Integrated Annual Report 2023

Risk management and internal controls

Today’s emerging risks in telecommunications include cybersecurity threats, legislative and regulatory changes, and technological challenges such as the introduction of 5G and the Internet of Things (IoT). Cyberattacks on telecommunications networks are increasing. This can lead to confidential information leaks, network disruptions and serious consequences for businesses and society as a whole.

As the largest telecommunications operator in Kazakhstan, Kazakhtelecom plays an important role in contributing to the development of telecommunications infrastructure and ensuring communications security in the country. The Company actively introduces modern technologies and endeavours to strengthen the cyber security of its networks to protect the information of its customers and ensure the uninterrupted functioning of telecommunications services. Inter alia, the functioning of our corporate risk management and internal control system (CRMS and IC) ensures asset protection, improvement of business processes, greater operational efficiency and compliance with the applicable legislation.

Timely identification of inconsistencies and sources of inefficiency, analysis and forecasting of various scenarios, development of measures for timely prevention or mitigation of risks make a significant contribution to the achievement of the Company’s operational and strategic goals.

Model of risk management and internal control system

The Company’s CRMS and IC functioning model involves all levels of corporate governance in the timely identification and management of risks and non-conformities, and includes building CRMS and IC components at the strategic and tactical management levels as well as ensuring independent assessment and oversight of its functioning.

Main tasks aimed at achieving the objectives of the Internal Control System

Forming and updating the main areas of development of the Internal Control System (ICS) in accordance with the Company’s needs and the stakeholders’ requirements

Risk assessment of business processes, development, implementation and execution of control procedures, including unified methodological support for the organisation and effective functioning of ICS in the Company

Identification of deficiencies in existing control procedures, development and implementation of measures to eliminate them, typification and regulation of control procedures

Development and implementation of mechanisms for interaction and exchange of information on internal control between CRMS and IC subjects to build a preventive system for identifying operational risks, including through the use of information systems

Transparency and reliability of the Company’s financial statements is also one of the key tasks of the internal control system.

To formalise the system of internal control over the financial reporting process, the Company

  • identified and described material business processes affecting the preparation of financial statements;
  • introduced and delineated responsibility for control procedures and their effective fulfilment;
  • periodically updates the elements of ICS;
  • continuously monitors and regularly assesses the effectiveness of control procedures.

The Company has developed the main regulatory documents governing the procedure and principles of the internal control system functioning: Internal Control System Policy, Rules for the Internal Control System Management. The documents define:

  • objectives and principles of building the internal control system;
  • distribution of functions of internal control subjects;
  • the main steps and procedures of the internal control process, responsible persons and deadlines for their fulfilment (functioning, improvement and diagnostics);
  • updating the description of business processes of the internal control system;
  • diagnostics (efficiency assessment) of the internal control system and the procedure for preparing and submitting reports on the internal control system condition.

As part of the above tasks, the Company works to identify business process risks and to develop and implement control procedures, which helps to improve the efficiency and manageability of business processes and to ensure the reliability of financial reporting and compliance with legal requirements and the Company’s local regulatory documents.

Organisational structure of the corporate risk management system

The Company recognises that risk management is effective only when every employee is involved in the process. Therefore, we are constantly developing a risk-oriented culture with the following key aspects:

Tone at the top
The Company’s management sets an example for employees in discussing, identifying and assessing risks, and is actively involved in risk management.
Cultural spectrum
Timely provision of risk information is encouraged. Acceptance of risks is allowed if they are not critical but may contribute to business development. The risks themselves are viewed not only as a potentially negative event, but also as an opportunity to improve the Company’s processes.
Involvement
Risk management training is organised for employees, accessible guidance materials are developed, and communication and support channels are organised.

Internal controls system

The Company developed its internal control system based on the recommendations of a number of international best practices in risk management and internal control, including the Committee of Sponsoring Organisations of the Treadway Commission (COSO), TMForum, and ISO series standards. The Company’s internal control system is based on the model of the three lines of defense (for more details on the model of the three lines of defense, please see our Annual Report 2021).

The Company distributes responsibility for the model functioning as follows:

First line of defense
Management (process owner) has the primary responsibility for managing the risks associated with day-to-day operations. In addition, the responsibility of the first line includes the development, maintenance, and implementation of controls.
Second line of defense
Identifies emerging risks in the day-to-day activities of the organisation. To this end, it ensures that the necessary concepts, policy documents, tools and technologies are in place.
Third line of defense
Evaluation of the ICS effectiveness, responsibility for reporting to the Board of Management and the Audit Committee, and audit evidence provision to regulators and external auditors demonstrating the effectiveness of the structure and functioning of the control culture in the organisation.

Integration of risk management with the Company’s cross-functional processes

Interrelation of risk management with strategic planning, budgeting, implementation of investment projects and products and other processes:

Strategic planning
When developing strategic plans, risks affecting the achievement of strategic goals are identified and analysed.
Budgeting
Analysing and accounting for risks associated with failure to achieve key financial KPIs.
Implementation of investment projects and products
Analysis and accounting of project and product risks associated with failure to achieve NPV and other indicators, followed by the formation of measures to mitigate risks.
Training
Professional development programmes are regularly held for employees involved in risk management. The training course On Risk Management and Internal Controls is available to all employees of the Company.

Risk management in 2023

The Company identifies its risks on an annual basis and reflects the results in the Risk Register and Risk Map approved by the Board of Directors. The Risk Register includes risks that may affect the achievement of long-term strategic goals and key performance indicators of the Development Plan.

According to the Company’s Risk Register and Risk Map at the end of 2023, the Company has 23 risks:

Company’s Risk Map

Key risks of 2023

The Risk Management and Internal Controls Department continuously monitors the dynamics of key risks and controls the implementation of measures aimed at mitigating risks. The results of monitoring are sent to the Company’s Board of Directors on a quarterly basis in the form of risk management and internal control reports.

The Company implements measures to proactively manage key risks to reduce their impact on the Company’s objectives:

Key risks and risk mitigation measures taken in 2023:
Safeguarding physical assets

Measures taken by the Company to mitigate risk

  • Maintenance of security and technical protection systems of the Company’s facilities
  • Implementation of the Fire Safety 2023 business plan
Legal risk

Measures taken by the Company to mitigate risk

  • Registration of property rights to unregistered cable sewerage sections and land plots, prolongation of property rights to expired objects
Fraud

Measures taken by the Company to mitigate risk

  • Prevention and suppression of fraud offences by the Company’s employees
  • Inspections of structural subdivisions of the Central Administration and Company’s branches
Quality risk

Measures taken by the Company to mitigate risk

  • Replacement of obsolete equipment for subscribers under the Tsunami pilot project
  • Development of the reporting to control and monitor compliance with the parameters of the services provided as specified in the technical specification (tender documentation)/contracts and subscriptions in CRM 2.0.
  • Implementation of automated recalculation functionality for downtime of services due to the Company’s fault in CRM 2.0 SERVICE and customer support software packages
Innovation risk

Measures taken by the Company to mitigate risk

  • Updated product pages for new businesses
  • Development and modernisation of Blockchain product
Regulatory risk

Measures taken by the Company to mitigate risk

  • Approval of the Roadmap to ensure 100% coverage of fixed telephony by SOIM
  • Provision of data transmission network in 10 cities with SOIM functionality
  • Provision of FWA service with SOIM functionality
HR risk

Measures taken by the Company to mitigate risk

  • Implementation of the Comprehensive Action Plan on ensuring social stability in the Kazakhtelecom JSC’s Group of companies within the year
  • Implementation of the Action Plan for work on alarm zones for 2023 within the year
Information security breach

Measures taken by the Company to mitigate risk

  • Implementation of the project on Modernisation of information security protection tools

Emerging risks and opportunities

To ensure preventive risk management measures, the Company identified the following emerging risks, which are not yet reflected in the risk map but may be added to it in the future.

There is currently an increased focus on cyber risks, which are seen as a major global risk to the financial sector and the wider economy. The information and communications technology risks to which businesses are exposed are steadily increasing, in both the frequency and the severity of cyber attacks. Data breaches to steal personal information occur every day around the world, but only the largest ones make media headlines.

However, the use of artificial intelligence (AI) also offers a wide range of positive impacts:

  • Process automation and optimisation: AI enables the automation of routine tasks, speeding up processes and improving efficiency in areas ranging from manufacturing to customer service.
  • Advances in security technology: AI improves security systems, enabling them to detect anomalous behaviour and prevent cyberattacks and other threats to data security.
Emerging risks
Internal
  • Disruption to the procurement process;
  • Risks of frequency loss;
  • Geo-economic confrontation;
  • Untimely fulfilment of 5G project implementation obligations by mobile operators.
External
  • Interstate armed conflict;
  • Shortage of natural resources;
  • Negative consequences of artificial intelligence technologies.

Development of the CRMS and IC in 2023

Continuous development and improvement of the CRMS and IC allows the Company to respond in a timely manner to changes in the external environment and internal business processes, improve the efficiency of its operations, and contribute to increasing the Company’s shareholder value.

Main results of CRMS and IC development activities in 2023
CRMS and IC development activities Result
Development and improvement of the CRMS and IC methodology
  • The Risk Management Policy of Kazakhtelecom JSC was updated.
  • The Rules on management of the internal control system of Kazakhtelecom JSC were updated.
  • The Methodology of calculation and cascading of Kazakhtelecom JSC’s risk appetite was updated.
Development and implementation of an employee training programme
  • To develop professional competences of employees, training seminars on risk management and internal controls were improved.
Development of risk assessment apparatus using economic-mathematical models and expert opinions
  • Models for quantitative assessment of individual risks have been developed.
  • Methodology for risk assessment of investment projects has been updated.
Improvement and maintenance of the Internal Control System
  • The Kazakhtelecom JSC’s Guarantee Card and the Methodology of its formation were approved.

Areas of development of the CRMS and IC

In the context of an unpredictable business environment where we face new challenges and high volatility, we recognise the need to continuously improve our risk management model and internal controls. We have clearly defined our objectives and direction based on fundamental concepts and standards. We actively implement improvements and understand where we are going and how to achieve our risk management and internal controls objectives.

Based on the following criteria:

  • Corporate Governance and Culture
  • Strategy and goal setting
  • Operational Effectiveness
  • Monitoring and implementation of change
  • Information, communication and reporting
  • Control procedures