Risk Management Policy of JSC NC KazMunayGas for the period until 2013

Transcription

1 Endorsed by Resolution of the Management Board, JSC NC KazMunayGas of _4 _March_ 2011 Minutes No._36 Approved by Resolution of the Board of Directors, JSC NC KazMunayGas of _31 May 2011 Minutes No._4/2011_ Risk Management Policy of JSC NC KazMunayGas for the period until General Provisions The activities of JSC NC KazMunayGas (hereinafter KMG) and its subsidiaries (hereinafter together referred to as Company) is subject to risks. KMG perceives the importance of risk management as a key component of the corporate governance system, aimed at timely identification and taking actions to mitigate the risks that may influence the Company s value and reputation. This Risk Management Policy of JSC NC KazMunayGas for the period until 2013 (hereinafter Policy) determines the goals, objectives and basic principles of risk management and the functions of the participants of the enterprise risk management system. The Policy is based on the best practices of risk management, and takes into account the provisions of the COSO ERM risk management conceptual framework. The Policy shall be mandatory for familiarization and use by all KMG s employees. Taking into consideration KMG s primary objectives as of the managing entity, and consolidation of the subsidiaries financial performance, KMG supervises the process of introduction and improvement of the risk management system in the materials subsidiaries, which includes determining common methods and procedures on risks, common risk language, common forms and order for presenting risk reporting. The subsidiaries are following the policy in the sphere of risk management, taking into consideration their activity factor, but complying with the provisions of this Policy. For the duration of this Policy, the enterprise risk management system cover s the activities of KMG and 6 material subsidiaries: KazMunaiGas Exploration Production JSC (for the group of companies), JSC Refining & Marketing KazMunayGas (for the group of companies), JSC KazTransOil (for the group of companies), JSC KazTransGas (for the group of companies), JSC KazMunayTeniz (for the group of companies), JSC NMSK Kazmortransflot (for the group of companies). The company carries out continuous improvement of the Company s enterprise risk management system, including actualization of the regulatory documents in the

2 sphere of risk management for ensuring their alignment with the Company s objectives and range of activity, new regulatory requirements, and recoding the accumulated experience and best practices in risk management. 2. Key Terms, Definitions and Abbreviations Within the framework of the enterprise risk management system, the following terms mean: risk the possibility of occurrence of an undesired event that will have an adverse effect on the Company s capacity for achievement of its strategic and operational objectives; operational level risks risks emerging in the Company s daily operations, the residual level of which does not impact the achievement of the Company's strategic objectives; strategic level risks risks whose emergence results in a material divergence from the Company s strategic objectives; key risk the Company s risks marked by high/medium values of the probability and/or the extent of damage; undesired event an event when the Company incurs damage, loss of profit, infliction of damage to the life or health of its employees, third parties, disclosure of confidential information, image loss, and infliction of damage to the environment; risk appetite a degree of risk which the Company is ready to accept for the achievement of its strategic objectives; risk management (RM) a continuous process effected by the Company s Board of Directors, Management Board, management and employees in order to identify potential events that may affect the Company, and manage them to be within the limits acceptable (established) for the Company, and applied in strategy setting and across the entity to provide reasonable assurance regarding the achievement of the strategic and operational objectives; enterprise risk management system (ERMS) an aggregate of the principles, methods and procedures ensuring organization and conduct of the risk management process at all levels of the Company; own retention capacity (ORC) is the amount of non-budgeted losses as a result of occurrence of risks for one year, that the Company may incur in case of the risk occurrence, and which will not exert material effect on the Company's activities and the Company's ability to be liable for its obligations; effect time the time period between the occurrence of the risk and occurrence of the loss resulting from it; extent of damage the projected extent of the maximum possible damage in case of the risk occurrence; risk register structured list of the Company s risks, containing complete information on the risks, including: identified risks, their descriptions, causes of risks and description of the risk occurrence consequences, risk owners, their responsibility, results of the quantitative and quantitative estimates, 2

3 agreed risk response measures, residual risks remaining after the planned risk response; risk map a matrix where not more than 30 of the Company s most substantial risks, depending on the extent of possible damage and probability of occurrence; inherent risk (IR) - a risk in the absence of actions to change the probability and extent of effect of this risk; residual risk (RR) a risk remaining provided that the risk response measures have been implemented; pure risks connected only with loss occurrence; speculative risks connected both with the possibility of gain and possibility of loss; assessment period the period of time, for which a risk assessment is carried out; risk limit a means for managing specific types of the risk accepted. A limit constitutes the maximum tolerable extent of one-time losses when the risk realizes. A risk limit may not exceed the Company s risk appetite; risk owner the Company's employee who, by authority and job duties is able to and must manage this risk; risk portfolio the aggregate of risks considered in conjunction and related to a single subsidiary or business area. 3. Company s Goal and Objectives in Risk Management The goal of risk management is to provide reasonable assurance of the achievement of strategic objectives. The objectives of risk management are as follows: timely identification, analysis, assessment and response to the risks in order to reduce the probability of their occurrence and/or mitigation of the negative consequences; ensuring protection of the Company s assets through implementation of the corporate insurance programme; integration with the Company s key business processes and involvement of every employee in the risk management process; implementation of risk management system in the subsidiaries in compliance with common approaches to the risk management methods and procedures; development of the internal environment (risk culture) through carrying out risk management training; regular provision of KMG s Board of Directors with the information on the current risk level; increasing the level of responsibility for risk management through designation of the risk owners both for individual risks and for the risk portfolio, and stipulation of the responsibility in the job descriptions, provisions on the structural subdivisions, KPIs and other internal documents; use of the modern information technology, in order to automate the risk management system processes, making it possible to identify, analyze, assess, manage 3

4 and control the risks on a timely basis with material reduction of the time and labour costs. 4. Basic Principles of Risk Management In pursuing this Policy, the Company is committed to the following basic principles: risk recognition principle - the Company recognizes the presence of the risks associated with its activity, and assesses their influence on the Company's activity; awareness the risk management process involves every employee of the Company, and is accompanied by the availability of objective, reliable and up-to-date information; continuity of the risk management process the Company continuously identifies and assesses the risks associated with its activity, form the risk management system, assesses the efficiency of operation of such a system, adjusts the risk management system taking into account identification and assessment of new risks, and an updated assessment of the risks identified earlier; principle of complex approach to risk management the Company considers and manages risks in the aggregate. To improve the efficiency of the enterprise risk management system, KMG determines lists of risks managed by KMG together with its subsidiaries, and risks managed at the level of the subsidiaries, based on the corporate level of the risk appetite and priority of the risks for the Company; rationality principle the Company rationally uses the resources for taking risk management measures; active participation of the management the Company s management takes an active hand and renders support in the implementation and improvement of the risk management system in the Company. 5. Procedure for Determining the Company's Own Retention Capacity and Risk Appetite. The own retention capacity (ORC) is defined as the amount of the aggregate loss whose realization will not result in the violation of the Company s covenant in regard to the Company s debt to EBITDA ratio, where this proportion should not exceed 3.5:1. ORC for the planning year is calculated as the EBITDA s portion meeting the condition: ORC=K 1 * EBITDA, where K 1 =1- Debt/(3.5*EBITDA). Debt and EBITDA are determined in accordance with KMG s Borrowing Policy. The risk appetite is the value of the aggregate risk accepted by the Company based on the expected income level. Risk appetite is defined as the probability (K 2 %), in which the aggregate potential income level will not exceed the set level of the aggregate damage. The tolerable level of aggregate damage is determines by the ratio to the ORC: K 3 %*ORC. When the level of risk appetite is set, all identified and managed risks of the Company (the Company s risk profile) should meet the following condition: 4

5 LD ( =K2%) (K 2 % percentile of the aggregate risk level distribution) + Limits i (the sum of the set risk limits) <= K 3 %*ORC Unless otherwise established, the risk appetite for the validity term of this Policy shall be determined with the following ratio: K 2 =95%, K 3 %=90%. The Company s own retention capacity shall be approved by KMG s Board of Directors on an annual basis. The risk appetite may be revised and approved by KMG s Board of Directors in case of a material change in the business and business environment. Decisions on managing the strategic risks shall be made by the Company s Board of Directors or Sole Shareholder. Decisions on managing operations risks within the Company's risk appetite shall be made by KMG's Management Board. 6. Mechanism for Implementation and Control over the Policy Operation. Functions of KMG s Sole Shareholder within the competence, based on and in compliance with the procedure established in the internal documents: forming a common (among other things, by industry of the companies) financial, investment, production-and-economic, research-and-development and other policy in respect of the Company, during approval of the development strategies and plans; exercise of other rights related to the participation in KMG s management. Functions of KMG s Board of Directors within the competence, based on and in compliance with the procedure established in the internal documents: ensures the availability of KMG s enterprise risk management system, among other things, through the approval of this Policy and the internal control system Policy; approves the Company s level of the risk appetite and own retention capacity, among other things, through the approval of this Policy; approves the Company s risk register, in case of the aggregate residual level of risks exceeding the Company s risk appetite; approves the performance indicators of the risk management system and ensures annual assessment of the efficiency of KMG's risk management system. Functions of KMG s Management Board within the competence, based on and in compliance with the procedure established in the internal documents: exercises control over the pursuance of this Policy, bears responsibility for maintaining the risk appetite level and efficient operations of the internal control and risk management systems in KMG; approves documents establishing the procedure for organizing the risk management process, methodology for risk identification and assessment, the criteria for selection of risk management methods, and other documents on the internal risk management procedures arising from this Policy; approves the Company s risk register; 5

6 basis. advises the Board of Directors of the status of KMG s key risks on a timely Functions of KMG s Internal Audit Service within the competence, based on and in compliance with the procedure established in the internal documents: carries out assessment of the efficiency of the risk management processes, advises the Board of Directors of the material deficiencies in KMG s risk management system, and produces recommendations for improving the risk management processes. Managing Directors and General Managers, as the risk portfolio owners, shall bear responsibility within the competence, based on and in compliance with the procedure established in the internal documents, for: observing the principles of this Policy in the implementation of the risk management system in the supervised subsidiaries; providing efficient operation of the risk management system in the supervised subsidiaries; furnishing timely and complete information on the risk status and implementation of the risk management measures to KMG s risk subdivision. Functions of KMG s risk subdivision, based on and in compliance with the procedure established in the internal documents: ensures development and actualization of the methodological documents on KMG s risk management; renders advisory support to KMG s structural subdivisions and subsidiaries on the matters of the enterprise risk management system operation; traces external factors that may exert material effect on the Company s risks; interacts with the regulatory authorities on the matters of risk management (in accordance with the competence); provides training events on the matters of risk management; considers, coordinates risk registers prepared by structural subdivisions/ business areas/ subsidiaries covered by the Policy, ensures consolidation and analysis of information, including analysis of risk correlation, in order to prepare the Company s risk register, and preparation of the reporting on the current risk status and risk management for KMG's Management Board and Board of Directors; performs monitoring of observation of the risk limits; exercises control over the implementation of risk management measures, control over the Company s risk status; interacts with KMG s Internal Audit Service and KMG s structural subdivisions in the sphere of risk management; administers the Company s corporate insurance coverage programme; provides organization of the process of interviewing KMG s risk owners and methodological support in the application of expert methods for identification and assessment of the Company s risks (as required); 6

7 bears responsibility for the timely identification, assessment, management and control of risks in the conduct of the subdivision's activity and furnishing timely and complete information for KMG's Management Board and Board of Directors on the status of the risks, including key risks, and on the implementation of the measures for management of the Company's risks. Leaders of KMG s structural subdivisions, depending on their functional duties, shall bear responsibility based on and in accordance with the procedure established in KMG s internal documents for: timely identification and assessment of the risks in the conduct of the structural subdivision s activities, and for proper management and control over the risks associated with exercise by the business areas of their processes supervised by such structural subdivisions; furnishing timely and complete information on the risk status and implementation of the risk management measures to KMG s risk subdivision. 7