MEGAFON Annual Report 2016

Risk Management


MegaFon’s success and strength in the market is underpinned by an effective risk management framework. In 2016, we continued to improve our risk management system in line with the international risk management standards ISO 31000:2009 “Risk management – Principles and guidelines”, ISO 31010:2009 “Risk management – Risk assessment techniques”, the Russian national standards GOST R ISO 31000:2010 “Risk management – Principles and guidelines”, and GOST 31010:2011 “Risk management – Risk assessment techniques”.

The risk management structure consists of the following elements:

  • The Risk Management Unit at MegaFon’s Head Office, is responsible for the following:
    • the development and implementation of risk management procedures;
    • the development of, and support for, the risk management process;
    • the development of a risk culture;
    • the review of risks in terms of their potential impact on the Company’s objectives;
    • the development of plans to mitigate risks and supervise the implementation of risk mitigation measures;
    • interaction with all business units as part of the risk identification process, interviews and questionnaires;
    • staff training;
    • the submission of risk management reports to the Risk Committee and the Audit Committee.
  • Risk owners, who are the Heads of different functions (departments and divisions), are responsible for all aspects of risk management: identification, risk assessment, development of risk management activities, monitoring of a risk and status of activities, and/or provision of information for the purposes of monitoring for a risk and status of activities.
  • The Risk Committee at MegaFon’s Head Office, a permanent collegial body, which includes various top managers, led by the Chief Executive Officer. The Committee is responsible for key decision making on risk management and is governed by the Regulations on the Risk Committee. In 2016, the Risk Committee held two meetings, taking important decisions on the management of key risks.

The Audit Committee, under MegaFon’s Board of Directors, considers reports on risks and the performance of the overall risk management framework, and monitors the effectiveness of the system.

Risks are identified and analysed at three levels:

  • discussions with each unit by means of interviews and questionnaires;
  • cross-functional discussions and brainstorming sessions;
  • meetings of the Risk Committee at the Company’s Head Office and in branches.

At all three levels, risks are regularly reviewed in terms of their potential impact on the Company’s objectives. Monitoring of the risk mitigation process is conducted via an electronic system, which helps improve our risk management performance.

Our risk management process is periodically reviewed by our Internal Audit and the Audit Committee. The Audit Committee evaluates the effectiveness of our overall risk management system and makes recommendations for improvement.



Development of the risk management system in 2016

In 2016, the Risk Management Unit continued its efforts to deploy a corporate automated risk management solution, based on the Oracle Hyperion platform, to make the risk management process more efficient and better structured. The Company also decided to manage operational risks as part of its SAP re-engineering initiative. It was decided to separate our compliance risk capabilities into a separate dedicated function. As a result, compliance risks are now being reviewed by a specific Compliance Committee. In 2016, we continued to improve our risk culture.

In 2016, we updated the dedicated information section on risks on our MegaNet intranet portal to increase awareness about the risk management process among employees.

Further development of the risk management system

In 2017, we plan to continue the development of our risk management system and risk culture, and improve compliance with ISO 31000:2009, focusing on the following areas:

  • Staff training.
  • Updating the Risk Management Methodology guide.
  • Embedding risk management in the Company’s operations and decision-making process.
  • Rolling-out an automated risk management solution based on the Oracle Hyperion platform.
  • Improving ex-post risk analysis and risk management performance.
  • Implementing business continuity management in line with ISO 22301.
  • Integrating risk assessment into strategic planning.
  • Implementing the strategy to improve risk culture.

Key aspects of risk culture development

Tone at the Top The senior managers of the Company act as role models in the discussion, identification and assessment of risks and actively participate in risk management.
Corporate governance Risk responsibilities are included in employees’ job descriptions and targets. Timely communication about risks is encouraged and all risks are regarded as opportunities to further improve and develop the Company.
Competency A separate unit is responsible for the development of the risk management system, assisted by the Company’s management and Risk Committee. All key employees are trained in risk management. The Risk Management Unit has started developing an internal training course. In 2017, we plan to make it mandatory for all employees in managerial positions.


MegaFon conducts its business taking into account a wide range of risks which may have an adverse impact on the Company’s performance, if not properly mitigated. The Company takes into consideration geopolitical, macroeconomic, operational, regulatory, financial, tax and compliance risks. In 2016, new risks emerged, related to the regulation of the telecoms industry. For instance, the Russian Government’s adoption in 2016 of new legislation intended to counter terrorism could, if fully implemented, require that capital expenses on infrastructure may have to be increased to bring the Company in line with the new requirements.

Operational risks are driven both by growing competition and changing customer behaviours in the Russian telecoms market, which, on the one hand, have an adverse impact on our revenue growth, and on the other hand, require additional investment in customer service and network excellence.

In 2016, we saw an escalation of risks arising from the entry into the telecoms market of new players from other industries, as well as risks relating to the emergence of new market segments such as Big Data. To mitigate the latter risks, in 2016 we engaged in a sustained effort to grow our Big Data capabilities.

The Company has made information security a top priority. To prevent and mitigate risks in this area, we have developed a new information security strategy and are focusing on improving the competencies and capabilities of units that face information security risks.

Sanctions Risk Description
Several MegaFon is registered and conducts its business in the Russian Federation; therefore, it is exposed to certain country risks.

The year 2014 saw rising economic and geopolitical risks and the imposition of a sanctions regime by the United States, European Union and other countries against certain Russian companies. There is a risk that new sanctions may be imposed or the list of designated entities subject to existing sanctions may be expanded.
Risk mitigation
MegaFon is registered and conducts its business in the Russian Federation; therefore, it is exposed to certain country risks. The year 2014 saw rising economic and geopolitical risks and the imposition of a sanctions regime by the United States, European Union and other countries against certain Russian companies. There is a risk that new sanctions may be imposed or the list of designated entities subject to existing sanctions may be expanded.
Effect upon relationships with counterparties (vendors and suppliers) Risk Description
Further sanctions might be imposed on supplies of equipment, software or services from the EU and the US.
Risk mitigation
To minimise this risk, the Company has done a thorough analysis of all counterparties that might be at risk, evaluated the possible impacts, explored alternatives and developed a list of potential substitutes and other measures to mitigate the possible impacts of such sanctions.
Risk of credit rating downgrade Risk Description
MegaFon’s credit ratings are constrained by Russia’s sovereign credit rating, as the Company’s business is concentrated almost entirely in Russia.

In January 2015, S&P Global downgraded Russia’s sovereign credit rating to speculative grade BB+ with a negative outlook, which affected the ability of certain groups of international investors to invest in Russia’s sovereign bonds, as well as shares and bonds of Russian companies. Following the downgrade of Russia’s sovereign credit rating, S&P Global lowered MegaFon’s foreign currency credit rating to BB+ with a negative outlook, and changed the outlook to negative on its ВВВ- local currency credit rating, which reflected the agency’s overall approach to assigning ratings to Russian corporate borrowers. S&P Global has subsequently revised upward its outlook on the sovereign credit rating of Russia, first changing it from negative to stable in September 2016, and then from stable to positive in March 2017. These changes in the outlook on the sovereign credit rating resulted in subsequent outlook revisions for MegaFon: as of the date of this Annual Report, MegaFon has a stable outlook on local currency debt and a positive rating outlook on its foreign currency debt.

In February 2015, Moody’s Investors Service downgraded Russia’s sovereign credit rating to Ba1 with a negative outlook. Following this action, the agency revised the Company’s credit rating from Baa3 to Ba1 with a negative outlook. The agency’s rating actions reflected its overall approach to assigning ratings to Russian corporate borrowers. In February 2017, Moody’s revised upward its outlook on Russia’s sovereign credit rating, changing it from negative to stable and affirming the rating at Ba1. This was followed by a similar rating action on MegaFon. Nevertheless, given that the risk of a deteriorating geopolitical situation remains, there still exists the risk of a downward revision of Russia’s sovereign credit rating by international rating agencies in the future.

A downgrade in Russia’s sovereign credit rating in the past caused a downward revision of MegaFon’s corporate ratings, with an effect on the borrowing costs of MegaFon.

The Federal Law On Activities of Credit Rating Agencies, which came into effect in July 2015, introduced a new requirement that rating agencies obtain accreditation from the Central Bank of Russia in order to be able to assign ratings under the national rating scale. Moreover, starting from July 2017, only ratings assigned by accredited rating agencies will be considered for the purposes of state regulation, in particular to govern investment decisions by sovereign wealth funds and state-run pension funds or decisions on keeping bonds in the Bank of Russia Lombard List.

In the absence of a rating assigned to MegaFon by an accredited rating agency under a national rating scale, such restrictions would have a material adverse effect on the value of the Company’s outstanding bonds and on MegaFon’s ability to raise debt in the future through placement of exchange-traded bonds.
Risk mitigation
Despite the fact that MegaFon’s ratings are tied to and track all revisions to Russia’s sovereign credit rating, the Company’s ratings among the highest among Russian corporates, which along with the Company’s financial strength ensures that the Company has adequate access to funding.

Furthermore, the Company’s existing credit facilities do not contain any terms that are tied to changes in its credit ratings.

The Company believes that it has the necessary resources in place to ensure uninterrupted access to finance to support its economic activities.
Bank accounts of systemically important companies Risk Description
Pursuant to Federal Law No. 213-FZ On the Opening of Bank Accounts and Letters of Credit certain strategic companies are required to open and close accounts and deposit accounts only at, or purchase securities only from, the Russian banks specified by the Central Bank of Russia and/or the Russian Government. Furthermore, when engaging in such transactions with foreign banks, such companies are required to notify the competent authorities accordingly. Additionally, such strategically important companies are required to maintain their securities registers only with registrars that meet certain requirements specified in Law No. 213-FZ.

If further sanctions are imposed, there is a possibility that Law No. 213-FZ, which currently applies to entities in the national defence-industrial complex, may be extended to cover systemically important companies in other sectors as well, including MegaFon, which has already been identified as a company strategically important to the economy under Federal Law No. 57-FZ “On the Procedure for Making Foreign Investments in the Companies of Strategic Importance for the Defence and State Security”. Application of Law No. 213-FZ to MegaFon could have an adverse effect on the Company’s results and prospects.
Liquidity risk Risk Description
Deterioration of Russian corporates’ access to Western capital markets and the increased key rate in Russia may limit our access to capital and affect our borrowing costs.

Further sanctions could lead to restrictions on access to clearing systems or prohibition on certain transactions, which would affect the Company’s international payments.
Risk mitigation
To date, a large portion of the Company’s deposits has been denominated in foreign currencies, which mitigates the Company’s liquidity position revaluation risk arising from adverse changes in FX rates.

Moreover, MegaFon has had access to adequate funding through the credit facilities it has opened with both Russian and foreign banks. This reduces the liquidity risks and the risk of having to refinance its existing debt in the short and medium term.
Risk of a macroeconomic slowdown Risk Description
Falling oil prices and the depreciation of the national currency have negatively impacted the Russian economy, leading to reduced consumer purchasing power and a decrease in household consumption. If this situation continues, this could result in lower revenues from telecoms services. A macroeconomic decline might also lead to the withdrawal of investment in Russian projects, which could slow down the Company’s network roll-out.

Risk mitigation
The wireless market is more resilient in an economic slowdown as consumers tend to be dependent on mobile and Internet services, and as a result do not consider spending less on these services.

The Company has long-term contracts with Huawei, Ericsson and Nokia Siemens Networks, and access to adequate long-term equipment financing, which together should ensure the continued construction and modernisation of its network.
Risk of increased competition Risk Description
The mobile telecom business, which provides the bulk of the Company’s revenue, is one of the most developed areas of the Russian telecommunications sector. The mobile market in Russia is characterised by high penetration rates and slowing subscriber base growth, which intensifies competition as operators try to retain existing subscribers and attract new customers.

According to the Company’s analysis, as of now, this very competitive landscape is one of the most important factors that may continue to impact the mobile telecommunications industry over the long term.

MegaFon’s key direct competitors include MTS, VimpelCom, and Tele2. Additionally, MegaFon may face competition from various MVNO operators in the medium term. In 2016, Sberbank continued the implementation of its MVNO project with various mobile operators including Tele2 and MTS. Should the launch of Sberbank’s MVNO project be successful, it may lead to more intense competition and subsequently additional pricing pressure in the market.

Evolving business models in the market may lead to changes in market structure and dynamics. Failure to anticipate and respond to these developments, and to make consequent adjustments to our own business model, may affect our customer relationships, service offerings and market position and result in a negative impact on our operating results.
Risk mitigation
MegaFon is a fully integrated nation-wide communications operator offering a diverse range of fixed and mobile services, enhanced data capabilities, broadband, and other value-added services throughout Russia. The Company has licences to provide GSM, 3G, and 4G services throughout the country.

The Company also benefits from its well-developed retail network comprising about 2,000 owned-andoperated stores and roughly the same number of franchised stores, which allows it to control distribution channels and provide a wide range of highquality services to customers.

The Company seeks to keep up with the pace of technological advances and new industry standards by maintaining its focus on integration of emerging technologies and development of new and more effective and innovative products and services.

We believe that our extensive backbone networks, unrivalled spectrum advantage, leadership in 4G/ LTE mobile data services, extensive distribution network, diversified portfolio of products and services, and smart approach to CAPEX allocation and cost optimisation should enable the Company to maintain its competitive edge.

The Company is investing in the development of innovative infrastructure to consolidate its leadership in high-tech segments, including IoT and M2M.
Risks associated with possible changes in the prices of materials and services used by the Company Risk Description
The Company imports a high proportion of the equipment and materials needed to support its network expansion and telecommunications infrastructure development. Most payments made to foreign equipment suppliers are required to be made in euros or US dollars. Further depreciation of the rouble may result in increases in the prices of equipment, materials and services used by the Company, and may accordingly have an adverse impact on the performance of its securities-related obligations.
Risk mitigation
To mitigate foreign currency risks, the Company uses forward foreign currency exchange contracts, diversifies its credit portfolio and cash assets in bank accounts, and makes effort to negotiate better equipment supply terms with its counterparties.

As a result, the Company believes that it can control the risks associated with possible changes in the prices of materials and services purchased in foreign markets, and that there will not be a material adverse effect on the Company’s ability to comply with the terms of existing agreements. Risk Management (continued)
Risk of not keeping pace with technological advances Risk Description
As MegaFon further deploys its telecommunications network, it is exposed to certain risks that may delay launches of advanced services in certain areas and increase the costs of constructing the necessary infrastructure. Apart from the risk of failure to ensure timely supplies of telecommunications equipment to the Company on commercially attractive terms, other risks include the tightening of the rules regulating the use of telecommunications equipment in public communications networks and the commissioning of new facilities. In particular, all equipment is now subject to mandatory state certification.
Risk mitigation
The Company has successfully manages the risk of not keeping pace with technological advancements in the telecommunications market through implementing a range of measures. Specifically, the Company continues to improve its supply chain and has introduced stronger controls to ensure compliance with all rules, regulations and standards regulating the use of telecommunications equipment in public communications networks and commissioning of new facilities. It also maintains an ongoing dialogue on the relevant issues with regulators and the Government. During 2016, MegaFon signed a number of agreements with leading global producers of telecommunications equipment and software vendors to join their efforts in the development of the next generation communication standard. As a result, in 2016 the Company became Russia’s first mobile operator to demonstrate, through a joint project with Nokia, a mobile data transfer speed of 4.95 Gbit/s in an existing network. These tests represent an important step towards formation of the next generation communication standard.
Information security risks Risk Description
Given the fast-paced development of information technology and cryptographic analysis, there is a risk of failure to ensure the appropriate levels of information security for our software, subscribers’ personal data protection tools, and equipment and it may result in illegal dissemination and use of subscribers’ personal information in fraudulent transactions. There is also a risk of intrusion into the Company’s internal networks, including IT systems, which may result in malicious applications being introduced onto the equipment of the Company’s employees, unauthorised access to customers’ personal data or confidential information, with such data being compromised, or the spread of malware (viruses).
Risk mitigation
The Company takes all necessary measures to ensure the appropriate levels of security for its IT systems, software, technologies and equipment, including continuous monitoring for potential threats and the use of Security Intelligence platforms across its IT and telecommunications infrastructures, as well as the use of the latest software ensuring higher levels of security.

Ensuring information security and protection of subscribers’ personal data are among MegaFon’s top priorities. The Company acts to serve its interests, the rights of its subscribers and other third parties with whom we interact, and complies with the requirements of the following regulations: the law “On communications” (126-FZ), the law “On protection of personal data” (153-FZ) and the law “On information, information technologies and information protection” (149-FZ).

In 2016, the Company’s was working on further development of the telecommunications security strategy to conduct an in-depth analysis of approaches and projects aimed at ensuring full monitoring of potential threats and before-the-fact risk prevention. In February 2017, the Company’s Management Committee approved an updated telecommunications security strategy, which is being currently implemented by MegaFon. In addition, in the reporting year, we updated local documents regulating protection of personal data.

MegaFon has in place a strong information security policy and provides training and certification of employees in this field.
Telecommunications fraud risks Risk Description
The Company may incur losses as a result of wilful misconduct of unscrupulous counterparties or subscribers. It is also exposed to the risk of losing subscribers who become victims of fraud, and also reputational damage as a result of the fraud.
Risk mitigation
The Company has a dedicated unit responsible for the prevention of fraud and associated financial or reputational losses, and for the protection of the Company’s customers against fraud. Its activities are carried out in accordance with all applicable laws and regulatory requirements of the Russian Federation, and are aligned with MegaFon’s business targets.

To support these activities, the Company uses a number of specialist, automated anti-fraud solutions which enable near real-time detection of fraud threats to its business and the elimination of such threats. Monitoring for the more critical fraud threats is carried out 24/7.

In 2016, further efforts were made to prevent fraudrelated losses, by improving the existing business processes, systems and services and developing new ones.
Risk of new business acquisitions or strategic alliances having an adverse impact on our business Risk Description
MegaFon may continue to expand its business through acquisitions and strategic alliances. Should the Company be unsuccessful in integrating or managing any acquired company or in making a strategic alliance work, remediation of the situation may require that management’s attention is diverted away from other business concerns. In addition, any unsuccessful acquisition or alliance could negatively affect the Company’s financial position or credit ratings or dilute the value of its shares subject to the asset acquisition deal structure, possible deferred payments, FX exposure in the transaction price, etc.
Risk mitigation
The Company’s aim is to increase its market value by effectively integrating any new acquisitions or assets to achieve maximum synergies, and to ensure further growth for the acquired assets.

Any asset acquisition or strategic alliance is always preceded by extensive due diligence of the asset, evaluation of the viability of acquiring the asset, verification of ownership and other legal due diligence, and a thorough financial analysis of the proposed transaction.

MegaFon has a successful track record of acquisitions and alliances, and post-transaction integration; its management consists of experienced professionals who have the necessary expertise and qualifications to achieve this.
Transfer pricing Risk Description
In 2012, significant amendments were made to transfer pricing legislation, providing for monitoring of prices used in controlled transactions to make sure they are in line with the market. The amended legislation expanded the range of methods used to monitor prices to make sure they are in line with the market, extended the list of transactions treated as controlled transactions, and imposed on taxpayers the duty to prepare documentation related to controlled transactions and to notify the tax authorities about the execution of such transactions.

The tax authorities may impose additional tax liabilities if prices applied under a controlled transaction are found to be not at “arm’s length”.

Since the practice of enforcement of transfer pricing legislation is still in its infancy, it is possible that the approaches used to justify the market level of prices under controlled transactions will be challenged by the tax authorities, which may lead to additional tax liabilities being imposed.
Risk mitigation
The Company has implemented a number of measures to monitor the compliance of its pricing practices with the transfer pricing rules.

In particular, since 2012, MegaFon has had in place and continuously improves internal procedures to ensure compliance with transfer pricing legislation requirements, including an internal system for the identification of controlled transactions and monitoring of prices used in related party transactions to make sure they are in line with the market.

In addition, a consolidated group of taxpayers was formed within the MegaFon group of companies, so that transactions within this consolidated group are not subject to transfer pricing control.

We believe that the Company’s transfer pricing policy and practices comply with the requirements of transfer pricing legislation.
Controlled foreign companies Risk Description
In 2014, Federal Law No. 376-FZ On Amendments to Parts 1 and 2 of the Tax Code of the Russian Federation (with Regard to Taxation of Profits of Controlled Foreign Companies and Income of Foreign Organisations) (the “CFC Rules”) was enacted to provide tax incentives for de-offshorisation of the Russian economy. The law introduced new rules, with effect from 1 January 2015, according to which undistributed profits of foreign companies controlled by Russian tax resident legal entities and individuals may be subject to taxation in Russia. The law makes Russian tax residents who control foreign companies liable for payment of relevant tax amounts and submission of relevant CFC notifications.

To date, there has been limited relevant court practice relating to the CFC Rules and few clarifications by competent authorities on the application of these rules.
Risk mitigation
To ensure compliance with the CFC Rules, the Company has developed internal procedures to identify companies that may be treated as controlled foreign companies. A step-by-step action plan was also developed in relation to such companies and a schedule was set up for preparation and filing of the required documents with the tax authorities.

MegaFon continues to improve its internal procedures in accordance with official directives and instructions provided by the competent authorities; to ensure timely filing of all required reports to tax authorities; and to monitor and analyse new regulatory initiatives related to CFC legislation.
Risks of changes in customs regulations Risk Description
A significant portion of the telecommunications equipment purchased by the Company is either imported or produced using foreign-made components; therefore, changes in customs regulations or in the rates of, or payment procedure for, customs duties (introduced, in particular, by Decisions of the Eurasian Economic Community’s Interstate Council, Decisions of the Customs Union Commission, Resolutions of Government of the Russian Federation, and Decrees of the Federal Customs Service of the Russian Federation) may expose the Company ’s business to certain risks associated above all with lengthier customs procedures.
Risk mitigation
Legal risks associated with changes in customs regulations or in the rates of, or payment procedure for, customs duties in foreign markets do not have a material effect on the Company’s business due to insignificant volumes of operations the Company carries out in foreign markets.
Risk of revocation, suspension or non-renewal of our licences Risk Description
Since MegaFon’s principal activity is providing telecommunications services, revocation, suspension or non-renewal of its licences could have a significant adverse impact on its business. The Company also uses resources which are considered finite, including frequency spectrum and numbering capacity, and their unavailability for any reason could adversely affect its operations.
Risk mitigation
The Company holds GSM, 3G, and 4G/LTE licences with different expiry dates. The Company pays close attention to tracking licence expiry dates and to ensuring that all steps required to ensure timely renewal of licences with the Federal Service for Supervision of Communications, Information Technology, and Mass Media of the Russian Federation (“Roskomnadzor”); nevertheless it is still exposed to minor risks associated with possible failure to secure licence extension or possible delays in obtaining a licence.

In the event of changes in the requirements for the Company’s core business licensing in foreign markets, the Company will act consistently with such new requirements, including steps to secure required licences.
Risk of the technological neutrality principle having an adverse impact on the Company’s business Risk Description
Technological neutrality can potentially increase competition for MegaFon in the future in spite of the significant investment requirements made by the State Commission for Radio Frequencies of the Russian Federation (SCRF).

In December 2013, the State Commission for Radio Frequencies of the Russian Federation (SCRF) approved the principle of technological neutrality for UMTS technologies in the 900 MHz frequency band and for LTE technology in the 1,800 MHz frequency band, and in 2014 for LTE technology in the 900 MHz frequency band. The stated objective of these measures is to stimulate the development of 3G and 4G technologies in Russia, as operators with 2G licenses for 900 MHz and 1,800 MHz frequencies may now use these frequencies to deploy 3G and 4G technologies. The SCRF plans to take these efforts further, extending the technological neutrality principle to allow LTE technology to be deployed in other frequency ranges.
Risk mitigation
The Company views technological neutrality not only as a risk but also as an opportunity, because it will enable provision of better quality services to customers as frequencies becomes available
Risk of changes in interconnection regulation Risk Description
The Russian Government continues to discuss the issue of amending existing traffic transfer and interconnection regulations.

Specific regulatory bodies continue to develop new regulations in the field of operator cooperation, including regulation of interconnection rates.

The implementation of these government-sponsored initiatives may result in lower rates for traffic transfer and call services, and thus a decrease in service revenue.
Risk mitigation
The Russian Government has been considering various options for amending the existing regulations regarding cooperation between mobile operators and fixed operators to assess their potential impacts on the telecommunications industry.

The Company is in the process of developing a set of measures to mitigate the potential negative consequences of this risk.
Risk of the introduction of minimum communications service quality parameters Risk Description
Legislation in the Russian Federation currently does not contain provisions specifically requiring compliance by communications service providers with minimum quality parameters. The regulator’s current philosophy is that the quality of communications services will be assured as long as subscribers have the right to select their communications operator, based on operators’ mandatory provision of information about service quality to subscribers.
Risk mitigation
The chances that compliance with minimum parameters for service quality will be required in the medium term are not significant. However, even if the regulators change their current approach, the Company believes it will be able to ensure its services comply with any such minimum parameters.
Risk of changes in the set-up of data communications network of federal government bodies (integrated communications network) Risk Description
On 24 November 2014, the Russian Government amended the procedure for setting up data communications networks for federal government bodies.

Such bodies may now connect to data communications networks that are part of the infrastructure of government services administered by one of the communications operators. In 2015, the Ministry of Telecom and Mass Communications issued a decree to support the implementation of this initiative, and guidelines were developed for the design of data communications networks for federal government bodies. The implementation of this regulatory initiative could result in the Company losing a share of the B2G segment of the data transfer and telematics services market. Currently, services that are rendered to federal government bodies represent a significant part of the services provided by the Company in the B2G market.

On 21 July 2016, the President of the Russian Federation instructed the Russian Government to develop and submit to the State Duma a new federal law on preferential use by state agencies of the e-government common infrastructure.

Currently the Ministry of Telecom and Mass Communications is also working on a draft law on an integrated communications network, which may lead to a single provider serving the communications needs of government bodies. The Ministry suggests that a legal framework be developed for the establishment, control and operation of an integrated communications network to support the national defence, state security and law-enforcement needs.
Risk mitigation
The Company is carefully monitoring possible changes to the procedure and developing measures to minimise possible market share losses.
Risk of new regulations requiring mobile operators to sign MVNO agreements Risk Description
At present, Russian law does not require a mobile network operator to grant virtual operators access to its infrastructure.
Risk mitigation
Although we consider the risk of sudden changes in the regulator’s approach to the regulation of MVNO arrangements in the Russian Federation as insignificant, the Company cannot entirely exclude the possibility of changes that could adversely affect the business of MegaFon and its subsidiaries.
Risk of additional costs relating to enhanced regulation of personal data on the internet and big data Risk Description
During 2015, significant changes took place in the regulation of the processing Internet users’ personal data. In particular, from 1 September 2015, Russian citizens’ personal data must be recorded, systematised, accumulated, stored, clarified and retrieved through databases located within the territory of the Russian Federation. Further amendments to the regulation of Internet users’ personal data and Big Data processing are expected to be introduced in the future. Specifically, in accordance with the list of instructions issued by the Russian President following the meeting with participants of the First Russian Internet Economy Forum that took place on 22 December 2015, federal executive authorities are to present their legislative proposals on regulation of the processing of online personal data of Russian citizens.
Risk mitigation
The Company fully complies with the current legislation, inasmuch as the personal data of all of our subscribers are processed within the territory of the Russian Federation. In addition, the Company believes that it will be able to fully comply with any additional requirements. However, the implementation of possible new requirements, including possible regulation of Big Data, may entail additional costs for the Company.
Risk of having to move overhead telecoms lines underground Risk Description
In recent years, the administrations of a number of major Russian cities have adopted or announced plans to adopt regulations requiring overhead telecoms lines to be buried underground.

For instance, the Moscow Government has approved the My Street programme, which sets out the list of streets where overhead telecoms lines must be removed, and has issued binding instructions to its subordinate organisations to remove such lines.
Risk mitigation
Given that operators’ relocation costs are not expected to be reimbursed from the applicable government’s budget, this initiative could result in significant expenses for operators, reduced connectivity, and increased costs of telecoms services. The Company has been developing integrated measures to mitigate the risk of additional costs relating to the reconstruction and relocation of existing overhead telecoms lines and to prevent breaches of network integrity or security. The Company also initiates proceedings in court to protect its rights and legitimate interests.
Net neutrality regulation Risk Description
In 2015–2016, a working group within the Federal Antimonopoly Service discussed the principles of net neutrality, which is defined as a framework for interaction between end users and content, application and service providers with telecom operators that ensures open and non-discriminatory use of the Internet to distribute and access information and services.
Risk mitigation
If a strict approach to net neutrality is adopted through legislation, operators will not be able to differentiate between Internet traffic in any way, which may lead to networks being overloaded at times of heavy content transfer. It should be noted, however, that the expert community is currently reluctant to endorse a strict approach on the issue.
Risks related to possible restrictions on website speeds in the Internet Risk Description
Currently a number of state agencies are discussing an initiative to impose mandatory requirements for the reduction of traffic speeds for online resources that are non-compliant with Russian regulations (e.g. do not follow the instructions of the Federal Antimonopoly Service ).

The implementation of lower traffic speed requirements will ultimately be the responsibility of telecom operators, which would require the deployment of additional equipment and software and, accordingly, entail additional costs for telecom operators.
Risk mitigation
MegaFon’s proposal is that the existing blocking tools be used instead to restrict webpage access, which would not entail any additional costs for telecom operators.
Risks associated with unreliability of data contained in subscriber database Risk Description
Proposals have been made by several state authorities to increase operators’ accountability for providing services to subscribers whose data has not been properly entered into the operators’ billing systems, and also to require operators to “cleanse” their customer databases.

The implementation of these initiatives will entail additional costs for telecom operators, principally related to verification of their customer databases, and expose them to the risk of being fined if there are discrepancies between actual service user data and data contained in the databases maintained by telecom operators.
Risk mitigation
MegaFon is proposing a number of measures to reduce this exposure for telecom operators. In particular, it proposes the introduction of remote customer authentication mechanisms and a set of measures to connect telecom operators to state-run information systems (Unified System of Interdepartmental Electronic Cooperation) to enable verification of databases maintained by telecom operators.

The Company’s representatives actively participate in working groups formed by authorized state authorities to develop constructive proposals that will meet the interests of the state and the business.

MegaFon’s internal procedures provide for checking the availability of all the required subscribers’ personal data, including when concluding contracts by dealers. Dealers are responsible for completeness and correctness of the provided data.
Risks associated with the implementation of additional requirements for telecom operators and Internet service providers introduced as part of counter-terrorism amendments to legislation Risk Description
On 6 July 2016, Federal Law No. 374-FZ On Amendments to Federal Law on Countering Terrorism and Individual Legislative Acts of the Russian Federation with regard to Establishing Additional Measures to Counter Terrorism and Ensure Public Safety was passed. Article 13 of the Federal Law stipulates that, starting from 1 July 2018, telecom operators must store within the territory of the Russian Federation all text messages to users of communications services, voice data, images, sound and video files, and all other communications from users of communications services, in each case for a period of up to six months from the date of their receipt, transmission, delivery and/or processing. The procedures for storing, timelines and storage volumes for the data specified in the Article are to be set by the Russian Government.

On 23 December 2016, the Ministry of Telecom and Mass Communications posted for public discussion draft resolutions expanding the requirements of the Law to oblige telecom operators to store traffic sent over data communications networks, starting from 1 July 2018, in the amount of 1 PB of storage per every 1 Gbit/s of capacity (throughput) of an operated communications node, and, starting from 1 January 2019, 2 PB of storage per every 1 GBit/s of capacity. Thus, the proposed amendments to the requirements covering the entire telecommunications industry are virtually infeasible in the current environment given the available technical and financial capabilities.

The President of the Russian Federation has directed that measures be taken to ameliorate the impact of the Law’s provisions. On 19 January 2017, Aleksey Volin, Deputy Minister of Telecom and Mass Communications, stated the Ministry’s willingness to reduce the amount of storage capacity required for redundant traffic and to introduce a phased approach to the implementation of the proposed rules.

On 31 January 2017, the Minister of Telecom and Mass Communications, Nikolai Nikiforov, promised amendments to improve the law thus showing support for telecom operators. Otherwise, if the strictest version of the policy is adopted, the implementations costs for MegaFon may amount to RUB 500bn - RUB 938bn.

No technical solution exists as of yet to implement requirements of the law, and the published draft resolutions have not been approved yet and are subject to significant revision.

It should also be pointed out that data to be stored is protected by secrecy of communication laws and may also potentially be covered by other secrecy legislation, including laws that protect information constituting: a state secret, trade secret, banking secret, business secret, credit history, insurance or tax secrets, attorney client privilege, etc. Therefore, to implement these legal requirements, special secrecy regimes and an overall confidentiality regime would have to be maintained in addition to establishing storage systems to store relevant data within Russia. Another consideration should be that the storage facilities to keep such data would potentially become a particularly tempting target for malicious users and various hacker groups. That said, we believe that ensuring high levels of security and privacy protection for the proposed data storage infrastructure is an enormous challenge, which can not be fully addressed by telecom operators without support from the Government.
Risk mitigation
MegaFon is in discussions with other telecom operators and federal executive authorities of the Russian Federation over the model of implementation of the requirements of the Law.
Regulation of critical IT infrastructure Risk Description
On 6 December 2016, the Government of the Russian Federation submitted to the State Duma draft legislation aimed at ensuring protection of Russia’s critical IT infrastructure. The proposed legislation seeks to establish a state-run system to detect cyberattacks, trace them back to their sources, and mitigate their effects at critical IT infrastructure facilities. The draft legislation would also require operators of critical IT infrastructure to deploy and maintain technical tools designed to detect signs of cyberattacks in their telecommunications networks, report cyber incidents to the competent authorities, and take steps to mitigate the effects of such cyber-attacks. In particular, the draft legislation contemplates the establishment of a National Coordination Centre for Cyber Incidents.

At the same time, the proposed legislation provides for criminal liability for non-compliance with regulations and operating instructions covering storage, processing or transfer of protected computer information contained in Russia’s critical IT infrastructure. We believe that the introduction of criminal liability for non-compliance with regulations and operating instructions would make the enforcement of the proposed legislation problematic. In a situation where 16 more regulations are envisaged to complement the proposed legislation, their absence makes elements of the offence quite vague, which leads to increased risks for business.
Risk Mitigation
The Company is closely monitoring the discussion of these initiatives.
Regulation of relations in the Russian national segment of the Internet Risk Description
The Ministry of Telecom and Mass Communications has posted for public discussion the Draft Federal Law On Amendments to Federal Law On Communications, which aims to regulate relations in the Russian national segment of the Internet. The draft federal law would impose significant responsibilities on telecom operators. In particular, the proposed legislation would require telecom operators to connect to Internet exchange points, which would deny them an opportunity to select the best routing options and thereby place a significant financial burden on such telecom operators.

The draft federal law also seeks to introduce an obligation for telecom operators to use data collected in the Russian national segment of the Internet. At the same time, analysis of the concept on which the proposed federal law is based, suggests that the Russian national segment of the Internet seeks to collect data about legal entities and individual entrepreneurs operating in Russia and using autonomous system numbers and/or IP address, Internet exchange point operators, etc. Therefore, the data that are actually intended for collection cannot be used as inputs for the policy of traffic routing and the development of a back-up reference system which would contain detailed information about autonomous systems to ensure support for the operation of the Internet in case of major incidents or emergencies.
Risk Mitigation
The Company is closely monitoring developments relating to the proposed legislation and is actively participating in discussions to promote regulations that would be more effective than the regime proposed in the draft Federal Law.
Interest rate risk Risk Description
Interest rate risk is the risk of loss arising from adverse movements in interest rates on liabilities and off-balance-sheet instruments. Rising interest rates could increase the cost to the Company of raising funds to finance its operations and CAPEX programmes.

In addition, where the Company’s existing debt carries a floating rate, the Company is exposed to the risk of higher costs of servicing such debt.

During 2014, the Russian economy saw a series of increases by the Central Bank of Russia in its key lending rate, which more than tripled the rate, from an initial 5.50% p.a. to 17.00% p.a. in an attempt to curb growing inflation in Russia. In 2015–2016, the CBR made a number of reductions in the key rate, setting it at 9.75% p.a. in March 2017. The level of the CBR key rate affects the costs of raising funds for borrowers in the Russian financial market.
Risk mitigation
The Company estimates the probability of further changes in the CBR key rate as moderate (in the Company’s view), while stating that reported figures may require possible adjustments to reflect changes in interest expense.

Currently the Company enjoys a high credit rating, which makes it well-positioned to raise funds at the most attractive terms available in the market.

Around 80% of the Company’s debt portfolio has fixed rates, while the Company has no rouble-denominated facilities with interest rates tied to the key lending rate of the Central Bank of Russia. The Company’s floating rate debt comprises credit facilities opened to finance equipment purchases.

In addition, a major portion of the Company’s debt portfolio is long-term (around 50% of the Company’s debt is due in five years or later) and carries attractive interest rates.
Risk of adverse changes in FX rates Risk Description
Some of the Company’s capital expenditures, liabilities and operating expenses (roaming and interconnect charges, frequency fees, etc.) are denominated in foreign currencies, mostly in US dollars or euros. A weaker rouble may lead to an increase in such costs in rouble terms, foreign exchange losses and lower net profit.

Since some of the Company’s debt is denominated in US dollars or euros, depreciation of the rouble against the US dollar and/or the euro could make it more expensive for the Company to repay or refinance such debt.
Risk mitigation
Some of the Company’s capital expenditures, liabilities and operating expenses (roaming and interconnect charges, frequency fees, etc.) are denominated in foreign currencies, mostly in US dollars or euros. A weaker rouble may lead to an increase in such costs in rouble terms, foreign exchange losses and lower net profit.

Since some of the Company’s debt is denominated in US dollars or euros, depreciation of the rouble against the US dollar and/or the euro could make it more expensive for the Company to repay or refinance such debt.
Risk of failure to protect inside information Risk Description
As a public company, MegaFon is obliged to ensure the security of inside information. Inside information is information, which is directly or indirectly linked to the Company’s operations and/or its securities, which has not been publicly disclosed and may have an impact on the share price. Under Russian and English laws, the Company and its employees have responsibilities to ensure proper usage and protection of inside information. Failure to discharge these responsibilities could result in claims by regulators and investors and financial and reputational damage.
Risk mitigation
To prevent this risk, the Company is implementing safeguards to protect inside information, making improvements every year to its data security framework. In 2012, the Board of Directors approved a number of regulations governing the use of inside information. In 2013–2015, the Company introduced a number of internal procedures restricting access to inside information and started implementing special technical tools for the protection of inside information, including protection of information on mobile devices. In addition, employees are regularly trained and tested to increase their awareness of inside information protection.

The Company’s Audit Committee oversees the execution of these measures, which are designed to ensure that all shareholders and potential investors are treated equally in their access to data and information.

In 2016, Regulation (EU) No 596/2014 on market abuse (MAR) came into force. To comply with MAR, the Company approved a new version of MegaFon’s Share Listing Policy and promptly deployed additional compliance procedures to monitor all of the Company’s significant transactions and projects requiring disclosure in the UK. In addition, to ensure compliance with the Regulation on Market Abuse, we amended our standard confidentiality agreements and maintain the procedure for automated collection of insider staff personal data in response to regulator requests (the UK Financial Conduct Authority, FCA).
Risks related to improper or inaccurate disclosure and other securities-related risks Risk Description
As a public company, we are exposed to the risk of claims against our Directors and officers from regulatory authorities and shareholders for improper and/or untimely disclosure of information affecting the Company’s business, operations or plans, of for disclosure of incomplete, confusing or contradictory information.
Risk mitigation
To limit the extent of potential losses or costs incurred by our Directors and officers or the Company as a result of legal claims related to improper or inaccurate disclosure, MegaFon has obtained and maintains a Directors’ and Officers’ Liability Policy. This policy not only protects the Company and its Directors against legal claims related to improper or inaccurate disclosure, but also against claims of third parties in respect of mistakes or omissions that could potentially occur in the course of regular management activity.