work.

The FRMCC oversees the centralised financial risk management structures and monitors compliance risks, while the HSEC Committee monitors safety, environment and community risks. These two committees assist the Audit Committee and Board in the identification and analysis of both emerging and principal risks. Assurance on the internal control and risk management systems is provided in the form of management information, reports and updates from the Group internal audit function, external audits and oversight by the Executive Committee, Audit Committee and Board.