Risks are a normal part of doing business, but they can adversely and materially impact legal compliance, trading competitiveness, profitability and liquidity. To manage risks, the Management Board of X5, supported by the Executive Board and the Risk Management Team, is responsible for designing, implementing and operating an adequately functioning risk management system, which needs to be capable of identifying, assessing and monitoring the principal risks that may affect the Company’s objectives.
Risk management and internal control
The Management Board of X5, supported by the Executive Board, continued in 2018 to pay special attention to strengthening the design and effectiveness of the risk management and internal control system:
Strengthen the design. Significant progress has been made in applying risk models to be able to better quantify risk. Efforts in this area will continue in 2019 to apply a cost-benefit analysis of risk mitigation activities in the financial budgeting and risk monitoring processes; and
Increase effectiveness. The reporting lines of the Compliance, Internal Control and Risk Assessment Teams were changed in 2018. In the revised structure, the Risk Assessment Team and Internal Control Team now report to the Chief Financial Officer, the Compliance Team reports to the General Counsel, and the Forensic Team reports to the Head of Corporate Security.
To constantly strengthen the risk management system:
a comprehensive review of both internal and external risks is carried out at least annually;
risk appetite is reviewed and reconfirmed;
annual quantitative risk impact assessments complement a qualitative risk appetite;
risks of X5’s strategic and short-term objectives are assessed;
risk-mitigating activities are put in place.
Management teams at all levels of the organisation are continuously engaged in identifying, managing and monitoring relevant risks. The Risk Assessment Team, supported by the Internal Control Team, facilitates a company-wide view of risk-relevant issues, helps develop risk management activities in both business and functional divisions and ensures that the Management Board is continuously and promptly informed of material risk and risk management developments.
During the annual strategy review and budgeting process, Company management reassesses Company risks and develops action plans to mitigate risks and allocate appropriate resources for risk mitigation. The results of risk mitigation actions are regularly monitored and reported on a quarterly basis to the Audit Committee. X5 is committed to mitigating its risks to within acceptable levels.
To ensure the effectiveness and completeness of the Company’s internal control system, X5 employs a three-tier model to establish and maintain control:
The first tier of control requires each business unit to establish, operate and monitor the necessary controls for each of their specific business processes.
The second tier of control oversees the development and improvement in first-tier controls as the business evolves. This work is co-ordinated by the Risk Assessment and Internal Control Teams across various central functions that design and develop changes to X5’s internal control system.
The third tier of control is the Internal Audit function. The role of Internal Audit is to regularly assess, and recommend improvements to, the Company’s first and second control tiers. Internal Audit reports directly to the Management Board and has direct access to the Audit Committee.
Ethics and compliance culture
Values and business principles are crucial elements of the internal environment for risk management. X5 is committed to practices that contribute to a culture of integrity and long-term value creation. X5 has established and internally communicated rules and policies that outline these values and principles, including X5’s:
Code of Conduct and Ethics
Policy on Countering Misconduct, Including Fraud and Corruption
Declaration on Human Rights
These policies are available on X5’s public website .
Monitoring and assurance
Internal Audit provides independent and objective assurance of the impact of X5’s control processes. Systematic and disciplined evaluations of risk management, internal controls and governance activities are performed, guided by X5’s Controls Heat Map, which assesses the latest recorded strength of each function or process’s controls. Following a risk-based audit planning approach, Internal Audit performs evaluations of operational, financial and information system controls on key business processes that reveal control issues. Internal Audit provides recommendations to improve controls to the executives responsible. Action plans that address control issues raised by Internal Audit are prepared by business process owners and approved by the director of the business area owning that control. The timely implementation of the action plans is monitored and followed up on a monthly basis, and the status of address ing these control issues is regularly reported and discussed with the CEO and the Audit Committee.
Internal Audit is periodically subject to independent and external evaluation to maintain and improve audit standards. In 2018, Internal Audit identified two areas for development:
a more agile approach to audit projects (allowing for a wider scope but shorter duration of audit projects);
enhanced auditing of controls in the area of IT, IT infrastructure and data security.
The Company’s principal risks
Market and our customer value propositions (CVP)
If the customer value propositions of X5’s retail formats fail to meet customer needs and preferences, this can lead to low sales densities, slower revenue growth, lower profits and returns. The risk can be caused by:
Failure to promptly respond to changes in customer preferences or behaviour patterns and lifestyle
Failure to promptly respond to new business models, services and technologies used by competitors in retail and related markets
Failure to properly understand local consumption and regional economic potential
Over-investment in unproven retail formats and new business streams
Minimal to Cautious
Constantly monitor retail and consumer trends in Russia and internationally to spot changes in behaviours and needs
Regularly monitor trends in operating performance indicators and Net Promoter Scores
Continually invest in improving the format CVPs while at the same time improving operating cost-efficiencies
Revise the target CVP on an annual basis and embed business improvement plans into the heart of the annual operating plan reviewed by the Supervisory Board
Explore, test and roll out new retail technologies and expand range in emerging category areas
Major changes in the economic environment may challenge the existing business strategy, have a material impact on financial performance and lead to a competitive disadvantage. Such changes include:
A sharp drop in consumer demand (structural changes and shrinking consumer demand in money and absolute terms), depending on real income, consumer confidence and the unemployment level
Social and demographic developments
Excessively low or high product inflation
Unexpected decline in national or regional economic activity leading to suppressed growth, higher unemployment and lower personal incomes
Political events with a negative impact on trade practices or consumer demand
Cautious to Open
Rely on a multi-format model that enables the Company to respond to changes in customer demand and meet the needs of customers with various lifestyles and income levels (all groups of customers in Russia)
Monitor the economic environment, manage the product mix and pricing policy and identify geographies for further expansion based on local customer demand
Develop direct imports, partner with direct suppliers and develop private labels to drive expansion of the product mix and bring purchase prices down
Work to ensure the robust growth of retail formats in regions that demonstrate the strongest potential
The principal risks that may impede the achievement of X5’s objectives with respect to strategy, operations, compliance and reporting matters are described below. It should be noted that there are additional risks that management believes are less material or otherwise common to most companies.
The operational efficiency of the logistics network, stores and back office units determine the operating performance of existing and new stores and the Company’s overall profit margins.
Operating activities are subject to the following risks:
Operational disruptions and delays in implementing the CVP
Lower productivity of the logistics network
Lower efficiency of inventory management at the DCs and stores (reduced availability of goods, increase in inventories and write-offs)
Lower productivity in stores resulting in either staff cost overspends or poor operating standards
Lower productivity in the back office resulting in higher operating costs or reduced service standards
Minimal to Cautious
Gross Profit, Operation Cost
Ensure an optimal level of management on key business processes
Ongoing management of the product mix across the retail formats
Develop the logistics capability in line with expansion strategy and closely manage supply chains within the existing logistics network
Improve and automate processes in the back office, DCs and stores
Monitor the operating performance of stores and DCs based on defined KPIs and performance standards
Monitor the operations of national and regional competitors on an ongoing basis and ensure a prompt and appropriate response
The Company’s operating model and scale of business depends on the capabilities and reliability of its IT systems. The inability to harness IT to improve productivity can limit expansion and decrease profitability.
IT management is subject to the following risks:
Failure to match IT capabilities, scalability and reliability in relation to business requirements
Disruptions of business continuity due to IT failures
Minimal to Cautious
Revenue Operation Cost
Ensure the IT development roadmap is integrated within the overall business operating plan
Employ a mix of external and internal expertise to ensure an agile response to business opportunities
Ensure IT change projects are sponsored by business owners and professionally managed to keep within scope and budget
Ensure good governance of IT architecture and the integration of IT systems
Ensure sufficiently close monitoring and speedy fault rectification of IT infrastructure
Implement policies and procedures to ensure cybersecurity protection is maximised
As X5’s success depends to a significant extent on brand recognition, the brand names Pyaterochka, Perekrestok, Karusel and X5 and their associated reputations are key long-term assets of X5’s business.
As a market leader, X5 is fully aware of its social responsibility and is committed to managing social aspects involved in its operations, thus building a foundation for sustainable development. In terms of reputation and social responsibility, the following risks can arise:
Unethical conduct, unscrupulous practices by X5 management and employees in their relations with customers, counterparties, government authorities, non-profit associations, investors and other stakeholders
A mismatch between the Company’s social responsibility standards and the expectations of communities, market players and stakeholders based on X5’s role, scale of business and growth potential
Abuse by third parties using X5’s trademarks and brands
Misleading information about X5 in social and mass media that may damage the reputation of the Company and its retail formats
Leakage of critical (sensitive) information onto the Internet or to competitors
Averse to Minimal
Use X5’s Code of Business Conduct and Ethics; X5’s Policy on Countering Misconduct, Including Fraud and Corruption; X5’s Charity Policy
Raise awareness, train employees and develop the corporate culture to make sure unethical behaviour is seen as unacceptable and that there is zero tolerance for any fraudulent activities
Use the X5 Retail Group Code of Interaction with Business Partners, review complaints filed by counterparties and engage the Conciliation Commission to look into any incidents that take place
Take disciplinary action in cases of unethical behaviour
Record, arrange and process reports received from the Company’s employees via the hotline
Use the Customer Service Standards and the hotline for customers, and work with reports and complaints
Engage in external and in-house social and charity projects
In emergencies, use dedicated channels of communication and rely on the Crisis Response Team to mitigate financial and non-financial damage to X5
Ensure accessibility for special-needs customers and employees
While most human rights laws concern relationships between the state and individuals, non-state organisations also impact individuals’ human rights, and they have a responsibility to respect them.
In its operations, X5 addresses the following human rights violations:
Discrimination against employees, customers and representatives of the Company’s partners on the grounds of age, gender, sexual orientation, social status, nationality or ethnicity, cultural or political beliefs, etc.
Unethical employee behaviour in violation of human rights (e.g., forced or unpaid labour, workplace bullying, harassment, use of offensive language or humiliation)
X5’s involvement in human rights violations by third parties
Averse to Minimal
X5’s Declaration on Human Rights (available on the Company’s website)
Use the X5 Code of Business Conduct and Ethics, provide training to employees and develop the corporate culture
Use the Internal Labour Rules and the Compensation and Benefits Policy and communicate them to employees
Receive complaints from the Company’s employees via the hotline and investigate and take necessary disciplinary actions
Improve the Company’s business processes to eliminate the root causes of complaints received through the hotline
Use the Customer Service Standards and the hotline for customers, and investigate and remedy complaints
Ensure accessibility for special-needs customers and employees
The health and safety of our employees and customers is our primary responsibility. Injuries or fatalities would have a negative impact on the trust and loyalty of our customers and X5’s business reputation.
The Company addresses the following risks:
Accidents causing injuries, including fatal injuries, to employees or individuals at X5 facilities and in adjacent areas
Injuries to employees due to an unsafe and uncomfortable working environment
Failure to provide the necessary first aid on a timely basis
Averse to Minimal
Provide a safe working environment (premises, equipment, uniforms) at the Company’s offices, DCs and stores, and carry out regular workplace assessments
Ensure compliance with employees’ working hours and holiday schedule (work and rest schedule)
Provide employees with life and health insurance programmes and seasonal vaccinations
Arrange regular medical examinations for employees and health screening assessments to confirm that they are fit to work
Product safety and quality are important criteria for our customers. Products of poor quality and with little shelf life remaining can lead to high wastage and potentially damaged customer relationships.
This risk may be triggered by:
Selling products that fail to meet safety standards and representations about quality
Violations of operational process rules that may lead to spoilage and contamination
Accepting from suppliers products that fail to meet safety standards, representations about quality or that have insufficient shelf life
Averse to Minimal
Audit suppliers by carrying out laboratory tests of product samples before adding the products to the assortment. Remove suppliers from our assortment who fail to meet our standards
Ensure inspection of incoming products at DCs and stores
Comply with all rules for product transportation, storage and sale
Comply with sanitation and personal-hygiene rules
Provide training for employees on quality assurance
Handle complaints and requests from customers and investigate root causes
X5’s activities are governed by a wide range of laws and regulations. By complying with these, the Company maintains its reputation and manages operating expenses. Unfavourable legislative developments may affect X5’s strategy and margins. Contractual terms that are unfavourable for X5, failure of counterparties to fulfil their obligations and court action against X5 due to contract violations may have a negative impact on the Company’s performance and reputation.
Risks related to legislation and protection of X5’s interests can include:
Non-compliance with applicable laws, including failure to change or adjust the Company’s activities on a timely basis in line with new developments
Unfavourable changes in retail laws (e.g., market share limitation, sales restrictions introduced for certain types of products) and obsolete requirements
Unfavourable changes in legislation that result in higher operating expenses for the Company
Risk of legal action against X5 initiated by regulators and counterparties
Counterparties taking advantage of laws and contractual provisions that fail to properly protect X5’s interests
Issues related to violations of data protection compliance
Averse to Minimal
Interaction with government agencies as prescribed by applicable laws, participation in public organisations, representation of interests
Monitoring of draft laws, timely initiation of internal projects to alter and adjust X5’s activities to legislative developments
Implementation of X5’s Compliance Policy
Assessment of compliance risks, rollout and improvement of compliance procedures to integrate them into the Company’s processes, consistent efforts to identify violations and non-compliance with laws, and disciplinary action
Personnel training to ensure compliance with laws
Legal support, auditof contracts, development and use of contract templates
Fraud and corruption
Like many other industries, the retail sector is exposed to risks of fraud and corruption. The scale of X5’s activities and the diversity of its business operations can result in fraud risks and potential for corruption.
These risks include:
Theft, fraud, acts of corruption and abuse on the part of X5 employees
Hidden conflicts of interest
Fraud, commercial bribery and theft by third parties (customers, counterparties)
Averse to Minimal
Use the Code of Business Conduct and Ethics and X5’s Policy on Countering Misconduct, Including Fraud and Corruption
Promote among employers zero tolerance of abuse, and provide personnel training and information about our codes and policies
Implement segregation of duties of sensitive roles to reduce risk, and closely manage access rights to our systems
Conduct background checks on counterparties and employees
Identify abuses, fraud and theft by internal departments (Security, Audit, Finance and IT). Carry out internal checks, take disciplinary action, initiate administrative or criminal proceedings againstemployees, counterparties or customers
Record, arrange and process reports received from the Company’semployeesvia the hotline, from counterparties in the Conciliation Commission and from the Security Department
Require declaration of conflicts of interest for allemployees
Compliance with taxation regulations is often complex, open to differing interpretations and depends on the Company’s risk appetite.
Tax risks may be related to:
Unfavourable changes in tax calculation rules, introduction of new taxes and fees
Federal and regional authorities interpreting tax laws in a way that is adverse for X5
Developments in case law involving tax disputes
Attempts to challenge previous transactions and amounts of associated tax payments
Averse to Minimal
See Financial Statements
Monitoring of taxation-related legislative initiatives and case law, changes to business processes
Tax planning with preliminary reviews and advisory sessions
Tax risk assessment before executing transactions and signing contracts
Tax budgeting, provisioning for tax risks
Tax control during transactions
Reliability of financial reports
The reliability and completeness of financial reports is a critical element when it comes to maintaining the trust of shareholders and other stakeholders.
The integrity of financial reporting is exposed to the following risks:
Non-compliance with statutory requirements on financial reporting
Misrepresentation of management accounts and financial statements
Ambiguity of management accounts and financial statements
Disclosure levels not in line with shareholder, lender or market expectations
Averse to Minimal
Annual audit by professional external auditors
Monitoring and prompt adoption of legislative initiatives regarding financial statements and changes in reporting methodologies
Management controls over the methodologies adopted and consistent application in preparing management reporting
Internal controls for the preparation of financial statements
Internal audit to assess the effectiveness of the internal controls used for the preparation of financial statements
Expected risk tendency
For the designated risk groups, X5 analysed the actual risk impact in 2018 and made predictions about the expected future impact, taking external conditions and trends into consideration.
Statement of the Management Board
The Management Board reviewed and analysed the strategic, operational, compliance and reporting risks to which the Company was exposed, as well as the effectiveness of the Company’s internal risk management and control systems over the course of 2018. The outcome of this review and analysis has been shared with the Audit Committee and the Supervisory Board and has been discussed with X5’s external auditors.
The Management Board reviewed the effectiveness of X5’s internal risk management and control systems based on:
internal audit reports on reviews performed throughout the year; observations and measures to address issues were discussed with management and the Audit Committee;
a systematic review of scoping, control execution and control assessments in the context of an internal control strategy for 2017-2020;
periodic risk reports reported by the management of corporate functions and the three main business segments (retail formats);
ongoing monitoring of key risk management initiatives aimed at mitigating risks and keeping risks at an acceptable level;
the external auditor’s ongoing reflections on the control framework, and the management letter from the external auditor with observations and remarks regarding internal controls.
For more information on X5’s risk management activities, internal control, risk management systems and key risks, see the section “How we manage risk” above. The purpose of X5’s internal risk management and control systems is to adequately and effectively manage the significant risks to which the Company is exposed. Such systems can never provide absolute assurance as to the realisation of operational and strategic business objectives, nor can they prevent all misstatements, inaccuracies, errors, fraud and non-compliance with legislation, rules and regulations. These systems do not provide certainty that the Company will achieve its objectives. Based on the annual evaluation and discussion of X5’s internal control and risk management systems and identified risk factors, the Management Board confirms that, according to the current state of affairs and to the best of its knowledge:
X5’s internal risk management and control systems provide reasonable assurance that the Company’s financial reporting does not contain any material inaccuracies;
there have been no material failings in the effectiveness of X5’s internal risk management and control systems;
there are no material risks or uncertainties that could reasonably be expected to have a material adverse effect on the continuity of X5’s operations in the coming 12 months;
based on the current state of affairs, it is appropriate that the financial reporting is prepared on a going concern basis (notes 30 (c) and 32 to the consolidated financial statements).
In view of all of the above, the Management Board confirms that, to the best of its knowledge, the financial statements give a true and fair view of the assets, liabilities, financial position and profit or loss of the Company and its consolidated subsidiaries, and the management report includes a fair review of the position on the balance sheet date and of the development and performance of the business during the financial year together with a description of the principal risks and uncertainties that the Company faces.