«APPROVED» by the decision of the Board of Directors of the Joint Stock Company «National Company «Kazakhstan Temir Zholy» of «28» May 2014, minutes № 6
«ENDORSED» by the decision of the Executive Board of the Joint Stock Company «National Company «Kazakhstan Temir Zholy» of «18» April 2014, minutes № 02/9
«ENDORSED» by the decision of the Committee on risks of the Joint Stock Company «National Company «Kazakhstan Temir Zholy» of «11» February 2014, minutes № TsUR-05-02/1

Regulations of identification and assessment of risks of the Joint Stock Company «National Company «Kazakhstan Temir Zholy»

Astana, 2014

1. Purposes and tasks of identification and appraisal of risks

1. These regulations of identification and assessment of risks of the Joint Stock Company «National Company «Kazakhstan Temir Zholy» (further – Regulations) are developed according to the Policy of risk management of JSC Samruk-Kazyna, the Regulations of identification and assessment of risks of JSC Samruk-Kazyna approved by the decision of the Board of Directors of JSC Samruk-Kazyna of December 25, 2013 (minutes No. 103), and other internal regulations governing the activity of the Joint Stock Company «National Company «Kazakhstan Temir Zholy» (further – the Company).
2. The Regulations define the order, procedures and methods of carrying out identification and assessment of risks, as well as control over current risks and monitoring of the efficiency of risk management methods. More detailed approaches to the assessment of risks can be reflected in the documents regulating the management of separate risks of the Company.
3. Identification of risks and a real, objective view of the available risks is one of the bases of effective risk management, which contributes to the achievement of the Company's goals.
4.
Identification of risks provides a tool for registering and stating possible negative events which can negatively influence the achievement of the objectives and tasks set for the Company and each of its employees, and also for determining the direction of and need for improvement of risk management.
5. Observance of the Regulations is obligatory for all employees of the Company.
6. The employees of the Company who are representatives of the Company in the governing bodies of the affiliated organizations of the Company (further – SO) are obliged to ensure observance of the requirements stated in these Regulations.

2. Basic concepts used in the Regulations

7. Basic concepts:
Register of risks – the list of risks which the Company faces in its activity, which also includes various scenarios of possible realization of risk. For each risk the owners of risk are determined, i.e. the divisions that deal with this risk owing to their functional duties. The consolidated register of risks of the Group of the Company (the Company and its affiliated organizations) includes only the critical risks of Subsidiary Organizations (SO) which have entered the red zone of the map of risks of SO.
Map of risks – the graphic and text description of a limited number of risks of the Company, located in a rectangular table in which one “axis” shows the force of influence or importance of a risk, and the other the probability or frequency of its emergence. On the map the probability or frequency is displayed on the horizontal axis, and the force of influence or importance on the vertical axis. The probability of emergence of risk increases from left to right along the horizontal axis, and the influence of risk increases from bottom to top along the vertical axis.
Probability of occurrence of risk – the frequency of emergence of risk.
Influence – the size of a potential loss which can arise at risk realization.
Influence time – duration of influence of risk.
The period of assessment of risk – the date as of the end of the reporting period.
Inherent risk – the size of risk in the absence of actions by owners of risk to change the probability or extent of influence of this risk on the achievement of the objectives of the organization.
Residual risk – the risk remaining after the owner of risk has taken actions to change the probability or extent of influence of this risk.
Loss size – the extent of predicted damage owing to risk realization.
Other terms used in these Regulations have the meanings established by the Policy of risk management of the Joint Stock Company «National Company «Kazakhstan Temir Zholy».

3. General provisions

8. Each employee of the Company reflects his or her vision of available risks in questionnaires, or during other events held by the structural division of the Company responsible for risk management and aimed at identification and assessment of risks of the Company.
9. On the basis of the identified events the register of risks is formed, which represents the systematized list of all risks which the Company faces.
10. The Company carries out work on consolidation of risks of the Group of the Company, and also on assessment of their effect on the consolidated financial position of the Company, including on the basis of annual consolidated information in the form presented in Attachment 1 (the register of risks) to these Regulations and in point 55 of the Regulations (the map of risks), submitted as part of the questions brought for consideration by the governing bodies of the affiliated organizations of the Company no later than November 1 of the year preceding the expected period.
11.
The division responsible for risk management, on an annual basis by October 25 of the year preceding the expected period, provides the register of risks of the Company and of the Group of the Company, in the form presented in Attachment 1 (the register of risks) to these Regulations and in point 55 of the Regulations (the map of risks), to the Executive Board of the Company.
12. On an annual basis by November 1 of the year preceding the expected period, the Executive Board provides the register of risks of the Company on a consolidated and separate basis, in the form presented in Attachment 1 (the register of risks) to these rules and in point 55 of the Rules (the map of risks), to the Company’s Board of Directors.

4. Identification of risks

13. Identification of risks is important as a method of optimizing the expenses of the Company, since preliminary identification of risks and definition of adequate actions for their minimization and for elimination of consequences make it possible to plan the sources and amounts of financing of such actions, which ultimately influences the efficiency of the Company's activity. A combination of various methods and tools is used for identification of risks. Events are identified both from the point of view of past experience and from the point of view of possible future events. The main methods are described below.
14. Risks can be revealed using two approaches:
Initial identification and inventory of risks – primary drawing up of the Register of risks of the Company when the risk management system is introduced, and its regular revision. During initial identification of risks the register of risks of the Company is formed in order to carry out the subsequent assessment and to define approaches to management of these risks. The process of inventory of risks assumes regular (at least once a year) revision of earlier revealed risks, i.e. determination of the relevance and level of importance of the risks which are in the register of risks of the Company.
As a result of inventory some of the earlier revealed risks can be recognized as irrelevant.
Detection of potential risk – identification of a potential risk during current activity. New risks can be revealed not only in the course of regular procedures within the risk management system, but also while the staff of the Group of the Company carry out their current activity. On detecting information about a potential risk not earlier included in the register, the employee of a structural division of the Group of the Company has to send to the division responsible for risk management a corresponding service record in which the information is stated and the estimated consequences of realization of the risk event are listed. The division responsible for risk management analyzes and evaluates the received information and, if necessary, includes the new risk in the register of risks of the Company.
15. Identification of risks on the basis of goals and tasks: On the basis of goals or a system of balanced indicators, potential events which can influence their achievement are defined. Events are identified by owners of risks and are coordinated with the division responsible for risk management, and on this basis the register of risks is formed (or corrected or supplemented) – the list of risks inherent in the concrete organization and (or) connected with its activity.
16. Branch and international comparisons: The register of risks is formed on the basis of the list of potential events characteristic of organizations similar to the Company and (or) of organizations with the same branch specialization or functional activity.
17. Seminars and discussions: The register of risks is formed on the basis of an organized discussion (brainstorm, round table, etc.) with employees of the Company of potential events which can influence the organization and the achievement of its purposes.
Such discussions can be carried out within each structural division to define the events (risks) influencing the activity of each such division and of the Group of the Company as a whole; the results are then integrated into the unified register of risks (or the existing register of risks is supplemented or corrected).
18. Interviewing: The structural division of the Company responsible for risk management carries out targeted interviewing of key workers (experts) of the Company for open discussion of existing and potential risks and ways of managing them. Usually such interviews are conducted with heads of structural divisions of the Company.
19. Analysis of reports on results of audit and other inspections. This method represents a check of separate areas of activity of the Group of the Company and can be combined with separate expert methods (questioning, interview). Compliance between the available documentation and the actual practice of application of regulations is checked, the regulatory base and instructions are analyzed, and as a result a conclusion is prepared on the basis of which identification of risks is carried out.
20. The analysis of Near Miss consists in registration of all facts of violation of regulations (operational, production and so forth), and forecasting on their basis the probability of occurrence of risk events. Owing to uncertain factors, a violation of regulations may not immediately lead to realization of a risk event; however, the more such facts there are without realization of a risk event, the higher and more unexpected the probability of occurrence of this risk event. A Near Miss is an incident which, under certain circumstances, could have led to injuries, a fire, flood, accident, etc., but did not. The statistics show that for each 600 Near Miss there is a high probability of emergence of a considerable incident – realization of a risk event.
21.
Database of the occurred losses: The Company conducts continuous monitoring of the occurred losses, information about which also allows identifying the events having a negative effect on the activity of the Company. Besides, the database of the occurred losses is a good basis for a quantitative assessment of risks. The database is formed on the basis of the reporting of structural divisions of the Company, and can also include data from external sources. This method includes:
The analysis of data on violations – the analysis of registered violations, emergency situations, failures in processes of the Company and other facts of deviation of indicators of current activity from the planned ones.
The reporting analysis – the analysis of reporting and other documentation of the Company, including administrative, accounting and tax reports, indicators of activity of the Company, plans, registers of contracts, etc.
The analysis of experience of other companies – the comparative analysis of processes and indicators of the Company with those of other large companies. Periodicals and reports of specialized agencies can be used for the analysis.
22. The identified events and risks are systematized in the form of the register of risks according to Table 2 of these Regulations. The form and level of detail of the register of risks can change with the development of the risk management system. Grouping of risks can be carried out proceeding from the nature of risks and their interrelation, and also on the basis of other factors (for example, use of concrete methods of risk management).
23. The register of risks of the Company represents the list of risks which the Company faces in its activity, distributed across four main categories, which also includes various scenarios of possible realization of risk. For each risk the owners of risk are determined.
24.
The register of risks consists of 4 parts:
The passport of risk, in which are specified the KPI, its threshold value, the name of the risk which can prevent achievement of efficiency, the reason for emergence of the risk, the description of possible consequences of realization of the risk, a key risk indicator and the owner of risk.
The assessment of inherent risk – in this part the risk is assessed on probability, influence and time of influence of risk. Calculation of the importance grade is made according to point 53 of these rules.
Actions for risk management – in this part the actions for risk management are specified, with an indication of whether they are current or planned.
The risk assessment as a result of execution of actions – the risk is assessed as a result of execution of actions. This part of the register allows estimating the efficiency of actions for risk management.
25. Systematization of the identified risks allows:
reaching consistency in classification and quantitative assessment of risks, which improves comparison of the risk profile across the Group of the Company (by business processes, structural divisions, projects, etc.);
providing a platform for creation of more complex tools and technologies of quantitative assessment of risks;
giving the opportunity for coordinated management and monitoring of risks, both in the Company and in the subsidiary organizations.
26. For the purpose of standardization of the register of risks and consolidation of risks in the uniform map of risks of the Company, the uniform nomenclature for designation of the main risks provided in Attachment 2 to these Regulations is used in the Group of the Company.
27. For definition of the nomenclature of risk the following format is used: "Risk number" - "Category of risk".
28.
The Company uses the nomenclature of risks provided in Attachment 2 to these Regulations for designation of risks of the Company and for consolidation of critical risks of SO in the consolidated register of risks of the Group of the Company.
29. If the nomenclature of risks does not contain a risk specific to the Company, the Company designates this risk adhering to the above-stated format and using continuing numbering (the numbers of the risks designated in the nomenclature cannot be used for designation of other risks).
30. The main result of this stage of the risk management system is formation of the consolidated register of risks of the Group of the Company. The consolidated register of risks and the map of risks of the Group of the Company include only the critical risks of SO which have entered the red zone of the map of risks of SO. Definition of critical risks of an affiliated organization is carried out on the basis of an assessment of inherent risk, regardless of the size of potential damage from realization of a risk event.
31. Critical risks of SO of the Company need to be included in the corresponding zone of the map of risks according to the size of potential damage from realization of a risk event, which is defined on the basis of the consolidated risk appetite of the Company. Thus, risks from the red zones of the maps of risks of the affiliated organizations can be assigned to the green zone on the map of risks of the Company. Risks of the green and yellow zones of the maps of risks of the subsidiary organizations are not included in the register of risks of the Company, as these risks have to be managed independently at the level of the subsidiary organizations.
32.
The register of risks is reconsidered, specified or supplemented on an annual basis or more often, as the structural division of the Company responsible for risk management receives information on risks provided by structural divisions of the Company on identification of new risks or changes in the status of existing ones. When a new risk is included in the register of risks, or the status of an existing risk changes, with potential influence above the level of holding ability and a high probability of its realization, the structural division of the Company responsible for risk management brings information on such a risk, with proposals on its minimization, to the attention of the Executive Board of the Company.
33. The structural division of the Company responsible for risk management is responsible for carrying out actions for identification of risks and formation of the register of risks, including the consolidated one. The register of risks is subject to coordination with the keepers (owners) of risks.
34. Owing to the differently directed nature of SO, operational, strategic and legal risks cannot be aggregated across the Group of the Company, but can be integrated depending on belonging to a certain branch or direction. Financial risks are given in the register of the Company on an aggregated basis. Risks of the Company (the corporate center) are allocated separately.
35. Structural divisions of the Company are responsible for providing information on risks, including critical risks of SO, to the structural division of the Company responsible for risk management.
36. Identification of operational risks is carried out within the process of identification and assessment of risks on a constant basis, according to these rules and other internal normative documents of the Company.
37.
Depending on the circumstances (reasons) of emergence of operational risks, events or cases of manifestation of operational risks are classified by risk factors as follows:
external frauds – robberies, forgery, thefts of documents/information, hacking/breaking of information systems and other cases which have occurred because of third parties;
internal frauds – cases of losses caused by deliberate actions of the personnel of the Company, including abuse of official position, deliberate concealment of the facts of transactions, information leakage, plunder, fraud, extortion, waste of material values, misappropriation or deliberate damage to Company property;
the labor relations – cases of labor disputes with workers, violation of provisions of the labor legislation, including requirements for safety measures and labor protection, high turnover of staff, disclosure of confidential information by employees, insufficient qualification of the personnel;
clients and business practice – cases of violations of the law in carrying out primary activity; non-execution or inadequate execution of the obligations to clients, contractors and other third parties arising from contracts connected with primary activity; violations of customs of business conduct;
failures in information and technical systems – cases of failure of equipment and systems and, as a result, loss of data, untimely provision of reporting to supervisory authorities, etc.;
management of processes – inadequate organization of internal processes and procedures, violations of the set limits, lack of a system of protection and of an order of access to information, wrong organization of information flows in the Company, mistakes in input and processing of data on operations and transactions, etc.;
damage to material assets – loss of or damage to fixed assets and other material assets as a result of objective situations not depending on the Company
(technogenic);
occupational accidents – events which have caused damage to the health or life of workers in the course of execution of their functional duties.
38. The list of indicators is provided in Attachment 3 to these Regulations; it can be changed and supplemented as various cases of operational risk emerge.

Appraisal of risks

39. The assessment of risks allows the Company to analyze the influence of a potential risk on the achievement of its purposes. Risks are estimated from the point of view of the probability or frequency of their occurrence and of their influence, whenever possible using a combination of qualitative and quantitative methods. The positive or negative influence of potential risks has to be estimated individually or in interrelation, on the scale of the whole organization entering into the Group of the Company, and (or) of the Company. Risks are estimated from the point of view of their full influence (gross risks).
40. The assessment of risks is carried out for the purpose of singling out the most significant risks which can negatively influence the activity of the Group of the Company and the achievement of its strategic objectives and tasks. These risks are submitted for consideration to the Board of Directors of the Company, and decisions on their management and control are made.
41. Initially the assessment of risks is carried out on a qualitative basis; then, for the most significant risks, it is necessary to aspire to a quantitative assessment, applying the approaches described below depending on the concrete situation. So, for example, in assessing technological hazards it is necessary to calculate risks on the basis of property cost, on the basis of uncollected income, etc. Risks which do not lend themselves to quantitative assessment, or for which there are no reliable statistical data for modeling, or for which creation of such models is not expedient from the point of view of expenses, are estimated only on a qualitative basis.
42.
The quantitative assessment allows obtaining more exact analytical data and is especially useful when developing methods of financing of risks.
43. At the stage of preparation for the qualitative assessment of risks, the key parameters of such assessment are established. The assessment of risks is carried out on three indicators – the frequency or probability of risk, time of influence, and extent of risk. To ensure comparability of risks among themselves and to simplify the qualitative assessment, a grade scale is introduced:

Frequency and probability of a risk
Grade | Meaning | Frequency or probability
1 | Very seldom | Once in 7 and more years (or probability of approach to 5%)
2 | Seldom | Once in 5 years (or probability of approach of 25%)
3 | From time to time | Once in 3 years (or probability of approach of 40%)
4 | Frequently | Once a year (or probability of approach of 80%)
5 | Very frequently | Once in half a year and more often (or probability of approach over 95%)

Time of influence of risk
Grade | Time of influence
1 | There is time for correction
2 | Influence of risk is shown with temporary lag
3 | The risk is shown with immediate effect

44. The assessment of influence of risks is carried out in terms of money on the basis of the consolidated risk appetite of the Company, defined in the Policy. For the reporting of the Company and for ensuring consolidation of critical risks of SO in the unified register and the map of risks of the Company, SO use an assessment of influence of critical risks of SO according to the following table.
45.
Volume of risk (financial indicators)
Grade | Meaning | Potential loss from occurrence of risk
1 | Insignificant | Lower than 25% of the level of risk appetite
2 | Noticeable | 25-50% of the level of risk appetite
3 | Large | 50-75% of the level of risk appetite
4 | Critical | From 75% of the level of risk appetite up to the value of risk appetite
5 | Catastrophic | Higher than the level of risk appetite

46.
When providing quarterly information on the map of risks of SO, SO provide, in addition to the map of risks of SO, a separate map of risks indicating the critical risks of SO on the consolidated map of risks of the Company, according to the influence of the risk on the consolidated risk appetite of the Company.
47. After the introduction in the Company of a risk-oriented financial model, a transition will be made to quantitative assessment of risks on the basis of an indicator of the cash flows subject to risks (Cash Flow at Risk). The potential damage from realization of risk will be calculated on the basis of historical data from a database of the realized risks, using the Monte Carlo simulation method.
48. For the risks whose influence is difficult to estimate in financial terms (for example, risks of the personnel, reputation, etc.), characteristics showing the extent of risk in comparable points are introduced. Non-financial indicators of the importance of risks can be defined on the basis of the balanced indicators, taking into account the importance of a deviation from objectives.

Non-financial indicators of influence of risks
Grade | Degree of influence | Potential loss from occurrence of risk
1 | Insignificant | Lack of any consequences in case of risk realization
2 | Low | Consequences from risk realization are not considerable
3 | Average | Consequences from risk realization are not considerable and can be completely corrected
4 | Essential | Consequences from risk realization are very considerable, but can be corrected to a certain degree
5 | Catastrophic | In case of risk realization, the company practically won't be able to recover from the consequences connected with this risk

49. The register of risks and the grade scale of assessment of risks on the frequency (probability), time of influence and extent (influence) of risk are sufficient for key employees (experts) of the Company to carry out the qualitative assessment of risks.
50.
The qualitative assessment of risks is carried out either by targeted interviewing of key employees, or by questioning in which experts are asked to choose the risks which they consider the most significant for the organization, to estimate them on the offered grade scale, and also to give proposals (recommendations) on managing them. A combination of both methods can be used: broad questioning of employees of the Company on the basis of an electronic questioning system, and interviewing of heads of structural divisions and managing directors of the Company, except for the Executive Board members of the Company.
51. When carrying out an expert assessment of risks, experts have to apply a net assessment only provided that the current actions are estimated by the experts as effective. The assessment of efficiency of actions has to be confirmed. Otherwise, the assessment of risks is carried out on an inherent basis.
52. The received results are processed: for each risk, indicators of risk are calculated on the basis of a cumulative assessment by experts, a coefficient of importance is assigned to the risks, and on this basis the map of risks is built.
53. Calculation of the grade of the importance of a risk is carried out as follows:
Importance grade = (frequency + realization time) * influence
54. For an assessment of operational risk, the value of the rating of operational risk (RR) of each type of risk is defined on the basis of the grade of the importance of risk, according to the table given below:

Grade of the importance of risk | Value of a rating of risk, RR | General importance of risk
from 28.1 to 40 | 1.00 | The highest
from 15.01 to 28 | 0.9 | High
from 8.01 to 15 | 0.8 | Average
from 1.01 to 8 | 0.6 | Low
from 0 to 1 | 0.5 | The lowest

Definition:
The highest – Measures for response to risk have to be defined or, where they exist, improved, and prepared for execution before realization of a project / task or immediately after risk identification at the stage of realization of a project / task.
High – Measures for response to risk have to be defined or, where they exist, improved, and realized in short terms in the course of project / task realization.
Average – Measures for response to risk have to be defined or, where they exist, improved in the established optimum terms, and also executed in the course of project / task realization.
Low – Risks of this category have to be controlled, but preparation of measures for reaction is not required.
The lowest – Risks of this category have to be controlled, but preparation of measures for reaction is not required.
54. The map of risks allows estimating the relative importance of each risk (in comparison with other risks), and also singling out the risks which are critical and demand development of actions for their management. Development of the map of risks allows:
determining the potential of retention of risks which can be applied to all operations of the Company;
developing the list of critical risks of the Company and ensuring the existence of the corresponding processes for managing them;
defining the priority of risks and developing the distribution of financial resources.
55. The map of risks is divided into several areas marked with different colors.
Red zone – risks which are critical for the Company either in connection with high probability of occurrence, or in connection with the serious potential of damage which can affect the financial stability of the Company.
Orange zone – risks which have high probability of occurrence or large potential influence on the financial stability of the Company.
Yellow zone – risks which have average probability of occurrence or average potential influence on the financial stability of the Company.
Green zone – risks which have low probability of occurrence and (or) have no considerable impact on the financial stability of the Company.
[Map of risks: vertical axis – Influence, grades 1 to 5; horizontal axis – Probability, grades 1 to 5]
56.
Identification numbers of risks (according to the register of risks) are plotted according to the indicators of the frequency (probability) of occurrence and the extent (influence) of risk.
57. The map of risks is a graphic representation of the susceptibility of the Company to critical risks and is an obligatory attachment to the report on risk management for the Board of Directors of the Company.
58. Priority of risks is established according to the position of each risk on the map of risks:
The 1st group – catastrophic and critical risks – the red zone of the map of risks – the risks having the highest priority. These are risks which make up 75% and above of the level of risk appetite, and also exceed risk appetite;
The 2nd group – large risks – the orange area of the map of risks – the risks second in priority, damage from realization of which remains within 50-75% of the level of risk appetite;
The 3rd group – average risks – the yellow area of the map of risks – the risks third in priority, damage from realization of which remains within 25-50% of the level of risk appetite;
The 4th group – low risks – the green area of the map of risks – risks within limits of up to 25% of the level of risk appetite – monitoring and control.
59. For the reporting on the map of risks, the Company and SO of the Company use the consolidated risk appetite indicator of the Company for an assessment of influence of risk and for display of critical risks of SO on the consolidated map of risks of the Company.
60. In each of the groups, priority of risks is established on the basis of the grade of the importance of risk.
61.
Each of the risks which have entered the 1st, 2nd and 3rd groups of priority is estimated on the basis of the following factors:
analysis of the reasons for occurrence of risks (scenario of losses);
analysis of the potential influence of risk on the financial performance of the Company – gross (without methods of control over risks) and net (residual risk after application of risk management methods);
analysis of correlation of the risk with other risks (offsetting of a negative effect from occurrence of risk in one division by a positive effect in another division – the principle of compensation, or strengthening of the negative effect in connection with occurrence of other risks – a domino effect).
62. The amount of influence of a critical risk has to be estimated quantitatively. Where a quantitative assessment is impossible or impractical, a detailed assessment of the risk using a combination of qualitative assessment methods is necessary to achieve the most reasonable assessment. In a quantitative assessment the risk is always estimated first on a gross basis, then on a net basis taking into account the measures taken for risk management. A change of risk can be reflected in the map by movement of the corresponding identification number.
63. Quantitatively, the risk is estimated on the basis of an indicator of the maximum possible damage from occurrence of each concrete risk. Various methods and models can be used for a quantitative assessment.
64. Methods of assessment of risks include:
quantitative assessment of risk on the basis of the cost of property which can be damaged as a result of occurrence of risk. In such a model, scenarios of material damage at occurrence of risk are built, and the recovery cost of property which can be damaged and is subsequently subject to repair or replacement is calculated.
It is usually used for a quantitative assessment of operational risks (material damage to property as a result of technogenic catastrophes, a fire, etc.).
quantitative assessment on the basis of calculation of the uncollected income. The duration of possible production downtime as a result of occurrence of the risk is estimated, and the income (or fixed expenses) per day is calculated. Multiplying these indicators gives a quantitative assessment of the risk. Such an assessment is usually used for risks of interruption of production or disruption of deliveries.
quantitative assessment of risk on the basis of comparative analysis. The maximum damage from some types of risks, for example risks of liability for infliction of harm or for environmental pollution, cannot be calculated by any formula, and therefore case statistics (industry and territorial) are used for a quantitative assessment of such risks. To assess such risks, the scenarios of their occurrence and the parties that may be involved (suffer damage), as well as the overall influence of the risk, are usually estimated, and the maximum possible damage is determined on the basis of existing information (statistics) on the cost of damage when such scenarios are realized. Case statistics are also used in assessing the influence of any risks on the market value of shares and other securities of the company.
quantitative assessment of risk on the basis of statistical models. Such an assessment is applied to risks that have a concrete monetary value and depend on certain external factors (for example, fluctuations in oil prices, fluctuations of exchange rates, inflationary expectations, etc.) and is based on building statistical dependences (for example, using methods of regression analysis). In this case it is possible to determine precisely under what conditions the realized risk can be material for the corporation.

65. The statistical approach is based on historical data on realized risk events. In this approach the quantitative assessment of risks is made on the basis of accumulated internal or external statistics. The main methods of risk assessment within this approach:
Value at risk (VaR) – the maximum depreciation of a financial investment over a certain planning horizon (for example, a month) that will not be exceeded with a high (preset) probability (usually 95% – VaR95% – or 99% – VaR99%). VaR is expressed in monetary terms.
Cash flow at risk (CFaR) – the maximum decrease in cash receipts (or the maximum increase in expenses), caused by the influence of one or several risk factors, that will not be exceeded with a high (preset) probability (usually 95% or 99%) over a certain planning horizon. The method reflects the specifics of the risks of non-financial companies. Because the majority of assets of non-financial companies are illiquid, their main risk is a decrease in operating cash flows. Therefore the key monetary measure of risk is cash flows under risk. It is accordingly necessary to build a model describing the influence of one factor or a group of factors on the amount of cash receipts (expenses) of the Company. Risk factors can be market variables (prices, exchange rates, interest rates) as well as random events (credit, operational, regulatory, etc.). Possible changes of risk factors and the probabilities of such changes are estimated from historical data or expert opinions. On the basis of the constructed model, possible changes of factors are transformed into possible changes of cash flows, and the probability distribution of changes of cash flows is built. The CFaR method can be applied to assess the risk of changes in cash flow for a separate kind of activity of the Company or for the Company as a whole.
CFaR shows the greatest changes of cash flows over a certain planning horizon, provided that all probability distributions of risk factors and the models of influence of these factors on the formation of cash flows are preserved over the whole horizon.
Earnings at risk (EaR) – this method of quantitative calculation of risks is an analog of CFaR, but takes into account the accounting aspects of recognition of the Company's income. One of the main distinctions between CFaR and EaR is the monetary measure of risk. Unlike CFaR, where the measure of risk is cash flows, in EaR calculation the measure of risk is the future profit of the Company.
quantitative assessment of risks on the basis of stochastic (probabilistic, Monte Carlo method) models. Such an assessment is used for risks that can be expressed in monetary form but for which it is rather difficult to establish a correlation with external factors, because the risk has a clearly probabilistic character. The risk of natural disasters, for example, can belong to such risks. In this approach various scenarios of realization of risk events are modeled, and the influence of the consequences of risk events on planned cash flows and on the financial and economic results of the Company's activity is analyzed.

66. The main methods of risk assessment within stochastic (probabilistic) models:
a. Stress testing. The method helps to determine the losses that the Company can incur if unexpected adverse events are realized. Stress testing does not produce a single risk figure as its output. The method makes it possible to estimate the consequences of various adverse scenarios and the Company's "margin of safety" in relation to risk factors. Since the scenarios considered within this method are realizations of rare events, no probabilities are attributed to them in stress testing.
Stress testing consists of two stages:
1) Creation of a model of the influence of risk factors on cash flows of the company (similar to the CFaR method);
2) Development of scenarios of realization of risk factors.
To create the model it is necessary to select the segment of cash flows of the Company that will participate in stress testing (analysis of all cash flows is the most effective; however, cash flows on separate financial instruments or on separate kinds of activity can also be considered). Then it is necessary to identify the risk factors influencing the size of the chosen cash flows. The dependences between the influence of risk factors and cash flows form the necessary model. It can be very simple for one financial instrument (for example, a loan at a floating interest rate – the size of each payment depends on the rate change in a strictly defined and evident way), but for the cash flow of the Company as a whole the dependences can be complex. After the model is created, it is necessary to do the following:
1) Enter several stress scenarios into the model;
2) Estimate the changes of cash flows when the risk factors (parameters) included in the scenarios change;
3) Single out those scenarios for which the change of flows goes beyond the set criterion of importance;
4) Analyze possible ways of reducing exposure to the risks involved in them.
Two types of scenarios are used in stress testing:
1) One-factor scenarios – the influence of only one risk factor is considered, for example a strong change in the price of a certain type of service, an exchange rate, a default of a certain contractor, etc. This method is of interest only for assessing the Company's "margin of safety" in relation to one such event. The larger the change of the risk factor that does not lead to a material change of cash flows, the less the Company is exposed to this type of risk;
2) Multi-factor scenarios – simultaneous change of several factors, which is more probable in practice.
Stress testing can be carried out on:
1) Historical scenarios – based on reproduction of events that took place in the past. For example, the same changes of factors (exchange rates, interest rates, etc.) and the same events (defaults) that occurred during a chosen financial crisis are considered.
2) Hypothetical scenarios – allow going beyond historical events. These scenarios require the work of experts. It is especially necessary to consider the worst scenarios (all considered factors take the worst value ever observed) and scenarios with the worst correlations.
3) Simulations by the Monte Carlo method. This method involves carrying out a large number of trials – single simulations of how the situation in the markets develops. To generate random numbers, the expected (average) value and the standard deviation (σ) of the historical values of the various parameters are taken. As a result of these trials a distribution of possible financial results is obtained, from which the VaR or CFaR estimate can be obtained by cutting off the worst results according to the chosen confidence probability. VaR or CFaR is estimated in the following sequence:
1) The expected (average) value and the standard deviation (σ) of each parameter are estimated;
2) Random values of each parameter are generated within the set average value and standard deviation, so that different results are obtained each time;
3) The size of the loss (change in price) corresponding to the set probability is determined.
Application of these methods of assessment and forecasting of risks will be possible once a financial and economic model is introduced in the Company.

67. It is often necessary to apply a combination of some or all of the above methods, or specially developed methods, for a reliable quantitative assessment of risks.
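The stress-testing steps and the three-step Monte Carlo sequence for CFaR described in clause 66, shown as an added Python example that is not part of the Regulations. The factor names, the monthly history, the linear sensitivities, the scenarios and the significance criterion are all constructed assumptions, and the factors are assumed to be independent and normally distributed.

```python
import random
import statistics

# Constructed monthly history of three risk factors (illustrative values only).
HISTORY = {
    "freight_volume_mt": [22.1, 23.4, 21.8, 24.0, 22.9, 23.6,
                          21.5, 22.7, 23.9, 22.4, 23.1, 22.6],
    "usd_kzt_rate": [182.0, 183.5, 181.2, 184.9, 183.0, 185.4,
                     182.6, 184.1, 183.8, 182.9, 185.0, 183.6],
    "fuel_price_index": [100.0, 102.5, 98.7, 104.1, 101.3, 99.4,
                         103.2, 100.8, 102.0, 99.9, 101.7, 100.4],
}

# Assumed linear model: change in monthly cash flow (mln tenge) per unit
# deviation of a factor from its historical mean.
SENSITIVITY = {
    "freight_volume_mt": 400.0,
    "usd_kzt_rate": -15.0,
    "fuel_price_index": -25.0,
}

# Constructed stress scenarios, expressed as shifts in standard deviations.
SCENARIOS = {
    "one-factor: fuel price +1 sigma": {"fuel_price_index": 1.0},
    "one-factor: exchange rate +3 sigma": {"usd_kzt_rate": 3.0},
    "one-factor: freight volume -3 sigma": {"freight_volume_mt": -3.0},
    "multi-factor: volume -2, rate +3, fuel +3 sigma": {
        "freight_volume_mt": -2.0, "usd_kzt_rate": 3.0, "fuel_price_index": 3.0},
}
CRITERION = 500.0  # assumed criterion of importance, mln tenge


def estimate_parameters(history):
    """Step 1: expected (average) value and standard deviation of each parameter."""
    return {name: (statistics.mean(values), statistics.stdev(values))
            for name, values in history.items()}


def cash_flow_change(factor_values, params, sensitivity=SENSITIVITY):
    """Model of influence of risk factors: deviation of cash flow from plan."""
    return sum(sensitivity[name] * (value - params[name][0])
               for name, value in factor_values.items())


def simulate(params, trials=20000, seed=2014):
    """Step 2: draw random factor values around mean/sigma, one result per trial."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    results = []
    for _ in range(trials):
        draw = {name: rng.gauss(mean, sigma)
                for name, (mean, sigma) in params.items()}
        results.append(cash_flow_change(draw, params))
    return results


def at_risk(changes, confidence):
    """Step 3: loss not exceeded with the given probability (worst tail cut off)."""
    ordered = sorted(changes)  # most negative change first
    cutoff = int((1.0 - confidence) * len(ordered))
    return -ordered[cutoff]


def stress_test(params, scenarios, criterion):
    """Run each scenario through the model; keep those beyond the criterion."""
    flagged = {}
    for label, shifts in scenarios.items():
        shocked = {name: params[name][0] + k * params[name][1]
                   for name, k in shifts.items()}
        change = cash_flow_change(shocked, params)
        if abs(change) > criterion:
            flagged[label] = round(change, 1)
    return flagged


if __name__ == "__main__":
    params = estimate_parameters(HISTORY)
    changes = simulate(params)
    for level in (0.95, 0.99):
        print("CFaR at %.0f%%: %.1f mln tenge" % (level * 100, at_risk(changes, level)))
    for label, change in stress_test(params, SCENARIOS, CRITERION).items():
        print("beyond criterion:", label, change)
```

The stress test attaches no probabilities to its scenarios, while the simulation yields a distribution from which the 95% and 99% figures are read off, which is the distinction clause 66 draws between the two methods.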
For many risks, mathematical models can be built that make it possible to obtain estimates of their quantitative influence depending on various factors and to "play out scenarios" of occurrence of risks.

68. The quantitative assessment of risks is necessary for understanding the importance of each specific risk, for assessing the efficiency of expenses on managing such risks, and for setting the parameters (conditions) of contracts when transferring risk to third parties. The degree of accuracy of a quantitative assessment is determined by the requirements of the Company, but in any case such an assessment gives only reference points for the Company, i.e. a so-called "corridor". The Company's task when carrying out a quantitative assessment of risks is to ensure that this "corridor" is wide enough for all possible consequences to fall within its limits in value, but also narrow enough not to pay excessive sums for risk transfer.

69. The quantitative assessment of risk makes it possible to carry out a stress analysis of the financial performance of the company against risks – on indicators of profitability, long-term financial stability (capitalization) and liquidity. If the potential influence of a risk goes beyond the risk appetite of the Company, the risk is classed as a critical risk.

70. The assessment of operational risk involves assessing the probability of occurrence of the events that cause operational risks and assessing the influence of the risk on the Company's activity. The assessment of operational risk is carried out from two positions – qualitative and quantitative.
a. The quantitative assessment of risk has a probabilistic (expected) character, and the calculation relies on statistical methods;
b. The qualitative approach is applied to objects and categories of operational risk whose level cannot be expressed unambiguously by a number characterizing the possible level of losses.

71. To determine the level of operational risk, the structural division of the Company responsible for risk management can apply the following methods:
a. statistical analysis of sources of operational risk and actual losses;
b. grade and weight method.

72. The method based on statistical analysis of sources of operational risks makes it possible to forecast potential operational losses from the size of the operational losses that occurred in the Company in the past. When this method is applied, the input data are the information accumulated in an analytical database on events connected with operational risks.

73. To build mathematical models for a quantitative assessment of operational risks, a statistical database on events connected with operational risks, covering at least 5 years of the Company's activity, is necessary. Until then, the structural division responsible for risk management of the Company carries out a quantitative assessment of operational risks by calculating the probability of losses from operational risks, proceeding from the number of cases connected with operational risks and the number of cases of manifestation of operational risks. Structural divisions of the Company review operational risks annually, within the process of identification of risks.

74. Additional data from structural divisions of the Company can be received by the structural division responsible for risk management in the form of answers to specific inquiries or in the form of reports on the forms developed for the analysis of a specific event connected with operational risks.

75. Each subspecies of operational risk in the Company's classification of operational risk is assigned a weight coefficient (WC), depending on the extent of its influence on the gross revenue of the Company.
The distribution of weight coefficients for the indicators characterizing factors of operational risk is given in the table below.

Factors of operational risk | Weight coefficient, WC
external and internal frauds | 0,05
labor relations | 0,10
clients and business practice | 0,10
failures in information and technical systems | 0,10
management of processes | 0,20
damage to material assets | 0,10
occupational accidents | 0,35
Total: | 1,00

76. On the basis of the risk rating value (according to point 46 above) and the weight coefficient of each subspecies of operational risk, the coefficient of operational risk (Cor) used for further calculations is calculated. This coefficient is defined as the sum of the products of the risk rating value of each subspecies and the corresponding weight coefficient of the operational risk factor.

Cor = ∑ (WCi * PPi), i = 1, …, n,

where n – total number of factors of operational risk

77. Operational risk is calculated by the following formula:

OR = Cor * ASR * 15%,

where:
OR – a quantitative assessment of operational risk,
Cor – coefficient of operational risk,
ASR – the average gross revenue for the last three completed years, calculated as the ratio of the sum of annual gross revenues for those of the last three completed years in which the Company earned net income to the number of years in which the Company earned net income.

Until the term of activity of the Company exceeds three years, the average annual gross revenue is calculated from the actual number of completed years of activity. The annual gross revenue is defined as the sum of net income before taxation, the annual amount of allocations for formation of provisions (reserves) and the extraordinary expenses incurred, minus the extraordinary income of the Company.

78. The resulting quantitative assessment of operational risks is used to analyze the dynamics of weaknesses and strengths in the management of operational risks.

79. Standard values for the assessment of operational risks can be determined as statistical data accumulate.

80. Monitoring of operational risk is carried out by the structural division responsible for risk management of the Company, through regular analysis of information from the Register of risks and information provided by structural divisions of the Company.

81. Minimization of operational risk involves implementing a package of measures aimed at reducing the probability of events or circumstances leading to operational losses and the level of their influence on the activity of the Company.

82. The main methods of minimization of operational risks are optimization of the organizational structure and business processes, and development of internal rules and procedures for carrying out current activity so as to exclude the possibility of factors of operational risk.

83. The financial consequences of operational risk can be reduced by means of insurance. Insurance across the Group of the Company is carried out according to the Policy on the organization of insurance protection in JSC «NC «KTZ».

84. The risk assessment carried out makes it possible to refine the map of risks and the indicators of importance of risks, and on this basis the critical risks of the Company are determined – those risks to which the Company has to pay special attention and on which management decisions have to be made immediately.

85. The main result of this stage of the risk management system is the list of critical risks of the Company, which is brought to the attention of the Company's Board of Directors.

4. Responsibility

86. The structural division of the Company responsible for risk management is responsible for organizing the assessment of risks.

87. The structural division of the Company responsible for risk management coordinates work with all divisions of the Company. The questionnaire surveys carried out by the structural division of the Company responsible for risk management, as well as its inquiries on key risks, are obligatory for all divisions and personnel of the Company.

88. The structural division of the Company responsible for risk management provides support to the structural divisions of the affiliated organizations of the Company responsible for risk management in the course of identification and assessment of risks, and also consolidates risks across the Group of the Company.

89. In matters of identification and assessment of risks, the structural division of the Company responsible for risk management is accountable to the Managing director (Risk officer) and to the joint body of the Company whose competence includes consideration of questions of risk management (if such a body is created in the Company structure).

90. The Executive Board member of the Company supervising the activity of the division responsible for risk management submits questions of identification of critical risks of the Company, as well as proposals on their management, for consideration by the Executive Board of the Company, which in turn submits questions on critical risks for consideration by the Board of Directors of the Company.

91. Responsibility for improving the methods of identification and assessment of risks in the Group of the Company lies with the structural division of the Company responsible for risk management.
__________________________

Attachment 1
To the Regulations of identification and assessment of risks of the Joint Stock Company «National Company «Kazakhstan Temir Zholy», approved by the Board of Directors of the Joint Stock Company «National Company «Kazakhstan Temir Zholy» from «___» ______ 2014 year, minutes №___

Register of risks

Column groups: Passport of a risk (1); Appraisal of inherent risk (2); Arrangements on risks management (3); Appraisal of risks in the result of fulfillment of arrangements (4).

Columns:
1 – № KPI
2 – Threshold meaning of KPI (tolerance)
3 – Code of risk
4 – Essential risks of nonachievement of meaning of strategic KPI
5 – Factors of risk (reasons of appearance of risk)
6 – The description of possible consequences from risk realization
7 – Key risk indicator
8 – Owner of risk
9 – Probability
10 – Volume of damage: Influence
11 – Volume of damage in thousand tenge
12 – Time of influence
13 – Grade of significance
14 – Name of arrangement
15 – Purpose
16 – Type
17 – Appraisal cost of an arrangement, mln. tenge (to indicate if possible)
18 – Term of realization of an arrangement
19 – Person/division responsible for realization of an arrangement
20 – Probability
21 – Volume of damage: Influence
22 – Volume of damage in thousand tenge
23 – Time of influence
24 – Grade of significance

Sections of the register:
STRATEGIC RISKS (risks connected with the Company's Strategy): Risk 1, Risk 2, Risk N …
FINANCIAL RISKS (risks connected with the financial activity): Risk N
OPERATIONAL RISKS: Risk N
LEGAL RISKS: Risk N

Column 15 – is one of variants: A) decreasing of damage; B) decreasing of probability; C) risk prevention; D) restoration of losses.
Column 16 – one of variants for: A) risk avoidance; B) risk transfer; C) decrease of risk; D) risk acceptance.

Attachment 2
To the Regulations of identification and assessment of risks of the Joint Stock Company «National Company «Kazakhstan Temir Zholy», approved by the Board of Directors of the Joint Stock Company «National Company «Kazakhstan Temir Zholy» from «___» ______ 2014 year, minutes №___

The uniform nomenclature on designation of the main risks.

Number of risk – Category of risk (the Company) | Number of risk – Category of risk (JSC «Samruk-Kazyna»)
1-OpR | 37-O-KTZ
2-OpR | 8-C-KTZ
3-OpR | 54-O-KTZ
4-OpR | 55-O-KTZ
5-FinR | 56-F-KTZ
6-FinR | 24-F-KTZ
7-CountryR | 59-C-KTZ
8-FinR | 57-F-KTZ
9-FinR | 16-F-KTZ
10-FinR | 18-F-KTZ
11-FinR | 15-F-KTZ
12-CountryR | 10-C-KTZ
13-FinR | 14-F-KTZ
14-FinR | 58-F-KTZ
15-FinR | 17-F-KTZ
16-OpR | 31-O-KTZ
17-OpR | 27-O-KTZ
18-LegalR | 49-L-KTZ
19-OpR | 26-O-KTZ
20-LegalR | 48-L-KTZ
21-LegalR | 60-L-KTZ
22-CountryR | 1-C-KTZ
23-CountryR | 11-C-KTZ
24-CountryR | 3-C-KTZ

Name of risk:
Risk of violations of traffic safety (Disaster and accident of railway branch)
Risk of operational injuries (Occupational accidents entailed damage to health and life of workers in the course of execution of official duties)
Risk of not safety of freights
Ecological (environmental) risk
Risk of decrease in level of a cargo transportation
Tariff risk (Tariff setting)
Risks of restructuring
Risk of the competition
Currency risk
Credit risk
Risk of liquidity (A lack of liquidity for implementation operational, investment, financial activity)
Risk of not implementation of investment projects (Risks of the realized SO investment projects)
Country risk (Country risk - loss of the means (investments) placed (enclosed) abroad)
Price risk
Percentage risk
Risk of failure of information systems (Risks of information systems)
Risk of violation of information security (Leak confidential information / use of insider information)
Risk of presentation of judicial claims (Judicial proceedings (Pretension and claim work)
Risk of illegal actions (fraud) (Fraud / corruption actions from the personnel and the third parties)
Tax risk (Risk of violation of the tax legislation)
Risk of unauthenticity of financial statements
Risk of loss of reputation (Risk of damage of Reputation)

Attachment 3
To the Regulations of identification and assessment of risks of the Joint Stock Company «National Company «Kazakhstan Temir Zholy», approved by the Board of Directors of the Joint Stock Company «National Company «Kazakhstan Temir Zholy» from «___» ______ 2014 year, minutes №___

Classification of the events having caused a loss

Columns: Category of type of events (1st level); Definition; Category (2nd level); Examples of types of activity.

Internal fraud External fraud Cadre policy and labor safety Losses owing to actions with intention to carry out fraud, to appropriate property or to bypass regulations, the legislation or internal normative documents of the Company, with participation of, at least, one inside Not allowed activity Losses owing to intention to swindle, steal property or to violate the law with participation of the third party Theft and fraud Losses owing to a violation of the law about work, safety of work and health protection or in connection with payments in claims about causing personal damage or to claims in connection with discrimination Relationship with employees Safe environment The operations not reflected in the reporting (intentionally) Not resolved types of operations (the caused pecuniary losses) Wrong assessment of a position (intentionally) Fraud Theft, extortion, plunders, robbery Assignment of assets Deliberate destruction of assets Fake Smuggling Assignment of strangers accounts/use of someone else's documents, etc.
Deliberate non-compliance with the tax legislation or evasion from taxes Bribes Insider trading (not at the expense of the Company) Fraud Theft, robbery Fake Invoicing of poor checks Hacking, the theft of information which has caused pecuniary losses Questions of compensation, remuneration and severance pays Work organization General obligations for accidents Discrimination Qualification of the personnel All types of discrimination Insufficient qualification of the personnel Theft and fraud Safety of systems

Clients, products and business practice Losses owing to inadvertent negligence in implementation of professional obligations in relation to specific clients (including confidential and qualification requirements) or owing to character or a product design Acceptability, disclosure, fiducial relations Wrong business or market practice Defects of products Choice, sponsorship and risks Consulting services Causing damage to physical assets Violations in business and system failures Execution, delivery and management of processes Violation of fiducial relations/violation of instructions Problems of disclosure of information (know the client) Violation of requirements of disclosure of information to retail clients The violations connected with disclosure of confidential personal information Aggressive sales Artificial overestimate of commission charges Abuse of confidential information Obligations of the creditor Antitrust law Wrong practice of trade / market transactions Manipulation market Insider trading Activity without license Money laundering Defects of products Errors of a design Failure to meet requirements of studying of the client Excess of limits of risk on one client Disagreements in estimates of results of consulting services Losses owing to damage or damage of physical assets as a result of natural disasters or other events Losses owing to violations in business and system failures Accidents and other events Damage from natural disasters, human losses from influence of external sources (terrorism, vandalism) Systems Losses owing to failure of processing of operation or failures in process or owing to relationship with trade contractors and sellers Execution and maintenance of operations Software Hardware Telecommunications Failures in power supply and providing utilities The wrong communications, mistakes at input, loading or maintenance of data Violation of terms or obligations The wrong functioning of systems or models Accounting mistakes/mistakes in attribution of the contractor Other mistakes when performing tasks Delivery failure Failures in management of pledge Maintenance of reference data Non-compliance with the obligatory reporting The inexact external reporting which has entailed losses Monitoring and reporting

Customer acquisition and maintaining documentation Management of client accounts Trade contractors Suppliers and contractors

Absence of permissions/release from responsibility from clients Absent or incomplete legal documentation Unauthorized access to accounts The wrong client records which have entailed losses Damage or losses of clients as a result of negligence Wrong actions of contractors Conflicts with contractors Outsourcing Conflicts with suppliers