'КАЗАХСТАНСКАЯ КОМПАНИЯ ПО УПРАВЛЕНИЮ ЭЛЕКТРИЧЕСКИМИ СЕТЯМИ' (KAZAKHSTAN ELECTRICITY GRID OPERATING COMPANY) 'KEGOC' JOINT STOCK COMPANY APPROVED by Minutes of KEGOC Board of Directors No. 9 dated 29 December 2010 Amended by Minutes of Meeting of KEGOC Board of Directors No. 6 dated 04 July 2014 COMPANY STANDARD KEGOC POLICY ON CORPORATE RISKS MANAGEMENT СТ KEGOC 00-202-10 Copy No. ___ Version 2 Effective date ___________ Astana СТ KEGOC 00-202-10 Version 2 Table of Contents 1 Scope of Application 2 Regulatory References 3 Terms and Definitions 4 Designations and Abbreviations 5 Responsibility and Authority 6 General Provisions 7 Goals, Tasks and Principles of Risk Management System 8 The Model of Risk Management System 9 Processes of Risk Management System 10 Reporting 11 Policy Management Appendix 1 Approval Sheet Appendix 2 Acknowledgement List Appendix 3 Amendments Record Sheet Appendix 4 Record of Periodic Checks This Company Standard may not be fully or partially reproduced, duplicated or distributed without permission of the Representative of KEGOC IMS Management. Unauthorized copying of the document is forbidden page 2 out of 13 СТ KEGOC 00-202-10 Version 2 1 Scope of Application 1.1 This Company Standard (hereinafter referred to as the Policy) establishes the Corporate Risks Management Policy for Kazakhstan Electricity Grid Operating Company - KEGOC (hereinafter referred to as KEGOC) to regulate processes and procedures of KEGOC Risk Management System. 1.2 This Policy shall be applied by all structural subdivisions, branches and employees of KEGOC. 1.3. KEGOC branches and affiliates shall independently elaborate the policy, procedures and instruments for risks management based on and subject to the provisions of this Policy. To ensure the unified approaches to the management of general risks inside the group of Companies, KEGOC coordinates the activity on development of Risk Management System in branches and affiliates. 2 Regulatory References This Policy refers to the following documents: KEGOC Long-Term Development Strategy until 2025; СТ KEGOC 00-101-10 Company Standard. Document Management. Р СУР KEGOC 00-200-14-СД Guidelines. Risk Management System. 3 Terms and Definitions This Policy uses terms in accordance with KEGOC internal documents as well as the following terms with respective definitions: 3.1 Risk shall mean any possible event or action that if occurred may affect the achievement of KEGOC goals and may infringe the successful implementation of its strategy. 3.2 Risk Owner shall mean an entity (employee/structural subdivision) which job duties envisage responsibility for all aspects of certain risk management, in particular for decrease of plausibility of risk occurrence and/or decrease of possible influence of consequences caused by risk occurrence on KEGOC. 4 Designations and Abbreviations This Policy uses the following abbreviations: KEGOC - Kazakhstan Electricity Grid Operating Company (KEGOC); B&A - Branches and Affiliates; CDD - Corporate Development Department; RMS - Risk Management System. Unauthorized copying of the document is forbidden page 3 out of 13 СТ KEGOC 00-202-10 Version 2 Sole Shareholder – Sovereign Wealth Fund ‘Samruk-Kazyna’ JSC. 5 Responsibility and Authority 5.1 This Policy shall be approved by the decision of KEGOC Board of Directors. 5.2 Control over implementation of the requirements indicated in this Policy shall be performed by the Deputy Chairman of Management Board - Corporate Governance. 5.3 Responsibility for compliance of the Policy requirements with the requirements of the legal acts of the Republic of Kazakhstan, regulatory documents shall be borne on the Head of CDD. 5.4 Responsibility for management of this Policy shall be borne on the Senior Manager of Risk Management and Internal Control Division, CDD. 5.5 Heads of KEGOC structural subdivisions, including branches and affiliates shall be responsible for performance of the requirements stated hereof. 6 General Provisions 6.1 This Policy of the Corporate Risks Management was elaborated in accordance with the legislation of the Republic of Kazakhstan, requirements of the Sole Shareholder, KEGOC Long-Term Development Strategy until 2025 and international best practices and risk management standards. 6.2 The Policy is aimed at minimization of adverse effect of the threats which may influence the achievement of goals and implementation of tasks stated in KEGOC Long-Term Development Strategy until 2025. Risk management process in KEGOC has a preventive nature, and shall be carried out in the whole company and under the control and with the direct participation of the top management of the company. 6.3 The Policy does not guarantee lack of losses and successful KEGOC’s activity, it ensures the strategic advantages allowing it to intensify the certainty in achievement of strategic and operational goals, defines responsibility, ensures transparency and feasibility of the made decisions, enables to track and timely respond to the changes and tendencies in the outer environment. 6.4 This Policy defines the directions for development of RMS, regulates the major processes of this system and maintains the adequate level risk-management structure. 6.5 Risk management is an essential part of doing business. Each structural subdivision, KEGOC employee and branches and affiliates when performing their functions and implementing the assigned tasks shall follow the requirements stated herein. Unauthorized copying of the document is forbidden page 4 out of 13 СТ KEGOC 00-202-10 Version 2 7 Goal, Tasks and Principles of Risk Management System 7.1 RMS goals: - The main goal of risk management in KEGOC is to ensure continuous activity through hedging the influence of inner and outer adverse effects on KEGOC’s activity. 7.2 RMS tasks: 1) elaboration and application of uniform and consequent approaches to risk identification, assessment and management in KEGOC, simplification of a procedure for risk information sharing vertically (management) and horizontally (experience exchange). 2) dynamic response to occurring risk events, tracking changes in inner and outer environment; 3) arrangement of goal-directed risk management activity to ensure their decrease down to the acceptable level or transfer to the third parties (outsourcing, insurance, hedging) or risk aversion; 4) systematization and further accumulation of information on risks in KEGOC, increase of KEGOC manageability; 5) improvement of KEGOC's competitive strength and achievement of the assigned strategic goals through RMS intensification. 7.3 Basic RMS Principles: - engagement of KEGOC’s executives in risk management process; - constant improvement of the risk management system; - continuity of learning and knowledge sharing by the company employees in risk management sphere; - transparency and fairness in submitting reports and risk escalation; 8 The Model of Risk Management System 8.1 Organizational Structure of RMS in KEGOC is given in picture 1. Unauthorized copying of the document is forbidden page 5 out of 13 СТ KEGOC 00-202-10 Version 2 Shareholders Internal Audit Service Board of Directors Audit Committee Management Board Risk Committee Structural Subdivision responsible for risk management Structural Subdivision 1 Branch 1 Structural Subdivision 2 Branch N Structural Subdivision 3 Structural Subdivision N Branches and Affiliates 1 Branches and Affiliates N Picture 1 - Organizational structure of RMS in KEGOC 8.2 To fix the roles and duties on timely risk identification and management there has been elaborated a cooperation model built on the concept of three levels of RMS: 8.2.1. KEGOC Board of Directors and the Internal Audit Service. The Board of Directors is responsible for the efficient operation and development of RMS in general. The Internal Audit Service is responsible for the regular audit of RMS and submission of the independent opinion to KEGOC Board of Directors/Audit Committee. 8.2.2. KEGOC Management Board and structural subdivisions. The Management Board is obliged to prepare, maintain and use the procedure on risk identification, assessment and management, to organize the efficient operation of RMS, to support the structural subdivisions when introducing the risk management processes in their activity. Members of the Management Board shall use the information on risks when making the managerial solutions. Structural subdivisions are the risk owners and shall bear the responsibility for timely risks identification, analysis, assessment, management, preparation of proposals for key risks mitigation and KEGOC key risks report. 8.2.3. Risk Committee and structural subdivision responsible for risk management. The roles of the Risk Committee are to preliminary review and prepare the recommendations for KEGOC Management Board to make decisions on risk management. Unauthorized copying of the document is forbidden page 6 out of 13 СТ KEGOC 00-202-10 Version 2 Structural subdivision responsible for risk management is obliged to develop RMS, clarify the internal and external requirements, render the consultant support for the structural subdivisions with regard to the risk management issues. Also the structural subdivision responsible for risk management together with the Internal Audit Service for successful implementation of the Policy on Corporate Risk Management can hold regular checks in order to identify the level of efficiency of the measures on risk mitigation. 9 Processes of Risk Management System 9.1. RMS consists of the following components and processes: - Internal environment. Internal environment determines the nature of the organization and provides for the preparation of the documents specifying the policy and minimum requirements with respect to the risks, corporate culture improvement, ethical values enhancement, understanding of risk-management, behaviour, processes and practices at all levels of the organization as an integral part of day-to-day operations. - Determination of goals. Potential risks identification process shall be in line with the Company's goals. Corporate risk management makes it possible to ensure that the organization has a process of goals and tasks setting, which are in line with its mission and correspond to its risk appetite. - Risk identification. This process determines the internal and external events which can influence the Company's goals achievement. - Risks assessment. Risks are analysed in terms of probability of occurrence and influence as a basis to decide on their management. Risks are assessed on qualitative and quantitative basis. - Risk management. This process determines the methods to response to the risks (to avoid, hold, control or postpone) and provides for preparation of the action plan which is in line with the tolerance level of the organization to the risks. - Control. It is a set of policies and procedures which provide for the risk management system functioning. - Information and communication. It means the required information to be submitted by the structural subdivisions to KEGOC for compilation of a risk management report. - Monitoring. This process tracks the risk management system integrity on a regular basis, and to be amended if required. Monitoring is performed on a regular basis or based on a sample assessment. 9.2. Detailed description, structure and procedures of RMS are given in the Guidelines for Risk Management System. Unauthorized copying of the document is forbidden page 7 out of 13 СТ KEGOC 00-202-10 Version 2 10 Reporting 10.1. The Company provides for a permanent information interchange throughout the RMS levels in order to increase the awareness level with regard to the risks, to develop the risk - culture and to manage the risk efficiently. Risk reports provide every level of the management with a certain volume of timely information according to the approved form. 10.2. KEGOC has the following reporting system on risk management: - every quarter before the 12th day of the month following the reporting one, the structural subdivisions - risk owners shall submit the risk reports to the structural subdivision responsible for the risk management in accordance with РСУР KEGOC 00-200-14-СД Guidelines. Risk Management System; - structural subdivisions/branches and affiliates (risk owners) shall submit the information on the occurred risks to the structural subdivision responsible for risk management, within five (5) business days from the day of risk occurrence (and within five (5) business days from the day of conclusion of investigation) in the form of the Report on the occurred risk; - based on the information submitted by the structural subdivisions - risks owners, the structural subdivision responsible for risk management shall prepare and submit every quarter the risk report to the Risk Committee, Management Board, Board of Directors in accordance with РСУР KEGOC 00200-14-СД Guidelines. Risk Management System. At year-end IAS prepares the Report on the RMS efficiency to the Board of Directors. 11 Policy Management 11.1 The Policy shall be managed in accordance with СТ KEGOC 00-101-10. 11.2 The Policy shall be approved by the Chairman of the Management Board Corporate Governance, KEGOC’s IMS Rules, Managing Director - Legal Support and Security, Head of Legal Department, Head of Internal Audit Service, Head of Corporate Development Department, by making a record in the Approval Sheet. Unauthorized copying of the document is forbidden page 8 out of 13 СТ KEGOC 00-202-10 Version 2 Prepared by: __________________ (signature) (date) Zh. Zhumabayeva, Senior Manager for Corporate Development and Risk Management Division - CDD Unauthorized copying of the document is forbidden page 9 out of 13 СТ KEGOC 00-202-10 Version 2 Appendix 1 to the Company Standard Policy on Corporate Risk Management Ф.СТ KEGOC 00-101-01 Approval Sheet Position First Vice President Name Date Signature S. Ospanov Vice President - Corporate Zh. Beksary Governance Vice President - Operations B. Kazhiyev Managing Director for System Services and Material and Technical Supply V. Lee Managing Director – Legal Support and Security K. Zhakipbayev Managing Director – Economics A. Botabekov Managing Director for NPG Development, Advisor for Corporate Development V. Osochenko Managing Director – Branches and Affiliates A. Akmurzin Head of Legal Department M. Auezova Head of Corporate Development Department Ye. Akhmetov Unauthorized copying of the document is forbidden page 10 out of 13 СТ KEGOC 00-202-10 Version 2 Appendix 2 to the Company Standard Policy on Corporate Risk Management Ф.СТ KEGOC 00-101-02 Acknowledgement List Position Name Date Signature Unauthorized copying of the document is forbidden page 11 out of 13 СТ KEGOC 00-202-10 Version 2 Appendix 3 to the Company Standard Policy on Corporate Risk Management Ф.СТ KEGOC 00-101-03 Amendments Record Sheet No. of Sheet No. statement being the basis for amend replac introducin new ed ed g amendme nt 1 2 3 4 Name of person introducin cancelle g d amendme nts 5 6 Signatur e of a person who made amendm ents Date of amendm ents 7 8 Unauthorized copying of the document is forbidden page 12 out of 13 СТ KEGOC 00-202-10 Version 2 Appendix 4 to the Company Standard Policy on Corporate Risk Management Ф.СТ KEGOC 00-101-04 Record of Periodic Checks Date of check Name of person who performed checks Signature of a person who performed checks Comments 1 2 3 4 Unauthorized copying of the document is forbidden page 13 out of 13