2015 Annual Report


The internal control and risk management system

The Internal Control System is the total system of bodies and areas of internal control that ensure compliance with the procedure for meeting and implementing objectives stipulated by the laws of the Russian Federation and the constitutional and internal documents of the Group.

The Supervisory Board is responsible for defining the principles of and approaches to the organisation of internal control and risk management systems at the Group.

The executive bodies create efficient internal control and risk management systems at Sberbank, maintain their correct functioning, and are responsible for implementing Supervisory Board decisions in these areas.

The internal control and risk management systems of Sberbank are built on the Three Lines of Defense model, in which:

  • The First Line is the business units responsible for the daily effective implementation of internal control and taking ongoing measures to manage risks associated with their activities. These measures are part of the everyday activities of the business units; therefore, they ensure continuous processes for identifying, assessing, and monitoring risks.
  • The Second Line is the responsible business units of Sberbank that elaborate and implement the rules and procedures for internal control, determine risk management standards, guidelines, limits, and restrictions, monitor risk levels, prepare reports, verify the conformity of risk levels to risk appetite, advise, simulate, and aggregate the total risk profile.
  • The Third Line is internal auditing tasked with the independent evaluation of the effectiveness of internal control and risk management systems.

The Structure of the Internal Control System


Organisation of the Risk Management Process

The risk management system we use is based on standards and tools recommended by the Basel Committee on Banking Supervision and conforms to the requirements of the world’s best practices. The main objectives of the system of integrated risk management, as an integral part of the process of bank management, are the introduction of risk management standards, principles, limits, and restrictions; monitoring of the level of risk and the generation of reporting on risks; ensuring the conformity of assumed risks to risk appetite limits; and the modelling and creation of a common risk profile.

To ensure the effective planning and control of accepted risks, risk management functions are distributed among the Supervisory Board, the Chairman of the Executive Board, the Group CEO, the Executive Board, the supervisor of the Group’s Risks Unit (Head of the Risk Management Office of the Bank), specialised Committees of the Executive Board, departments of the Risks Unit, and other business units of Sberbank and members of the Group.

The distribution of authority in the risk management system meets the requirements and recommendations of the Bank of Russia and international financial institutions.

Internal Audit Service

The Internal Audit Service is intended to support Sberbank governing bodies in achieving goals, ensuring the efficiency and high performance of the Group’s activities, and operating in compliance with the principles of stability of activities, independence, impartiality, fairness, objectivity, and professional competence. The Internal Audit Service is an independent structural unit that performs inspections of the entire system of internal control, is accountable to the Supervisory Board, and is administratively subordinate to the CEO, Chairman of the Executive Board. The Head of the Internal Audit Service is appointed to and removed from office by the Supervisory Board.

We shall take the necessary measures to ensure the independence and fairness of the Internal Audit Service and the seamless and efficient performance of the Internal Audit Service’s functions.

The Internal Audit Service conducts audits in all areas of Sberbank’s activities and monitors the effectiveness of measures taken by departments and governing bodies to reduce identified risks following audit results.

The Head of the Internal Audit Service provides the Supervisory Board with the Service’s reports on the implementation of the yearly plan of audits as approved by the Supervisory Board and on the results of audits of the Group for the respective periods.

As part of its operations, the Internal Audit Service uses the best internal audit practices, including international fundamentals of professional internal audits.

Oleg Chistyakov

Head of the Internal Audit Service

Date of birth: 22 October, 1964

Year of appointment: 2014


1986: Ordzhonikidze Moscow Management Institute, majoring in Engineering Economics

Work experience:

From 2009 to present, Director of the Internal Control, Inspection and Audit Administration of Sberbank. On 12 September, 2014, appointed to the office of Head of the Internal Audit Service of Sberbank.

Internal Control Service

Sberbank established its Internal Control Service to implement internal controls, to assist the Sberbank management bodies in ensuring the compliance of Sberbank’s activities with laws, regulations, and best practices, and to create and apply effective methods and mechanisms for managing the risk of losses incurred by Sberbank as a result of noncompliance with the laws of the Russian Federation, internal documents of the Bank, standards of self-regulatory organisations, and/or sanctions, and/or other enforcement measures on the part of the supervisory authorities. The Service includes the aggregate of structural business units and employees of the Group acting in accordance with the Regulations on the Internal Control Service.

The Internal Control Office acts in accordance with the principles of independence, continuity, objectivity, impartiality, and professional competence.

The Internal Control Service is accountable to the Supervisory Board, the CEO, Chairman of the Executive Board, and the Executive Board of Sberbank. At least once a year, the Internal Control Service provides reports on work completed to Sberbank’s executive bodies and (in certain cases) to the Supervisory Board.

Larisa Zalomikhina

Head of the Internal Control Service

Date of birth: 4 January, 1973

Year of appointment: 2014


1996: Moscow Institute of Physics and Technology (MIPT), majoring in Applied Mathematics and Physics

Work experience:

From 2004 to December 2012, CEO of Troika Dialog Financial Broker CJSC and part-time Deputy Director of Sberbank’s Compliance Division. From December 2012 to present, Director of the Compliance Division. Since September 2014, Head of Sberbank’s Internal Control Service.

Risk Management Service

To manage risks, Sberbank established the Risk Management Service, which is a combination of structural units and Committees of the Group whose main function is to manage risks.

To avoid any conflict of interest, Sberbank ensured the independence of business units responsible for risk management from business units engaged in operations/transactions exposed to risks.

Alexander A. Vedyakhin

Head of the Risk Management Service

Date of birth: 20 February, 1977

Year of appointment: 2015


1999: Volgograd State Technical University, majoring in World Economics

2001: Candidate of Economic Sciences

2010: Academy of the National Economy under the Government of the Russian Federation, Bank MBA Programme

Work experience:

From 2008 to 2012, First Deputy Chairman of the Executive Board of SBERBANK PJSC (Ukraine). From December 2012 to July 2015, Executive Director of the Risk Department, Managing Director of Sberbank’s Risk Unit Administration. From June 2015 to the present, Senior Vice President.