Risk management system
The development of the Corporate Risk Management System (CRMS) and Internal Control (ICS) is aimed at achieving maximum efficiency in the use of assets, minimizing losses in the event of unfavorable events, identifying opportunities and encouraging innovation, which in turn contributes to the creation and protection of the Company's value for shareholders, creditors and other interested parties.
A properly designed and applied risk management structure ensures its integration into all lines of business, including the decision-making process, as well as appropriate accounting of changes in the external and internal business environment.
Participants in the risk management process
The organizational structure of the Company's RMS is represented at several levels and includes the following participants in the risk management process:
- is a management body that has key responsibility to the shareholder (s) for risk management issues at the Company
- is the executive body of the Company and is responsible for implementing the Company's Risk Management Policy
- is a consulting and advisory body under the Management Board whose main goals and objectives are to ensure high-quality information on risk management issues and the appropriate communication channels between the structural divisions of the Company, as well as working discussion of issues that require agreement/approval at the level of the Management Board
- is a key structural division in the CRMS, which ensures coordination, necessary analytics and methodological support on risk management issues for all participants in the SDGC at the Company level
- is responsible for implementing and maintaining an effective system of internal controls and process management adequate to the scope and complexity of the Company's business
- are important members of the CRMS, since they are responsible for risk management within the limits of their authorities and competencies
- are appointed to ensure the effective functioning of the risk management system in the first line of defense in the structural divisions of the Company
- is a service that provides the Board of Directors with independent and objective recommendations aimed at improving the Company's operations through a systematic and consistent approach to assessing and improving the effectiveness of risk management, internal control and corporate governance systems
Internal controls system
The main goal of the system of internal controls (ICS) is to improve business organization processes by identifying and preventing process risks, including violations of internal documents and processes, in order to provide reasonable assurance that the Company will achieve its strategic and operational goals, as well as goals of complying with legislative requirements and internal documents and preparing financial and management reporting. The ICS management is based on the standards and practical recommendations of international professional organizations in the areas of risk management, internal control, process management, information and telecommunications technologies, including the COSO, TMForum and ISO standards.
The Company's ICS is based on the model of three lines of defense, and responsibility for its operation in the Company is distributed among participants as follows:
- Identification and assessment of process risks, development (design) and implementation of control procedures to mitigate identified risks;
- Testing of design and operating effectiveness of control procedures;
- Continuous monitoring of the implementation of controls by the process participants/employees of the division;
- Communication of the provisions of the Policy to employees of the reporting division, including the duties and responsibilities of employees;
- Ensuring compliance of the process and its control procedures (if any) with the requirements and provisions of internal documents;
- Organization of conditions for the implementation of the action plan to improve the ICS within the limits of its authorities and control over its implementation, including the elimination of identified violations;
- Exchange of information with the second line of defense.
- Supervising director/Chairman of the Management Board
- High-quality implementation and execution of controls in accordance with job descriptions and the requirements of internal documents;
- Participation in updating process documentation and existing control procedures to take into account changes in the business of the division;
- Participation in the process of identifying risks and assessing the effectiveness of control procedures;
- Preparation of proposals on eliminating deficiencies in the ICS within the framework of its competencies;
- Exchange of information with the second line of defense.
- Immediate Supervisor
- Development of risk assessment methods, recommendations on responding to them, methods for determining the acceptable level of risks;
- Collection and consolidation of risk assessment results;
- Critical analysis of the results of risk assessment by the first line of defense;
- Exchange of information with the third line of defense.
- Chairman of the Management Board
- Development of a methodology for assessing compliance risks;
- Monitoring and ensuring the Company's compliance with external regulatory anti-corruption requirements and internal documents of the Company;
- Ensuring the implementation and performance of integrity checks of third parties;
- Coordination of official audits and investigations.
- Board of Directors
- Development of internal control methodology;
- Support of ICS participants in identifying and documenting process risks to improve control procedures;
- Consolidation of the results of testing the design and operating effectiveness of control procedures;
- Ensuring the development and testing of design and operating effectiveness of control procedures;
- Ensuring RMS and ICS integration;
- Training of the Company's employees in the ICS methodology;
- Monitoring of the implementation of plans of corrective measures for internal control;
- Development of the Company's ICS and coordination of internal control at subsidiaries;
- Exchange of information within the second line and with the third line of defense.
- Chairman of the Management Board
- Assessment of effectiveness of the ICS;
- Exchange of information with the second line of defense.
- Board of Directors
Development of the SDGs in 2021
Measures stipulated by the Key Areas of RMS and IC Development of the Kazakhtelecom Group of Companies for 2019-2021, approved by the Management Board of the Company, were taken.
During the year, the Risk Management Service developed and approved methodological and regulatory documents on risk management. Implemented a database of implemented risks and incidents.
Pursuant to the requirements of the Corporate Governance Code, employees are tested annually for knowledge of the internal regulatory documents adopted by Kazakhtelecom JSC on the risk management system, internal controls and process management. The total number of employees tested was 2,162.
In the third-fourth quarter of 2021, an independent audit company PwC carried out a diagnostics of the corporate governance of Kazakhtelecom JSC. Based on the results of the measures taken, the overall rating for Risk Management, Internal Control and Audit was BBB.
In order to ensure that the Company complies with the requirements of corporate governance standards in terms of the existence of effective risk management and internal control systems at the Company and its subsidiaries, an internal document with a list of criteria for diagnostics of the SDWC and ICS at the Company's subsidiaries has been developed. In 2021, systems at JSC Kcell and TOO Center for Digital Economy Development were examined.
Risk management in 2021
The Company annually identifies the Company's risks, the results of which are reflected in the risk register approved by the Board of Directors. The register includes risks capable of affecting the achievement of long-term strategic goals and key performance indicators of the Development Plan.
According to the Company's Risk Register and Risk Map at the end of 2021, the Company has 21 risks.
Key risks of 2021
The Risk Management Service constantly monitors the dynamics of key risks and monitors the implementation of measures aimed at mitigating risks. The results of monitoring are sent quarterly in the form of risk reporting to the Board of Directors of the Company.
The Company takes measures to proactively manage key risks to reduce their impact on the goals of the period:
- Implementation of an Automatic Information System (a system for informing clients about new products, generating primary connection requests, and an additional sales channel);
- Training of personnel on new business;
- Testing of the vCSG software on the basis of white-box equipment (IP Infusion UfiSpace and software).
- The functionality of the ORM KS is ensured.
- The regulatory documents have been updated;
- Reviews of structural divisions of the Central Administration and the Company's branches are performed on an ongoing basis.
- The salaries of employees of mass professions have been revised upwards;
- Internal online conferences are held with the participation of the Chairman of the Board.
- Performance of internal control over occupational safety and safety by employees of the Occupational Safety and Safety Services of the Central Bank, divisions and branches of the Company.
- Research and development services in the area of communications and telecommunications;
- On the project "On the Procurement of Certain Entities of the Quasi-Public Sector" and "On the Introduction of Amendments and Addenda to Certain Legislative Acts of the Republic of Kazakhstan on Issues of the Procurement of Certain Entities of the Quasi-Public Sector".
- Security and technical protection systems of the Company's facilities are ensured.
Emerging risks
In order to ensure preventive risk management measures, emerging risks have been identified that are not yet on the risk map but are developing, and may enter the risk map in future. However, Kazakhtelecom JSC does not exclude the existence of other risks of which nothing is currently known or which Kazakhtelecom JSC considers immaterial:
- failure in climate action;
- extreme weather events;
- loss of biodiversity;
- erosion of social alignment;
- economic crisis;
- spread of contagious diseases;
- artificial environmental catastrophes (created by people);
- scarcity of natural resources;
- debt crisis;
- geoeconomic conflict.
Areas of development of the SDGs
Given the uncertainties caused by new challenges, the high volatility of the business environment, the constantly increasing expectations of consumers of products and services, the dependence on the geopolitical picture of the modern world and the strengthening of the regulatory role of the state in the economy, there is a need to change attitudes to the system of risk management and internal controls.
The Company intends to improve the current risk management and internal control model by applying the fundamental concepts and standards and based on their criteria:
- Corporate governance and culture;
- Strategy and goal setting;
- Performance;
- Monitoring and implementation of changes;
- Information, communications and reporting.