TRUSTED AND RESILIENT MARKET INFRASTRUCTURE
103-1 103-2 103-3 102-15 102-30
Moscow Exchange Group has successfully established an integrated risk management system that complies with Russian regulatory requirements, as well as with leading international standards and best practices.
Role of management bodies in risk management
ESG risk management is handled by the Supervisory Board and other management bodies, such as participants in the Group’s integrated risk management system. They perform monitoring and control procedures.
The Supervisory Board of Moscow Exchange is responsible for establishing principles and approaches of the risk management system, including approving the risk management strategy, internal documents, and policies that stipulate actions to prevent the materialization of risks and minimize their consequences.
The Risk Management Committee of the Supervisory Board reviews risk management reports and develops recommendations for managing individual risk profiles, analyzes internal procedures and proposes measures for improving them, and monitors reports submitted. Similar structures have been established within the Group’s companies, including the Risk Committee of NCC Supervisory Board and the Risk Committee of NSD Executive Board. Moscow Exchange has also created a separate business unit that is responsible for managing the risks of the market operator.
ESG risks and their potential impact on the Group’s operations are identified annually within the Group’s integrated risk management system. Risk acceptance and pre-approval of risk management issues are submitted for discussion at Supervisory Board meetings. The Executive Board is responsible for defining an acceptable level of risk.
The Group has been conducting regular training sessions for its employees to improve their risk identification skills. The sessions are part of the Risk Management System Development Strategy. Risk-management-related KPIs are included in the criteria used by management for assessing employee performance.
Key risk profile
Each of the Group’s companies faces different types of risk, depending on the specific nature of their activities. As the parent company of the Group, Moscow Exchange faces risks associated with the organization of trading, as well as with transactions involving its own assets. NSD, as a core element of Russia’s financial market infrastructure, faces risks in its depository activities. The key risk bearer in the Group is NCC, which acts as a clearing house and central counterparty for all major markets of the Group, and as a commodity delivery facility for the commodities market.
The Group’s financial and non-financial risk map is updated annually following the results of the risk identification procedure. Non-financial risks are classed into several categories, as described in the table below Detailed information on risk management is presented in the 2021 Annual Report. .
Risk management activities
Risk of expenses (losses) resulting from (1) erroneous assumptions made by management in preparing, approving and executing strategic plans; (2) inadequate execution of decisions made by management; (3) the impact of changes caused by external factors and that affect or could affect the Group’s performance
Risk of losses due to failure to comply with legislation, internal regulations and standards issued by self-regulatory organizations (if such standards and rules are obligatory) or as a result of sanctions and other enforcement measures taken by oversight agencies
The Internal Control and Compliance Department is responsible for managing compliance risk.
Information security Risk
Risk of the security (confidentiality, integrity, accessibility) of information assets being compromised as a result of the materialization of information security threats.
Risk of expenses (losses) or any other adverse effects resulting from a negative perception of Moscow Exchange Group by its counterparties, traders and their clients, shareholders, the Central Bank of Russia, and others, which may adversely impact the Group’s ability to maintain its existing relationships and/or to establish new ones and provide access to sources of financing on an ongoing basis.
Risk of expenses (losses) incurred by MOEX Group as a result of the lack of alignment between HR policy and business objectives, as well as the significant loss of key personnel or expertise.
Risks of financial losses as a result of reduced demand for listing services and investment prospects of issuers in a number of industries; physical damage or loss of property, as well as malfunctions in equipment and in the availability of services to clients; additional expenditures due to regulatory changes and the need to introduce new technologies, which may adversely affect the Group companies’ revenue and reputation
For more information on climate-related risk management, see the Climate Agenda subsection.
Internal audit and internal control
Moscow Exchange’s risk management system is based on the COSO principles COSO — Committee of Sponsoring Organizations of the Treadway Commission. and structured on the ‘three lines of defense’ model, which stipulates that risk management and internal control responsibilities be distributed among management bodies, business units responsible for control and coordination, and the internal audit function. The Group continues to improve its internal control system to maintain a high level of performance.
Line of defense
First line of defense
Identifying, assessing and managing risks, and developing and implementing policies and procedures governing business processes
Second line of defense
Ongoing risk monitoring and risk management by units as part of their functions.
Infrastructure resilience issues include:
Third line of defense
Overseeing the efficiency of business activities, the management of assets and liabilities, and the effectiveness of the risk management system
Compliance with international standards
The Group conducts an annual audit of its compliance with the CPMI-IOSCO Principles for Financial Market Infrastructures, the COSO Enterprise Risk Management Framework, and the Basel Committee on Banking Supervision risk management guidelines.
In 2020, NCC successfully underwent an operational audit by PwC (an international audit and consulting company) to check compliance with the requirements of the Central Bank of Russia Central Bank of Russia Regulation No. 556-P, dated 11 November 2016, On the Procedure Whereby the Central Counterparty Conducts an Operational Audit. . The audit covered the following components: management of risks of the central counterparty, assessment of the accuracy of the central counterparty model, stress-testing of risks of the central counterparty, determination of the allocated capital of the central counterparty, and recovery of financial stability of the central counterparty. The operational audit is conducted every two years, and the most recent was conducted in March 2022.
NCC also undergoes a certification audit every three years in accordance with ISO 9001 Quality management systems (the most recent audit was conducted in 2019).
Risk management and internal control services
Business and operational units
The Group’s companies have developed risk and capital management strategies. As part of its risk management strategy, Moscow Exchange Group reviews its risk appetite and risk tolerance annually in the context of the Group’s strategic objectives.
As a market operator, Moscow Exchange applies a transparent investor- and bidder-oriented information policy regarding its activities. This ensures that stakeholders can exercise their rights to reliable information to the fullest possible extent. As per the information policy, the purpose of disclosing information about Moscow Exchange as an issuer of securities is to reach all stakeholders so that they can make balanced decisions on holding Moscow Exchange equity or performing other actions.
Moscow Exchange complies with the following principles of disclosure regarding its activities:
- regularity and promptness of reporting;
- availability for stakeholders, reliability and completeness of disclosures;
- neutrality, namely the avoidance of prioritizing certain groups of recipients over others;
- accountability for information disclosure.
Moscow Exchange does not evade disclosure of adverse information if such information is material for shareholders and other stakeholders.
Disclosure at the request of government agencies
Moscow Exchange Group is obliged under Russian law to disclose information on market participants (issuers and bidders By virtue of Federal Law No. 325-FZ. ) to competent government agencies, including law enforcement agencies, for the prevention or investigation of potentially unlawful activities. Such disclosures may cover insider trading, market manipulation (Federal Law No. 224), and anti-money laundering (Federal Law No. 115).
Information security (IS) means the protection of information and the equipment used to process it from accidental or deliberate interference, whether natural or artificial.
The main goal of ensuring IS is to appropriately protect the company’s business processes, as well as to minimize IS risks when organizing trading and clearing services, and when providing services on the Equity, Derivatives, FX, and Money Markets. This goal is achieved by ensuring and continuously maintaining the confidentiality, integrity and accessibility of the company’s protected information assets.
Moscow Exchange has implemented an information security management system that meets the requirements of Russian law and complies with ISO 27001. Organizational and technical activities are continuously conducted to ensure information security and manage IT infrastructure and information security incidents. The Security Operations Center is responsible for monitoring and responding to information security incidents. The Group regularly conducts information security audits, intrusion tests, and anti-phishing tests to manage risks. To protect against malicious attacks, Moscow Exchange uses its own equipment or a provider’s.
In October 2021, following an independent audit, the Group underwent recertification for compliance with ISO 27001:2013 (Information technologies. Security techniques. Information security management systems. Requirements) and ISO 22301:2012 (Societal security. Business continuity management systems. Requirements). This certification is voluntary and covers 100 measures aimed at ensuring information security and business continuity.
Employees are required to comply with information security measures and are provided with training and information, including the following activities:
- including employees’ compliance with information security requirements in KPIs;
- online training on information security, and introductory briefings during onboarding;
- regular newsletters on information security and protection of confidential information;
- workshops on preventing phishing attacks.
The implementation of technology development processes at Moscow Exchange Group is regulated under the Group’s Information Technology Development Strategy. IT systems are regularly updated with new products and services, and new platform solutions are developed and implemented. The Development Strategy focuses on:
- implementing business and technology initiatives;
- accelerating the incorporation of new technologies while maintaining reliability;
- creating an innovative IT environment;
- boosting synergy within the Group;
- implementing an IT management model;
- controlling cost-effectiveness.
Uninterrupted and fault-tolerant systems are supported by “hot” and “warm” back-up technology that facilitates rapid restoration of the trading and clearing systems in case of failure. Server equipment that performs critical trading and clearing operations is no more than three years old, while network equipment is no more than five years old and is regularly upgraded by installing the most up-to-date models. With due consideration for targets for reduced energy consumption, older and less energy-efficient servers are taken out of service.
Privacy of personal data
The principles, terms and measures that ensure the security of personal data processing are set out in the Personal Data Processing Policy of Moscow Exchange.
Moscow Exchange Group conducts regular human rights risk assessments associated with data privacy. To assess this risk, the Group uses its own risk appetite methodology for assessing risk appetite. In accordance with the Methodology for Determining Risk Appetite Benchmarks of Moscow Exchange. Moscow Exchange discloses the process for evaluating and responding to law enforcement or government data requests in accordance with Russian law.
All employees can express their concerns regarding the handling of personal data via the Speak Up! hotline. The Group companies consider the concerns raised and take appropriate action.
Market access and customer experience
Moscow Exchange offers its clients information and technology services that provide real-time market data, as well as information on trading results and indices.
It works to increase the appeal of its services on organizing trade on the commodity and financial markets for investors and issuers.
Moscow Exchange’s technology infrastructure provides market participants with a safe and reliable environment that supports uninterrupted trading, clearing, and settlement operations. Reliability is ensured by the following factors:
- high-quality risk management;
- capitalized central counterparty and settlement infrastructure;
- high standards of listing and information disclosure by issuers.
Moscow Exchange spares no efforts to ensure convenience for its customers:
- develops new products, services, and ways of trading;
- extends trading hours;
- implements new technologies for access to trading and market data;
- strengthens cooperation with other markets and exchanges.
Providing additional world-class exchange services beyond traditional exchange products
Creation of uniform infrastructure for the entire Russian market, including traditional over-the-counter segments, based on a single set of post-trading services with integrated settlement, collateral and risk management systems.
Development of central counterparty and central depository institutions
Process reliability and efficiency
Creation of new services for individuals and corporate clients