Corporate controls

Risk governance and internal control

Organisational structure of the risk management and internal control framework

GRI 2‑12

The risk management and internal control framework is a set of organisational measures, methods, practices and standards of corporate culture. It also embraces actions taken by the Company to strike the right balance between value growth, profitability and risks, support sustainable development, and ensure efficient operations, protection of its assets, compliance with applicable laws and internal documents, along with timely and accurate reporting.

The Board of Directors defines the key principles of, and approaches to, risk management and internal controls, oversees the Company’s executive bodies, and performs other key functions, including setting the overall risk appetite and reviewing material risks and ways to manage them.

The Board’s Audit Committee focuses on assessing risk management and internal controls and making proposals to improve them. On top of that, its members supervise the preparation of accounting (financial) statements and the measures taken to prevent fraudulent behaviour by the Company’s employees or third parties.

The Review Committee elected by the General Meeting of Shareholders exercises control over the financial and business operations of the Company.

The Annual General Meeting of Shareholders held in June 2024 elected the following members to the Review Committee:

  • Lusine Agabekyan, Deputy Head of Group Financial Control and Management Reporting at PhosAgro;
  • Ekaterina Viktorova, Deputy Head of Treasury at PhosAgro;
  • Olga Lizunova, head of unit (functional in other areas), budgeting office, Economics Department at Apatit.

The Review Committee’s goals, objectives and powers are outlined in the Regulations on the Review Committee of PhosAgro as approved by the General Meeting of Shareholders on 12 May 2011.

The Committee endorsed PhosAgro’s financial statements for 2024, with its report dated 4 March 2025 included in the materials for the shareholders to prepare for the Annual General Meeting of Shareholders.

The executive bodies establish and maintain an efficient risk management and internal control framework. To this effect, they have set up a Risk Commission that monitors the status and effectiveness of risk management initiatives. The monitoring results serve as a basis for the relevant proposals issued by the Commission to executive bodies and the Board of Directors.

Following the audits, the Internal Audit Department provides the Board of Directors and executive bodies with recommendations and reports, including, among other things, the assessment of the current status, reliability and effectiveness of the corporate governance, risk management and internal control framework.

The Risk Management and Internal Control Department is charged with the general supervision of risk management, including related activities, and consolidated reporting to the executive bodies and the Board of Directors.

As part of their duties, heads of other organisational units are responsible for building, documenting, implementing, monitoring and developing the risk management and internal control framework in their respective functional areas. The framework requires the Company’s employees to identify and assess relevant risks and efficiently implement the controls and risk management initiatives.

Risk management

In 2024, PhosAgro’s risk management and internal control framework performed strongly thanks to timely identification and assessment of risks, as well as development and implementation of risk management measures. On a quarterly basis, the Board of Directors reviewed reports on the management of PhosAgro’s key risks. PhosAgro’s executives paid special attention to managing these key risks. The Risk Commission continuously monitored the status of risk management activities and, when necessary, initiated changes to improve those related to key risks.

Development of the risk management and internal control framework in 2024

The Company is making a consistent effort to develop its risk management and internal control framework. In February 2025, the Board of Directors reviewed the results of the framework’s assessment, which showed that it was on par with those adopted by the industry’s leading companies, including:

  • compliance with applicable regulatory requirements;
  • adoption of most of the leading risk management practices such as alignment with the Company’s development strategy, risk appetite, key risk indicators, automation and robotisation in risk management, as well as integration into the Company’s incentive system and governance framework.

The reporting year saw both the production sites and PhosAgro Group as a whole complete a full‑year cycle of risk management and internal control, including:

  • ongoing risk monitoring;
  • analysis of key risk indicators;
  • development of corrective actions;
  • follow‑up control and review.

In 2024, the Company sustained its focus on addressing risks across certain business areas, including the continuity of procurement, logistics, and software and IT infrastructure operation, in response to geopolitical developments. We also continued work to develop risk management competencies among managers at different levels, alongside further implementation of a risk‑oriented approach within certain functions and business units.

Plans for 2025

PhosAgro Group looks to maintain and further develop the existing elements of its risk management framework based on best practices, while also taking into account the changing external and internal factors.

Internal audit

PhosAgro’s Internal Audit Department assists the Company’s governance bodies in improving the management of business processes and enhancing the risk management and internal control framework. In doing this, it uses a risk‑oriented approach and works closely with the Risk Management, Internal Control and Economic Security Departments, and the Company management.

The Company’s internal audit procedure is defined by the Internal Audit Department’s management.

Audits

Audit of business processes

The audit plan for the calendar year is subject to review, discussion and approval by the Audit Committee and the Board of Directors. Audits are performed at the Group level, as well as at specific subsidiaries and their standalone business units. In addition, the Internal Audit Department monitors the effectiveness and efficiency of corrective actions taken by the management following the audit, and reports to the Audit Committee on a quarterly basis and to the Board of Directors annually.

In 2024, the Internal Audit Department fully met the annual action plan, conducting audits of business processes related to the management of logistics, repairs, health and safety, IT, and insider information handling. Based on the audit findings, recommendations were issued to improve the efficiency of logistics and repair management and enhance health and safety. The management developed and approved corrective action plans, with the progress monitored by the Internal Audit Department.

The 2025 audit plan covers business processes related to managing production capacity expansion, procurement of materials and equipment, review of repair efficiency, IT, and corporate governance.

Team development

In order to achieve the strategic goals in internal audit, we continue working to develop and diversify the competencies of our team by holding regular training sessions, which focus on sourcing data from information systems and further processing and visualising it. Training initiatives addressing this focus area are scheduled for 2025.

Self‑assessment and external assessment

The internal audit quality is assured through regular external independent assessments and self‑assessment.

External audit

A key element of the Audit Committee’s operations is ongoing interaction with external auditors and development of recommendations for the Board of Directors regarding the choice and approval of auditors. When selecting an auditor, we evaluate the following factors in addition to the cost of their services:

  • composition of the audit team (in terms of experience and qualifications), which should ensure that the statements are audited within acceptable deadlines and with adequate quality;
  • the auditor’s independence evaluated based on a variety of factors, including assessment of the scope of non‑audit services provided to us by the candidate company during the relevant periods. Each offer from the current auditor for non‑audit services requires confirmation by the audit partner to make sure there is no risk to independence and is submitted to the Company’s Audit Committee for consideration and approval. The Committee consents to the contract only if the scope of the non‑audit services does not call into question the ability to perform the audit service independently and impartially. The Committee’s assessment of the auditor’s independence is also significantly influenced by the auditor’s internal procedures for controlling the impartiality and professional ethics of the auditor’s staff, including requirements for periodic rotation of the audit partner, training arranged in this area and the use of specialised software to perform the respective audits;
  • balance between the benefits of long‑term cooperation with the auditor and the need for a fresh look at the Company’s financial statements and preparation procedures;
  • the auditor’s performance over the previous period. The Committee may form its opinion on the quality of the external auditor’s work during in‑person Committee meetings, which a manager and a partner from the external auditor are required to attend, as well as during meetings between the audit team and the Chairman of the Audit Committee held prior to the Committee meetings.

PhosAgro’s auditor performs the audit of its financial and business operations in compliance with Russian laws and regulations and the agreement signed with the Company. The auditor is approved by the Company’s General Meeting of Shareholders. The Company engaged JSC Technologies of Trust – Audit (14/3 Krzhizhanovsky street, bldg. 5/1, Moscow, Russia) to audit its 2024 IFRS financial statements, while the Company’s 2024 RAS accounting statements were audited by JSC Unicon (8 Preobrazhenskaya Ploshchad, Preo 8 Business Centre, Moscow, Russia).

The approach to assessing external audit’s independence and efficiency, as well as appointment and re‑appointment of the external auditor is set out in the External Auditor Selection and Cooperation Policy of PhosAgro as approved by the Board of Directors on 30 August 2023.

Insider information

PhosAgro has adopted Insider Information Regulations compliant with Russian laws and the EU Market Abuse Regulation (MAR).

In accordance with the Regulations, the Corporate Secretary Office keeps a list of insiders, persons discharging managerial responsibilities (PDMR) and persons closely associated with them (PCA). The Regulations define the scope of responsibilities for each insider group, which the Corporate Secretary Office from time to time communicates to the respective persons.

First and foremost, these include the limitations on the use of insider information and trading in the Company’s securities. Depending on the group, an insider may be prohibited from such transactions or obliged to notify the Company or obtain its consent for such transactions. Every quarter, the Corporate Secretary Office checks the list of shareholders to identify transactions that may have been executed in breach of such limitations.

In 2024, the Internal Audit Department conducted an audit to evaluate the Company’s insider information practices, which revealed the following:

  • there are no regulatory fines and complaints;
  • the Company fully discloses material developments;
  • the Company has put in place all the necessary insider information regulations.

Information security

GRI 3‑3

The Information Security Policy is the Company’s fundamental document defining the general provisions and principles for ensuring information security. Its adoption ensues from the risks and hazards faced by the Group companies in their operations and the respective need to respond to the hazards and minimise the risks.

The Policy assigns high priority to information security activities and sets out their key principles. These cover the target setting and planning of information security activities, as well as their implementation, quality management and process improvement. The principles define the contents of lower‑level documents such as the Information Security Framework and other internal documents covering the respective issues. This set of documents reflects modern solutions and best practices in information security.

Information security issues are submitted for consideration by the Board of Directors every six months.

2024 highlights

In 2024, the Company implemented the following initiatives to enhance information security:

  • recording of around 3.6 million events and avoiding some 1.3 thousand information security incidents;
  • performance monitoring and support of 15 security equipment items;
  • raising employee awareness of information security;
  • improving processes to comply with legal requirements: a total of 59 internal regulations were issued, with measures taken to ensure their implementation;
  • enhancing protection of the automated process control system: replacement of foreign firewalls with domestically developed ones, organising drills for employees responsible for the operation and support of the system;
  • improving the management of access to information resources, transition to the shared system for access rights management;
  • improving processes for managing security events and incidents, establishing a 24/7 service at the operations centre;
  • assessing the security of the Group’s information resources, putting into action plans to enhance security safeguards;
  • identifying and blocking 39 fraudulent IT resources linked to the generation of fake commercial offers on behalf of the Group.

GRI 410‑1

All employees of the Economic Security Department receive training in terrorism prevention and the main goals and principles of PhosAgro Group Code of Ethics.

Security personnel who completed human rights training, %

Stakeholder engagement in information security

Ensuring information security is the responsibility of each employee. To this end, the Group regularly holds events to raise employee awareness of information security issues and develop practical skills to deal with modern threats.

In 2024, the Company held drills on responding to computer incidents for production staff and employees in charge of the automated process control system.

Over 13 thousand employees completed courses and testing on the corporate platform. Corporate media published 23 materials on various aspects of information security.

The counterparties of the Group companies that are engaged in an electronic information exchange and whose employees have access to the Group’s internal information resources contribute to information security. Dedicated regulations apply to interactions with external parties, and contracts contain provisions on personal data processing, confidential information, and penalties in case of violations.

Counterparty employees take part in training, testing and drills in information security.

Today information protection goes beyond workplaces. The Group pays special attention to creating a stable social environment in the cities of operations, and works with local residents to enhance information security and cyber hygiene. To that effect, we conduct regular classes and interactive events for school students of various ages and their parents, organise lectures for regional administrations, teachers and non‑governmental organisations, and publish articles in corporate and local media.

This, together with the use of modern information security tools and well‑coordinated work of the department, helped avoid information security incidents in 2024 and in previous periods that could have caused tangible material or reputational damage.