Risk Management

Risk Management System

Risk management is conducted at MTS Group in compliance with the generally accepted conceptual risk management framework¹. The risk management activity aims to minimize unexpected losses from risks and to maximize capitalization, taking into account the relationship between risk and return on investments acceptable to the shareholders and the management of the MTS Group.

¹ “Enterprise Risk Management. Integrated Model” of the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The basic principles of the risk management process

provides for a systemic approach to management of all types of risks inherent in MTS business, across the entire organizational structure and geography of the MTS Group operation;

cross-functional collaboration and coordination of structural divisions is maintained to manage risks outside the framework of their specialization, as well as accounting for the mutual effect of risks from various units;

a single Company management notification channel is provided for the entire risk spectrum to guarantee the completeness, quality and comparability of the information provided for each level of decision-making.

consists of implementing a set of ordered risk management procedures on a regular basis.

provides for an analysis of the ratio between the costs for risk assessment reduction and potential damage from their occurrence

The Integrated Risk Management Policy is approved in the MTS Group¹. Integrated risk management is aimed at ensuring a reasonable guarantee of achieving the strategic goals of the Company and maintaining the MTS Group risk level within the limits acceptable to Company management.

¹ Approved by the resolution of the Board of Directors of MTS PJSC on December 15, 2017, Minutes No. 265.

The system of integrated risk management makes it possible to resolve the following tasks:

The Risk Management Team of the Corporate Center² assesses the most significant risks on the basis of a long-term financial model and conducts regular simulation modeling to obtain key financial figures considering the risk and probability distributions of these indicators. The RMT CC applies econometric methods to analyze individual risks.

² CC/Finance Block / Department of Financial Planning and Analysis / Management Reporting Center / Risk Management Group.

A report on the status of the MTS Group risks is reviewed regularly by the Risk Committee, which discusses the key Company risks and makes collective decisions about generating mitigation measures. The Chairman of the Risk Committee is the CEO of MTS. The Committee includes members of the Management Board, the Vice President and other senior executives. The Committee’s powers and responsibilities include the review and approval of the following:

The MTS Group management is notified about the entire risk spectrum to ensure the completeness, quality and comparability of the information provided for each level of decision-making.

Based on the results of assessing the efficiency of the MTS Group’s internal control systems in 2024, the risk management process was deemed efficient.

Organizational Risk Management Support

The Board of Directors operates directly or through its committees within its competences and resolves the issues of assessing the political, financial and other risks affecting the Company’s operation. The MTS Board of Directors delegates monitoring of risk management efficiency to the MTS Audit Committee, and also reviews the reports submitted by the Audit Committee.

The Audit Committee monitors the risk management efficacy, as well as the assessment of procedures used by the MTS Group to identify the principal risks and evaluation of relevant control procedures (including the procedures for loss control and risk insurance) in order to determine their adequacy and efficacy.

The Risk Committee makes collective decisions in the field of integrated risk management. The efficacy of the risk management process is assessed by the Internal Control Block; this information is also presented to the Audit Committee for review.

The Risk Management Team of the Corporate Center is responsible for developing a risk assessment methodology, regularly collecting information and reporting the results of this assessment to the Risk Committee and the Company management. The Team also conducts operational control of the process and provides cross-functional interaction between the units within integrated risk management in the Company. Cross-functional interaction with the risk owners in subsidiaries is provided by the risk coordinators in such subsidiaries.

Risk owners are the heads of functional units, whose achievement of goals is affected by the risks. The owners are responsible for the analysis, assessment, execution of risk management measures and reporting on the activity within the process of integrated risk management.

Risk Management Integration into Decision-Making Processes

Risk management is an integral part of all processes of the Company: policy development, strategic, business, budget and investment planning, change management and purchasing procedures.

Strategic Planning:

Business Planning and Budgeting:

Purchasing Procedures:

The risk management process passed all stages of introduction, automation and integration into the Company’s business processes (into strategic and investment planning, as well as into the cross-functional projects and the preparation of external reporting), which now makes it possible to identify and consider the risks when making key decisions for the guaranteed achievement of set goals and strengthening of business leadership.

2024 Key Activities

In 2025, there are plans to update the risk section for external reporting (Reports of the issuer for the Central Bank of the Russian Federation) and hold regular Risk Committee meetings. Continuous monitoring of the geopolitical situation is also planned in order to identify, assess and further mitigate the risks.

Key Risk Factors

The most significant risk factors that may potentially impact MTS PJSC business results are provided below. See more detailed information about these and other risks in the MTS PJSC Reports.

Strategic risks

The category of strategic risks includes risks that, if realized, may threaten the sustainability of the company’s business and operations and that may affect the company’s ability to achieve its long-term goals. These risks depend on many internal and external factors and, due to the serious potential damage if they occur, are taken into account when compiling the company’s strategic plan.

| Risk description | Probability of risk occurrence (2023 / 2024) | Activities |
|---|---|---|
| Risks of failure to fulfill infrastructure development plans | Very low / Very low | We adapt previously approved rules for prioritizing building and distributing critical facilities, taking into account the quantity and rates of warehouse stock balances. An in-house Technical Support Center is used and local suppliers were found to maintain the network performance. MTS continues to make scarce equipment available by replacing it with equipment that is available for purchase. Purchases are being made from domestic suppliers. Core — search for domestic suppliers or technical solutions (virtualization). Discussions of industry support measures for carriers with the Ministry for Digital Technology, Communication and Mass Media of the Russian Federation |
| The risk of increasing sanctions pressure, as well as strengthening counter-special economic measures | Partially occurred / Partially occurred | Support for risk management processes (KYC, verification of the subject matter and conditions of transactions, transferred goods, software, technologies, etc.). Risk assessment and development of measures for their mitigation. Obtaining the required permits. Raising awareness among management and employees regarding applicable restrictions |
| Risk of business loss / business suspension for MTS in other countries | Low / Low | MTS is monitoring the political situation in the markets of operation of the Group of Companies and strives to respond promptly to changing conditions in the markets |

Environmental Risks

Environmental Risks include those that are caused by factors such as exchange rate fluctuations or trade restrictions. Such risks are not related directly to the company’s activities or its deliverables; however, if they occur, they can have significant consequences for any enterprise, including affecting its internal processes.

| Risk description | Probability of risk occurrence (2023 / 2024) | Activities |
|---|---|---|
| Risks of increased costs, including capital expenditures, may be denominated in rubles, US dollars, euros and/or yuan | High / High | A number of portfolio structuring measures have been taken in order to reduce dependence on exchange rate fluctuations, including there is a currency risk hedging program using swaps as instruments |
| Growth in the cost of debt due to the key rate growth | Medium / High | Reinvestment of part of free liquidity and attraction of new liquidity into instruments with higher yield for replacement. Participation in concessional lending programs. Use of current assets as a liquidity instrument (trust management, derivatives). Consolidation of cash in the parent company for effective liquidity management of the MTS Group. Taking cost optimization measures (rejecting some unprofitable businesses in favor of areas with quick returns) |
| Rising costs due to high inflation | Medium / Medium | Cost control. Adjustment of rates to compensate for increased costs. |
| Risk of increased costs due to shutdown of CDN caching servers of global platforms and potential difficulties in interaction with international partners | High / High | Compensation for reduced traffic volumes. Setting up procurement of Internet access services to maintain access to the international segment of the Internet through alternative providers |
| Blocking foreign licenses and software | High / High | Entering into framework agreements with alternative providers. Finding temporary solutions. Development of alternative software including in-house |

Operational Risks

The category of operational risks includes risks arising as a result of erroneous or imperfect internal processes of the company, low reliability of controls, technical failures, errors by company employees and other factors. The consequences of occurrence of such risks may be a decrease in the efficacy of business operations, an impairment in the quality of services provided, or lag in technology as compared to the demand.

| Risk description | Probability of risk implementation (2023 / 2024) | Measures |
|---|---|---|
| Risk of revenue loss due to downtime of base stations | Very high / Very high | Organizing incident management on a mobile network |
| Risk of technological failures on the network and information resources | High / High | Redistribution of capacity and power used by the base stations to maintain network continuity. Use of backup telecommunications equipment. Use on a continuous basis of quality assurance processes and systems for monitoring, change management, etc. |
| Risk of damage due to a restricted-access information security breach in the information systems | Very high / Very high | Conducting scheduled and unscheduled audits (analyses of security of ICT¹ infrastructure and access to corporate information systems). In order to implement the Decree of the CEO dated 01.05.2022 No. 250, import substitution of the following systems was arranged in the Russian Federation: — Monitoring and managing information security events and incidents; — Mirroring and managing traffic copies; — Filtering signal traffic on the MTS technological network |
| Disruption in system continuity due to lack or insufficient geographic redundancy | High | Geographic redundancy of a product in another region. |

¹ ICT — information and communication technologies

Compliance with regulatory requirements

Compliance Risks

The compliance risk category includes risks arising from the failure of the company or its employees to comply with the legislation or to meet regulatory requirements, which may result in imposition of significant fixed or turnover-based fines, or restrictive impacts on individual business processes of the company or its activities as a whole.

Such risks, inter alia, shall be managed within the framework of the Unified Compliance System that includes risk management programs in the areas of corruption, insider trading, protecting intellectual property, violating antitrust laws, CML/TF, protecting personal data, labor protection, observing human rights, and the environment.

| Risk description | Probability of risk implementation (2023 / 2024) | Measures |
|---|---|---|
| Portfolio of risks of violating antitrust legislation | Very high / Very high | Antitrust risk management in accordance with the company’s internal policies, including: Participation of antitrust compliance in developing commercial initiatives; Interaction with FAS in terms of preparing positions and preventing injunctions |
| Risks associated with amendments made to the RF Federal Law “On Communications” (533-FZ, 303-FZ) | Very high / Very high | Daily automated upload of the B2B and B2C database to Roskomnadzor¹, request and correction of inaccurate client data, reconfiguration of processes for entering into contracts to provide communication services, as a result of which, before entering into the contract, the accuracy of the subscriber/user data is verified through the Unified System of Identification and Authentication (USIA), the State Information System for Monitoring the Verification of the Accuracy of Subscriber Information (SIS IMSMS), the Unified Biometric System (SIS UBS), including for the purpose of checking the limits of issued SIM cards per individual. B2C events: Communication to subscribers about the need to confirm data. Measures to encourage verification of personal data. Validation via T-ID and Alfa ID has been introduced; a launch via Sber ID and Mos ID is planned, for foreign persons and stateless persons — via the SIS UBS. Verification by passport and recognition using a commercial bio-platform for which accreditation has been received. B2B events: Personal communication with non-validated clients. |
| Violation of requirements of the law and state regulation (SORM) | High / High | Timely and sufficient allocation of funding for the purchase of SORM equipment. Timely commissioning of a number of data centers in 2025. Strengthening control over deadlines and quality of work performed by contractors, increasing the liability of contractors for project interruptions. Updating and correcting the personal data of the MTS PJSC subscriber base, strengthening sanctions imposed on dealers if incorrect data is provided. Modernization of traffic aggregation systems in order to prevent information loss in SORM systems |
| Risk of losses due to the Federal Anti-Monopoly Service (FAS) order to increase subscriber rates | Low / Occurred | Participating in meetings of the FAS of Russia, providing evidence on the validity of the price for subscriber rates. MTS is in the process of court action against the FAS decision. The preliminary hearing is scheduled for December 2024 |
| Violation of legal requirements for personal data storage | Medium | Reengineering of business processes with personal data processing. Control over the amount of annual expenses of the operator for information security measures (not less than 0.1% of the annual total amount of revenue received from the sale of all goods (work, services)) |

¹ Roskomnadzor — Service for Supervision of Communications, Information Technology and Mass Media

Risks associated with violations in the field of OH&S

Risks associated with violations in the field of OSH include risks related to non-compliance with the provisions of the legislation, regulations and internal rules on OSH, which can lead to serious consequences for the company, including financial losses, damage to reputation and legal liability, as well as pose a threat to the health of the company’s employees.

| Risk description | Probability of risk implementation (2023 / 2024) | Measures |
|---|---|---|
| Possible risks of violations in the OSH field associated with training employees, medical examination, providing personal protective equipment, compliance with sanitary and epidemiological requirements, special assessment of working conditions, etc. | High / High | The functioning OSH management system¹ includes the following: organizational structure; planning; distribution of responsibility; procedures; processes and resources for developing, implementing goals, analyzing the efficiency of OSH policies and measures. A number of local regulatory documents have been developed and are being implemented that regulate the main issues in the field of OSH and employee health. The procedure for conducting internal control over the state of working conditions is being established. MTS has introduced a program to automate routine OSH processes. The goal of the program is to increase the transparency of OSH processes, reduce the burden on employees in terms of paperwork and bureaucracy, and switch to processing documents in EDM |

¹ Certified according to GOST R ISO 45001-2020 (ISO 45001:2018).

Risks of human rights violations

The human rights violation risk category includes risks arising from actions by the company or its employees that may result in violations of regulatory standards relating to human rights. The occurrence of these risks may entail significant legal and reputational consequences, and therefore, the organization needs to adhere to policies aimed at preventing violations in this area.

| Risk description | Probability of risk implementation (2023 / 2024) | Measures |
|---|---|---|
| Possible risks of human rights violation related to compliance with labor legislation, non-discriminatory and ethical conduct, public statements, insurance deductions, observance of the rights of socially vulnerable groups, etc. | Low / Low | During the year, the ESG Committee regularly discussed issues related to developing the corporate inclusion culture and its significance for the company’s future. Educational programs on diversity, equity, inclusion, including observance of human rights, were conducted. 1050 MTS executives and HR attended the educational programs. On the Pulse portal, an educational campaign on various aspects of inclusive culture and human rights was arranged for MTS ecosystem employees — reaching 20,000 people. Research and surveys on diversity and inclusion were conducted among ecosystem employees. Tools have been created to develop an inclusive culture within the ecosystem: the test “Inclusivity — a Fashionable Trend or New Business Ethics” makes it possible to determine the level of tolerant attitude towards representatives of inclusive groups, the “Bullying in the Workplace” test makes it possible to identify bullying in the corporate environment. The Abilympics MTS National Championship of Professional Skills among People with Disabilities and Special Needs became one of the leaders in employing people with disabilities — 50 championship participants became members of the 2024 ecosystem team. |

Risks of environmental violations

Risks of environmental violations include the risks of the company’s failure to comply with environmental regulations, standards and legislation, which may lead to a negative impact on the environment and human health, as well as a range of negative consequences for the company, including reputational, financial and legal risks.

| Risk description | Probability of risk implementation (2023 / 2024) | Measures |
|---|---|---|
| Failure to meet the requirements for providing environmental reporting | High / High | Ongoing monitoring of changes in environmental legislation requirements is conducted. MTS regularly makes the payment stipulated by the legislation for adverse impact on the environment, bears the costs associated with waste management and atmospheric air protection, as well as with the reduction of risks associated with government regulation in the field of environmental protection and maintaining the image of the company’s environmental sustainability. MTS regularly reports according to state reporting forms and also prepares non-financial reports on the activities of the MTS Group of Companies in the area of environmental responsibility and safety |

Heat map

See below a heat map of all risks of MTS PJSC. All risks were divided into 25 groups.

Our risk allocation methodology includes 2 parameters: 5 groups of significance by probability (1 — very low probability, 2 — low, 3 — medium, 4 — high, 5 — very high probability) and 5 groups of significance by VaR¹ (1 — very low damage, 2 — low, 3 — medium, 4 — high, 5 — very high damage).

¹ VaR (Value at Risk) — the cost estimate of risk that losses will not exceed in 95% of cases of risk occurrence.

The heat map shows that the main risks are concentrated in a non-hazardous area for the company with low significance; whereas 42 risks have a very low probability of occurrence and, accordingly, an insignificant cost estimate.

The company has only 11 risks with high probability and high potential damage in the “red zone” that are given increased attention.
