RISK MANAGEMENT

KEY RISKS

Moscow Exchange Group has built an integrated risk management system, however each of the Group company faces its own inherent risks associated with the specific field of its activities. Thus, Moscow Exchange, being the parent company of the Group, assumes the risks of a market operator, risks related to operations in its assets as well as risks of a financial platform operator.

That said, the Group’s principal risk taker is none other than Non-banking credit institution - Central Counterparty National Clearing Centre (short name “CCP NCC”) on the grounds that it operates as clearing house, a central counterparty for all main markets of Moscow Exchange Group, and an operator of deliveries in the Commodities Market.

The Group’s comprehensive risk management system extends to the NSD, the infrastructure powerhouse of the Russian financial market, whose priorities lie in the reliable operation and stable development of the following key areas:
  • Central securities depository;
  • Settlement and clearing system;
  • Trade repository;
  • Tripartite services;
  • Corporate actions center.

SYSTEM FOR MANAGING RISKS TO THE CURRENT STRATEGY

The principles and approaches employed by the Group in installing and operating the risk management system (RMS) are based on best international practices implemented in compliance with national and international risk and capital management standards. The Group holds an annual audit of its compliance with the CPMI-IOSCO Principles for Financial Market Infrastructures, the COSO Enterprise Risk Management Framework, and the guidelines of the Basel Committee on Banking Supervision on procedures to be employed by credit institutions in the sphere of risk and capital management.

In 2021, the Exchange was reaffirmed under the ISO/IEC27001:2013 (Information Security Management Systems) and ISO 22301:2012 (Business Continuity Management Systems) certification covering the organization of on-exchange trading, clearing and other services on the Equity and Bond, Derivatives, FX and Money Markets. This certification ensures that the Ex-change and NCC fully meet over 100 technical and administrative requirements in the area of information security and business continuity.

In 2021, Moscow Exchange renewed insurance contracts covering Electronic and Computer Crime and Personal Indemnity to mitigate operational and information security risks.

The integration of risk management functionality in business processes makes it possible to identify risks and assess their materiality in a timely manner, and to ensure an efficient response by mitigating potential adverse effects and/or by reducing the probability that they will materialize. Tools for mitigation include insurance, hedging, limit requirements and transaction collateral requirements.

The Group’s Risk Management System operates on the principles of comprehensive coverage, continuity, transparency, independent assessment, paper trail, prudence and materiality:

Comprehensive Coverage is premised on identifying risk factors and risk objects, determining risk appetite based on a comprehensive analysis of existing and proposed business processes (products), implementing universal RMS working procedures and elements, consistently applying methodological approaches in resolving similar risk assessment and risk management tasks, and assessing and managing key operational risks in close connection with the non-key operational RMS.

Continuity is premised on regular, coherent, target-driven procedures, such as assessment of existing risks, including monitoring risk parameters, review of key RMS parameters and how they are determined, including limits and other restrictions in respect of clearing members’ transactions, analyzing RMS technologies and operational rules, holding stress tests and preparing reports for management.

Transparency is manifested in providing relevant information regarding the RMS to clearing members / counterparties. Clearing members, including potential members, have access to methodological documents describing the RMS, including approaches to risk assessment, as well as to key aspects of the procedures employed in monitoring their financial stability. At the same time, the assessment results of a specific clearing member or counterparty, as represented in the form of internal ratings, or limits, as well as other restrictions established in respect of treasury or administrative operations, are never made public and are never subject to disclosure.

Independent Assessment means that a comprehensive assessment and review of each risk is undertaken by separate divisions / employees who are independent from the divisions responsible for taking on risks or counterparties. These divisions / employees cannot be charged with any responsibilities that may give rise to a conflict of interest.

Paper Trail means that RMS guidelines, procedures and rules are negotiated with the divisions involved in risk assessment and management procedures, and approved by the relevant governing bodies.

Prudence suggests that the Group bases its decision-making on a prudent combination of RMS reliability and profitability in choosing methods of risk assessment and management, and in deter-mining the acceptable level of risk (risk appetite).

Materiality means that, in implementing various RMS elements, the Group is guided by the relationship between the costs that implementation of risk analysis, control and management mechanisms will require, and the potential outcome of such implementation, as well as the costs of the development and implementation of products, services or tools carrying the relevant exposure.

As part of the risk management strategy, and with a view to achieving strategic objectives, in 2021, companies of the Group revised the risk appetite of the Moscow Exchange Group set by the Supervisory Board of Moscow Exchange in 2020. The Group’s risk appetite is designed to help the Supervisory Board of Moscow Exchange, as the Group’s parent company, manage the Group’s overall risk level taking into account all intragroup effects and to set a target risk/return ratio for the Group.

The Group’s risk appetite is set in relation to risks recognised as significant at the Group level, and inherent to all Group companies and equally measurable. The risk appetite of each company within the Group consists of a decomposed part of the Group’s risk appetite and individual indicators reflecting the specific risks of a particular company.

These priority areas serve as the basis for calculating threshold values for specific target indicators. Compliance with these indicators is regularly reviewed and communicated to the Supervisory Board.

RISK MAP

The risk map is based on an annual risk identification procedure.

Financial risks

Risk

Description

Actions

Credit risk

(incl. CCP risk and concentration risk)

The risk of possible losses caused by failure of a Group’s counterparty to perform or properly perform its obligations to it.

The Group controls credit risk by employing the following procedures:
  • establishing single or group counterparty limits, subject to a comprehensive assessment of their financial position, the analysis of the macroeconomic environment they are operating in, the level of their information transparency, business reputation, as well as other financial and non-financial factors;
  • using an internal rating system providing a weighted assessment of the counterparty’s financial position, and the level of the credit risk assumed in its respect;
  • controlling the credit risk concentration in accordance with the current regulatory requirements;
  • establishing strict requirements for the types and quality of the acceptable collateral, including liquid securities, as well as cash in Russian rubles and in foreign currency.

In order to reduce the credit risk associated with the CCP’s operations, the Group has implemented a multi-level safeguard structure triggered upon a clearing member’s failure to perform or properly perform its obligations, in compliance with regulatory requirements and strict international standards.

Market risk

Market risk may emerge from a defaulting clearing member’s need to close major positions / sell collateral, which in case of low market liquidity may adversely affect the price at which such position will be closed, or the collateral can be sold.

The market risk management upon investing idle cash is aimed primarily to improve the risk/profitability correlation, and to minimize any losses should any adverse events occur. With this view the Group:
  • diversifies its securities portfolio (by maturity, issuer’s industry profile);
  • sets up maximum expiration periods for investments in securities;
  • sets up maximum volumes of investment in securities (by the total volume, by types of investments, and issuers);
  • classifies debt obligations and securities by risk groups;
  • establishes provisions for potential losses under securities should they be not marked to market.
The market risk emerging as part of trading or clearing operations, is primarily managed by:
  • identifying, monitoring, and timely reviewing risk parameters, taking into account regular stress test results;
  • establishing individual collateral rates taking into account concentration limits, profiles of the instruments traded at each of the markets, and possible volatility change scenarios;
  • back testing collateral rates and controlling collateral adequacy.
In managing the market risk emerging as part of trading or clearing operations, the Group:
  • devises mechanisms permitting to close positions of defaulting clearing members within two trading days;
  • sets discounts for the assets accepted as collateral, with the view to covering possible changes in their values in the period from their most recent re-evaluation until the time of their sale;
  • sets concentration limits that define clearing member’s position volume, upon reaching which the underlying collateral is subject to heightened requirements;
  • evaluates clearing members’ collateral adequacy subject to market liquidity;
  • develops procedures for resolving a situation, when a terminated obligation of a clearing member is secured by property other than the subject of the underling obligation;
  • maintains a system of additional financial collateral meant to cover losses not secured by clearing member’s clearing or any other collateral.

Liquidity risk

Risk of potential losses following an adverse change in the value of the instruments comprising the bank book, caused by changes in interest and/or yield rates.

The liquidity management system includes the following elements:
  • distribution of powers in managing liquidity;
  • specific liquidity management and control procedures;
  • information system to accumulate and review liquidity-related information;
  • a set of guidelines, performance indicators, and plans of initiatives designed to ensure efficient liquidity management and control;
  • internal management accounts underlying any decision adopted with respect to the liquidity efficient control and management.

Bank book interest risk

Risk of potential losses following an adverse change in the value of the instruments comprising the bank book, caused by changes in interest and/or yield rates.

In order to measure the impact of the interest risk over the fair value of financial instruments, the Group holds regular assessment of potential losses, which may be caused by negative change of the market terms. The risk management division regularly monitors the financials of the Group and its principal members, assesses the sensitivity of the market value of the investment portfolio and of the proceeds to the interest risk.

Non-financial risks

Risk

Description

Actions

Operational risk

Risk of potential losses caused by inconsistency of internal operational procedures to the nature and scope of the business, and/or statutory requirements, their nonobservance by employees, lack of functionality, inadequacy of information, technological and other systems and/ or their failure, as well as by external events.

The principal operational risk management (mitigation) methods include:
  • development of organizational structure, internal operational rules and regulations, distribution of powers, approval (negotiation) and reporting of undertaken operations, all of which will assist in avoiding (minimizing) the probability of operational risk factors;
  • development of control measures following the analysis of statistical data undertaken with the view to identifying typical operational risks on the basis of recurrent events;
  • monitoring compliance with the adopted rules and procedures;
  • technological automation of undertaken operations, and development of information protection systems;
  • insurance, including both traditional property and personal insurance (insuring buildings, other property against destruction, damage, loss caused by a natural disaster and other accidents, as well as by actions of third parties or employees; insuring employees against accidents and personal injuries), as well as insurance of specific professional risks, both on a comprehensive basis and against separate types of risks;
  • development of the system of business continuity measures to apply in the operational cycle, including emergency plans (business continuity and/or disaster recovery plans).

Continuity risk

Risk of discontinued critical services.

With the view to ensuring normal operations in emergency situations:
  • the Group has put together a reserve complex including reserve office and firmware capabilities located at a safe distance from the principal office;
  • the Group has developed business continuity and disaster recovery plans (BCDR Plans) that define critical business processes, priority actions in an emergency situation, timing and volumes of recovery operations, and business processes to enjoy priority recovery, as well as mandatory steps to be taken after the emergency situation subsides.

Legal risk

Risk of losses caused by breach of contractual obligations, litigations, criminal and administrative liability of Group members and/or their governing bodies acting in their official capacity.

Legal risk management procedures include:
  • regular monitoring of laws, and verification of internal procedures as to their compliance with actual regulations;
  • establishing quantitative and volume restrictions for claims, and controlling compliance with the established restrictions;
  • analyzing the legal basis for new products and services;
  • updating internal regulations with the view to avoiding fines.

Losses associated with legal risks shall be reflected in the operational risk database.

Custody risk

Risk of loss of Group’s assets posted on it as collateral caused an action or omission of a counterparty responsible for safe custody and recordkeeping of the asset.

The custody risk is estimated within the credit risk as the custody risk occurrence may cause the credit risk event; and the custody risk is managed as part of the operational risk which may be the trigger the custody risk event.

The custody risk management methods include:
  • evaluation of financial position of a third-party custodian;
  • the multi-level admission scheme for elevators and warehouses including accreditation and storage limits establishment processes;
  • verification of compliance with the established requirements for technical facilities and regular audits of assets in the depositories and vaults of precious metals;
  • insurance of commodities at stock;
  • verification of custodians; confirmation of qualitative and quantitative measures of a commodity by a surveyor upon storage and transfer of the commodity to a bailor;
  • monitoring of actual location of the asset;
  • monitoring of the asset’s availability by the time a claim is made.

Compliance (regulatory) risk

Risk of losses caused by non-compliance with the laws, internal regulations, self-regulating organizations’ standards (if mandatory), as well as by sanctions and/or other actions taken by regulatory authorities

The compliance risk is managed by the Group’s responsible business units within the Group’s unified compliance structure. As part of the activities of the Compliance Committee managed by the Chairman of the Executive Board of Moscow Exchange, Group companies seek to unify their approaches and implement best Russian and global practices in compliance risk management.

Reputational risk

Risk of losses caused by a negative public opinion of the Group’s operational (technical) stability, quality of its services and its activities in general

In order to avoid losses associated with the realization of the reputational risk, the Group continuously monitors media space for information about the Group and analyses its internal processes applying the impact assessment methodology to each identified event or factor The primary source of the reputational risk is the realization of the operational risk, especially when such information becomes public. Thus, all actions taken to prevent and to mitigate the operational risk work simultaneously towards the reduction of the reputational risk.

Strategic risk

Risk of expenses (losses) sustained by the market operator as a result of mistakes (defects) made in deciding on the operator’s business and development strategy.

Principal methods of strategic risk management include:
  • building up a process for strategic planning and management commensurate with the Exchange’s caliber and operations;
  • preventing any decisions, including strategic, to be taken by an inappropriate body from the hierarchic point of view;
  • exercising general control over the performance of the risk management system;
  • determining the process for major transactions, for development and implementation of prospective projects as part of the general concept of Moscow Exchange Group’s development;
  • controlling the consistency of the risk management parameters with the Exchange’s current condition and its development strategy

Tax risk

uncertainty regarding the achievement of a business goal as a result of factors related to the taxation process, which may manifest itself as financial losses or other negative consequences resulting from current or future events and processes in the area of tax legal relations and tax accounting, or events or processes affecting tax legal relations and tax accounting.

Tax risk may arise in all areas of the Exchange’s activities without exception, as well as have different causes (factors): both related to the Exchange activities and under its control (internal tax risks), and caused by external factors beyond the Exchange’s control (external tax risks).

The Exchange’s main goal in managing tax risks is to limit the negative consequences of tax risks (reputational, financial, personal liability for the Exchange’s management and others) for the Exchange. This goal is achieved through the use of effective tax risk management methods and mechanisms compliant with the requirements of regulators and best practices, including raising awareness of the Exchange’s management bodies of the level of risk taken when making management decisions, as well as ensuring a common understanding of tax risk and acceptable level of tax risk for the Exchange.

Information security risk

risk associated with the potential loss of the security properties (confidentiality, integrity, availability) by the Company’s information assets as a result of the occurrence of information security threats.

Information security is understood as the protection of information and means of its processing from accidental or intentional impacts of natural or artificial nature.

The main objective of the measures aimed to ensure information security is to achieve adequate protection of the Company’s business processes and minimize information security risks when organizing trading and providing services on the Equity & Bond, Derivatives, FX and Money Markets.

This goal is achieved by ensuring and constantly maintaining the confidentiality, integrity and availability of the Company’s protected information assets.

RISK MANAGEMENT STRATEGY

In 2021, the following Exchange and Group strategies approved by decisions of the Supervisory Board continue in force:
  • Moscow Exchange’s Information Technology Strategy through 2024 (approved on 1 October 2020);
  • Moscow Exchange Group’s 2024 Risk Management Strategy (approved on 29 October 2020);
  • Moscow Exchange Group’s Information Security Strategy for 2021-2024 (approved on 10 December 2020).

In 2021, the roadmaps developed earlier under the 2024 Risk Management Strategy continued to be implemented.

The Information Security Strategy sets out measures aimed at reducing the likelihood of actual threats to the information security of Moscow Exchange and defines key performance indicators for the implementation of the Strategy.

All principal risk takers among the companies of the Group have developed a risk and capital management strategy. The principles and processes of the strategy seek to build, use and develop a comprehensive system of capital and risk management to ensure business continuity both in normal and stressed economic conditions, to enhance transparency of the risk and capital management processes, as well as to identify and assess significant risks in a timely manner, support capital planning and take due account of risks in the decision-making process.

With a view to maintaining efficiency of the regular risk management processes:
  • the following committees operate: the Risk Committee of the NCC Supervisory Board, Risk Management Committee of Moscow Exchange, Risk Management Committees of NCC Management board and Moscow Exchange and Risk Commit-tee of NSD Executive Board;
  • a system of distribution of powers and responsibilities is in place to implement key risk management principles;
  • risks are regularly identified and mitigation measures;
  • financial resilience recovery plans and plans for engagement of additional resources have been developed.

At the end of 2021, the Supervisory Board also developed and approved a Financial Stability Recovery Plan for Moscow Exchange, taking into account the interaction with other companies from the Group.

The Exchange is constantly developing and improving its risk management system to reduce the vulnerability of business pro-cesses and their recovery time, to improve system redundancy based on spacing and duplication of resources, and to improve the reliability of communication systems between traders, the Exchange and depository and settlement organizations.

Moscow Exchange has also established a separate market operator’s risk management subsystem that enables it to identify and assess risks in a timely manner and to develop mitigation measures. This system incorporates continuous monitoring of emergencies and assessment of their potential impact on the technical processes of the Exchange’s markets, as well as updating the integrated operational and financial risk management system in line with adopted decisions and procedures.

The Exchange has developed and approved the Regulations on Managing the Risks of a Market Operator and the Regulations on Managing the Risks of a Financial Platform Operator. In addition, the Exchange has also set up a separate structural unit aiming to identify and assess risks in a timely manner and to develop mitigation measures.

In addition, the Group’s Risk Management Development Strategy through 2024 was developed and, as a follow-up, roadmaps were approved that include a description of specific objectives in such areas as risk management development, risk culture, deepening of core markets, balance sheet management, treasury and capital management. In particular, in pursuance of this Strategy, the Supervisory Board of Moscow Exchange approved the Group’s risk appetite indicators and their thresholds.

SHORT-TERM RISK OUTLOOK

Given that the Group’s strategy calls for the development of new products, formation of new trading markets and the expansion of the investor base, the management of financial risks will be key for the Company.

Entering a new market and receiving the status of a Financial Platform Operator by Moscow Exchange entail new risks, in particular information security risks and reputational risks came from the arrival of a new category of customers - individuals.

HR risks will remain neutral, given that most ongoing activities are long-term; however, staff turnover remains low. Given that the Exchange’s strategic objectives include the financial platform and balance management, regulatory and legal risks will continue to have a high impact on the Exchange’s activities; however, taking into account ongoing activities, we do not expect a significant increase in regulatory and legal risk.

Stabilization 3.0 programs being implemented results in the re-duction of operational and compliance risks; however, the full effect will be visible only in the long term.

Plans to upgrade the Exchange’s key information systems will keep information security risks elevated.

Strategic risks are analysed and assessed for the possibility of achieving strategic objectives, as well as substantial delays and/or negative variances in implementation of the budget for strategic projects and initiatives considering the Group’s strategy through 2024.