The Risk Management and Internal Control System

I. GOAL-SETTING AND CONTROL

The Board of Directors and the Audit Committee of the Board of Directors:

• approve RM&ICS focus areas, control of their implementation
• approve corporate reports on the financial and business risks
• approve risk appetite
• monitor the RM&ICS reliability and performance

II. RISK MANAGEMENT AND EXECUTION OF RESOLUTIONS

Chief Executive Officer

• validates RM&ICS focus areas
• validates RM&ICS reports
• validates risk appetite

Risk Management Committee

• validates the RM&ICS issues reported to the Chief Executive Officer
• resolves RM&ICS operational disputes

Management

• allocates powers and responsibilities among employees
• manages risks
• develops and executes controls
• conducts self-assessment of internal control

III. RISK MANAGEMENT AND DECISION-MAKING

JVCos Performing Separate RM&ICS Functions

• compile and consolidate reports on RM&ICS
• manage the rollout of RM&ICS elements and develop proposals for risk management methodology
• assist the Company’s management in conducting self-assessment of internal control

Rosneft’s Employees

• execute risk management controls and projects
• assist the Company’s management in managing risks
• help identify, assess, and report on risks and internal controls, conduct self-assessment of internal control

Risk and Internal Control Experts

• coordinate the risk management and internal control process in the business unit
• identify, assess, and develop risk management initiatives
• develop, implement, and update business process controls
• develop, monitor/implement projects to eliminate gaps identified in business process controls

IV. RM&ICS INDEPENDENT MONITORING AND PERFORMANCE ASSESSMENT

Internal Audit Service

• assesses the RM&ICS reliability and performance
• conducts audits
• monitors the incorporation of RM&ICS improvement proposals made by internal auditors
• assists the Company’s executive bodies in investigating wrongdoings / unlawful acts by the Company’s employees and third parties

Audit Commission

• audits the Company’s financial and business operations, verifies the accuracy and reliability of data included in the Annual reports and annual accounting (financial) statements

V. COORDINATION AND GUIDELINES

Risks and Internal Control Department

• plans RM&ICS focus areas
• develops, implements, and updates Company-wide RM&ICS guidelines
• prepares reports on risks and internal controls
• coordinates the RM&ICS rollout and operation across Rosneft’s units and Group Subsidiaries
• provides guidelines to key RM&ICS stakeholders, trains in risk management and internal control
• develops, implements, and supports insurance
• programs
• reinsures the Company’s risks in Russian and international insurance markets
• settles insurance claims on risks realized

Security Service

• develops, updates, and introduces local regulations and administrative documents on anti-corruption and prevention of corporate fraud
• enforces the compliance with the local regulations and the implementation of anti-corruption and corporate fraud prevention initiatives taken by the Rosneft’s executive bodies
• manages security Hotline
• conducts inspections / investigations of wrongdoings / unlawful acts of the Company’s employees and third parties

Consistent development and enhancement of the Company’s RM&ICS enable to promptly and adequately respond to changes in the external and internal environment, improve operational efficiency and effectiveness, and maintain and add value.

The Company has in place the RM&ICS holistic development plan for the short and medium terms. This plan sets goals, objectives, and key initiatives contributing to the achievement of the Company’s established goals for the RM&ICS.

THE INTERNAL CONTROL SYSTEM IS AN INTEGRAL PART OF THE RM&ICS

• Both systems have aligned goals.
• The ICS is organized as per the Company’s Policy on the Risk Management and Internal Control System, the Company’s Standard on the Internal Control System, and the Company’s Regulations on Development, Implementation, and Maintenance of the Internal Control System.
• The Company relies on these documents to reveal the risks inherent to business processes and implement controls so as to make business processes more efficient and manageable while ensuring the reliability of its financial statements and compliance with legislation and local regulations of the Company.

To achieve the ICS objectives, the Company needs to:

1. Define and update the ICS focus areas that have to be aligned with the Company’s needs and stakeholders’ requirements
2. Develop, adopt, and follow controls, including the development of uniform guidelines for the organization and high performance of the Company’s ICS
3. Identify shortcomings in existing controls, develop and implement measures to address them; streamline and ration the controls
4. Develop and implement tools to enhance communication and internal control information sharing among all RM&ICS stakeholders, including via information systems

The Corporate-Wide Risk Management System (CWRMS)

The risk management process at the Company is regulated by the Company’s Policy on the Risk Management and Internal Control System and the Company’s Standard on the Corporate-Wide Risk Management System (CWRMS).

The CWRMS is a combination of interrelated elements embedded into various business processes of the Company (including strategic and business planning processes) and implemented at all management levels by all employees of the Company.

All key risks of the Company are reported within the CWRMS, including the risks affecting the implementation of its Long-Term Development Program and the risks related to day-to-day financial and business operations. Risk reports are delivered for review / approval to the members of the Board’s Audit Committee / the Board of Directors and communicated to the management.

Heads of the Company’s businesses organize and coordinate risk management processes within the scope they are responsible for. When choosing a risk response and specific mitigation measures, risk owners seek to find an optimal trade-off while maintaining an acceptable risk level (risk appetite).

Rosneft’s Risks Details of the Rosneft’s basic risks are given in Appendix 2, Basic Risks.

INDUSTRY-WIDE RISKS

COUNTRY AND REGIONAL RISKS

FINANCIAL RISK

The Company’s Risk Appetite

IN 2018, THE ROSNEFT’S BOARD OF DIRECTORS APPROVED THE COMPANY'S RISK APPETITE FOR 2019

Financial and Economic Performance

The Company strictly complies with the covenants. The Company ensures that all its short- and long-term commitments are discharged as they fall due.

Health, Safety, and Environment

Recognizing the nature and scale of the footprint of its business, products, and services, the Company realizes the responsibility for safe operation and protects the health and safety of its employees and the local residents in the regions of operation.

To prevent potential adverse impacts, the Company makes relevant commitments and carries out all necessary activities focused on environmental safety and natural resource conservation and restoration.

Corporate Governance

The Company adheres to the principle of zero tolerance to corporate fraud and corruption of any kind and form.

Rosneft uses insurance as a risk management tool enabling it to pass financial losses caused by insured occurrence through to insurers.

The Rosneft’s corporate insurance program covers:

• the Company's fixed production assets;
• civil liability;
• business risks.

For its fixed main production assets, Rosneft has insurance coverage in place against the risk of damage to (loss of) property and potential losses resulting from business interruption due to accidents and other accidental emergencies, and liability insurance against the risk of legal action by third parties related to its onshore and offshore operations.

The most material risks are reinsured on the international market with companies having the reliability rating of at least A– by S&P, AM Best, and Fitch.

Rosneft insures its liability as required by federal legislation, including Federal Law No. 225 On Compulsory Insurance of Owners of Hazardous Facilities against Civil Liability for Damage Caused by Accidents at Hazardous Facilities. The compulsory insurance requirement under Federal Law No. 225 applies to property interests of the facility’s owner, which relate to its obligation to indemnify for damage caused to the affected party (Part 1 of Article 1 of the Federal Law).

The Company has in place the following local regulatory documents on internal audit:

• the Company’s Policy on Internal Audit No. P4-01 P-02;
• the Company’s Standard on the Organization of Internal Audit No. P4-01 S-0021;
• the Company’s Regulations on the Internal Audit Quality Assurance and Improvement Program No. P4-01 R-0038;
• the Company’s Regulations on the Procedure for Cooperation between the Internal Audit Service and Business Units of Rosneft and Group Subsidiaries when Performing Internal Audit No. P4-01 R-0041;
• Rosneft’s Instruction on the Procedure for Internal Assessment of Internal Audits No. P4-01 I-01014 YuL-001;
• Rosneft’s Instruction on the Procedure for Internal Audits No. P4-01 I-0013 YuL-001;
• Rosneft’s Instruction on the Annual Internal Audit Action Planning No. P4-01 I-01016 YuL-001;
• and other the Company’s local regulations governing internal audit operations.

The internal audit function assists Rosneft’s Board of Directors and the Company’s executive bodies in increasing the Company’s governance efficiency and improving overall financial and business performance, particularly through application of a consistent systematic approach to reviewing and assessing the Risk Management and Internal Control System (hereinafter - RM&ICS), as well as corporate governance, therefore providing reasonable assurance that the Company will achieve its goals. It also helps ensure:

• the accuracy, reliability, and integrity of information on the Company’s financial and business operations, including those of Group Subsidiaries;
• the efficiency and effectiveness of the Company’s operations, including those of Group Subsidiaries;
• identification of internal reserves for improving the Company’s financial and business performance, including that of Group Subsidiaries;
• protection of the Company’s assets, including those of Group Subsidiaries.

THE MAIN FUNCTIONS OF THE INTERNAL AUDIT SERVICE UNITS ARE:

• assessing the reliability and efficiency of the Risk Management and Internal Control System, its compliance with the scale and complexity of the Company's business;
• assessing corporate governance;
• conducting audits in line with the internal audit action plan approved by Rosneft’s Chief Executive Officer and endorsed by the Audit Committee of Rosneft’s Board of Directors;
• performing other inspections and tasks as instructed by Rosneft’s Board of Directors (the Audit Committee of the Board of Directors) and / or Rosneft’s Chief Executive Officer within the competence, including those based on the information received via the security hotline of Rosneft;
• carrying out comprehensive inspections (auditing) of the activities of auditees, which imply the documentary and physical verification of the legality of conducted financial and business transactions, their accurate and correct reporting in the accounting (financial) statements, subsequent control of the financial and business activities of the auditee;
• analyzing the auditees in order to study specific aspects of their activity and estimation of the state of an auditee’s certain sphere;
• consulting the Company’s executive bodies on risk management, internal control, and corporate governance (assuming the preservation of the independence and neutrality of the Internal Audit);
• monitoring the incorporation of RM&ICS and corporate governance improvement proposals made by internal auditors, addressing shortcomings and violations identified during inspections;
• assisting the Company’s executive bodies in investigating wrongdoings / unlawful acts by the Company’s employees and third parties, including negligence, corporate fraud, corrupt practices, abuses, and various improprieties that inflict damage to the Company;
• developing the Internal Audit action plan for the period prioritizing the internal audit activities (one year, within the three-year planning horizon);
• cooperating between the Internal Audit Service and Business Units of Rosneft and Group Subsidiaries on Internal Audit issues;
• conducting quality controls and evaluating the results obtained;
• performing the other functions essential in solving the tasks assigned to the Internal Audit Service by the Company.

Functionally, the Internal Audit Service reports to Rosneft’s Board of Directors. Functional management of the Internal Audit implies:

• approving the Policy-level local regulations on Internal Audit (the Regulations on Internal Audit governing the goals, objectives, and authorities of the Internal Audit);
• taking a decision on the appointment and dismissal of the Head of Internal Audit;
• reviewing the internal audit action plans and reports on the internal audit results;
• approving a budget of Rosneft's Internal Audit Service and the remuneration to the Head of Internal Audit;
• reviewing by the Audit Committee of Rosneft’s Board of Directors the significant limitations of authorities and other restrictions that could impinge upon the effective implementation of the internal audit function.

Administratively, the Internal Audit Service reports directly to Rosneft’s Chief Executive Officer. Administrative management of the Internal Audit implies:

• allocating the necessary funds within the approved budget;
• approving the internal audit action plans;
• reviewing reports on the internal audit results;
• facilitating the cooperation between Rosneft and joint venture companies of Group Subsidiaries;
• administering the internal audit policies and procedures (among them, approving local regulations on internal audit and amendments thereto, approving organizational documents of Rosneft’s Internal Audit Service, approving business trips, and validating the involvement of external experts to internal audits).

The existing reporting lines, by which the Vice President as the Head of Internal Audit reports to the Board of Directors and the Company’s executive bodies, provide sufficient independence for performing internal audit functions.

Heads of units within the Internal Audit Service do not participate in managing functional areas of the Company’s business that require management decisions on audited entities.

The Head of Internal Audit was appointed to Rosneft’s Management Board following a decision made by the Rosneft’s Board in July 2016. The Head of Internal Audit is not entitled to vote on matters requiring management decisions on audited entities.

The internal audit action plan is based on an audit model using information and requests received from Rosneft’s executive bodies and Board of Directors, as well as Rosneft’s risk evaluation results. The internal audit action plan comprises scheduled audits and other internal audit activities for the planned period (one year, within the three-year planning horizon) and is submitted to Rosneft’s Chief Executive Officer and the Audit Committee of Rosneft’s Board of Directors for approval. Details of the action plan are presented to the Board of Directors for review together with the internal audit report for the previous period.

The functions of the Head of Internal Audit include the following activities: preparing the internal audit report and submitting this report to Rosneft’s Board of Directors and executive bodies (this report includes information about material risks, violations and shortcomings, results and efficiency of internal audit proposals on eliminating identified violations or shortcomings, results of implementing the internal audit action plan, and assessment results on the actual condition, reliability, and efficiency of the Company’s RM&ICS and corporate governance). The 1H 2018 and 2018 internal audit reports were reviewed by the Audit Committee of the Board of Directors and the Board of Directors of Rosneft.

Based on the results from the risk management and internal control system (RM&ICS) efficiency assessment in 2018, the internal audit concluded that the RM&ICS ensured overall support of the risk management process and effective functioning of the internal control system, providing reasonable assurance that Rosneft would achieve its goals. The assessment results were reviewed by the Rosneft’s Board of Directors.

The internal auditors provide written confirmation of their personal objectivity to the heads of Internal Audit Service’s divisions and to the Head of Internal Audit at least once a year, thereby raising awareness among the Service’s employees of potential conflicts of interest and related factors, as well as response procedures to situations, which may influence the independence and objectivity of an internal audit.

The Head of Internal Audit provides Rosneft’s Chief Executive Officer, Board of Directors (its Audit Committee) with confirmation of the organizational independence of internal auditing and individual objectivity of internal auditors at least once a year, as part of the internal audit report.

The basic internal audit task for the reporting period is to improve the performance and increase the labor efficiency, including through:

• standardizing the audits and internal audit procedures;
• digitalizing the internal audits;
• training and developing the skills of the Internal Audit Service’s employees.

In the reporting period, the automated information system for managing internal audit, internal control, and risk management processes - AIS SAS - was launched. The system will significantly reduce the time spent on planning, preparing and recording audits, as well as monitoring the elimination of violations and shortcomings identified during internal audit inspections. All employees of the Internal Audit Service utilize the SAS AIS while executing their internal audit functions.

During 2018, more than 300 inspections were carried out, covering most of the risks related to the Company's critical business processes and the financial and business risks of its Key Group Subsidiaries.

Over 90% of the total number of inspections are thematic inspections and audits assessing the RM&ICS performance, improving the efficiency of the Company’s business processes in Key Group Subsidiaries, and assessing the business performance of Group Subsidiaries.

In cooperation with the heads of business units, the Internal Audit Service prepares proposals based on its inspection results aimed at improving business processes and RM&ICS optimization, as well as resolutions for eliminating the violations and shortcomings identified during inspections.

In the reporting period, the Internal Audit Service conducted the regular in-house self-assessment on its internal audit quality. This in-house regular self-assessment was aimed at ensuring and improving the performance and efficiency of both the internal audit, in general, and individual internal audit inspections. The self-assessment findings are as follows: internal audit operations generally comply with the requirements of the Company’s Policy on Internal Audit and local internal audit regulations, the International Standards for the Professional Practice of Internal Auditing, and the Code of Ethics of the International Institute of Internal Auditors. The Internal Audit Service developed and approved the Company's Policy on Internal Audit, local regulations on internal audit, and put them in practice.

The Internal Audit Service is involved in a range of activities, such as facilitating the effective interaction with the Audit Committee of Rosneft’s Board of Directors (and also in in-person meetings with the Audit Committee’s Chairman), Rosneft’s Chief Executive Officer (including through personal reports on substantial audit results), Rosneft’s management, and Group Subsidiaries’ management.

The Head of Internal Audit interacts with Rosneft’s Audit Commission, the external auditor, and the audit commissions of the Group Subsidiaries.