Risk management and internal control
Risk management at KMG relies on the corporate risk management system (CRMS) implemented at all levels across the Group. The CRMS is a key element of the corporate governance system, supporting timely identification, assessment and monitoring of all material risks, as well as timely and adequate mitigation measures.
The CRMS policy of KMG and its subsidiaries outlines the terminology, goals, tasks, main principles of design and operation, and organisational structure of the CRMS at KMG Group. The purpose of the CRMS is to ensure an optimal balance between the Company’s growth in value, profitability and risks.
The Company’s risk management is guided by the following principles:
- Single methodology: the CRMS processes across all KMG Group entities are based on unified methodological approaches;
- Continuity: the CRMS operates on an ongoing basis;
- Comprehensiveness: the CRMS covers all activities of the Company and all types of associated risks; KMG Group applies relevant controls to all business processes at all management levels;
- Accountability: the CRMS organisational structure defines roles in decision making and risk management control at all levels across KMG Group;
- Awareness and timely communication: the risk management process draws upon objective, reliable and relevant information;
- Efficiency: KMG Group makes smart use of the resources required for risk management activities, ensuring cost efficiency of risk management;
- Reasonable assurance: due to inherent internal and external constraints such as the human factor, appropriateness of controls, etc., the CRMS can only provide reasonable but not absolute assurance that the Company’s strategic and operational goals will be achieved;
- Adaptability: the CRMS is continuously improved to ensure the identification of all potential risks related to operations, as well as to maximise the effectiveness of risk control and management;
- Rigorous process: all activities are performed in line with the procedures outlined in the internal regulations of KMG and its subsidiaries;
- Leadership commitment: the Company’s management is actively involved in and provides support to, the implementation and improvement of the risk management system at KMG Group.
Improving risk management
KMG Group’s efforts to improve its CRMS and drive a robust risk culture are guided by the Detailed Plan for Improving Corporate Governance of KMG for 2019–2020. The Plan outlines key initiatives supporting the Company’s CRMS goals.
KMG has been continuously improving its CRMS and consistently enhancing its risk management framework. We remain fully committed to continuous development and improvement of the Company’s CRMS, and in 2019 KMG:
- refreshed KMG’s Risk Committee;
- invited the head of the Internal Audit Service to attend the Risk Committee meetings as a permanent invited non-voting expert;
- conducted a survey on risk management culture at KMG with the survey report reviewed by KMG’s Risk Committee;
- approved KMG’s Risk Culture Improvement Action Plan for 2020;
- had its Board of Directors approve the risk appetite statement, Risk Register, Risk Management Action Plan, a risk map, risk tolerance levels and KMG’s Key Risk Indicator Register for 2020;
- approved guidelines on the internal control system and business continuity management system;
- approved KMG’s Business Process Classifier for 2019, KMG’s Timetable for Developing and Updating Risk and Control Matrices and Flowcharts for 2019 and 2020, KMG’s Corporate-Level Risk and Control Matrix, and the roadmap for improving the ICS and BCMS across KMG and its subsidiaries;
- approved KMG’s Register of Risk Coordinators;
- expanded the Corporate Reinsurance Programme by including joint ventures, increasing coverage and sourcing new insurance products; and
- relocated Kazakhstan Energy Reinsurance Company Ltd. from the Islands of Bermuda to the Astana International Financial Centre (AIFC), Nur-Sultan, to exclude a controlled foreign company from the Group’s taxable base for local tax purposes.
The Company with Compliance Service and other units established a working group, outlined the corruption risk assessment guidelines, arranged training sessions and prepared the Register of Corruption Risks. KMG’s Board of Directors approved the Report on Assessment of Corruption Risks at KMG and the Action Plan to Minimise Corruption Risks under the Action Plan for Ensuring Compliance with the Law of the Republic of Kazakhstan On Anti-Corruption across Subsidiaries of Samruk-Kazyna JSC for 2019 approved by an order of the Chairman of the Management Board of the Fund.
The following decisions were made in 2019 to set limits for KMG’s counterparty banks:
- The Management Board approved internal limits on the balance sheet and off-balance sheet liabilities for ten counterparty banks of KMG;
- The Board of Directors set limits for two counterparty banks of KMG;
- Four reports on compliance with the limits set for KMG’s counterparty banks were approved (as part of KMG’s quarterly risk reports).
KMG assessed the impact of existing and potential US sanctions against Russia on KMG Group and designed initiatives to respond to external challenges. A report on the potential impact of the US-China trade conflict on KMG’s operations was also prepared.
Planned improvements to risk management in 2020 and beyond
- Automate CRMS processes via the automated risk management system across KMG Group;
- Develop risk and control matrices and flowcharts for 24 business processes and test (analyse) the design of controls, evaluate the current maturity levels of the ICS across subsidiaries, coordinate the ICS roll-out across subsidiaries, train employees;
- Develop and approve business continuity plans, test the plans and develop improvement recommendations, evaluate the current maturity levels of the BCMS across subsidiaries, coordinate the BCMS roll-out across subsidiaries, train employees;
- Develop and manage the operations of Kazakhstan Energy Reinsurance Company Ltd. at AIFC and extend the Corporate Reinsurance Programme to new companies;
- Explore and adopt cyber insurance across KMG and its subsidiaries;
- Further improve our score on Risk Management and Internal Control within KMG’s target corporate governance rating, implement initiatives under the Detailed CRMS Improvement Plan for 2020, foster a robust risk culture at KMG Group.
Risk management at KMG is an ongoing process embedded throughout the organisation including its Board of Directors, Management Board, managers and employees. Each officer is responsible for ensuring risks are properly assessed when making decisions. To provide reasonable assurance that strategic and operational goals will be achieved, all CRMS participants take steps to identify potential events that can impact the Company’s operations and to limit such exposure to the levels acceptable to the Company (set levels).
|Board of Directors||Audit Committee of the Board of Directors||Internal Audit Service (IAS)|
| || || |
|Management Board||Risk Committee of the Management Board||Risk Management Department|
| || || |
|Goal owners (Company employees – heads of KMG or its subsidiaries)||Risk owners (Company employees in positions not lower than deputy heads reporting directly to the chief officer)||Risk factor owners (Company employees in positions not lower than functional unit/business unit heads)|
| || || |
|Subsidiaries, including jointly controlled entities and joint ventures of KMG (KMG’s subsidiaries)||Risk Coordinator||Employee of KMG/subsidiary|
| || || |
Role of the Board of Directors within the CRMS
The following documents are submitted for review to KMG’s Board of Directors at least once a year:
- Proposals on the Company’s risk appetite;
- Consolidated Risk Register;
- Risk map;
- The Company’s Risk Management Action Plan.
In addition, a risk report (consolidated based on the coverage of KMG’s subsidiaries and associates) is submitted on a quarterly basis to the Board of Directors for consideration with the Board duly reviewing and discussing it in full. The Board of Directors takes appropriate measures to bring the existing risk management and internal control system in line with the principles and approaches determined by the Board of Directors.
Internal Control System (ICS)
The ICS is an integral part of the CRMS. The system uses the COSO framework and includes five interrelated elements.
KMG and its subsidiaries implement the ICS to achieve reasonable assurance that KMG will reach its goals across three key areas:
- Improving operational efficiency;
- Preparing complete and reliable financial statements;
- Complying with Kazakhstan’s laws and KMG’s internal documents.
The ICS is a key element of KMG’s corporate governance system and is defined as the totality of processes, procedures, behaviours and activities that support efficient and effective operations, drive progress towards KMG’s operational goals and minimise process-level risks.
KMG’s Internal Control System Policy outlines the objectives, operating principles and elements of the ICS. In order to implement the Internal Control System Policy, the Company has put in place the Internal Control System Guidelines detailing related roles, responsibilities, operating procedures, organisation and performance criteria.
KMG and its subsidiaries annually approve Timetables for developing respective business process flow charts and risk and control matrices, as well as test (review) the design of controls and prepare improvement recommendations. The results of these ICS activities are communicated to business process owners, the IAS, Management Board and Board of Directors.
Insurance is central to ensuring robust risk control and financial management across the Group as it serves to protect the property interests of the Company and its shareholders against unexpected losses that may result from operations, including as a result of external factors.
The Group’s insurance function is centralised to ensure the enforcement of the group-wide Corporate Standard for obtaining and maintaining insurance cover in implementing a comprehensive approach to managing continuous coverage.
KMG’s Corporate Insurance Programme includes the following key types of insurance coverage:
- Insurance of core operating assets of the Company;
- Public liability insurance;
- Energy risk insurance.
When taking out insurance policies for its core production assets, KMG covers the risks of damage to (loss of) property due to emergencies and other incidents and maintains business liability insurance.
A reinsurance company is only considered for reinsurance when holding a financial credit rating of at least “A–” on the Standard and Poor’s scale.
The Group applies industry best practice in negotiating the best insurance and risk coverage terms.
|Risk description and likely impacts||Mitigation and management|
|Production decline risk|
Declines in production from mature fields is KMG’s key operational risk.
To maintain production rates at mature fields, KMG:
|Work-related injury risk|
Employee non-compliance with the established health and safety rules, and breaches of operational discipline may pose a threat to the life and health of employees.
To prevent industrial accidents, KMG implements organisational and technical measures that ensure:
|Risk of emergencies or man-made disasters at production facilities|
The Company’s operations are potentially hazardous. KMG is exposed to the risk of damage to property, third parties or the environment caused by accidents or emergencies, man-made disasters at production facilities or third party misconduct.
To mitigate operational risks, the Company:
The Company is phasing in advanced protection, safety and security technology and solutions.
In accordance with statutory HSE requirements, KMG takes out annual mandatory liability insurance for facility owners whose operations have an inherent risk of damage to third parties, as well as mandatory environmental insurance. In addition, annual voluntary property insurance is taken out (against the risk of accidental destruction, loss or damage) for insured events (referenceto the insurance information in this Annual Report).
|Environmental risk and climate change risk|
The Company is exposed to the risk of adverse environmental impact and the risk of tougher responsibility for non-compliance with environmental laws, as well as risks related to climate change.
The Company’s priorities in environmental protection:
To mitigate the environmental risk, the Company:
The Company takes an active role in the working group of the authorised body tasked with developing new environmental laws.
|Risk of gas shortages|
Gas export volumes might decrease due to (1) higher domestic gas consumption, given the introduction of gas chemical projects in the domestic market, (2) a decrease in gas production due to gas re-injection, aimed at maintaining oil production plateau and/or driven by the lack of gas processing capacities, and also (3) due to insufficient development of the resource base gas production.
The company has envisaged the implementation of a number of projects to increase the resource base of marketable gas by expanding the capacity for processing associated petroleum gas, reducing gas re-injection and burning associated petroleum gas in the fields. Planned and ongoing work on the development of new perspective fields, as well as an increase in gas production at existing fields.
The implementation of new exploration projects is always associated with geological risks arising from the uncertainty of geology: lack of hydrocarbon discoveries, failure to confirm recoverable oil (gas) reserve estimates.
|Social unrest in operating regions|
The Company is exposed to the risk of unauthorised strikes.
To mitigate social risks, the Company:
|Liquidity and financial stability risks|
Liquidity and financial stability risks are key risks.
To overcome these risks, along with debt management activities and efforts to prevent liquidity shortages, the Company is focused on improving operational efficiency, clear prioritisation of capital expenditures, commitment to financial discipline, rationalisation of the Company’s asset and project portfolios, and transition to portfolio-based project management.
The Company has zero tolerance towards intentional corruption for personal or material gain, including for the benefit of third parties, or any other fraudulent or corrupt practices regardless of the amount of monetary damage.
The Company consistently implements and reinforces internal controls, embedding group-wide policies to prevent unlawful or wrongful acts by third parties or by its employees and maintaining the procedure for conducting internal investigations of unlawful or wrongful acts of its employees. The Company also maintains a speak-up hotline.
The Company has adopted policies and standards, as well as committed itself to:
|Oil price fluctuations|
The Company is exposed to the risk of energy price volatility.
KMG continuously monitors and analyses price and demand dynamics for crude oil and oil products. The Company’s strategic and current planning model is based on a scenario approach and can be adjusted as necessary. The Company has internal reserves and is capable of optimising its costs and capital investments to meet its obligations if prices of oil, gas or oil products fall. It also keeps open the option of purchasing financial instruments to hedge against a significant drop in oil prices.
|Country risks and the risk of sanctions|
The Company operates internationally. Any significant adverse change in the economic and political situation in a recipient country could affect the Company’s operations. Sanctions against certain countries, including sectoral sanctions, can affect the Company’s operations and its prospective projects.
The Company mitigates country risks by setting country-specific limits based on the analysis of the recipient country (from the economic, political, strategic, social and other perspectives).
The Company analysed the impact on its operations from economic sanctions, along with potential response measures. Joint projects/material transactions with Russian entities were reviewed, with relevant potential operational and financial risks explored.
The Company monitors existing sanctions to minimise negative impacts and implications considering the potential widening of sanctions, which may have a targeted impact on the Company’s prospective projects. To reduce risks, the Company provides for mechanisms to exit projects or implement them independently in the event of a tougher sanctions regime.
Growing global cybercrime and increased impact of digitalisation on production and management processes at KMG lead to increased risks of attacks on the Company’s ITC system aimed at compromising its integrity, accessibility and security.
The Company rolls out specialist information security hardware and software solutions to ensure automated monitoring of external and internal threats.
The Company runs tests to check its ICT system for vulnerability to external attacks, analyses its IT infrastructure security, audits network elements and monitors its operating systems security on a regular basis.
The Company’s information security management system is maintained to meet the current international standards.
The Company is exposed to reputational risk which affects its business reputation and relationships with investors, counterparties, partners and other stakeholders.
The Company implements a range of measures to manage this risk including publications in the media, holding of briefings, press conferences and management presentations highlighting various aspects of the Company’s activities and raising awareness among stakeholders.
The Company maintains a speak-up hotline and a procedure ensuring prompt responses to complaints and claims to eliminate their root causes.
Currency risk is a potential negative change in the Company’s financial performance due to exchange rate fluctuations.
Given the currency mix of its revenues and liabilities, the Company is also exposed to FX risk in its operations. The strategy for managing this risk involves the use of a holistic approach that considers natural (economic) hedging options.
KMG ensures the optimal balance of assets and liabilities denominated in foreign currency, and calculates earnings considering the FX risk.
The Company is exposed to the persistent risks of changes in tax laws and lack of clear interpretation, as well as the risk of increased tax burden and loss of entitlement to tax benefits.
The Company continuously monitors changes in tax laws, evaluates and forecasts the extent to which they can potentially impact its operations, as well as following trends in law enforcement practice and considers the implications of regulatory changes for its operations. The Company’s specialists regularly take part in various working groups responsible for drafting tax legislation.
To mitigate tax risks, the Company improves its tax administration processes and conducts tax audits.
|Interest rate and commercial bank liquidity risk|
Higher interest rates and lower financial stability of the banking sector can have a negative impact on the cost of borrowing, as well as the placement of idle cash.
To mitigate these risks, the Company diversifies investments in financial instruments in accordance with the treasury portfolio’s pre-defined limits and regularly monitors how idle cash is placed across KMG Group.
Most of KMG’s earnings are generated in US dollars, while the main source of borrowing is the international lending market. For these reasons, KMG’s debt portfolio is largely denominated in US dollars. The interest rates for servicing a portion of these loans are based on LIBOR and EURIBOR interbank lending rates. An increase in these interest rates may result in higher costs of servicing the Company’s debt while an increase in the cost of loans for the Company may have a negative impact on its solvency and liquidity.
KMG has implemented measures to significantly reduce the Company’s debt and improve operational efficiency to move the Company into the green zone of credit risk.
|Investment (project) risk|
The Company is implementing a number of projects in hydrocarbon exploration, production, transportation and processing, which could be exposed to significant risks associated with external and internal factors. The materialisation of such risks can significantly affect the success of these projects.
The Company regularly monitors the status of project implementation in the regions in which it operates, making timely adjustments to project implementation plans as necessary. Where risk can arise affecting the timing, budget or quality of projects, mitigation measures may include negotiations with stakeholders, reduction of operating costs, optimisation of the investment programme, etc.
|Risks of changes in applicable laws, and litigation and arbitration risks|
The Company’s performance can be impacted by changes in applicable laws including subsoil use, tax, currency, customs regulations, etc., as well as the risk of negative court decisions on court or arbitration disputes involving the Company.
The Company continuously monitors changes in laws as well as evaluating and forecasting the extent to which they can potentially impact the operations of Group entities. The Company regularly takes part in working groups to develop and discuss draft laws in various areas of the law.
The Company continuously monitors laws as well as judicial and law enforcement practices and actively applies them in resolving legal issues and disputes arising in the course of the Company’s operations.
|COVID-19 Pandemic Risk|
The outbreak of coronavirus COVID-19 had a negative impact on trade and the economy globally. The long-lasting impact from negative risk factors associated with the threat of the COVID-19 pandemic might lead to implication on the Company's performance:
The Company constantly monitors changes in the situation with the spread of COVID-19 in the world and also carries out all the necessary preventive measures, aimed at curbing the spread of COVID-19 at workplaces. The Company ensures preparedness for the potential deterioration of the epidemiological situation as well as the implementation of a number of measures in order to ensure business continuity in case of detection of COVID-19.