Corporate governance

05
Risk management and internal control system
KEGOC JSC has successfully implemented and maintains a risk management system based on generally accepted conceptual risk management models developed by the Committee of Sponsoring Organizations of the Treadway Commission — COSO ERM “Enterprise Risk Management — Integrated Framework” and the requirements of Samruk-Kazyna JSC.
The corporate risk management system is a key component of corporate governance, aimed at timely identification,
assessment, and control of risks that may adversely affect the achievement of KEGOC JSC’s strategic and
operational goals.
The primary objective of the existing Corporate Risk Management System (CRMS) is to ensure continuity and
stability of operations by limiting the impact of internal and external negative factors on KEGOC JSC’s
activities.
The core principles of the risk management system include:
- engagement of the Company’s management in the risk management process;
- continuous improvement of the risk management system;
- ongoing training and knowledge-sharing in risk management among employees;
- transparency and honesty in risk reporting and escalation.
The tasks of the risk management system are:
- development and application of uniform and consistent approaches to identifying, assessing, and managing KEGOC JSC’s risks, simplifying vertical (management) and horizontal (experience sharing) risk communication processes;
- prompt response to emerging risk events, tracking changes in external and internal environments;
- targeted risk management activities to reduce risks to an acceptable level or to transfer them to third parties (outsourcing, insurance, hedging) or avoid them altogether;
- systematization and accumulation of risk data at KEGOC JSC to enhance the Company’s manageability;
- improving KEGOC JSC’s competitiveness and achieving its strategic goals by enhancing the efficiency of the CRMS.
The CRMS serves as a tool to support managerial decision-making and day-to-day operational activities at
KEGOC JSC.
The risk management process at KEGOC JSC is continuous, cyclical, and multidirectional, and includes the
following components:
- internal environment;
- objective setting;
- risk identification;
- risk assessment;
- risk response;
- control activities;
- information and communication;
- monitoring.
KEGOC JSC Risk Management Process

Implementation of the above components of the risk management process contributes to the development of risk
management culture (risk culture), which is the basis of risk management. It comprises beliefs, understanding
and knowledge in the field of risk management, shared and applied by all officers and employees in the
performance of their duties.
Risk culture is part of the corporate culture. The level of risk culture determines how risks are identified,
assessed and managed from the development of the Development Plan through to its implementation and performance
monitoring.
The risk culture is based on the following principles:
- Tone at the top: Decision-making is based on an optimal balance between long-term value, profitability and the risks associated with both making and not making decisions, and management encourages risk-oriented behavior in subordinates.
- Corporate Governance: KEGOC JSC activities are aimed at creating a control environment that ensures that employees understand that the Policy and all IRDs are binding. All officers and employees of KEGOC JSC clearly recognize their area of responsibility and authority for risk management and internal control. Risk Owners, within the scope of their competence, understand and manage risks and properly communicate risks in accordance with KEGOC JSC IRDs.
- Decision-making: The internal environment is characterized by open communication and transparency of risk information, which facilitates open and constructive discussion of associated risks and potential opportunities between employees and management, allowing for joint effective decision-making in response to external challenges.
- The remuneration system at all levels uses financial and non-financial incentives for management and employees to form the right attitude to risk in the process of making managerial decisions. With a well-developed risk culture, decisions are clearly defined by the Risk Appetite.
- Competence: KEGOC JSC organizational structure is based on the ‘three lines of defense’ model. The Risk Unit effectively fulfils the role of the second line of defense, thereby increasing Management’s confidence in achieving KEGOC JSC objectives.
One of the sources of information on the level of risk culture for the Management Board and the Board of Directors is the set of documents on assessment of CRMS efficiency and the reports on diagnostics of corporate governance in the Company.
In order to improve risk culture, the Company provides briefing/seminars for newly hired employees in the area
of the Company’s CRMS, and the Company’s senior management takes part in specialised risk management seminars
and trainings aimed at senior executives.
To control the level of risk culture development in the Company, in 2023 an employee questionnaire (survey) and a test of knowledge in the field of the CRMS were conducted to assess the effectiveness of risk management at the workplace. Based on the results of the survey, seminars for employees of structural divisions are planned for 2024. In addition, KEGOC JSC employees were tested on their knowledge of risk management and internal control systems, and all tested employees passed successfully.
Organizational structure of the CRMS

Functions and responsibilities of CRMS participants:
- The Board of Directors is responsible for the effective operation and development of the CRMS as a whole, setting the tone for risk management, and is responsible for implementing mechanisms to ensure that this tone is reflected throughout the Company and the subsidiary organizations and approves key CRMS documents;
- The Audit Committee acts in the interests of the shareholder(s) and its work is designed to assist the Board by making recommendations to monitor the robustness and effectiveness of the CRMS. Documents submitted for approval by the Board of Directors are preliminarily reviewed by the Audit Committee of the Board of Directors.
The Internal Audit Service (IAS) is responsible for regularly auditing the CRMS and providing an independent opinion to the Board of Directors/Audit Committee. The IAS:
- audits and analyses the effectiveness of risk management procedures and methodology in the area of CRMS, and prepares proposals to improve the effectiveness of risk management procedures;
- submits the Report on CRMS efficiency to the Board of Directors;
- provides information to the structural unit responsible for risk management on realized risks identified during audits;
- fulfils other functions in accordance with the approved regulatory documents of KEGOC.
The Management Board is responsible for establishing, maintaining, and applying risk identification, assessment
and management procedures, organizing the effective functioning of the CRMS, supporting structural units
in implementing/improving risk management processes in their activities, and ensuring that employees of the
structural unit responsible for risk management have professional qualifications.
KEGOC JSC structural subdivisions, branches and subsidiaries are risk owners and are responsible for risk identification, analysis, risk assessment, risk management, preparation of proposals for mitigation of key risks, reporting on KEGOC JSC key risks and timely informing about the realized risks.
The Compliance Service is responsible for the development and implementation of a compliance programme aimed at managing the risks of violation of the Code of Conduct, anti-corruption legislation and other regulatory requirements applicable to KEGOC JSC.
The Risk Committee makes decisions on KEGOC JSC risk management issues and prepares recommendations to the KEGOC JSC Management Board on the Company’s risk management issues. In 2024, the Committee held 8 meetings.
The structural subdivision responsible for risk management is in charge of developing the CRMS, clarifying internal and external requirements, providing consulting assistance, developing IRDs on the CRMS, monitoring the implementation of risk management measures and preparing quarterly risk reporting for the Risk Committee, the Management Board and the Board of Directors.
In performing their functions, the Board of Directors and the Management Board rely on the ‘Three Lines of Defence’ model, which interacts within the framework of the CRMS.
The first line of defence is represented by the structural subdivisions, that is, by each employee within their competence.
The second line of defence is represented by structural subdivisions performing monitoring functions.
The third line of defence is represented by the Internal Audit Service, which independently assesses the effectiveness of and contributes to the improvement of risk management and internal control, supports the Audit Committee and the Board of Directors by providing them with an independent assessment of the effectiveness of CRMS and internal control.
On a regular basis, KEGOC JSC analyses existing risks and identifies new risks that may adversely affect the achievement of goals, objectives, indicators, and fulfilment of the KEGOC JSC Development Plan (Strategy), Action Plan (Business Plan) of KEGOC JSC.
The following methods are used for risk identification:
- analysing business processes;
- collection and analysis of statistical data;
- individual expert methods (questionnaires, interviews);
- group methods (brainstorming, business game);
- monitoring of publications and speeches.
Risks may also be identified when considering issues submitted to the meetings of the Management Board, Board of Directors, changes in the external environment, changes in KEGOC JSC processes, procedures, organisational structure, etc.
Risks are identified on the basis of the current-year goals (KPIs) of the Management Board members, management employees and heads of structural divisions, which are in turn derived from the strategic goals of KEGOC JSC.
In the process of risk inventory, a risk assessment is carried out in parallel with the determination of approaches to risk management.
Within the framework of risk assessment the following risk parameters are assessed:
- the impact (size) of the risk;
- probability of realisation (frequency) of risk;
- impact time.
When assessing risks, qualitative or quantitative analyses or a combination of both are used.
The probability of realisation, the impact and the impact time of each risk are assessed in accordance with the risk assessment criteria established in KEGOC JSC. The results of the risk assessment process are plotted on the Risk Map, which visually reflects the relative importance of each risk. Risks are ranked into low, medium, large and critical risks.
Preventive and reactive measures are developed for all identified risks and approved by the Board of Directors. Key risk management measures are aimed at preventing risks and/or minimising the consequences in the event that risks materialise.
All identified risks with their assessment and measures are approved by the Board of Directors.
The results of risk identification and assessment are summarized in the Company’s Risk Register for 2024, which includes 49 risks. Measures for their management have been developed for each risk, and risk owners have been identified. The Company continuously monitors the dynamics of key risks and the implementation of mitigation measures by sending quarterly risk reports to the Management Board and the Board of Directors of the Company.
Classification of KEGOC JSC risks

Risk map of KEGOC JSC

The most significant and relevant risks for KEGOC JSC in the reporting year include:
- risk of a work-related accident;
- production asset failure;
- decline in the Company’s share price below the SPO placement price;
- risk of increased overdue accounts receivable for system services rendered.
More detailed information on the management of key risks is disclosed in the relevant sections of this report by business areas and implementation of the Company’s strategic goals.
In addition to the main risks, the Company has considered emerging risks that are at the identification stage and/or may significantly increase in the future and are capable of having a material impact on the Company’s operations and potentially have a long-term (3–5 years) material impact on its activities. Currently, the following are considered emerging risks: climate change; cyber risks; global pandemics affecting international trade or global supply disruptions; as well as geopolitical risks.
| | Emerging risk 1 | Emerging risk 2 |
|---|---|---|
| Supporting Evidence | According to the Climate Program of KEGOC JSC, an analysis of climate risks was conducted using climate scenarios and models, which confirmed the high vulnerability of the Company’s infrastructure to extreme weather events. | IT is becoming a key factor in achieving the Company’s goals and implementing its strategy. With the development of technology and the widespread use of the Internet, new cybersecurity risks are emerging. The number and complexity of attacks targeting all types of digital devices are increasing, and incidents involving attacks on the IT infrastructure of large corporations and critical industrial facilities have become more frequent. |
| Name of Emerging Risk | Climate risk (transition and physical) | Information security risks |
| Category | Operational risk | Operational risk |
| Description | Climate change may lead to rising temperatures, increased frequency of droughts and floods, hurricanes, which affect the reliability of MES facilities, reduce the efficiency of energy transmission, and increase costs for network repair and modernization. | Risk associated with disruption of digital systems, leakage of confidential information, hacking of SCADA systems and IT infrastructure. Given the scale and significance of KEGOC JSC in managing the UPS, attacks on information resources may lead to disruptions in dispatch control and electricity transmission. |
| Impact | Potential power transmission disruptions, infrastructure damage, increased recovery costs, reduced operational efficiency and energy supply reliability, especially under conditions of increasing share of RES. | Loss of confidential information, disruption of operations, possible outages or power supply interruptions, reputational damage, regulatory fines, decreased trust from investors and consumers. |
| Mitigating Actions | 1. Implementation of a climate monitoring system and vulnerability analysis of facilities; 2. Development of Smart Grid and digital technologies; 3. Modernization of 220–500 kV transmission lines; 4. Investment in resilient infrastructure and green bonds to finance adaptation projects. | 1. Implementation of cybersecurity and threat monitoring systems; 2. Updating internal regulations on information security; 3. Staff training on methods for countering cyber threats; 4. Conducting system stress testing; 5. Cooperation with national cybersecurity centers. |
In 2024, a climate risk was identified and included in the Risk Register for 2025. It may arise both from climate change itself (extreme temperature increases, floods and strong wind loads: physical risks) and from the measures taken to mitigate its consequences (political and regulatory measures related to climate change, failure to keep up with technological innovations supporting the transition to a low-carbon economy, and stricter requirements from stock exchanges and financial institutions regarding disclosure of non-financial information on climate: transition risks).
The internal control system of KEGOC JSC (ICS) is based on the COSO model and includes five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring.
The internal control system policy of KEGOC JSC defines internal control as a process carried out by the participants of the internal control system in order to achieve the set objectives in three key areas:
- operational activities;
- financial reporting preparation;
- compliance with regulatory and legal requirements.
The ICS provides for the creation of a management system capable of promptly responding to process risks, controlling main and auxiliary business processes and daily operations, as well as promptly informing the relevant management level of any significant deficiencies and areas for improvement.
According to the Regulation on the organization and execution of work on the internal control system of KEGOC JSC, the competence of the ICS participants is delineated depending on their role in the processes of development, approval, implementation, and assessment of ICS effectiveness.
The Board of Directors and the Management Board of the Company rely on the “Three Lines of Defense” model in carrying out their functions. ICS participants include the Board of Directors, the Management Board, the Audit Committee, the Internal Audit Service, structural units — owners of business processes and subprocesses, control procedure performers, and the unit responsible for risk management and internal control.
The Company regularly conducts an assessment of the design of control procedures, which includes the analysis of existing business processes.
This work includes the identification and assessment of process risks, analysis of internal regulations and flowcharts, as well as assessment of the effectiveness of control procedures. Based on the design assessment, the risk and control matrix is approved by the business process owner, and recommendations are provided for business process improvement.
The Internal Audit Service is responsible for directly assessing the effectiveness of the ICS, testing the operational effectiveness of control procedures, and preparing and presenting the respective report to the Audit Committee and the Board of Directors.
Annually, based on the Company’s business process register, a control procedure design assessment plan is approved. Under this plan, the effectiveness of control procedure design is analyzed. Based on the analysis results, recommendations are developed for improvements and areas for development.
The Company has implemented a business continuity management system, which identifies business processes/subprocesses requiring the development of BCPs (Business Continuity Plans). In 2024, work was conducted to identify the Company’s critical business processes/subprocesses for which BCPs were developed and tested, particularly for providing system operator services for technical dispatching, ensuring occupational safety and equipment reliability, providing and supporting ITC services, managing information security incidents, and ensuring KEGOC JSC’s operations in the event of emergencies.
The Internal Audit Service of KEGOC JSC annually evaluates the effectiveness of the CRMS and ICS, and the results are submitted to the Company’s Board of Directors. Based on the 2024 evaluation conducted by the Internal Audit Service, the internal control and risk management systems are functioning in an acceptable manner, providing reasonable assurance of achieving the Company’s goals. For all identified non-conformities, corrective action plans were developed based on IAS recommendations, and their implementation is monitored on an ongoing basis.