Home 8. Corporate governance report Risk management and internal controls

Risk management and internal controls

Risk management system

Following the JRUN Strategy for 2023-2032, Kazakhtelecom JSC implements the most advanced risk management practices. Development of the corporate risk management and internal controls system (hereinafter — CRMS and IC) is aimed at achieving maximum efficiency of assets utilization, minimizing losses when adverse events occur, identifying opportunities and stimulating innovation, which in turn contributes to creating and protecting the Company’s value for shareholders, creditors, and other stakeholders.

Properly designed and applied risk management structure ensures its implementation in all activities of the Company, including the decision-making process and proper accounting for changes in the external and internal business environment.

Participants in the risk management process

The organizational structure of the Company’s CRMS is presented on several levels and includes the following participants in the risk management process:

Organizational structure of the corporate risk management system

Board of Directors

as a management body that has key responsibility to the shareholder (s) for risk management issues at the Company

Management Board

is the executive body of the Company and is responsible for implementing the Company’s Risk Management Policy

Risk committee

is a consulting and advisory body under the Management Board whose main goals and objectives are to ensure high-quality information on risk management issues and the appropriate communication channels between the structural divisions of the Company, as well as working discussion of issues that require agreement/approval at the level of the Management Board

Risk Management and Internal Controls Department

is a key structural division in the CRMS, which ensures coordination, necessary analytics and methodological support on risk management issues for all participants in the CRMS at the Company level. Is responsible for implementing and maintaining an effective system of internal controls and process management adequate to the scope and complexity of the Company’s business

Business units

are important members of the CRMS, since they are responsible for risk management within the limits of their authorities and competencies

Risk coordinators and risk teams

are appointed to ensure the effective functioning of the risk management system in the first line of defense in the structural divisions of the Company

Internal audit service

is a service that provides the Board of Directors with independent and objective recommendations aimed at improving the Company’s operations through a systematic and consistent approach to assessing and improving the effectiveness of risk management, internal control, and corporate governance systems

Risk management in 2022

The Company annually identifies the Company’s risks, the results of which are reflected in the risk register approved by the Board of Directors. The register includes risks capable of affecting the achievement of long-term strategic goals and key performance indicators of the Development Plan.

In 2022, the list of risk events for compliance risks has been expanded. The list for 2021, which consisted of two risk events “Presence of conflicts of interest in the performance of official duties” and “Presence of corrupt practices”, was supplemented by the risk event “Non-compliance with the code of ethics”.

According to the Company’s Risk Register and Risk Map at the end of 2022, the Company has 23 risks:

Risk map of Kazakhtelecom JSC for 2022

Key risks of 2022

The Risk Management Service constantly monitors the dynamics of key risks and monitors the implementation of measures aimed at mitigating risks. The results of monitoring are sent quarterly in the form of risk reporting to the Board of Directors of the Company.

The Company is implementing measures to proactively manage key risks to reduce their impact on the objectives of the period:

Key risks Measures taken by the Company to mitigate risk
Safeguarding physical assets
  • Daily maintenance of security and technical protection systems of the Company’s facilities;
  • Development of the “Fire Safety” BP.
 4/3
Innovation risk
  • A partnership agreement was signed between Kazakhtelecom JSC and Nursat+LLP;
  • A document was approved (Decree No. 19 of 18.02.2022) on providing the possibility of applying discounts to tariffs for new businesses in a highly competitive environment;
  • updated information on product pages;
  • Promo was held (Order No. 309 of 30.09.2022) “On holding a campaign to promote the service “Cloud Video Surveillance for Entrances”.
 5/1
Legal risk
  • Registration of property rights to unregistered cable conduit sections and land plots, prolongation of property rights to facilities with expired terms of validity.
 5/2
Regulatory risk
  • A number of measures are being taken to ensure the functionality of SOIM switching stations.
 4/3
Fraud
  • Prevention and suppression of violations in the field of fraud by the employees of the Company are carried out;
  • reviews of structural divisions of the Central Administration and the Company’s branches are performed.
 5/1
HR risk
  • During the year, the Comprehensive Action Plan to ensure social stability in the group of companies of Kazakhtelecom JSC was implemented (Order No. 81 as of 25.04.2022);
  • During the year, the Action Plan for work on disturbing zones for 2022 was completed (Order No. 45 as of 05.03.2022).
 4/3
Quality risk
  • Prevention of the provision of services that do not comply with contractual obligations to corporate clients (non-compliance with the declared parameters, quality standards).
 4/4
Information security violation
  • Implementation of the project “Modernization of information security protection tools”.
 4/3

Emerging risks

To ensure preventive risk management measures, emerging risks have been identified that are not yet on the risk map. However, subject to their further development, they may enter the risk map in the future. Kazakhtelecom JSC does not exclude the existence of other risks of which nothing is currently known or which Kazakhtelecom JSC considers immaterial:

  • Geo-economic confrontations;
  • Rapidly rising and/or persistent inflation;
  • Geopolitical struggle for resources;
  • Interstate conflict;
  • Price hikes on products and goods.

Internal controls system

Developed based on recommendations of the Committee of Sponsoring Organizations of the Tradeway Commission (COSO) and other international best practices in the field of risk management and internal control in Kazakhtelecom JSC, the ICS is based on the model of three lines of defense, and responsibility for its operation in the Company is distributed among participants as follows:

Model of the three lines of defense

1
First line of defense

Management (process owner) has the primary responsibility for managing the risks associated with day-to-day operations. In addition, the responsibility of the first line includes the development, maintenance, and implementation of controls.

2
Second line of defense

Identifies emerging risks in the day-to-day activities of the organization. To this end, it ensures that the necessary concepts, policy documents, tools and technologies are in place.

3
Third line of defense

Evaluation of the effectiveness of the ICS, responsibility for reporting to the Board of Management and the Audit Committee, and providing audit evidence to regulators and external auditors that demonstrates the effectiveness of the structure and functioning of the control culture in the organization.

In order to increase the overall effectiveness of control functions in the Company, ensure timeliness of actions and fruitful interaction, the structural units of the second and third lines of defense constantly exchange information about the identified shortcomings of the ICS, errors and violations in the Company’s activities and in the performance of their duties by its employees, as well as coordination activity in its direction in Kazakhtelecom JSC’s subsidiaries/affiliates.

The key objective of the internal control system is to ensure the transparency and reliability of the Company’s financial statements. In Kazakhtelecom JSC, the main principles and stages of building an internal control system over the process of preparing financial statements are defined as follows:

  • identification and description of significant business processes for the preparation of financial statements;
  • identification and assessment of risks at the level of business processes (affecting the reliability of reporting), as well as delineation of responsibility for managing these risks, considering possible conflicts of interest.

When describing, evaluating, and implementing control procedures aimed at reducing risks at the level of business processes, the possibility of automating controls is provided, as well as establishing controls of various types: preliminary, subsequent, key and compensating.

Also, Kazakhtelecom JSC practices evaluation of the operating efficiency of controls on an ongoing basis.

Development of the CRMS and IC in 2022

In the reporting year, the Company implemented the measures provided for by the Main directions for development of RMS and IC of Kazakhtelecom JSC Group for 2022-2024 approved by the Company’s Management Board, namely:

RCSA — Risk and Control Self-Assessment (self-assessment of risks and the control environment) practice was introduced. Department of Risk Management and Internal Controls conducted target interviewing of heads of structural subdivisions of CBDs and SFs.

During the year, Department of Risk Management and Internal Controls carried out preparations for introducing amendments and additions to methodological and regulatory documents on risk management.

To ensure the proper implementation of internal control over the activities of the Company and increase the importance of internal control, the Internal Control Policy of Kazakhtelecom JSC was developed.

One of the strategic goals in the field of ESG is ecology. As part of the implementation of the Action Plan to improve corporate governance in Kazakhtelecom JSC for 2022–2024, the Department of Risk Management and Internal Controls included an environmental risk in the Risk Register of Kazakhtelecom JSC, the risk events of which are:

  • Exceeding emission limits;
  • Non-compliance with the requirements of legislation in the field of environmental protection;
  • The spread of epidemics of influenza and other infectious diseases.

Improving the database of realized risks and incidents.

According to the requirements of the Code of Corporate Governance, on an annual basis, employees are tested for knowledge of internal regulatory documentation adopted by Kazakhtelecom JSC on the risk management system, internal controls, and process management. The total number of employees tested was 1,879 people.

In the IV quarter of 2022, the Internal Audit Service of Kazakhtelecom JSC assessed the effectiveness of the corporate risk management system and the internal control system of Kazakhtelecom JSC in accordance with the Methodology for diagnosing the corporate governance of legal entities, more than 50% of the voting shares of which are directly or indirectly owned by Samruk-Kazyna JSC. Based on the results of the events, the overall rating was — A.

In 2022, in accordance with the Methodology for diagnosing risk management and internal control systems in subsidiaries and affiliates of Kazakhtelecom JSC, diagnostics of systems were carried out in VOSTOKTELECOM LLP and QazCloud LLP.

The list of the Group’s risk appetite has been revised.

Areas of development of the CRMS and IC

Given the uncertainties caused by new challenges, the high volatility of the business environment, the constantly increasing expectations of consumers of products and services, the dependence on the geopolitical picture of the modern world and the strengthening of the regulatory role of the state in the economy, there is a need to change attitudes to the system of risk management and internal controls.

The Company intends to improve the current risk management and internal control model by applying the fundamental concepts and standards and based on their criteria:

  • corporate governance and culture;
  • strategy and goal setting;
  • қperformance;
  • monitoring and implementation of changes;
  • information, communications, and reporting.