Risk management and internal control

1. Corporate Risk Management System (CRMS) principles

Through risk management, the Company prevents the occurrence of risk events, which affect the achievement of strategic and operational goals, and mitigates their impact if they occur. Risk management is an integral part of the Company’s strategic planning, corporate governance and financial stability.

KMG has integrated the Corporate Risk Management System (CRMS) in its key business and management processes. The purpose of the CRMS is to ensure an optimal balance between the Company’s growth in value, its profitability and risks. The CRMS is a key element of the corporate governance framework, supporting timely identification, assessment and monitoring of all material risks, as well as application of timely and adequate mitigation measures. The CRMS established at KMG and its subsidiaries and associates covers all areas of their business.

The Company’s Risk Management Policy relies on the following principles:
principle description
methodological consistency processes are based on unified methodological approaches
continuity functioning on an ongoing basis
comprehensive nature covering all business lines and all types of risks arising from operations
accountability organisational structure of the CRMS establishes competence of risk management decision-making and control at all levels of KMG Group
informed and timely communication the risk management process is supported by objective, reliable, and up-to-date information
rational approach to implement risk management measures, the Company uses resources rationally, ensuring economic efficiency of risk management activities
reasonable assurance reasonable assurance of delivering on the Company’s strategic and operational objectives, but not absolute assurance due to limitations inherent in the external and internal environment
adaptability regular improvement to identify all possible business risks and ensure the most effective application of risk control and management methods
clear regulation all operations comply with the procedures stipulated by internal regulations
active involvement of the management team the management team is actively involved in, and supports the implementation and improvement of the CRMS

2. Risk management process

The CRMS is designed to provide a consistent and clear framework for managing the risks associated with KMG’s operations. The Company has a vertical risk management process and risk management system in place at all governance levels. Each officer is responsible for ensuring that risks are properly assessed during decision-making. Risk assessment involves a range of qualitative and quantitative tools factoring in risk probability and potential impact.

Implementation of the above components of the risk management process at KMG Group fosters a group-wide risk culture driven by the appropriate “tone at the top”, strong risk awareness and knowledge, and the accountability of risk owners / risk factor owners, as well as active risk management and timely reporting.

3. Risk appetite

The Company’s risk appetite shows its level of risk retention under which the Company is able to achieve its strategic goals and operational targets. It also caps the level of critical risks / risk factors that the Company is willing to accept.

Selected excerpts from KMG’s risk appetite statement
Financial activities Operations Investment activities
  • Compliance with covenants in debt instruments.
  • Ensuring that the Company’s credit ratings are not downgraded.
  • Maintaining sufficient liquidity and positive consolidated free cash flow.
  • Ensuring that the targeted dividend flow from subsidiaries and associates to the Company does not go down.
  • Minimising tax risks and preventing misstating business transactions in accounting and tax accounting and financial statements.
  • Zero tolerance of negative impact on reputation, health, safety and environment.
  • Ensuring social stability in the operating regions.
  • No transactions leading to violation of sanctions.
  • In managing its information security and cyber risks, the Company ensures service availability, integrity of the information resources, software and hardware, and prevents unauthorised disclosure of confidential information.
  • Zero tolerance towards any form of corruption and fraud, as well as violations of business ethics.
  • Zero tolerance approach to losses and harm caused by environmental pollution.
  • Ensuring that the carbon footprint reduction targets are met.
  • Compliance with the requirements of JSC Samruk-Kazyna’s investment policy.
  • Financing of investment projects primarily with equity. In case of borrowing, ensuring that the Group’s financial stability is not undermined.
  • Implementation of subsoil use projects with strategic partners primarily under carry financing.
  • Considering new investment projects with due regard to their compliance with the required PI (profitability index), as well as their contribution to reducing the carbon footprint and carbon intensity of products.

4. Improving risk management

Initiatives to develop and improve the CRMS

KMG has been continuously improving its CRMS and consistently enhancing its risk management framework. To reaffirm its commitment to the continuous development and improvement of the CRMS, the Company took a number of measures and steps in 2021:

  • was assigned a BBB rating for the Risk Management, Control and Audit component as part of an independent corporate governance diagnostics (for reference: in 2018 – BB);
  • ensured interaction with the Company’s Board of Directors on certain matters (cyber risks, climate risks, carbon border regulation risks and other matters);
  • developed and approved by the Board resolution a credit risk management methodology;
  • implemented the weekly reporting format and organised the provision of data on the Company’s key events and risks to the Fund;
  • enhanced interpretation of risk assessment results for investment projects based on simulation modelling (stress-testing) of project KPIs;
  • RMICS staff held online trainings on the implementation of the risk management system as requested by subsidiaries and associates;
  • ensured continuous improvement of professional competencies of RMICS’ risk managers and obtained international certificates in 2020–2021, in particular: PRM from PRMIA, CFA and PMP, as well as ISO 31000:2009/2018.
Plans to develop the risk management system
  • Developing the CRMS (updating the CRMS Policy and standard rules for establishing a risk management process, regulatory and methodological documents).
  • Implementing an action plan for corporate governance improvement in terms of CRMS, ICS, and BCMS based on the results of corporate governance diagnostics.
  • Launching and rolling out an updated version of the automated risk management system (ARMS) across subsidiaries and associates: organising trainings for KMG’s risk coordinators and risk managers of subsidiaries and associates on the use of the updated ARMS, ensuring technical support of the ARMS.
  • Developing the risk culture.
  • Ensuring cross-functional cooperation to manage risks in project management, information security, sustainable development, compliance, strategy, and KPIs.

5. CRMS participants

CRMS structure:
Functions and responsibility of CRMS participants
Board of Directors
  • is responsible for having an effective CRMS and ICS in place;
  • approves strategic, medium-term and short-term goals, risk appetite, tolerance levels, risk registers, risk map, key risk indicators (KRIs) and risk management action plan. Quarterly risk reports, RMS performance indicators, and business continuity plans.
Management Board
  • is responsible for the organisation and effective functioning of the CRMS, and timely submission of quarterly risk reports to the Fund and the Board of Directors;
  • ensures implementation of the CRMS Policy and improvement of internal documents on risk management of the Company and subsidiaries and associates;
  • approves registers of KMG’s risk owners, risk factor owners, and risk coordinators;
  • reviews quarterly risk reports and takes appropriate measures.
Risk Committee
  • endorses the risk appetite, risk register, risk map, risk management action plan, KRIs, risk tolerance levels, and quarterly risk reports for submission to the Board of Directors for approval;
  • reviews the Company’s risks and the effectiveness of risk management measures. Methodological documents on risk management, proposals to develop risk management policies, procedures, and structure. New approaches to risk management, action plans to improve the CRMS.
  • assesses the effectiveness of the risk management process, notifies the Board of Directors of material weaknesses in the CRMS, and develops recommendations to improve the risk management process;
  • assesses the effectiveness of preventive measures against the risk / risk factor (controls) and prepares recommendations to eliminate the identified deficiencies;
  • notifies the responsible unit of new risk factors identified in the course of audits not included in the register.
Internal Audit Service (IAS)
  • assesses the effectiveness of the risk management process, notifies the Board of Directors of material weaknesses in the CRMS, and develops recommendations to improve the risk management process;
  • assesses the effectiveness of preventive measures against the risk / risk factor (controls) and prepares recommendations to eliminate the identified deficiencies;
  • notifies the responsible unit of new risk factors identified in the course of audits not included in the register.
Responsible unit
  • ensures the operation of the CRMS, development and update of methodological documents on the CRMS;
  • provides advisory support to units on the CRMS operation, holds training events;
  • analyses the context (internal and external environment), monitors internal/external factors that may have a significant impact on the Company’s risks;
  • reviews and approves risk registers, consolidates risks for the Group and analyses information, is responsible for timely preparation of the Company’s risk register, risk map, risk management action plan, prepares quarterly reports on the Company’s risks for the Management Board and the Board of Directors;
  • exercises control over risk management measures, conducts timely monitoring of compliance with risk tolerance levels, KRIs;
  • interacts with the IAS, KMG’s units, external consultants, and other stakeholders on risk management within its competence;
  • organises the interviewing of KMG’s risk and risk factor owners and provides for methodological support in the application of expert methods of risk identification and assessment.
Goal owners
  • are responsible for the coordination of risk values in quantitative / qualitative terms affecting the achievement of the established KPIs (targets), and risk management action plan;
  • oversee timely implementation of the approved risk management action plan.
Risk owners / risk factor owners
  • are responsible for proper management and control of the risks associated with the processes overseen by the risk owner, for providing timely and complete information on the status of risks and performance of risk management measures;
  • develop and implement business continuity plans;
  • ensure the development of mechanisms for managing certain types of risks and controls associated with the processes overseen by the risk owner / risk factor owner (corporate standards, regulations, policies for managing certain types of risks) aimed at mitigating risk exposure.
Subsidiaries and associates
  • ensure timely organisation of the risk identification and assessment process in line with the methodological documents of the CRMS;
  • are responsible for proper management and control of risks associated with the processes of subsidiaries and associates, timely risk reporting, as well as providing complete information on the status of production/non-production risks and performance of measures for their management, reporting on materialised risk events;
  • develop and implement business continuity plans for subsidiaries and associates.
Each employee of KMG / subsidiaries and associates
  • is responsible for performing their risk management duties in line with their job descriptions;
  • notifies in a timely manner the responsible unit of KMG / subsidiaries and associates, their direct supervisor of any committed or possible errors, deficiencies that have led or may lead to potential losses, of potential and materialised risk events in the manner and within the time frames established by the internal documents of the CRMS;
  • receives risk management training under the approved training programme.

6. Internal Control System (ICS)

The ICS is an integral part of the CRMS. The system uses the COSO framework and includes five interrelated elements: control environment, risk assessment, controls, information and communication, and monitoring procedures. It is designed to achieve reasonable assurance that KMG will reach its goals across three key areas:

  • Improving operational efficiency
  • Preparing complete and reliable financial statements
  • Complying with Kazakhstan’s laws and KMG’s internal documents

The ICS focuses on analysing business processes, timely identifying and analysing process-level risks inherent in KMG’s operations, as well as defining and analysing controls for managing these risks.

The ICS is integrated into KMG’s core and supporting business processes and includes procedures for promptly notifying the appropriate governance level of any material weaknesses and control bottlenecks, together with details of corrective actions that have been or should be taken.

The ICS is organised in line with the Internal Control System Policy, which sets out the goals, operating principles and components of the ICS and the Control System Guidelines, which define powers and responsibilities, operating procedures, internal control structure, performance criteria and forms of records.

KMG annually approves the ICS work schedule based on the criticality ranking of business processes as well as recommendations by external and internal auditors. The schedule specifies when business processes will be formalised/updated and design of controls tested (analysed). Formalisation means the design and update of the existing risk flowcharts and matrices, and business process controls. Improvement recommendations are prepared based on the results of design testing (review). Similar activities are performed by subsidiaries and associates. The results of these ICS activities are communicated from time to time to business process owners, IAS, external auditor, Management Board, and the Board of Directors.

ICS-related meetings and trainings for employees of KMG and its subsidiaries and associates take place annually, with workshops, experience sharing, discussions of issues and their solutions.

In 2021, KMG Risk Management and Internal Control Service continued its work to further implement and improve internal controls. Efforts were made jointly with business process owners to formalise internal controls for 17 business processes. Areas for improvement were identified and recommendations for the improvement of controls were prepared. A self-assessment survey on the maturity of ICS and BCMS in subsidiaries and associates was conducted.

In 2022, and subsequent years, the Risk Management and Internal Control Service will continue to improve the ICS. It is planned to continue formalising and testing (analysing) the design of controls, providing recommendations on controls, updating the matrix of Company-wide risks and controls, assessing the maturity of KMG and its subsidiaries and associates, holding trainings and improving the risk culture.

It should also be noted that KMG is aware of the importance of the internal control system in relation to the process of preparing and reviewing financial statements. This process involves providing reasonable assurance about the accuracy of the financial statements and their compliance with applicable accounting standards. To this end, the KMG group companies, in addition to methodological documents that determine the approach to accounting for operations and the preparation of financial statements, have formalised and implemented an internal control process, including a matrix of risks and controls over the preparation of financial statements. The effectiveness of the internal control of the KMG group companies over the financial statements is regularly checked by independent audit companies. In addition, the current preventive measures in relation to possible risks in the preparation of financial statements are the following:

  • annual approval of the calendar for preparation of KMG's consolidated financial statements;
  • quarterly development of the schedule for closing and preparing financial statements and subsequent communication with the organisations of the KMG Group of companies;
  • quarterly analysis of questionnaires provided by the companies of the KMG group on non-standard situations;
  • quarterly evaluation of the chief accountants of the organizations of the KMG Group of companies (in terms of timely and accurate presentation of financial statements).

7. Business Continuity Management System (BCMS)

The Business Continuity Management System (BCMS) is a set of processes and procedures aimed at identifying potential threats/risks and assessing their impact on the activities of KMG and its subsidiaries and associates, which provides the basis for improving the Company’s resilience to incidents by implementing effective responses capable of restoring its operations and protecting stakeholders’ interests, the Company’s business reputation, brand and value-adding operations.

The Company recognises the importance of having the BCMS in place and manages business continuity by identifying the necessary conditions and resources to develop and improve measures and tools to ensure business continuity in the context of threats and risks leading to business interruption.

The BCMS is organised in line with KMG’s Business Continuity Management System Policy and the Rules for the Business Continuity Management Process. The BCMS Policy defines the scope, objectives, basic principles, and model of the business continuity management system, taking into account the recommendations of the international standard in business continuity management. The Rules for the Business Continuity Management Process define the procedures for determining BCMS’ scope of application, business impact analysis, developing and approving the Business Continuity Plan (the “BCP”), BCP testing, monitoring and improvement of the BCMS, training and raising awareness of employees.

In 2020, KMG’s Board of Directors approved a Comprehensive Business Continuity Plan for KMG’s critical business processes, which reflected the measures designed to ensure that KMG can continue to perform its critical activities at the established acceptable level.

In 2021, the Risk Management and Internal Control Service conducted work to identify critical business processes at KMG’s subsidiaries, tested KMG’s Business Continuity Plan and identified areas for improvement.

In 2022 and subsequent years, the Risk Management and Internal Control Service will continue to improve the BCMS. Efforts will be made to update critical business processes, refine and improve the Business Continuity Plan and similar work will be done at subsidiaries.

8. Corporate insurance

Insurance is central to ensuring robust risk control and financial management across KMG Group as it serves to protect the property interests of the Company and its shareholders against unexpected losses that may result from operations, including due to external factors.

The Group’s insurance function is centralised in order to enforce the unified corporate standard for obtaining and maintaining insurance cover, which enables the Company to apply a comprehensive approach to managing continuous coverage. Independent appraisal of reproduction cost / replacement cost new (RCN) and risk assessments are also coordinated through risk surveys conducted by independent risk engineers across KMG Group.

KMG’s Corporate Insurance Programme includes the following key types of insurance coverage:

  • Insurance of core operating assets of the Company
  • Public liability insurance
  • Energy risk insurance

A reinsurance company is only considered for reinsurance when holding a financial credit rating of at least “A–” on the Standard & Poor’s scale. Best industry practice is applied in negotiating the optimal insurance and risk coverage terms for the Company.

9. Key risks: updated table for the previous year.

KMG operates in a constantly changing environment. Some risks can evolve over time, while their potential impact and likelihood can change in response to internal and external factors. KMG manages, tracks and reports key risks and uncertainties that can affect its strategy’s implementation.

During the reporting period, a number of risks materialised, but their negative impact was managed and minimised through risk mitigation measures.

Below are the Company’s key risks.
Risk has reduced
Risk has increased
Risk does not change
Trend
(over the year) 		Risk description and likely impacts Mitigation and management
Production decline risk
Declines in production from mature fields is KMG’s key operational risk.
The main external risk factors are: failures of external electricity supply, severe weather conditions; and obligations to further cut oil production as part of the OPEC+ agreement.

Impact:
During 2021, there were instances of unscheduled decline in production that had impact on the performance of the Company’s production programme.

For more details see the Upstream section. 		To maintain production rates at existing fields, KMG:
  • implements measures to increase time between well repairs and ensure timely execution of well services, workovers and well interventions
  • implements upgrade programmes for obsolete equipment
  • deploys new technologies to maintain production at mature fields
  • improves production efficiency (waterflood management, removal of restrictions on surface infrastructure, increase in oil recovery, commissioning of facilities for further exploration at production assets)
  • introduces automation
Control over the implementation of projects to modernise and upgrade the systems of energy suppliers is being strengthened. As part of reducing energy dependence and the cost of hydrocarbon production, projects to commission the Company's own power plants at the fields are running.
Diversification of production assets.
As oil production volumes will also depend on the terms of the OPEC+ agreement, on its part, the Company will continue the necessary interaction with Kazakhstan’s competent government bodies on the joint cuts of oil production by the OPEC+ countries.
Work-related injury risk
Employee non-compliance with the established health and safety rules, and breaches of operational discipline may pose a threat to the life and health of employees

Impact:
Violations of operational health and safety rules may lead to injuries as well as production disruptions, financial losses, and reputational damage.
In 2021, 28 lost-time accidents and 1 fatal accidents occurred. 		To prevent industrial accidents, KMG implements organisational and technical measures that ensure:
  • safe work execution and prevention of work-related injuries and occupational diseases
  • timely training and knowledge testing
  • internal health and safety controls
  • deployment of new technologies and mechanised techniques
  • improvement of industrial safety for production facilities.
  • Implementing the Near Miss Reporting Programme through the Korgau Card projectThe use of the Korgau Card is aimed at identifying and reporting an unsafe condition, unsafe behaviour, unsafe action, hazardous event or hazardous factor, as well as good practice and suggestions (initiatives)..
  • Implementation of the behaviour-based safety programme and behaviour-based driving safety programme in subsidiaries and associates continues.
The Company has Codes, Policies, Regulations, and corporate standards in place:
  • Policy on Safe Operation of Land Vehicles
  • Golden Rules code for employees
  • Corporate wellness programme
  • KMG Group’s corporate standard for engaging contractors on HSE
  • KMG Group’s corporate standard for building HSE capabilities
  • KMG Group’s corporate standard for occupational health
  • Rules for identifying occupational health, safety, and environmental threats and risks in hazardous operations
  • Occupational health, safety, and environmental awareness programme
  • Regulations on Safe Operation of Land Vehicles.
Risk of emergencies or man-made disasters at production facilities
The Company’s operations are potentially hazardous. KMG is exposed to the risk of damage to property, third parties or the environment caused by accidents or emergencies, man-made disasters at production facilities or third-party misconduct.

Impact:
  • 1) In the first half of the year, a T-101 air cooler ignited on the territory of KazGPZ LLP (Zhanaozen). The damage is estimated at USD 3.7 mln.
  • To settle the insured event, the payout (after deducting the proceeds from the sale of scrap metal and the deductible) is expected to be USD 1.7 mln.
  • 2) In the second half of the year, there was an incident at the Petromidia Refinery (KMGI) at the diesel hydrotreating unit which resulted in a fire. The damage is estimated at USD 45 mln.
  • To settle the insured event, the payout is expected to be USD 38 mln.
To mitigate operational risks, the Company:
  • ensures timely maintenance and repair of equipment as required by relevant regulations
  • performs timely retrofits and upgrades
  • performs timely diagnostics and identification of potential hazards, as well as industrial safety assessments of production facilities
  • improves the technical expertise and qualifications of operating personnel.
The Company is phasing in advanced protection, safety and security technology and solutions.
Annual voluntary property insurance contracts are executed (against the risk of accidental destruction, loss or damage) for insured events.
Environmental risk and climate change risk
The Company is exposed to the risk of adverse environmental impact and the risk of tougher responsibility for non-compliance with environmental laws, as well as risks related to climate change.

Impact:
Environmental risk materialisation may entail financial expenses in the form of fines, excess emissions charges, environmental remediation costs, as well as legal liability and escalating social and environmental tensions.

For more details, see section Ensuring sustainable development. 		The Company’s priorities in environmental protection:
  • Atmospheric emissions management and reduction of routine flaring
  • Water management
  • Production waste management
  • Land reclamation
  • Energy efficiency improvement
To mitigate the environmental risk, the Company:
  • ensures preventive management of significant environmental aspects, based on project management and a risk-based approach, to improve environmental performance
  • quarterly assesses and analyses the flaring rate in the upstream sector under IOGP requirements
  • engages stakeholders on environmental issues
  • implements the Memorandum of Cooperation in Environmental Protection signed with a competent authority to dispose of and recycle waste from its subsidiaries and associates
  • comprehensively develops the corporate environmental function and aligns KMG’s activities with green economy principles
  • develops and implements corporate documents (the Company’s updated Environmental Policy has been approved with due regard to the requirements of the new Environmental Code).
The Company actively participates in working groups with competent government bodies to develop by-laws for the new Environmental Code (effective from 1 July 2021) and industry-specific BAT (best available techniques) handbooks, and implements a set of measures to roll out BAT and AMS (automated monitoring systems).
In September 2021, a training session for the Company’s Board of Directors and Management Board on the requirements of Kazakhstan’s new Environmental Code was held as part of the HSE Forum of KMG Group’s CEOs.
Climate change risks:
  • carbon and water footprint calculations for the Group for 2020 were carried out and posted on the CDP website
  • discussion of the draft new 2022–2025 National Allocation Plan for Carbon Emissions continues.
Geological risk
The implementation of new exploration projects is always associated with geological risks arising from the uncertainty of geology: lack of hydrocarbon discoveries; failure to confirm or low recoverable oil (gas) reserve estimates.

Impact:
The Company’s operations are exposed to the risk that new projects and exploration drilling fail to discover commercially viable oil and gas reserves and/or that the discovered reserves will be lower than originally planned. There are many uncertainties and assumptions involved in estimating hydrocarbon reserves which, if changed, may require a recalculation of hydrocarbon reserves.
As a result, the Company may be forced to write-off the related expenses, which may have an adverse impact on its financial performance. 		To address this risk, the Company:
  • collects, analyses, synthesises and updates the geological and geophysical data from the operating area and similar nearby fields
  • plans geophysical surveys and exploration for hydrocarbons, applies effective study techniques and data processing and interpretation methods
  • runs high-resolution 2D/3D seismic surveys
  • conducts regional surveys with international companies (Equinor, LUKOIL, BP) and pilot refining projects involving advanced technology and expertise from foreign companies (Eni)
  • builds sedimentary, geology and basin models of the region and fields based on qualitative analyses and advanced methods of geochemical and lithology analyses
  • attracts strategic partners for joint exploration and development of new fields, including under carry financing arrangements to reduce the financial impact of geological risks
  • fosters professional development of personnel (training, experience sharing with international companies).
Social unrest in regions of operation
The Company is exposed to the risk of unauthorised strikes

Impact:
Adverse impact on the Company’s reputation, disruption to operations and higher OPEX and impact on CAPEX and project schedules. Rising commodity prices, accelerated domestic inflation or continued weakening of the national currency may affect negotiations over changes to wages and salaries.
There were a number of unauthorised strikes with a direct and/or indirect impact on the Company’s operations in 2021. 		To mitigate social risks, the Company:
  • runs awareness raising activities across operations, including management holding reporting meetings directly with representatives of the workforce and trade unions
  • implemented the Regulations on Interactions between subsidiaries and associates and Contractors Working on the Sites of JSC NC KazMunayGas in order to deliver on its labour commitments to contractor employees
  • has in place and maintains a unified internal communications system, holds mandatory meetings between the management and employees at all the Company’s facilities to discuss social, day-to-day and operational matters as well as to develop solutions together
  • a project for modular training of trade union leaders in subsidiaries and associates was launched – the Corporate School of Trade Union Activists
  • builds an integrated youth policy system to drive engagement among young employees and encourage them to participate in social activities and be part of the corporate team
  • launched Nysana, a 24/7 free hotline for calls on any social and labour violations
  • conducts regular surveys, analysis and monitoring of satisfaction across its footprint. Based on the results of the social stability rating survey, action plans are developed to minimise areas of concern and improve social stability.
In Q4, a decision was made to raise employee salaries and wages above the inflation range across the Group.
Climate risks and low-carbon development
In its operations, the Company faces risks related to climate change, including: In its operations, the Company faces risks related to climate change, including:
  • market risks – risks associated with changes in demand and consumer patterns
  • political, legal, and regulatory risks – risks associated with the transition of the global economy to low-carbon development and with the measures taken in the Company’s countries of operation to make regulations on GHG emissions more stringent
  • reputational risks – risks associated with perceptions by stakeholders of the Company’s participation in the transition to a low-carbon economy or refusal to do so
  • technological risks – risks associated with the accelerated transition of the global economy to low-carbon development due to the development and increased efficiency of low-carbon technologies
  • physical risks – risks associated with changes in weather and climate conditions and other characteristics of the natural environment in the Company’s regions of operation, which may affect equipment reliability and human health (including risks of natural disasters and permafrost thawing)

Impact:
These risks may have an adverse impact on operations of the Company as a major producer of fossil fuels and source of greenhouse gases in the form of higher costs, lower profits, and limited opportunities for further development.
An increase in renewable energy generation can be expected in individual partner countries. It may lead to decline in demand for products supplied by the Company. 		1. The Company has developed the 2022–2031 Low-Carbon Development Programme, which includes both existing opportunities to reduce our carbon footprint (higher energy and resource efficiency) and additional areas for decarbonisation (RES, CO2 capture, use, and storage, forest carbon projects, hydrogen production).
2. A low-carbon development unit and a competence centre for hydrogen energy have been set up.
3. We signed a number of memoranda with international companies (Eni, Total, Air Liquide) for the implementation of joint decarbonisation projects:
  • construction of a hybrid power plant
  • construction of a wind farm with a storage system
  • hydrogen mobility
  • expert support was provided for the development of project documentation for the CCUS pilot project (carbon capture, utilisation and storage technology) at the Embamunaigas GTU, and training seminars on CCUS were held by Shell.
Liquidity and financial stability risks
Liquidity, financial stability, and credit rating downgrade risks are KMG’s key risks.

Impact:
Need to immediately repay current borrowings and Eurobonds.
Inability to raise sufficient funds to finance the Company’s current and investment activities.
In 2021, the Company maintained an appropriate level of liquidity and demonstrated adequate financial stability 		To overcome these risks, along with debt management activities and efforts to prevent liquidity shortages, the Company is focused on improving operational efficiency, clear prioritisation of capital expenditures, commitment to financial discipline, rationalisation of the Company’s asset and project portfolios, and transition to portfolio-based project management.
The Company takes the following measures to prevent risks:
  • controlling leverage, preventing its growth to maintain financial stability, using free cash flow to repay debt
  • achieving an optimal balance between debt and internal sources of financing
  • cost cuts, budget control
  • repaying existing loans and providing financial aid to subsidiaries and affiliates
  • preventing deterioration of the Company’s solvency position in order to maintain access to debt capital markets and avoid increases in borrowing costs
  • deleveraging through early debt repayment.
Compliance risk
Intentional corruption for personal or material gain, including for the benefit of third parties. The Company has zero tolerance towards any fraudulent actions regardless of the amount of monetary damage.

Impact:
In 2021, there was no evidence of this risk being materialised 		The Company consistently implements and reinforces internal controls, embedding group-wide policies to prevent unlawful or wrongful acts of third parties or its employees, and maintaining the procedure for conducting internal investigations of unlawful or wrongful acts of its employees.
The Company has adopted policies and standards, as well as committed itself to:
  • improving and consolidating its internal and compliance controls
  • anti-corruption monitoring
  • analysing corruption risks
  • promoting an anti-corruption culture, taking preventive steps and informing employees on potential violations and enforcement
  • establishing an organisational and legal framework to foster accountability and transparency of decision-making procedures
  • implementing and complying with business ethics standards
  • holding anti-corruption workshops and trainings
  • analysing drafts of internal documents to identify corruption factors
  • preventing conflicts of interest
  • handling whistleblowing reports via the hotline, respective reporting to the Audit Committee and the Board of Directors.
Volatility of crude oil prices
The Company is exposed to the risk of energy price volatility.

Impact:
Oil price volatility may lead to significant changes in the Company’s performance, revenues, and cash flow.

Oil price fluctuations in 2021 had no negative impact on the Company’s revenue and cash flow.

For more details, see the Macroeconomics and Global Trends sections. 		In the event of high oil price volatility, recurrence of crises associated with a drop in the Brent price below projections, the Company will take steps to ensure financial sustainability, including but not limited to:
  • negotiating with the government to further optimise the tax burden on mature fields
  • introducing and taking anti-crisis measures in a timely manner
  • adjusting the Company’s Development Plan, optimising costs
  • prioritising and further optimising CAPEX and investment projects
  • developing targeted measures (e.g. obtaining creditors’ waiver; directing volumes to more favourable markets) to mitigate risks that may have an additional negative effect.
KMG continuously monitors and analyses price and demand dynamics for crude oil and oil products and also considers purchasing financial tools to be protected in case of a significant fall in oil prices (e.g. analysis of hedging benefits).

The Company cooperates with competent state bodies on matters related to OPEC+ deal, implementing measures to stabilise the internal market and stimulating oil exports, and has internal reserves to deliver on its commitments.
Country risks and the risk of sanctions
The Company operates internationally. Any significant adverse change in the economic and political situation in a recipient country could affect the Company’s operations. Sanctions against certain countries, including sectoral sanctions, may affect the Company’s operations and its prospective joint projects.

Impact:
Further international sanctions against Russia may affect the Company’s current and prospective investment projects, as well as the supply of certain goods and services to the Company’s existing facilities.
Under the existing anti-Russian sanctions, the Company has not experienced any suspension or restrictions of operations resulting from interactions with Russian counterparties in 2021. 		The Company mitigates country risks by setting country-specific limits based on the analysis of the recipient country (from the economic, political, strategic, social and other perspectives).
The Company analysed the impact on its operations from economic sanctions, along with potential response measures. Joint projects / material transactions with Russian entities were reviewed, with relevant potential operational and financial risks explored.
The Company monitors existing sanctions to minimise negative impacts and implications, considering the potential widening of sanctions, which may have a targeted impact on the Company’s prospective projects. To reduce risks, the Company provides for mechanisms to exit projects or implement them independently in the event of a tougher sanctions regime.
Cyber risks
Shifting to work from home, remote connection and increased impact of digitalisation on production and management processes at KMG lead to increased risks of attacks on the Company’s ICT system aimed at compromising its integrity, accessibility and security.

Impact:
No violation of the integrity, confidentiality, and availability of information resources or assets of computer networks was detected in 2021.
The Company protects against cyberattack risks not only the information in its possession and its hardware and software but also information provided to it by government bodies, shareholders, business partners, and personal data subjects. 		To address this risk, the Company:
  • introduces specialist information security hardware/software at KMG to ensure automated monitoring of external and internal threats, as well as control over organisational and practical measures to protect the ICT system
  • runs tests to check its ICT system for vulnerability to external attacks, analyses IT infrastructure security, audits network elements, monitors operating systems security on a regular basis, identifies and blocks attackers
  • prepares cyberattack emergency response plans to reduce the impact of a crisis situation and minimise its consequences
  • maintains compliance of the existing information security management system (ISMS) with international standards
  • organises training for persons responsible for ISMS in information security units
  • keeps up cyber security hygiene
  • monitors the availability of information systems and the adequacy of the required information and computing resources
  • investigates information security incidents.
Reputational risk
The Company is exposed to reputational risk that affects its business reputation and relationships with investors, counterparties, partners, and other stakeholders.

Impact:
In 2021, the Company faced various factors that could cause reputational risk to materialise.
No negative impact on the Company’s financial results has been identified.
This risk may materialise through internal and external factors, including non-compliance with legal requirements, arise from media publications, failure to fulfil contractual obligations, substandard quality of finished products, negative perception of the Company’s financial stability and financial position 		The Company implements a range of measures to manage this risk including publications in the media, holding of briefings, press conferences and management presentations highlighting various aspects of the Company’s activities and raising awareness among stakeholders. The Company daily tracks press mentions of its activities and promptly responses to unreliable information (rumours) published in media and social networks.
In 2021, a media plan for informational support of the vaccination progress in the Group was developed and implemented. Measures to combat COVID-19 at our sites and measures taken to contain its spread were widely covered in the media.
Responses to media enquiries were promptly prepared, and the Company’s relevant units were involved.
The Company maintains a speak-up hotline and a procedure ensuring prompt responses to complaints and claims to eliminate their root causes.
FX risk
Currency risk is a potential negative change in the Company’s financial performance due to exchange rate fluctuations.

Impact:
Appreciation of foreign currencies against the tenge may lead to higher KZT-denominated OPEX, lower margins and a negative impact on the Company’s financial results and performance.
In 2021, tenge fluctuation against foreign currencies had no material impact on the Company’s financial results and performance. 		Given the currency mix of its revenues and liabilities, the Company is also exposed to FX risk in its operations. The strategy for managing this risk involves the use of a holistic approach that considers natural (economic) hedging options. KMG ensures the optimal balance of assets and liabilities denominated in foreign currency, and calculates earnings considering the FX risk.
Tax risk
The Company is exposed to the persistent risks of changes in tax laws and lack of clear interpretation, as well as the risk of increased tax burden and loss of entitlement to tax benefits.

Impact:
Tax legislation in Kazakhstan is subject to frequent changes and varying interpretations. The tax authorities generally take a more conservative approach in their interpretation of the legislation and in tax audits. As a result, the management’s interpretation of tax laws applicable to the Company’s operations and activities may be challenged by the relevant tax authorities. The Company operates in a number of jurisdictions and is therefore required to follow complex transfer pricing rules, which may give rise to uncertainty and subjective interpretation.
In 2021, this risk materialised, resulting in higher tax expenses. 		The Company continuously monitors changes in tax laws, evaluates and forecasts the extent to which they can potentially impact its operations, as well as follows trends in law enforcement practice and considers the implications of regulatory changes for its operations.
The Company’s specialists regularly take part in various working groups responsible for drafting tax legislation. To mitigate tax risks, the Company improves its tax administration processes and conducts tax audits.
Interest rate and commercial bank liquidity risk
Higher interest rates and lower financial stability of the banking sector can have a negative impact on the cost of borrowing, as well as the placement of idle cash.

Impact:
Events of default of the Company’s counterparties may result in the failure to withdraw funds on their accounts, which may adversely affect the Company’s financial results and force KMG to raise additional financial resources to meet its obligations.
In 2021, no defaults, untimely or incomplete performance of financial obligations by banks were recorded. 		To mitigate these risks, the Company diversifies investments in financial instruments in accordance with the treasury portfolio’s pre-defined limits and regularly monitors how idle cash is placed across KMG Group.
Most of KMG’s earnings are generated in US dollars, while the main source of borrowing is the international lending market. For these reasons, KMG’s debt portfolio is largely denominated in US dollars. The interest rates for servicing a portion of these loans are based on interbank lending rates, and their growth may lead to additional debt servicing costs.
Investment (project) risk
The Company is implementing a number of projects in hydrocarbon exploration, production, transportation and processing, which could be exposed to significant risks associated with external and internal factors. The materialisation of such risks can significantly affect the success of these projects.

Impact:
When running investment projects, the Company faces the risks of rising costs, delays in the commissioning of production facilities, and failure to achieve design parameters. 		The Company regularly monitors the status of project implementation in the regions in which it operates, making timely adjustments to project implementation plans as necessary. Where risk can arise affecting the timing, budget or quality of projects, mitigation measures may include negotiations with stakeholders, reduction of operating costs, optimisation of the investment programme, abandonment of unprofitable investment projects.
We introduced a project management and investment decision-making system similar to standards adopted by global companies (Stage Gate Process).
Risk of changes in applicable laws, and litigation and arbitration risks
The Company’s performance can be impacted by changes in applicable laws, including subsoil use, tax, currency, customs regulations, etc., as well as the risk of negative court decisions on court or arbitration disputes involving the Company.

Impact:
In 2021, 6 lawsuits over USD 1 mln and no arbitration proceedings were initiated. Until the proceedings are completed, it is impossible to fully assess the impact of these events on the Company’s operations. 		The Company continuously monitors changes in laws, as well as evaluates and forecasts the extent to which they can potentially impact the operations of KMG Group entities.
The Company regularly takes part in working groups to develop and discuss draft laws in various areas of legislation.
The Company continuously monitors judicial and law enforcement practices, and actively applies best practices in resolving legal issues and disputes arising in the course of the Company’s operations.
Pandemic risk (COVID)
There are risks of getting infected for the Company’s and contractors’ employees, including outside the workplace due to ongoing pandemic outbreaks (new waves) of the coronavirus infection (COVID-19), low vaccination rates*, and the spread of more dangerous and contagious variants of the virus.

Impact:
For more details, see section Occupational health and safety. 		During the ongoing pandemic it is critical to continuously monitor the spread of COVID-19, to ensure safe workplaces, and to provide employees with the necessary support. To this end, the Company has taken all possible steps to minimise the negative risk factors associated with the pandemic, specifically:
  • deployed vaccination/revaccination facilities on the sites, provided access to and availability of vaccines, and screening stations for PCR testing
  • uses financial incentives and non-financial motivation of employees to vaccinate and revaccinate (e.g. giving at least two fully paid days-off for each vaccination and/or revaccination component on the day of vaccination and the following day, or on other days as agreed with the management)
  • as at 31 December 2021: more than 49,800 employees of KMG Group (76% of the total headcount) received the first component of the vaccine (2,800 employees (3%) have a contraindication to vaccination). Of these, more than 47,700 employees (73%) received the full course of vaccination (both components)
  • conducted awareness campaign for employees on the importance of vaccination for collective immunity, communicated the management’s message to employees on participation in the vaccination campaign, distributed posters and videos on vaccination and vaccine properties
  • continues to explore available options to increase vaccination rate among employees, including the supply of vaccines that employees wish to receive. When planning and conducting vaccination of employees, the Company adheres to the following principles: voluntary approach, individual choice, joint efforts, safety and prioritisation
  • imposed travel restrictions for employees (business trips, conferences, training), social distancing, shifted employees to remote work
  • introduced special rules relating to employee residence, catering, transporting and shift rotation to minimise contacts
  • extended rotation period (with reduced working hours), separation and isolation of facilities. Separation into shifts, groups for remote access and replacement opportunities as backup employees
  • ensures strict compliance with sanitary requirements and mask mandate for facilities and offices (including contractors), including temperature screenings before work and employee COVID-19 screening questionnaires
  • prepared reserves of PPE (medical masks, respirators, gloves), dispensers, sanitisers and disinfecting solutions as well as minimum life-support packages necessary to maintain life and health, including medicines and medical equipment.
To be prepared for further potential pandemic waves, prevent disease and the spread of COVID-19, the Company continues to:
  • follow previously introduced algorithms (as amended on the first-wave experience) to mitigate the risk of coronavirus infection spread and maintain the anti-epidemic measures, sanitary and disinfection measures
  • identify critical business processes and options for the emergency recovery of the processes as well as essential personnel, suppliers, materials and equipment, develop business continuity and recovery plans for critical business processes and IT systems.;
  • engage emergency response and crisis management teams, cooperate with state authorities and medical assistants
Risk of terrorism
Acts of terrorism and other violence against the Company’s and contractors’ personnel and assets

Impact:
The Company operates in a number of countries where acts of terror and other criminal wrongdoings against the Company’s assets are possible.
In 2021, there were no events when this risk materialised. 		The Company takes a set of preventive measures, some of which include:
  • checking the condition of security equipment, alarm systems, up-to-date status of evacuation plans, current status of exits and evacuation routes
  • training of security and maintenance personnel in counter-terrorist protection of facilities and personal safety in case of emergencies
  • physical security checks and counter-terrorist security inspections of facilities at subsidiaries and associates
  • interacting with law enforcement and special agencies on physical security and counter-terrorist security at facilities
  • participation in the interdepartmental working group on the industry's counter-terrorism instruction
  • training sessions are held for security, service, and technical personnel in the event of emergencies at facilities
  • control of the maintenance of video surveillance systems, routine maintenance of ISS, ACS, and boom barriers is ensured
  • regulations for access control and on-site security were developed and are kept up to date
  • IDs are issued for VT facilities in line with legal requirements for countering terrorism
  • as part of preventive measures, employees are informed about actions to be taken in the event of a terrorist attack, about measures for access control and on-site security, and counter-terrorism videos are shown.