Risk management and internal control
1. Corporate Risk Management System (CRMS) principles
Through risk management, the Company prevents the occurrence of risk events, which affect the achievement of strategic and operational goals, and mitigates their impact if they occur. Risk management is an integral part of the Company’s strategic planning, corporate governance and financial stability.
KMG has integrated the Corporate Risk Management System (CRMS) in its key business and management processes. The purpose of the CRMS is to ensure an optimal balance between the Company’s growth in value, its profitability and risks. The CRMS is a key element of the corporate governance framework, supporting timely identification, assessment and monitoring of all material risks, as well as application of timely and adequate mitigation measures. The CRMS established at KMG and its subsidiaries and associates covers all areas of their business.
|methodological consistency||processes are based on unified methodological approaches|
|continuity||functioning on an ongoing basis|
|comprehensive nature||covering all business lines and all types of risks arising from operations|
|accountability||organisational structure of the CRMS establishes competence of risk management decision-making and control at all levels of KMG Group|
|informed and timely communication||the risk management process is supported by objective, reliable, and up-to-date information|
|rational approach||to implement risk management measures, the Company uses resources rationally, ensuring economic efficiency of risk management activities|
|reasonable assurance||reasonable assurance of delivering on the Company’s strategic and operational objectives, but not absolute assurance due to limitations inherent in the external and internal environment|
|adaptability||regular improvement to identify all possible business risks and ensure the most effective application of risk control and management methods|
|clear regulation||all operations comply with the procedures stipulated by internal regulations|
|active involvement of the management team||the management team is actively involved in, and supports the implementation and improvement of the CRMS|
2. Risk management process
The CRMS is designed to provide a consistent and clear framework for managing the risks associated with KMG’s operations. The Company has a vertical risk management process and risk management system in place at all governance levels. Each officer is responsible for ensuring that risks are properly assessed during decision-making. Risk assessment involves a range of qualitative and quantitative tools factoring in risk probability and potential impact.
Implementation of the above components of the risk management process at KMG Group fosters a group-wide risk culture driven by the appropriate “tone at the top”, strong risk awareness and knowledge, and the accountability of risk owners / risk factor owners, as well as active risk management and timely reporting.
3. Risk appetite
The Company’s risk appetite shows its level of risk retention under which the Company is able to achieve its strategic goals and operational targets. It also caps the level of critical risks / risk factors that the Company is willing to accept.
|Financial activities||Operations||Investment activities|
| || || |
4. Improving risk management
Initiatives to develop and improve the CRMS
KMG has been continuously improving its CRMS and consistently enhancing its risk management framework. To reaffirm its commitment to the continuous development and improvement of the CRMS, the Company took a number of measures and steps in 2021:
- was assigned a BBB rating for the Risk Management, Control and Audit component as part of an independent corporate governance diagnostics (for reference: in 2018 – BB);
- ensured interaction with the Company’s Board of Directors on certain matters (cyber risks, climate risks, carbon border regulation risks and other matters);
- developed a credit risk management methodology, approved by a Board resolution;
- implemented the weekly reporting format and organised the provision of data on the Company’s key events and risks to the Fund;
- enhanced interpretation of risk assessment results for investment projects based on simulation modelling (stress-testing) of project KPIs;
- held online trainings, delivered by RMICS staff, on the implementation of the risk management system as requested by subsidiaries and associates;
- ensured continuous improvement of professional competencies of RMICS’ risk managers and obtained international certificates in 2020–2021, in particular: PRM from PRMIA, CFA and PMP, as well as ISO 31000:2009/2018.
Plans to develop the risk management system
- Developing the CRMS (updating the CRMS Policy and standard rules for establishing a risk management process, regulatory and methodological documents).
- Implementing an action plan for corporate governance improvement in terms of CRMS, ICS, and BCMS based on the results of corporate governance diagnostics.
- Launching and rolling out an updated version of the automated risk management system (ARMS) across subsidiaries and associates: organising trainings for KMG’s risk coordinators and risk managers of subsidiaries and associates on the use of the updated ARMS, ensuring technical support of the ARMS.
- Developing the risk culture.
- Ensuring cross-functional cooperation to manage risks in project management, information security, sustainable development, compliance, strategy, and KPIs.
5. CRMS participants
|Board of Directors|| |
|Management Board|| |
|Risk Committee|| |
|Internal Audit Service (IAS)|| |
|Responsible unit|| |
|Goal owners|| |
|Risk owners / risk factor owners|| |
|Subsidiaries and associates|| |
|Each employee of KMG / subsidiaries and associates|| |
6. Internal Control System (ICS)
The ICS is an integral part of the CRMS. The system uses the COSO framework and includes five interrelated elements: control environment, risk assessment, controls, information and communication, and monitoring procedures. It is designed to achieve reasonable assurance that KMG will reach its goals across three key areas:
- Improving operational efficiency
- Preparing complete and reliable financial statements
- Complying with Kazakhstan’s laws and KMG’s internal documents
The ICS focuses on analysing business processes, timely identifying and analysing process-level risks inherent in KMG’s operations, as well as defining and analysing controls for managing these risks.
The ICS is integrated into KMG’s core and supporting business processes and includes procedures for promptly notifying the appropriate governance level of any material weaknesses and control bottlenecks, together with details of corrective actions that have been or should be taken.
The ICS is organised in line with the Internal Control System Policy, which sets out the goals, operating principles and components of the ICS and the Control System Guidelines, which define powers and responsibilities, operating procedures, internal control structure, performance criteria and forms of records.
KMG annually approves the ICS work schedule based on the criticality ranking of business processes as well as recommendations by external and internal auditors. The schedule specifies when business processes will be formalised/updated and design of controls tested (analysed). Formalisation means the design and update of the existing risk flowcharts and matrices, and business process controls. Improvement recommendations are prepared based on the results of design testing (review). Similar activities are performed by subsidiaries and associates. The results of these ICS activities are communicated from time to time to business process owners, IAS, external auditor, Management Board, and the Board of Directors.
ICS-related meetings and trainings for employees of KMG and its subsidiaries and associates take place annually, with workshops, experience sharing, discussions of issues and their solutions.
In 2021, KMG Risk Management and Internal Control Service continued its work to further implement and improve internal controls. Efforts were made jointly with business process owners to formalise internal controls for 17 business processes. Areas for improvement were identified and recommendations for the improvement of controls were prepared. A self-assessment survey on the maturity of ICS and BCMS in subsidiaries and associates was conducted.
In 2022, and subsequent years, the Risk Management and Internal Control Service will continue to improve the ICS. It is planned to continue formalising and testing (analysing) the design of controls, providing recommendations on controls, updating the matrix of Company-wide risks and controls, assessing the maturity of KMG and its subsidiaries and associates, holding trainings and improving the risk culture.
It should also be noted that KMG is aware of the importance of the internal control system in relation to the process of preparing and reviewing financial statements. This process involves providing reasonable assurance about the accuracy of the financial statements and their compliance with applicable accounting standards. To this end, the KMG group companies, in addition to methodological documents that determine the approach to accounting for operations and the preparation of financial statements, have formalised and implemented an internal control process, including a matrix of risks and controls over the preparation of financial statements. The effectiveness of the internal control of the KMG group companies over the financial statements is regularly checked by independent audit companies. In addition, the current preventive measures in relation to possible risks in the preparation of financial statements are the following:
- annual approval of the calendar for preparation of KMG's consolidated financial statements;
- quarterly development of the schedule for closing and preparing financial statements and subsequent communication with the organisations of the KMG Group of companies;
- quarterly analysis of questionnaires provided by the companies of the KMG group on non-standard situations;
- quarterly evaluation of the chief accountants of the organisations of the KMG Group of companies (in terms of timely and accurate presentation of financial statements).
7. Business Continuity Management System (BCMS)
The Business Continuity Management System (BCMS) is a set of processes and procedures aimed at identifying potential threats/risks and assessing their impact on the activities of KMG and its subsidiaries and associates, which provides the basis for improving the Company’s resilience to incidents by implementing effective responses capable of restoring its operations and protecting stakeholders’ interests, the Company’s business reputation, brand and value-adding operations.
The Company recognises the importance of having the BCMS in place and manages business continuity by identifying the necessary conditions and resources to develop and improve measures and tools to ensure business continuity in the context of threats and risks leading to business interruption.
The BCMS is organised in line with KMG’s Business Continuity Management System Policy and the Rules for the Business Continuity Management Process. The BCMS Policy defines the scope, objectives, basic principles, and model of the business continuity management system, taking into account the recommendations of the international standard in business continuity management. The Rules for the Business Continuity Management Process define the procedures for determining BCMS’ scope of application, business impact analysis, developing and approving the Business Continuity Plan (the “BCP”), BCP testing, monitoring and improvement of the BCMS, training and raising awareness of employees.
In 2020, KMG’s Board of Directors approved a Comprehensive Business Continuity Plan for KMG’s critical business processes, which reflected the measures designed to ensure that KMG can continue to perform its critical activities at the established acceptable level.
In 2021, the Risk Management and Internal Control Service conducted work to identify critical business processes at KMG’s subsidiaries, tested KMG’s Business Continuity Plan and identified areas for improvement.
In 2022 and subsequent years, the Risk Management and Internal Control Service will continue to improve the BCMS. Efforts will be made to update critical business processes, refine and improve the Business Continuity Plan and similar work will be done at subsidiaries.
8. Corporate insurance
Insurance is central to ensuring robust risk control and financial management across KMG Group as it serves to protect the property interests of the Company and its shareholders against unexpected losses that may result from operations, including due to external factors.
The Group’s insurance function is centralised in order to enforce the unified corporate standard for obtaining and maintaining insurance cover, which enables the Company to apply a comprehensive approach to managing continuous coverage. Independent appraisal of reproduction cost / replacement cost new (RCN) and risk assessments are also coordinated through risk surveys conducted by independent risk engineers across KMG Group.
KMG’s Corporate Insurance Programme includes the following key types of insurance coverage:
- Insurance of core operating assets of the Company
- Public liability insurance
- Energy risk insurance
A reinsurance company is only considered for reinsurance when holding a financial credit rating of at least “A–” on the Standard & Poor’s scale. Best industry practice is applied in negotiating the optimal insurance and risk coverage terms for the Company.
9. Key risks: updated table for the previous year.
KMG operates in a constantly changing environment. Some risks can evolve over time, while their potential impact and likelihood can change in response to internal and external factors. KMG manages, tracks and reports key risks and uncertainties that can affect its strategy’s implementation.
During the reporting period, a number of risks materialised, but their negative impact was managed and minimised through risk mitigation measures.
| Trend (over the year) |
|Risk description and likely impacts||Mitigation and management|
| Production decline risk |
Production decline at mature fields is KMG’s key operational risk.
The main external risk factors are failures of external electricity supply, severe weather conditions, and obligations to further cut oil production as part of the OPEC+ agreement.
During 2021, there were instances of unscheduled decline in production that had an impact on the performance of the Company’s production programme.
For more details see the Upstream section.
| To maintain production rates at existing fields, KMG: |
Diversification of production assets.
As oil production volumes will also depend on the terms of the OPEC+ agreement, on its part, the Company will continue the necessary interaction with Kazakhstan’s competent government bodies on the joint cuts of oil production by the OPEC+ countries.
| Work-related injury risk |
Employee non-compliance with the established health and safety rules, and breaches of operational discipline may pose a threat to the life and health of employees.
Violations of operational health and safety rules may lead to injuries as well as production disruptions, financial losses, and reputational damage.
In 2021, 28 lost-time accidents and 1 fatal accident occurred.
| To prevent industrial accidents, KMG implements organisational and technical measures that ensure: |
| Risk of emergencies or man-made disasters at production facilities |
The Company’s operations are potentially hazardous. KMG is exposed to the risk of damage to property, third parties or the environment caused by accidents or emergencies, man-made disasters at production facilities or third-party misconduct.
| To mitigate operational risks, the Company: |
Annual voluntary property insurance contracts are executed (against the risk of accidental destruction, loss or damage) for insured events.
| Environmental risk and climate change risk |
The Company is exposed to the risk of adverse environmental impact and the risk of tougher responsibility for non-compliance with environmental laws, as well as risks related to climate change.
Environmental risk materialisation may entail financial expenses in the form of fines, excess emissions charges, environmental remediation costs, as well as legal liability and escalating social and environmental tensions.
For more details, see section Ensuring sustainable development.
| The Company’s priorities in environmental protection: |
In September 2021, a training session for the Company’s Board of Directors and Management Board on the requirements of Kazakhstan’s new Environmental Code was held as part of the HSE Forum of KMG Group’s CEOs.
Climate change risks:
| Geological risk |
The implementation of new exploration projects is always associated with geological risks arising from the uncertainty of geology: lack of hydrocarbon discoveries; failure to confirm or low recoverable oil (gas) reserve estimates.
The Company’s operations are exposed to the risk that new projects and exploration drilling fail to discover commercially viable oil and gas reserves and/or that the discovered reserves will be lower than originally planned. There are many uncertainties and assumptions involved in estimating hydrocarbon reserves which, if changed, may require a recalculation of hydrocarbon reserves.
As a result, the Company may be forced to write-off the related expenses, which may have an adverse impact on its financial performance.
| To address this risk, the Company: |
| Social unrest in regions of operation |
The Company is exposed to the risk of unauthorised strikes.
Adverse impact on the Company’s reputation, disruption to operations and higher OPEX and impact on CAPEX and project schedules. Rising commodity prices, accelerated domestic inflation or continued weakening of the national currency may affect negotiations over changes to wages and salaries.
There were a number of unauthorised strikes with a direct and/or indirect impact on the Company’s operations in 2021.
| To mitigate social risks, the Company: |
| Climate risks and low-carbon development |
In its operations, the Company faces risks related to climate change, including:
These risks may have an adverse impact on operations of the Company as a major producer of fossil fuels and source of greenhouse gases in the form of higher costs, lower profits, and limited opportunities for further development.
An increase in renewable energy generation can be expected in individual partner countries. It may lead to a decline in demand for products supplied by the Company.
| 1. The Company has developed the 2022–2031 Low-Carbon Development Programme, which includes both existing opportunities to reduce our carbon footprint (higher energy and resource efficiency) and additional areas for decarbonisation (RES, CO2 capture, use, and storage, forest carbon projects, hydrogen production). |
2. A low-carbon development unit and a competence centre for hydrogen energy have been set up.
3. We signed a number of memoranda with international companies (Eni, Total, Air Liquide) for the implementation of joint decarbonisation projects:
| Liquidity and financial stability risks |
Liquidity, financial stability, and credit rating downgrade risks are KMG’s key risks.
Need to immediately repay current borrowings and Eurobonds.
Inability to raise sufficient funds to finance the Company’s current and investment activities.
In 2021, the Company maintained an appropriate level of liquidity and demonstrated adequate financial stability.
| To overcome these risks, along with debt management activities and efforts to prevent liquidity shortages, the Company is focused on improving operational efficiency, clear prioritisation of capital expenditures, commitment to financial discipline, rationalisation of the Company’s asset and project portfolios, and transition to portfolio-based project management. |
The Company takes the following measures to prevent risks:
| Compliance risk |
Intentional corruption for personal or material gain, including for the benefit of third parties. The Company has zero tolerance towards any fraudulent actions regardless of the amount of monetary damage.
In 2021, there was no evidence of this risk materialising.
| The Company consistently implements and reinforces internal controls, embedding group-wide policies to prevent unlawful or wrongful acts of third parties or its employees, and maintaining the procedure for conducting internal investigations of unlawful or wrongful acts of its employees. |
The Company has adopted policies and standards, as well as committed itself to:
| Volatility of crude oil prices |
The Company is exposed to the risk of energy price volatility.
Oil price volatility may lead to significant changes in the Company’s performance, revenues, and cash flow.
Oil price fluctuations in 2021 had no negative impact on the Company’s revenue and cash flow.
For more details, see the Macroeconomics and Global Trends sections.
| In the event of high oil price volatility, recurrence of crises associated with a drop in the Brent price below projections, the Company will take steps to ensure financial sustainability, including but not limited to: |
The Company cooperates with competent state bodies on matters related to the OPEC+ deal, implementing measures to stabilise the internal market and stimulating oil exports, and has internal reserves to deliver on its commitments.
| Country risks and the risk of sanctions |
The Company operates internationally. Any significant adverse change in the economic and political situation in a recipient country could affect the Company’s operations. Sanctions against certain countries, including sectoral sanctions, may affect the Company’s operations and its prospective joint projects.
Further international sanctions against Russia may affect the Company’s current and prospective investment projects, as well as the supply of certain goods and services to the Company’s existing facilities.
Under the existing
| The Company mitigates country risks by setting country-specific limits based on the analysis of the recipient country (from the economic, political, strategic, social and other perspectives). |
The Company analysed the impact on its operations from economic sanctions, along with potential response measures. Joint projects / material transactions with Russian entities were reviewed, with relevant potential operational and financial risks explored.
The Company monitors existing sanctions to minimise negative impacts and implications, considering the potential widening of sanctions, which may have a targeted impact on the Company’s prospective projects. To reduce risks, the Company provides for mechanisms to exit projects or implement them independently in the event of a tougher sanctions regime.
| Cyber risks |
Shifting to work from home, remote connection and increased impact of digitalisation on production and management processes at KMG lead to increased risks of attacks on the Company’s ICT system aimed at compromising its integrity, accessibility and security.
No violation of the integrity, confidentiality, and availability of information resources or assets of computer networks was detected in 2021.
The Company protects not only the information in its possession and its hardware and software against cyberattack risks, but also information provided to it by government bodies, shareholders, business partners, and personal data subjects.
| To address this risk, the Company: |
| Reputational risk |
The Company is exposed to reputational risk that affects its business reputation and relationships with investors, counterparties, partners, and other stakeholders.
In 2021, the Company faced various factors that could cause reputational risk to materialise.
No negative impact on the Company’s financial results has been identified.
This risk may materialise through internal and external factors, including non-compliance with legal requirements, media publications, failure to fulfil contractual obligations, substandard quality of finished products, and negative perception of the Company’s financial stability and financial position.
| The Company implements a range of measures to manage this risk, including publications in the media, holding of briefings, press conferences and management presentations highlighting various aspects of the Company’s activities and raising awareness among stakeholders. The Company tracks press mentions of its activities daily and promptly responds to unreliable information (rumours) published in media and social networks. |
In 2021, a media plan for informational support of the vaccination progress in the Group was developed and implemented. Measures to combat COVID-19 at our sites and measures taken to contain its spread were widely covered in the media.
Responses to media enquiries were promptly prepared, and the Company’s relevant units were involved.
The Company maintains a speak-up hotline and a procedure ensuring prompt responses to complaints and claims to eliminate their root causes.
| FX risk |
Currency risk is a potential negative change in the Company’s financial performance due to exchange rate fluctuations.
Appreciation of foreign currencies against the tenge may lead to higher KZT-denominated OPEX, lower margins and a negative impact on the Company’s financial results and performance.
In 2021, tenge fluctuation against foreign currencies had no material impact on the Company’s financial results and performance.
|Given the currency mix of its revenues and liabilities, the Company is also exposed to FX risk in its operations. The strategy for managing this risk involves the use of a holistic approach that considers natural (economic) hedging options. KMG ensures the optimal balance of assets and liabilities denominated in foreign currency, and calculates earnings considering the FX risk.|
| Tax risk |
The Company is exposed to the persistent risks of changes in tax laws and lack of clear interpretation, as well as the risk of increased tax burden and loss of entitlement to tax benefits.
Tax legislation in Kazakhstan is subject to frequent changes and varying interpretations. The tax authorities generally take a more conservative approach in their interpretation of the legislation and in tax audits. As a result, the management’s interpretation of tax laws applicable to the Company’s operations and activities may be challenged by the relevant tax authorities. The Company operates in a number of jurisdictions and is therefore required to follow complex transfer pricing rules, which may give rise to uncertainty and subjective interpretation.
In 2021, this risk materialised, resulting in higher tax expenses.
| The Company continuously monitors changes in tax laws, evaluates and forecasts the extent to which they can potentially impact its operations, as well as follows trends in law enforcement practice and considers the implications of regulatory changes for its operations. |
The Company’s specialists regularly take part in various working groups responsible for drafting tax legislation. To mitigate tax risks, the Company improves its tax administration processes and conducts tax audits.
| Interest rate and commercial bank liquidity risk |
Higher interest rates and lower financial stability of the banking sector can have a negative impact on the cost of borrowing, as well as the placement of idle cash.
Events of default of the Company’s counterparties may result in the failure to withdraw funds from their accounts, which may adversely affect the Company’s financial results and force KMG to raise additional financial resources to meet its obligations.
In 2021, no defaults, untimely or incomplete performance of financial obligations by banks were recorded.
| To mitigate these risks, the Company diversifies investments in financial instruments in accordance with the treasury portfolio’s pre-defined limits and regularly monitors how idle cash is placed across KMG Group. |
Most of KMG’s earnings are generated in US dollars, while the main source of borrowing is the international lending market. For these reasons, KMG’s debt portfolio is largely denominated in US dollars. The interest rates for servicing a portion of these loans are based on interbank lending rates, and their growth may lead to additional debt servicing costs.
| Investment (project) risk |
The Company is implementing a number of projects in hydrocarbon exploration, production, transportation and processing, which could be exposed to significant risks associated with external and internal factors. The materialisation of such risks can significantly affect the success of these projects.
When running investment projects, the Company faces the risks of rising costs, delays in the commissioning of production facilities, and failure to achieve design parameters.
| The Company regularly monitors the status of project implementation in the regions in which it operates, making timely adjustments to project implementation plans as necessary. Where risk can arise affecting the timing, budget or quality of projects, mitigation measures may include negotiations with stakeholders, reduction of operating costs, optimisation of the investment programme, abandonment of unprofitable investment projects. |
We introduced a project management and investment decision-making system similar to standards adopted by global companies (Stage Gate Process).
| Risk of changes in applicable laws, and litigation and arbitration risks |
The Company’s performance can be impacted by changes in applicable laws, including subsoil use, tax, currency, customs regulations, etc., as well as the risk of negative court decisions on court or arbitration disputes involving the Company.
In 2021, 6 lawsuits over USD 1 mln and no arbitration proceedings were initiated. Until the proceedings are completed, it is impossible to fully assess the impact of these events on the Company’s operations.
| The Company continuously monitors changes in laws, as well as evaluates and forecasts the extent to which they can potentially impact the operations of KMG Group entities. |
The Company regularly takes part in working groups to develop and discuss draft laws in various areas of legislation.
The Company continuously monitors judicial and law enforcement practices, and actively applies best practices in resolving legal issues and disputes arising in the course of the Company’s operations.
| Pandemic risk (COVID) |
The Company’s and contractors’ employees are at risk of infection, including outside the workplace, due to ongoing pandemic outbreaks (new waves) of the coronavirus infection (COVID-19), low vaccination rates, and the spread of more dangerous and contagious variants of the virus.
For more details, see section Occupational health and safety.
| During the ongoing pandemic it is critical to continuously monitor the spread of COVID-19, to ensure safe workplaces, and to provide employees with the necessary support. To this end, the Company has taken all possible steps to minimise the negative risk factors associated with the pandemic, specifically: |
| Risk of terrorism |
Acts of terrorism and other violence against the Company’s and contractors’ personnel and assets.
The Company operates in a number of countries where acts of terror and other criminal wrongdoings against the Company’s assets are possible.
In 2021, there were no events when this risk materialised.
| The Company takes a set of preventive measures, some of which include: |