Risk management and internal control

The effective risk management and internal control system is one of the most important objectives of the Company in the near future. It aims to achieving the strategic and operational goals of the Group of companies of Samruk-Energy JSC. Compliance with the norms and principles of corporate governance allows us to effectively control the functioning of the company's management bodies, and reduces risks in their activities.

The Company's risk management system aims to accurate and timely risk identify, assess, monitor, and respond to risks. This allows the management makes decisions based on a comprehensive vision and considering the risks in the medium and long term.

The Company adheres to the COSO standard, using the model of Three Lines of Defense.

We regularly analyze key trends and risks in the context of the three pillars of sustainable development: economic, environmental, and social. We also study the experience of countries related to the low-carbon economy transition and regularly hold meetings engaging energy and ecology experts.

The current risk management system allows the Management Board and the Board of Directors of Samruk-Energy JSC to effectively manage and allocate resources by priority areas to ensure the level of risks acceptable for the Group of Companies of Samruk-Energy JSC and to obtain the highest return on such investments due to identification, assessment, management and monitoring of risks.

The internal control system provides for a quick response to risks and control over the main and auxiliary business processes and daily operations of the Company. This system ensures immediate informing of the management of any significant shortcomings and improvements.

The Board of Directors has set the Company's risk appetite in quantitative and qualitative terms, including restrictions on core activities. The Company monitors the risk appetite compliance on a quarterly basis.

The owners of key business processes regularly update the risk and control matrices, including those for the financial reporting process, and submit them for consideration and approval to the Board of Directors.

We annually form and submit for consideration and approval to the Board of Directors the Risk Register, the Risk Map, Key Risk Indicators (KRI) and the Key Risk Management Action Plan.

Based on the results of the risks identification for the Group of companies of Samruk-Energy JSC in 2023, the Company identified and assessed 34 risks inherent in its activities, and updated the KPI thresholds. The risk owners updated the risk factors and measures to reduce them.

According to the reassessment results, nine risks fell into the key zone of the Risk Map of the Group of companies of Samruk-Energy JSC for 2022 (in 2022, there were 9 key risks).

In 2023, we continued post-monitoring of the "Implementation of the New Risk Management Model" project. Internal regulatory documents were used in subsidiaries, such as the Rules for Organization and Conduct of Internal Control, Rules for Business Continuity, Business Continuity Plans, and Recovery Plans for subsidiaries and affiliates.

he Risk Management and Internal Control Department analyzes the effectiveness of the internal control system based on the existing Rules for the Organization and Conduct of Internal Control for key subsidiaries and affiliates.

Monitoring of the business continuity management system was conducted, internal regulatory documents related to ensuring business continuity were updated, the composition of the business continuity working group was expanded, and tests of the business continuity plans and recovery plans were carried out.