Corporate control

Managing corporate conflicts

In the event of corporate conflicts, the parties attempt to settle them by negotiation to efficiently protect the interests of KMG and other stakeholders.

In order to be effectively prevented or addressed, corporate conflicts primarily need to be identified as soon and fully as possible, with all corporate governance bodies to act in a consorted manner.

Corporate conflicts are addressed by the Chairman of the Board of Directors assisted by the Corporate Secretary. If the Chairman of the Board of Directors is involved in a corporate conflict, such cases are addressed by the Nomination and Remuneration Committee of the Board of Directors. No such circumstances occurred in 2025.

Internal audit

The internal audit function is performed by the Internal Audit Service (IAS), which is functionally accountable to the KMG Board of Directors and overseen by the Audit Committee. The organisational independence of the IAS ensures that it carries out its audit and consulting engagements objectively and impartially.

The IAS operates in accordance with Kazakhstan’s laws, the Charter, the Corporate Standard of Samruk‑Kazyna, and international professional standards for internal audit. Its mission is to provide the Board of Directors with objective assurance and advisory services that strengthen the effectiveness of the risk management, internal control, and corporate governance systems.

Key objectives of the IAS

  • Assessing the reliability of the internal control and risk management system
  • Assessing the reliability, completeness and objectivity of the accounting policy as well as financial statements of KMG and its subsidiaries and associates based on such policy
  • Assessing the efficiency of resource management at KMG and its subsidiaries and associates and the methods used to ensure asset integrity
  • Monitoring compliance with applicable laws, corporate operational, investment and financial rules and regulations

The Audit Committee regularly reviews IAS reports, work plans, development strategy, and budgeting and staffing matters. Particular attention is given to the professional development of auditors as a key factor in sustaining high audit quality.

Independent external assessment of the IAS

Periodic independent external assessments of the IAS are conducted in accordance with the International Standards for the Professional Practice of Internal Auditing. The IAS has been recognised as fully conforming to those Standards, international best practices, the Regulations on the Internal Audit Service, the Code of Business Ethics, and other applicable external and internal regulations governing the internal audit function.

The next independent external assessment is planned for 2026, to verify conformity with the updated Standards for the Professional Practice of Internal Auditing that entered into force in 2025.

Effectiveness of the internal control system

Assessment of the effectiveness of the internal control system is an integral part of every IAS audit engagement. During audits, the design and operation of control procedures are analysed and evaluated.

Conclusions on the internal control effectiveness are regularly set out in IAS performance reports submitted to the Audit Committee and the Board of Directors at the close of each reporting period.

Internal Audit Service activities in 2025

In 2025, the IAS carried out its activities in line with the Annual Audit Plan approved by the KMG Board of Directors, developed on a risk‑based basis.

  • Scope: 30 audit engagements were completed against a plan of 28, including two ad hoc reviews.
  • Impact: findings informed recommendations for improving business processes and strengthening control procedures, with an implementation rate of 91.8% as at 31 December 2025.
  • Coverage: reviews spanned key areas, including procurement, contract performance, production activities, the technical condition of plant and equipment, investment activities, capital expenditure, oil and oil product accounting, risk management, information technology and information security, and occupational health and industrial safety.

External audit

To ensure an objective assessment of its IFRS financial statements, KMG engages an independent external auditor annually. The auditor is approved by the Board of Directors and confirmed by the General Meeting of Shareholders.

By the resolution of the annual General Meeting of Shareholders dated 28 May 2024, PricewaterhouseCoopers LLP (PwC) was appointed external auditor for the audit of KMG’s financial statements for 2025–2029.

Auditor selection and independence

The selection procedure is governed by the procurement rules of Samruk‑Kazyna and is conducted by a joint commission comprising representatives of the Audit Committees of the Fund and KMG. The key criteria are service quality, procedural transparency, and the absence of conflicts of interest.

The Audit Committee of KMG maintains ongoing monitoring of the external auditor’s compliance with independence principles. The Company strictly observes the statutory requirement for audit firm rotation at least once every seven years.

Non‑audit services

KMG’s policy requires that any non‑audit services provided by the external auditor receive prior approval from the Audit Committee.

In addition, the cost of non‑audit services in any reporting year may not exceed 50% of the average cost of audit services over the three preceding years. In 2025, non‑audit services accounted for 26.5% of the external auditor’s total fees.

KMG risk management and internal control system

KMG and its subsidiaries operate an integrated corporate risk management system (CRMS), which is part of the Fund’s unified risk management framework and a core element of the corporate governance system. The CRMS is designed to identify and mitigate risks, enabling the Company’s sustainable development and greater adaptability while striking an optimal balance between value growth, profitability and risk.

The system engages all levels of management – from the Board of Directors to executive leadership and employees – and provides reasonable assurance that the Company will meet its:

  • strategic goals – value creation and preservation, improved sustainability, and greater investment appeal;
  • operational goals – performance efficiency and asset integrity;
  • reporting goals – reliability of financial and management information;
  • compliance goals – conformity with legal and internal regulations.
CRMS organisational structure
Functions and responsibility of CRMS participants
Board of Directors

Oversees the effectiveness of the CRMS through the following risk management functions:

  • Defines KMG’s short‑ and long‑term objectives
  • Approves the Risk Management Policy
  • Approves risk appetite, tolerance levels, key risk indicators, risk register, risk map, risk response action plan, and consolidated risk reports
Audit Committee
  • Assists the Board of Directors in overseeing the reliability and effectiveness of the CRMS
Chairman of the Management Board
  • Ensures the CRMS functions effectively
  • Implements Board decisions and Audit Committee recommendations on CRMS organisation
Management Board
  • Ensures implementation of the CRMS Policy, and the development, approval and adoption of internal regulations on risk management
  • Ensures integration of risk management into KMG’s business processes
  • Preliminarily approves quarterly risk reports for submission to the Audit Committee and Board of Directors
  • Reviews matters relating to limits, risk management methodologies, and response measures
  • Monitors compliance with internal regulations, risk appetite and tolerance levels, reviews risk reports and takes necessary action
Internal Audit Service
  • Conducts independent assessments of the effectiveness of the risk management system and contributes to its improvement
  • Supports the Audit Committee and Board of Directors with independent opinions and recommendations on risk management matters
Compliance Service
  • Develops and implements the compliance programme to manage risks related to non‑compliance with the Code of Business Ethics, anti‑corruption legislation and other regulatory requirements applicable to KMG and its subsidiaries and associates
Risk Committee
  • Conducts preliminary reviews of risk management matters and provides recommendations to the Management Board for decision‑making.
Risk Management Unit
  • Informs the Board of Directors, Audit Committee and Management Board on the current risk landscape, response measures, changes in the control environment, significant deviations in risk management processes, and actions to improve the CRMS
  • Coordinates risk management processes across KMG and its subsidiaries and associates
  • Develops and updates internal regulations on risk management, communicates approved documents to risk owners, and puts forward proposals for embedding risk management into business processes
  • Prepares quarterly risk reports within established timelines
  • Establishes risk appetite with corresponding tolerance levels for specific risk areas
  • Critically assesses the completeness of identified risks and adequacy of response measures when preparing consolidated risk reports and materials for the Management Board and Board of Directors; analyses the risk portfolio; contributes to developing response strategies and, where necessary, resource reallocation; draws management’s attention to emerging or significantly changed risks
  • Provides methodological and practical support to risk owners and units across KMG and its subsidiaries and associates
  • Maintains an ongoing database of materialised and potential risks
  • Monitors credit, investment and market risks in accordance with established limits and requirements
  • Coordinates insurance and reinsurance of risks and potential losses as required
  • Automates key risk management processes
  • Assesses and monitors the probability of contingent liabilities materialising and evaluates provisions for potential default events
  • Engages with the Internal Audit Service, including contributing to the annual audit plan and assurance map, discussing audit findings, and sharing knowledge and methodologies
All units (risk owners / risk mitigation action owners
  • Identify risks and report them in a timely manner, proposing risk mitigation action
  • Assess risks, implement response strategies and specific measures, and propose improvements to the risk management system in their areas of responsibility
  • Develop and update policies and procedures governing their assigned business processes
  • Adhere to risk appetite and key risk indicators within their competence
  • Maintain the database of materialised and potential risks in accordance with internal regulations
  • Monitor external and internal factors that could materially affect risks within their functional scope
  • Provide timely and complete risk information to stakeholders, directly manage risks, monitor potential impacts, and implement risk mitigation measures.

Internal control and business continuity

KMG’s integrated internal control system (ICS) supports the achievement of objectives and ensures legal compliance, with a focus in 2025 on automating monitoring processes. The business continuity management system (BCMS) puts continuity plans in place for key processes across subsidiaries and associates. Property interests are protected through corporate insurance.

CRMS development in 2025

The system is based on the three lines of defence model (COSO framework). Employees and units form the first line, responsible for day‑to‑day risk management and for promptly identifying and reporting significant risks. Control units constitute the second line, coordinating processes, preparing reports, and providing methodological and practical support across risk identification, monitoring and management. The third line comprises internal auditors, who independently and objectively assess the risk management and control systems.

In 2025, KMG updated its consolidated risk register and approved revised versions of key internal documents:

  • Risk Management System Policy of KMG and its Subsidiaries and Associates (approved by resolution of KMG’s Board of Directors dated 10 September 2025, Minutes No. 15/2025);
  • Guidelines for Organising the Risk Management Process, including Risk Identification and Assessment Procedures, for KMG and its Subsidiaries and Associates (approved by resolution of KMG’s Management Board dated 24 November 2025, Minutes No. 47).

The Company also intensified monitoring of sanctions and regulatory risks, launched a pilot project to automate key risk indicators, and continued efforts to strengthen employee risk culture.

Looking ahead to 2026, planned activities include assessing the effectiveness of internal controls across five construction investment projects. Key internal documents will be updated, including the internal control system policy, the Regulations on the Risk Committee, and the terms of reference defining functional responsibilities of personnel responsible for risk management at subsidiaries and associates. Training and methodological support will be provided to subsidiaries and associates to facilitate the embedding of new risk management approaches. Tests and workshops will also be organised on internal controls, business continuity management, and the three lines model.

Risks that materialised in 2025

A number of key risks materialised across KMG Group during the reporting period.

Production and occupational safety

  • Work‑related injury risk – 20 incidents resulted in 21 work‑related injuries, including one fatality, affecting safety performance and prompting additional corrective measures.
  • Risk of emergency situations – unplanned power outages, pipeline integrity failures, reservoir damage, and other operational incidents caused process downtime and additional costs.

Financial and economic risks

  • Risk of adverse oil price movements – the risk materialised against a backdrop of falling global prices and the revision of the baseline oil price in the Development Plan from USD 75 to USD 65 per barrel, leading to deviations from revenues and cash flow targets.
  • Currency risk – the risk manifested through negative foreign exchange revaluation of liabilities and exchange rate volatility, affecting the financial result.

Environmental and regulatory risks

  • Risk of environmental damage – the risk materialised as fines imposed for waste injection into the subsoil and accumulation of drilling waste without appropriate environmental permits.

Mitigation measures

Although certain adverse events occurred, all materialised risks remained within acceptable levels and did not critically affect operational sustainability or the achievement of strategic and operational objectives. Measures were implemented across all areas to mitigate consequences and prevent recurrence, including:

  • strengthening the occupational health, industrial, and transport safety systems, and enhancing the corporate safety and production control system;
  • improving oil spill response readiness, implementing measures to minimise environmental impact, and applying environmental insurance mechanisms;
  • engaging with competent government bodies, participating in discussions on regulatory legal acts, and implementing comprehensive measures to introduce automated monitoring and control systems;
  • enhancing financial resilience through crisis management measures, investment project portfolio optimisation, and gradual debt reduction.

Risk management in the current geopolitical environment

Heightened geopolitical, military and political tensions in 2025 significantly increased the likelihood of the following risks materialising:

  • tightening of sanctions;
  • lower oil transportation and export volumes;
  • delays and cost overruns in the implementation of investment projects;
  • shortfalls in dividends from megaprojects.

Context

These elevated risks stem primarily from the inclusion of certain KMG partners – LUKOIL and Rosneft – in the sanctions lists of several states (the USA and the UK), as well as the continuing vulnerability of the Caspian Pipeline Consortium’s (CPC) infrastructure to external impacts and incidents.

Although sanctions restrictions do not directly extend to KMG Group, the risk of adverse consequences for joint projects persists, including potential refusals by counterparties under US and UK jurisdiction to supply goods, works, and services.

On 15 October 2025, the UK imposed sanctions against LUKOIL and Rosneft, restricting their access to European banking operations.

On 23 October 2025, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) introduced similar measures, also restricting banking access.

LUKOIL is a KMG partner in the Tengizchevroil project (5%), CPC (12.5%), Karachaganak (13.5%), and KKO (50%). Sanctions exemptions have been obtained for Tengizchevroil, Karachaganak, and CPC; no such exemptions exist for KKO.

Under US Executive Order 14024, entities directly or indirectly owned 50% or more by Rosneft or LUKOIL are treated as included in the OFAC SDN ListSpecially Designated Nationals and Blocked Persons List. even if they do not appear on the SDN List itself. Restrictions are therefore anticipated in relation to the KKO project (Kalamkas‑Khazar Operating LLP).

Consequences for the Kalamkas‑Sea and Khazar project

The placement of risk for the KKO offshore project on the international reinsurance market has become restricted or impossible, as KMG’s traditional reinsurance partners are refusing to provide coverage due to LUKOIL’s involvement. Without insurance coverage, KMG cannot attract external financing for the KKO project. This poses a threat to the KKO project model by materially narrowing the available financing mechanisms. The parties are currently assessing options for the project’s further implementation.

Risks to CPC infrastructure

Temporary CPC shutdowns and suspensions were also recorded during the reporting period in connection with incidents and unscheduled maintenance works, heightening the risk of disruption to export reliability.

On 17 February 2025, an unmanned aerial vehicle attack on the Kropotkinskaya pumping station damaged a turbine and transformers. On 29 November 2025, an unmanned surface vessel attack on the CPC marine terminal damaged the SPM‑2 single point mooring. SPM‑3 was commissioned on 25 January 2026 as a replacement, restoring the terminal’s throughput capacity.

Despite these events, Kazakhstan’s oil transportation continued through the year without major disruptions, owing to:

  • the timely replacement of critical CPC equipment;
  • transportation route diversification;
  • prompt engagement with government bodies.

A phased replacement of SPMs is planned for 2026.

To mitigate sanctions risks, Kazakhstan–China Pipeline LLP is coordinating with government bodies and engaging with the US OFAC to obtain permits for the transit of up to 10 mln tonnes of Rosneft oil to China, thereby reducing secondary sanction risks and safeguarding transit stability.

Risk profile and risk map

KMG’s risk profile is robust but susceptible to stress scenarios triggered by external factors, including oil prices, geopolitical developments, and sanctions. The Board of Directors maintains a moderately conservative risk appetite.

Risk map
Risk code Risk Assessment Threats Mitigants
Work‑related injury risk Red zone Work‑related accidents and occupational injuries Ensuring occupational health and safety, industrial and transport safety; developing the corporate security system
Production decline risk Orange zone Natural production decline at mature fields Increasing production process efficiency, reducing hydrocarbon extraction costs, field reclamation, negotiations with the state on further optimisation of the tax burden for mature fields
Environmental risk Yellow zone
  1. Global decline in hydrocarbon demand due to accelerated low‑carbon development
  2. Delayed implementation of energy efficiency measures at subsidiaries and associates
  3. 3.Low‑Carbon Development Programme targets lagging behind global industry peers depending on the pace of the transition to alternative energy sources
  4. Disruptions in renewable energy supply procured for energy transition purposes
  1. Maintaining and growing oil exports while implementing the optimal KMG carbon neutrality configuration
  2. Seeking and attracting strategic partners, identifying and adapting alternative technologies
  3. Monitoring Programme implementation, establishing a dedicated coordination and monitoring body, procuring green energy
  4. Investing to maintain reserve capacity
Risk of sanctions tightening Red zone Tightening of international sanctions against strategic partners or KMG Monitoring sanctions legislation, engaging international legal advisers, exiting or disposing of joint venture participation interests, attracting new strategic partners
Risk of liquidity shortfall Orange zone Deterioration in financial stability and credit rating downgrades Reducing debt levels, ensuring repayment of loan and borrowings, cutting costs, optimising the asset and project portfolio
Investment (project) risks Red zone
  1. Withdrawal of a strategic partner (involved in financing, technology, and management) from projects
  2. Lack of project financing sources
  3. Low profitability of potential renewable energy projects for acquisition or participation
  1. Upholding corporate governance principles, attracting new strategic partners
  2. Implementing measures to increase profitability and improve financial condition to ensure sufficient cash flow for investments; seeking new financing instruments
  3. Securing optimal terms at the stage of acquiring stakes or initiating renewable energy projects; utilising state support measures and investment incentives
Strong volatility of oil prices Red zone Adverse oil price movements, growing commodity market volatility Enhancing financial resilience, implementing crisis management measures, optimising the investment project portfolio, gradual debt reduction
Risk of lower transportation and sales volumes in the segment of oil exports Red zone
  1. Transportation restrictions, production shutdowns at major fields (Tengiz, Kashagan, and Karachaganak), storage overstocking, lost profits
  2. Tightening of international sanctions against strategic partners or KMG
  1. Developing additional oil transportation routes
  2. Producing and replacing critical CPC equipment
  3. Monitoring sanctions legislation, engaging legal advisers, exiting or disposing of joint venture participation interests, attracting new strategic partners
Exploration risk Orange zone
  1. Negative drilling results: no commercial hydrocarbon discovery
  2. Insufficient and/or untimely financing of exploration
  1. Applying new technologies (seismic surveying), attracting strategic partners on carry financing terms
  2. Negotiating with strategic partners on additional financing allocations

Risk appetite statement

Risk appetite serves as a guiding framework, defining the level of risk the Company is willing to retain while pursuing its strategic and operational objectives.

The approved risk appetite is broken down into specific tolerance levels for each key risk category, including financial, operational and investment risks, and these limits guide all relevant decision‑making.

Selected excerpts from KMG’s 2025 risk appetite statement

Financial activities

  • Comply with covenants established in debt instruments
  • Maintain positive consolidated free cash flow (before principal debt repayments)
  • Prevent any shortfall in planned dividend flows from subsidiaries to KMG in 2025
  • Ensure that KMG’s financial stability ratios do not fall below established minimum levels
  • Maintain KMG’s credit ratings with S&P, Moody’s and Fitch at no less than the current levels of BB+, Baa1 and BBB respectively.

Operating activities

  • Ensure social stability within the workforce of KMG Group companies Uphold employee rights and prevent discrimination and unequal working and hiring conditions
  • Prohibit transactions that would breach international sanctions regimes
  • For information security risks (including cyber risks), KMG shall:
    • Ensure service availability in the event of information and communication infrastructure disruption at no less than 99.7% (annualised)
    • Prevent any breach of integrity of information resources, software and hardware
    • Prevent loss or any unauthorised disclosure of confidential information
  • Maintain zero tolerance towards any forms of corruption, fraud or violations of business ethics
  • Maintain zero tolerance towards losses and damage associated with environmental pollution
  • Ensure achievement of carbon footprint targets
  • In relation to industrial safety, the Company shall: comply with national and international occupational health and safety standards; create safe working conditions; identify and eliminate hazardous production factors; reduce environmental impact; commit to zero injuries and the elimination of health and safety risks to employees; guarantee employees the right to refuse work in situations that reasonably pose a threat to their life or health or that of others.

Investment activities

  • Engage strategic partners for major investment projects to share risks
  • Implement subsoil use projects jointly with strategic partners, preferably on carry financing terms
  • Avoid exceeding approved investment project costs and adhere to project implementation timelines
  • Ensure new investment projects satisfy the profitability index (PI) requirement of no less than 1.3
  • Ensure new investment projects are evaluated taking into account their impact on the Company’s shareholder value
  • Ensure new subsoil use investment projects at the exploration stage demonstrate a positive expected monetary value (EMV > 0) based on preliminary estimates
  • Prevent any reduction in hydrocarbon reserve replacement

Internal control system (ICS)

Based on audit findings, the Risk Management and Internal Control Service provides methodological support to the following departments in developing and updating flowcharts, risk and control matrices:

  • the Budgeting and Planning Department of KMG’s Corporate Centre on the budgeting process;
  • the Administrative Affairs Directorate on the management of representation expenses;
  • KMG’s Human Resources Management Department on business travel management.

An analysis of control procedures within the procurement process at subsidiaries and associates confirmed that, based on a sample of procurement contracts, controls are being applied adequately to enable objective assessment.

A self‑assessment survey on ICS and BCMS maturity was conducted among subsidiaries and associates, using criteria based on the COSO framework (five components) and KMG’s internal assessment methodology. The results showed that subsidiaries and associates are generally progressing with ICS and BCMS implementation, with the weighted average score holding at 79% – unchanged from the prior year. Recommendations for strengthening control and business continuity management were prepared on the basis of the findings. KazTransOil, Embamunaigas and Pavlodar Refinery currently lead in ICS and BCMS maturity.

Leading subsidiaries in ICS and BCMS implementation and improvement include KazTransOil, Pavlodar Refinery, Atyrau Refinery, Ozenmunaigas, Embamunaigas, Mangistaumunaigaz, Kazakhoil Aktobe and Kazakhturkmunay.

Efforts continue with the other subsidiaries and associates to improve their implementation and enhancement of these systems.

During the reporting period, job descriptions for risk managers at subsidiaries and associates were reviewed and updated to reflect best practices, enhancing the effectiveness of internal controls. Work in this area is ongoing.

To strengthen risk management expertise, 104 employees from subsidiaries and associates completed training in “Objectives, Risks, Decisions” and “Risk Management Practice: ISO 31000 and COSO ERM Tools”.

An analysis of the Industrial Safety Department’s activities resulted in recommendations for improving internal controls in the planning and conduct of inspections.

104 employees of subsidiaries and associates
completed risk management training