Risk management and internal control

Through risk management, the Company prevents risk events that could affect the achievement of its strategic and operational goals, and mitigates their impact if they occur. Risk management is an integral part of the Company’s strategic planning, corporate governance and financial stability.

KMG has integrated the Corporate Risk Management System (CRMS) in its key business and management processes. The purpose of the CRMS is to ensure an optimal balance between the Company’s growth in value, its profitability and risks. The CRMS is a key element of the corporate governance framework, supporting timely identification, assessment and monitoring of all material risks, as well as timely and adequate mitigation measures. The CRMS established at KMG and its subsidiaries and dependent companies covers all areas of their business.

Risk management process

The CRMS is designed to provide a consistent and clear framework for managing the risks associated with KMG’s operations. The Company uses a top-down risk management approach, with risk management embedded across all management levels from top (KMG) to the line level (an operating structural unit of a subsidiary or dependent company). Each officer is responsible for ensuring risks are properly assessed when making decisions. Risks are assessed using a range of qualitative and quantitative assessment tools factoring in risk probability and potential impact.

The CRMS operates through seven interrelated CRMS processes integrated into KMG Group’s management business processes:
  1. Goal setting (alignment of strategic, medium- and short-term planning goals);
  2. Identification of risks/risk factors (whether any of KMG Group’s activities and business processes are exposed to risks that may adversely affect the achievement of set goals and objectives);
  3. Risk/risk factor assessment and analysis (to determine the degree of risks/risk factors’ impact on the achievement of the Company’s KPIs. Operational and non-operational risks and associated risk factors are analysed in terms of probability of occurrence (probability) and degree of impact (potential for business losses));
  4. Risk management (the process of developing and implementing measures to mitigate the adverse consequences and (or) reduce the probability of occurrence for inherent risks and associated risk factors);
  5. Monitoring and reporting (to control the dynamics of changes in risk profiles and the effectiveness of risk management activities and control procedures. Monitoring is carried out by KMG’s Risk Management and Internal Control Service, with a quarterly risk report submitted to the Board of Directors);
  6. Information and communication (to provide the participants of the risk management process with accurate and timely risk information and raise awareness about the risks and risk response methods and tools);
  7. The establishment of internal environment (the implementation of the above components of the risk management process at KMG Group fosters a group-wide risk culture driven by the appropriate “tone at the top”, strong risk awareness and knowledge, and the accountability of risk owners/risk factor owners, as well as active risk management and timely reporting).

Interactions with the Board of Directors

The following documents are submitted for review to KMG’s Board of Directors at least once a year:

  • Proposals on the Company’s risk appetite;
  • Consolidated Risk Register;
  • Risk map;
  • The Company’s Risk Management Action Plan;
  • Risk Tolerance Levels;
  • Key Risk Indicator Register.

In addition, a risk report (consolidating KMG subsidiaries and dependent companies) is submitted on a quarterly basis to the Board of Directors for consideration with the Board duly reviewing and discussing it in full. The Board of Directors takes appropriate measures to bring the existing risk management and internal control system in line with the principles and approaches determined by the Board of Directors.

Improving risk management

KMG Group’s efforts to improve its CRMS and drive a robust risk culture are guided by KMG’s Corporate Governance Plan for 2019–2020. The Plan outlines key initiatives supporting the Company’s CRMS and ICS goals.

KMG has been continuously improving its CRMS and consistently enhancing its risk management framework. The Company remains fully committed to the continuous development and improvement of the Company’s CRMS.

In 2020, KMG conducted a comprehensive analysis of the impact of COVID-19 pandemic risks on its operations. The analysis and the response measures taken were provided to the KMG Board of Directors. As the Company continues to foster a robust risk culture, it provided online employee training to improve risk management skills following the shift to remote work due to the COVID-19 pandemic.

As for the planned improvements to risk management in 2021 and beyond, the Company intends to foster cross-functional interactions in risk management as part of project management, enhance information security, sustainability, compliance, strategy and KPIs. KMG continuously improves the CRMS by updating the CRMS policy, the standard rules for establishing a risk management process, and regulatory and methodological documents.

Risk appetite

The Company’s risk appetite shows its level of risk retention under which the Company is able to achieve its strategic goals and operational targets. It affects resource allocation, the establishment of processes and creation of an infrastructure within the organisation to support effective monitoring and responses to risk events.

Selected excerpts from KMG’s 2021 risk appetite statement, as approved by KMG’s Board of Directors

Financial activities
  • Compliance with covenants set by lenders
  • Ensuring that the targeted dividend flow from subsidiaries and dependent companies to the Company falls no more than 10% (except when impacted by a significant drop in market oil prices)
  • Ensuring that the Company’s credit rating is not downgraded (except when impacted by a downgrade of Kazakhstan’s sovereign rating)

Operations
  • Zero tolerance of negative impact on reputation, health, safety and environment
  • Ensuring social stability in the operating regions
  • No transactions leading to violation of sanctions
  • In managing its information security and cyber risks, the Company:
    • ensures service availability in case of information and communication infrastructure failure
    • ensures the integrity of the information resources, software and hardware
    • prevents confidential information from leaking or other unauthorised disclosure
  • Zero tolerance of corruption in any form and violations of business ethics

Investment activities
  • Compliance with the requirements of JSC Samruk-Kazyna’s investment policy
  • Financing of investment projects primarily with equity. In case of borrowing, ensure that the Group’s financial stability is not undermined
  • Implementation of subsoil use projects with strategic partners primarily under carry financing

Corporate insurance

Insurance is central to ensuring robust risk control and financial management across KMG Group as it serves to protect the property interests of the Company and its shareholders against unexpected losses that may result from operations, including as a result of external factors.

The Group’s insurance function is centralised to ensure the enforcement of the group-wide Corporate Standard for obtaining and maintaining insurance cover, which ensures a comprehensive approach to managing continuous coverage.

KMG’s Corporate Insurance Programme includes the following key types of insurance coverage:

  • Insurance of core operating assets of the Company
  • Public liability insurance
  • Energy risk insurance

A reinsurance company is only considered for reinsurance when holding a financial credit rating of at least “A–” on the Standard & Poor’s scale. Best industry practice is applied in negotiating the best insurance and risk coverage terms for the Company.

Internal Control System (ICS)

The ICS is an integral part of the CRMS. The system uses the COSO framework and includes five interrelated elements: control environment, risk assessment, controls, information and communication, and monitoring procedures. It is designed to achieve reasonable assurance that KMG will reach its goals across three key areas:

  • Improving operational efficiency
  • Preparing complete and reliable financial statements
  • Complying with Kazakhstan’s laws and KMG’s internal documents

KMG’s Internal Control System Policy outlines the objectives, operating principles and elements of the ICS. In order to implement the Internal Control System Policy, the Company has put in place the Internal Control System Guidelines detailing related roles, responsibilities, operating procedures, organisation and performance criteria.

In 2020, to match KMG’s business needs, internal regulations on the ICS were updated with a detailed description of the risk identification and assessment process, scale and criteria for internal controls maturity assessment for a business process, improved risk culture, ICS maturity assessment and interactions among ICS actors.

KMG annually approves a schedule based on the criticality ranking of business processes as well as recommendations by external and internal auditors. The schedule specifies when business processes will be formalised and design of controls tested (analysed). Formalisation means the design and update of the existing risk flowcharts and matrices, and business process controls. Improvement recommendations are prepared based on the results of design testing (review). Similar activities are performed by subsidiaries and dependent companies. The results of these ICS activities are communicated to business process owners, IAS, external auditor, Management Board, and the Board of Directors.

ICS-related meetings and trainings for employees of KMG and its subsidiaries and dependent companies take place annually, with workshops, experience sharing, discussions of issues and their solutions.

The internal control system model from the perspective of hierarchy levels, roles and powers of the key actors of the internal control process:

  • Level 1, Organisation and Function, is about how the internal control system is organised, the interfaces between its actors, and “the tone at the top”.
  • Level 2, Corporate Controls, is related to the management mechanisms established at the level of KMG or its structural units to facilitate the achievement of KMG’s goals, directly or indirectly impacting the risks inherent to its operations. These controls enable better structuring of the internal control system by shaping the overall control environment and optimising the effectiveness and number of control procedures. Corporate-level controls impact KMG as a whole, and each business process in particular. They are linked to monitoring key metrics and reliability criteria, as well as maturity levels to ensure they meet the targets. Such metrics, criteria and maturity levels are set out in KMG’s policies, its long-term development programme, and a number of KMG’s other conceptual and regulatory documents.
  • Level 3, Process Controls, is about the implementation of control procedures embedded in business processes and day-to-day activities of employees, such procedures not impacting KMG’s overall control environment.

Key risks

KMG operates in a constantly changing environment. Some risks can evolve over time, while their potential impact and likelihood can change in response to internal and external factors. KMG manages, tracks and reports key risks and uncertainties that can affect its strategy’s implementation.

During the reporting period, a number of risks materialised, but their negative impact was managed and minimised through risk mitigation measures. Below are the Company’s key risks.

Key risks of the Company
Trend (over the year) | Risk description and likely impacts | Mitigation and management
Production decline risk
  • Declining production from mature fields is KMG’s key operational risk.
  • Production decline due to lower oil prices driven by the challenging global energy markets (due to the pandemic) and commitments under the OPEC+ agreement.
For more details see the Upstream section.
To maintain production rates at mature fields, KMG:
  • implements measures to increase time between well repairs and ensure timely execution of well services, workovers and well interventions
  • implements upgrade programmes for obsolete equipment
Diversification of production assets. Cutting and optimising costs; replanning; reviewing scenarios to revise targets (subject to production profitability).
Liaising with the competent authorities of the Republic of Kazakhstan on the OPEC+ agreement to curb oil supply.
Work-related injury risk
Employee non-compliance with the established health and safety rules, and breaches of operational discipline may pose a threat to the life and health of employees.
To prevent industrial accidents, KMG implements organisational and technical measures that ensure:
  • safe work execution and prevention of work-related injuries and occupational diseases
  • timely training and knowledge testing
  • internal health and safety controls; deployment of new technologies and mechanised techniques, and improvement of industrial safety for production facilities
Implementing the near miss reporting programme through the Korgau Card project.
The following Corporate Standards were approved:
  • KMG Group’s corporate standard for engaging contractors on HSE
  • KMG Group’s corporate standard for building HSE capabilities
  • KMG Group’s corporate standard for occupational health
Risk of emergencies or man-made disasters at production facilities
The Company’s operations are potentially hazardous. KMG is exposed to the risk of damage to property, third parties or the environment caused by accidents or emergencies, man-made disasters at production facilities or third-party misconduct.
To mitigate operational risks, the Company:
  • ensures timely maintenance and repair of equipment as required by relevant regulations
  • performs timely retrofits and upgrades
  • performs timely diagnostics and identification of potential hazards, as well as industrial safety assessments of production facilities.
  • improves the technical expertise and qualifications of operating personnel.
The Company is phasing in advanced protection, safety and security technology and solutions.
In accordance with statutory HSE requirements, KMG takes out annual mandatory liability insurance for facility owners whose operations have an inherent risk of damage to third parties, as well as mandatory environmental insurance. In addition, annual voluntary property insurance is taken out (against the risk of accidental destruction, loss or damage) for insured events.
Environmental risk and climate change risk
The Company is exposed to the risk of adverse environmental impact and the risk of tougher responsibility for non-compliance with environmental laws, as well as risks related to climate change.

For more details see the Ensuring sustainable development section.
The Company’s priorities in environmental protection:
  • Greenhouse gas management and flaring reduction
  • Water management
  • Production waste management
  • Land reclamation
  • Energy efficiency improvement
To mitigate the environmental risk, the Company:
  • ensures preventive management of significant environmental aspects, based on project management and a risk-based approach, to improve environmental performance
  • follows up the implementation of the Emissions Management Policy and the Corporate Standard for Water Resources Management
  • quarterly assesses and analyses the flaring rate in the upstream sector under IOGP requirements
  • engages stakeholders on environmental issues
  • implements the Memorandum of Cooperation in Environmental Protection signed with a competent authority to dispose of and recycle waste from its subsidiaries and dependent companies
  • comprehensively develops the corporate environmental function and aligns KMG’s activities with green economy principles
The Company takes an active part in the working group of the authorised body tasked with developing the new environmental code.
Climate change risks:
  • In August 2020, the Company published its Climate Change 2019 Questionnaire on the CDP’s (Carbon Disclosure Project) website within the required timelines
  • The Company assessed the forecast balance between shortage and surplus of quotas for the National Allocation Plan for GHG Emissions for 2018–2020
Risk of gas shortages
Gas export volumes might decrease due to higher domestic gas consumption, given the gas chemical projects launched in the domestic market; a decrease in gas production due to gas re-injection to maintain the oil production plateau and/or caused by the lack of gas processing capacities; and due to an immature gas production resource base.
The Company has envisaged the implementation of a number of projects to increase the resource base of marketable gas by expanding the capacity for processing associated petroleum gas, reducing gas re-injection and burning associated petroleum gas in the fields. We are implementing activities to develop new promising fields and increase gas production at existing fields.
Geological risk
The implementation of new exploration projects is always associated with geological risks arising from the uncertainty of geology: a lack of hydrocarbon discoveries, or unconfirmed or low estimates of recoverable oil and gas reserves.
To address this risk, the Company:
  • collects, analyses, synthesises and updates the geological and geophysical data from the operating area and similar nearby fields
  • plans geophysical surveys and exploration for hydrocarbons, applies effective study techniques and data processing and interpretation methods
  • runs high-resolution 2D/3D seismic surveys
  • conducts regional surveys with international companies (Equinor, LUKOIL, BP) and pilot refining projects involving advanced technology and expertise from foreign companies (Eni)
  • builds sedimentary, geology and basin models of the region and fields based on qualitative analyses and advanced methods of geochemical and lithology analyses
  • attracts strategic partners for joint exploration and development of new fields, including under carry financing arrangements to reduce the financial impact of geological risks.
Social unrest in operating regions
The Company is exposed to the risk of unauthorised strikes.
To mitigate social risks, the Company:
  • runs awareness raising activities across operations, including management holding reporting meetings directly with representatives of the workforce and trade unions;
  • implements the Regulations on Interactions between subsidiaries and dependent companies and Contractors Working on the Sites of JSC NC KazMunayGas in order to deliver on its labour commitments to contractor employees
  • has in place and maintains a unified internal communications system, holds mandatory meetings between the management and employees at all the Company’s facilities to discuss social, day-to-day and operational matters as well as to develop solutions together
  • builds an integrated youth policy system to drive engagement among young employees and encourage them to participate in social activities and be part of the corporate team
  • runs regular surveys, analyses and monitors employee satisfaction in its operating regions, with corresponding Action Plans to minimise the areas of concern identified by the studies and enhance social stability based on their findings
Liquidity and financial stability risks
Liquidity and financial stability risks are KMG’s key risks.

For more details see the Strategic priorities section.
To overcome these risks, along with debt management activities and efforts to prevent liquidity shortages, the Company is focused on improving operational efficiency, clear prioritisation of capital expenditures, commitment to financial discipline, rationalisation of the Company’s asset and project portfolios, and transition to portfolio-based project management.
Compliance risk
Intentional corruption for personal or material gain, including for the benefit of third parties. The Company has zero tolerance towards any fraudulent actions regardless of the amount of monetary damage.
The Company consistently implements and reinforces internal controls, embedding group-wide policies to prevent unlawful or wrongful acts by third parties or by its employees, and maintaining the procedure for conducting internal investigations of unlawful or wrongful acts of its employees. The Company has adopted policies and standards, as well as committed itself to:
  • improving and consolidating its internal and compliance controls
  • conducting anti-corruption monitoring
  • analysing corruption risks
  • promoting an anti-corruption culture, taking preventive steps and informing employees on potential violations and enforcement
  • establishing an organisational and legal framework to foster accountability and transparency of decision-making procedures
  • implementing and complying with business ethics standards
  • holding anti-corruption workshops and trainings
  • analysing drafts of internal documents to identify corruption factors
  • preventing conflicts of interest
  • handling whistleblowing reports via the hotline, with respective reporting to the Audit Committee and the Board of Directors.
Volatility of crude oil prices
The Company is exposed to the risk of energy price volatility.

For more details see the Market overview and the Impact of COVID-19 and response sections.
To secure its financial position, the Company developed the Crisis Response Strategy which sets forth measures to mitigate the impact of the crisis in the oil and gas industry by end-2021. In 2020, the Company:
  • approved the amended KMG’s Development Plan with updated macroparameters, cost cuts and optimisation
  • optimised its 2020 investment portfolio, started rolling out a project management system
  • cancelled bonuses, optimised business processes
  • approved corporate KPIs following the digitisation of the Crisis Response Programme, the motivational KPI scorecard for executives and their 2020 targets
  • optimised KMG’s headquarters staff
  • approved a new organisation comprising fewer management levels, reviewed the Employee Pay Table following a reduction in top managers’ and executives’ salaries
  • approved the Risk Management Programme outlining additional downside risks/risk factors.
KMG continuously monitors and analyses price and demand dynamics for crude oil and oil products and also considers purchasing financial tools to be protected in case of a significant fall in oil prices.
Country risks and the risk of sanctions
The Company operates internationally. Any significant adverse change in the economic and political situation in a recipient country could affect the Company’s operations. Sanctions against certain countries, including sectoral sanctions, can affect the Company’s operations and its prospective projects.
The Company mitigates country risks by setting country-specific limits based on the analysis of the recipient country (from the economic, political, strategic, social and other perspectives). The Company analysed the impact on its operations from economic sanctions, along with potential response measures. Joint projects/material transactions with Russian entities were reviewed, with relevant potential operational and financial risks explored. The Company monitors existing sanctions to minimise negative impacts and implications, considering the potential widening of sanctions, which may have a targeted impact on the Company’s prospective projects. To reduce risks, the Company provides for mechanisms to exit projects or implement them independently in the event of a tougher sanctions regime.
Cyber risks
Shifting to work from home, remote connection and increased impact of digitalisation on production and management processes at KMG lead to increased risks of attacks on the Company’s ICT system aimed at compromising its integrity, accessibility and security.
To address this risk, the Company:
  • introduces specialist information security hardware/software at KMG to ensure automated monitoring of external and internal threats, as well as control over organisational and practical measures to protect the ICT system
  • runs tests to check its ICT system for vulnerability to external attacks, analyses IT infrastructure security, audits network elements, monitors operating systems security on a regular basis, and identifies and blocks violators
  • maintains its security management system to meet the current international standards for information security (ISMS)
  • provides information security training to units responsible for ISIS
  • keeps up cyber security hygiene.
Reputational risk
The Company is exposed to reputational risk which affects its business reputation and relationships with investors, counterparties, partners and other stakeholders.
The Company implements a range of measures to manage this risk, including publications in the media, briefings, press conferences and management presentations highlighting various aspects of the Company’s activities and raising awareness among stakeholders. The Company tracks press mentions of its activities daily and promptly responds to unreliable information (rumours) published in media and social networks.
In 2020, KMG developed and implemented a Communications Plan to Provide Information Support on the Crisis Response Strategy to timely inform the community on KMG’s performance and prevent negative press mentions. Under the Plan, the Company’s management paid working visits to the regions of presence to implement the crisis response strategy and check the measures taken to curb and prevent the coronavirus infection at enterprises. KMG published press releases and held respective briefings, and the measures were widely covered in mass media (TV, newspapers, internet publications, corporate websites).
The Company maintains a speak-up hotline and a procedure ensuring prompt responses to complaints and claims to eliminate their root causes.
FX risk
Currency risk is a potential negative change in the Company’s financial performance due to exchange rate fluctuations.
Given the currency mix of its revenues and liabilities, the Company is also exposed to FX risk in its operations. The strategy for managing this risk involves the use of a holistic approach that considers natural (economic) hedging options. KMG ensures the optimal balance of assets and liabilities denominated in foreign currency, and calculates earnings considering the FX risk.
Tax risk
The Company is exposed to the persistent risks of changes in tax laws and lack of clear interpretation, as well as the risk of increased tax burden and loss of entitlement to tax benefits.
The Company continuously monitors changes in tax laws, evaluates and forecasts the extent to which they can potentially impact its operations, as well as follows trends in law enforcement practice and considers the implications of regulatory changes for its operations. The Company’s specialists regularly take part in various working groups responsible for drafting tax legislation. To mitigate tax risks, the Company improves its tax administration processes and conducts tax audits.
Interest rate and commercial bank liquidity risk
Higher interest rates and lower financial stability of the banking sector can have a negative impact on the cost of borrowing, as well as the placement of idle cash.
To mitigate these risks, the Company diversifies investments in financial instruments in accordance with the treasury portfolio’s pre-defined limits and regularly monitors how idle cash is placed across KMG Group.
Most of KMG’s earnings are generated in US dollars, while the main source of borrowing is the international lending market. For these reasons, KMG’s debt portfolio is largely denominated in US dollars. The interest rates for servicing a portion of these loans are based on and interbank lending rates, and their growth may lead to additional debt servicing costs.
Investment (project) risk
The Company is implementing a number of projects in hydrocarbon exploration, production, transportation and processing, which could be exposed to significant risks associated with external and internal factors. The materialisation of such risks can significantly affect the success of these projects.
The Company regularly monitors the status of project implementation in the regions in which it operates, making timely adjustments to project implementation plans as necessary. Where risks can arise that affect the timing, budget or quality of projects, mitigation measures may include negotiations with stakeholders, reduction of operating costs, optimisation of the investment programme, etc.
Risk of changes in applicable laws, and litigation and arbitration risks
The Company’s performance can be impacted by changes in applicable laws, including subsoil use, tax, currency, customs regulations, etc., as well as the risk of negative court decisions on court or arbitration disputes involving the Company.
The Company continuously monitors changes in laws, as well as evaluates and forecasts the extent to which they can potentially impact the operations of the Group entities. The Company regularly takes part in working groups to develop and discuss draft laws in various areas of the law.
The Company continuously monitors judicial and law enforcement practices, and actively applies best practices in resolving legal issues and disputes arising in the course of the Company’s operations.
Risk of pandemic (COVID-19)
The outbreak of COVID-19 had a negative impact on the health of employees and their family members, caused temporary disability, deaths and suffering, inflicted restrictions and led to an economic shock, changing fundamental demand and production factors globally.

For more details see the Impact of COVID-19 and response section.
The Company continues to take all possible measures to mitigate the negative pandemic-related risk factors, particularly:
  • continuously monitors the epidemiological situation
  • imposed travel restrictions for employees (business trips, conferences, training), social distancing, shifted employees to remote work
  • introduced special rules relating to employee residence, catering, transporting and shift rotation to minimise contacts
  • ensures strict compliance with sanitary requirements and mask mandate for facilities and offices (including contractors), including temperature screenings before work and employee COVID-19 screening questionnaires
  • engages emergency response and crisis management teams, cooperates with state authorities and medical assistants
  • implemented the comprehensive measures in line with approved comprehensive business continuity plans of KMG and its subsidiaries and dependent companies to be ready in case of deteriorating epidemiological situation
  • provided seasonal vaccination against the flu, ensured preparedness of first-aid facilities, with due preparations for a potential increase in laboratory examinations and coronavirus infection vaccination
  • prepared reserves of PPE (medical masks, respirators, gloves), dispensers, sanitisers and disinfecting solutions as well as minimum life-support packages necessary to maintain life and health, including medicine and medical equipment.
To be prepared for further potential pandemic waves, prevent disease and the spread of COVID-19, the Company continues to:
  • follow previously introduced algorithms (as amended based on the first-wave experience) to mitigate the risk of coronavirus infection spread and maintain the anti-epidemic, sanitary and disinfection measures
  • identify critical business processes and options for the emergency recovery of the processes as well as essential personnel, suppliers, materials and equipment, develop business continuity and recovery plans for critical business processes and IT systems.