1.3. Management plan for mineral supply chain risks

Action plan following risk confirmation and risk management strategy

At this step, responsible parties, including the management team, use the Risk Decision Matrix to decide whether to cooperate with the respective supplier going forward. The decision depends on the level of confirmed risk.

The next step is to develop a Risk Management Plan (the “Plan”) should the risks be confirmed at the previous risk identification and assessment steps. The Plan is required for the supplier to eliminate the risks confirmed.

The risk management procedure and development of the Plan begin with notifying Nornickel’s management of the risk confirmation following an enhanced due diligence.

Then, the Group develops the Plan in cooperation with suppliers and, where necessary, other stakeholders, such as representatives of local communities. The Plan should clearly specify the risk mitigation goals, timelines, and performance indicators, as well as the responsibilities of all the parties involved and possible corrective actions. The Plan needs to be approved by the Company’s management.

Based on the level of risk exposure and the cooperation decision made, the responsible parties determine the response timelines and reporting procedures for management to follow up on the Plan, as well as develop a list of risk mitigants. Each risk mitigant implies specific actions to be taken and relies on the required internal resources. The Plan prioritises the most efficient solutions, taking into account suppliers’ human, logistical, and financial resources.

The choice of an approach to developing the Plan depends on the risk exposure established during an enhanced due diligence and affects the deadlines for supplier notification and risk mitigation, the type (remote or in‑person) and frequency of progress assessments, and whether Nornickel’s internal resources are required.

The overall success of the Plan hinges on stakeholder engagement, which requires the mandatory involvement of the supplier’s management throughout its implementation. Under the Plan, the supplier must submit progress reports to the responsible sustainability manager at Nornickel.

Where critical risks need to be addressed, suppliers must continuously report to the respective business units at divisions and, where necessary, to the Sustainable Development Department at Nornickel’s Head Office, the Board of Directors, and the Management Board.

Upon the expiration of the deadlines set out in the Plan, Nornickel reviews the supplier’s progress. If the supplier fails to achieve the approved targets, the Group may either continue cooperation, provided that a new risk management plan is developed, or reconsider its relationship with the supplier.

Since no confirmed risks were identified for mineral suppliers, the Company did not initiate the above action plan procedure in 2024.

In supply chain risk management, the System standards allow for the engagement of external stakeholders. The decision to involve them depends on the nature, severity, and specifics of the identified risks and is aimed at improving the effectiveness, adequacy, and measurability of relevant risk management measures.