Corporate control

In the event of corporate conflicts, the parties attempt to settle them by negotiation to efficiently protect the interests of KMG and other stakeholders.

In order to be effectively prevented or addressed, corporate conflicts primarily need to be identified as soon and fully as possible, with all corporate governance bodies to act in a consorted manner.

Corporate conflicts are addressed by the Chairman of the Board of Directors assisted by the Corporate Secretary. If the Chairman of the Board of Directors is involved in a corporate conflict, such cases are addressed by the Nomination and Remuneration Committee of the Board of Directors.

Internal audit

Internal audits are carried out by KMG’s Internal Audit Service (IAS).

The IAS reports and is accountable to KMG’s Board of Directors, and is supervised by the Audit Committee of KMG’s Board of Directors.

For more details on KMG’s Internal Audit Service, see KMG’s 2023 Sustainability Report.

Internal Audit Service activities in 2024

The work plan of the Internal Audit Service for 2024 included a range of thematic audits and assessments of the production, operational, and financial processes at KMG and its subsidiaries and associates. Additionally, it encompassed monitoring the fulfilment of motivational key performance indicators for KMG’s management and tracking the implementation of recommendations issued by the Internal Audit Service. While the plan outlined 22 audits, the Internal Audit Service successfully conducted 35 audits in total, including 12 ad hoc reviews.

As a result of the audits carried out in 2024, the IAS issued 466 recommendations aimed at improving KMG’s operations. The IAS consistently monitors and oversees the development and implementation of measures to address these recommendations. To mitigate identified risks, the IAS evaluates the effectiveness of the internal control system, conducts ongoing monitoring, and performs post‑audits to ensure compliance with the recommendations. The key areas of focus where recommendations were made following the audits in 2024 include production activities, procurement procedures, occupational safety, contract execution, information technology and information security, as well as investment activities and capital expenditures.

The Audit Committee not only monitors the IAS’ performance but also facilitates professional development of the IAS employees and the management of its talent pool. These matters are covered by the IAS reports and reviewed by the Audit Committee on a quarterly basis.

The high professional level of the IAS employees is a key performance driver for KMG’s internal audit function, therefore training and upskilling are prioritised.

External audit

In order to independently assess the reliability of KMG Group’s accounting (financial) statements, each year the Company engages an external auditor to conduct an audit of financial statements prepared in accordance with the IFRS.

According to the resolution of shareholders represented by the Management Board of Samruk‑Kazyna dated 20 January 2022, an independent audit firm Ernst & Young LLP was selected as the external auditor of KMG’s financial statements for 2022–2024.

The external auditor is approved by the General Meeting of Shareholders following theapproval by KMG’s Board of Directors.

For more details on the auditor appointment and assessment of its independence, see KMG’s 2023 Annual Report.

Provision of non‑audit services by the external auditor

According to the Auditor Engagement Policy, the external auditor is required to obtain approval from the Audit Committee to provide non‑audit consulting services. The total fee for non‑audit services rendered bythe external auditor to KMG Group for the reporting year must not exceed 50% of the average fee for audit services rendered by the external auditor to KMG Group for three consecutive previous reporting years.

KMG annually submits to the Audit Committee forapproval the information on non‑audit services authorised for the external auditor and the audit and non‑audit services provided by the external auditor during the reporting year. Non‑audit services rendered by an external auditor in 2024 amounted to 2.8% of thetotal cost of audit services.

Risk management system

The corporate risk management system (CRMS) at KMG is designed to encompass all management levels and facilitate the identification, assessment, and mitigation of risks that could impact the sustainable development of the business. The primary goal is to enhance the Company’s resilience amidst external and internal changes.

For more details on KMG’s corporate risk management system, including its organisational structure, see KMG’s 2023 Annual Report.

CRMS development and improvement in 2024

The risk management system operates through interrelated processes that include the identification, analysis, monitoring, and management of key risks. In 2024, several initiatives were undertaken to improve the system, such as monitoring sanction risks and launching a pilot project aimed at automating key risk indicators.

KMG implements the three lines of defence model in accordance with the COSO framework. Ongoing efforts focus on promoting a strong risk culture and providing training to employees.

The internal control system (ICS) is integrated into KMG’s core processes, offering reasonable assurance in achieving operational and financial objectives as well as ensuring legislative compliance. In 2024, the emphasis was placed on automating the monitoring of control procedures and formalising internal controls within key business processes.

The business continuity management system (BCMS) is crucial for ensuring the Company’s resilience to various incidents. In 2024, business continuity plans were developed for key business processes at the subsidiaries and associates.

Corporate insurance protects the property interests of the Company and its shareholders. The main types of insurance include coverage for production assets, liability to third parties, and energy‑related risks.

KMG faces several key risks, including the potential decrease in oil exports, price volatility, changes in legislation, and environmental and climate‑related risks. Throughout the year, the Company implemented measures to mitigate these risks, such as diversifying oil transportation routes, monitoring sanction risks, and executing a low‑carbon development programme.

Risk map

№	Risk
	Risk of decreasing oil exports
	Work‑related injury risk
	Country risks and the risk of sanctions
	Liquidity and financial stability risks
	Investment (project) risks
	Social unrest in regions of operation
	Strong volatility of oil prices
	Production decline risk
	Risk of emergencies or man‑made disasters at production facilities
	Risk of changes in applicable laws, and litigation and arbitration risks
	Environmental risk
	Geological risk
	Climate risks and low‑carbon development
	Information security risks

Key risks of the Company

No change

Risk has increased

Risk has reduced

Trend (over the year)	Risk description and likely impacts	Mitigation and management
	Risk of decreasing oil exports Main causes: accidents, technical malfunctions at the the Caspian Pipeline Consortium (CPC), sanctions, geopolitical tensions, and a decline in demand. Impact Oil transportation restrictions, the suspension of production at major fields (Tengiz, Kashagan, and Karachaganak), storage overstocking, and a subsequent loss of profit.	In response, the Company is actively exploring alternative transportation routes, expanding pipeline capacity, and replacing critically important equipment at the CPC.
	Work‑related injury risk Causes: non‑compliance with occupational safety regulations and production discipline that poses threats to the lives and health of employees. Impact Injuries and threats to employee health, financial losses, reputational damage, and disruptions in production.	To mitigate these risks, the Company implements training programmes, establishes control procedures, and adopts new technologies to enhance safety. A near miss reporting programme is in place, utilising Qorgau cards and behavioural observations. Inspections and safety enhancement programmes continue at subsidiaries and associates, including collaboration with contractors.
	Country risks and the risk of sanctions Operating internationally exposes the Company to changes in economic and political environments. Sanctions may affect joint projects and the supply of equipment. In 2024, several suppliers withdrew from collaboration due to the involvement of Russian companies. Impact The tightening of sanctions may adversely affect operational and financial activities and may lead to the imposition of secondary sanctions on the Company.	Monitoring and analysis of sanction risks, along with regular updates to the Fund and relevant departments. Assessment of promising projects and engagement of alternative contractors. Inclusion of protective mechanisms against sanctions in agreements. Establishment of a working group focused on import substitution.
	Liquidity and financial stability risks The main risks are associated with liquidity, financial stability, and potential downgrades in credit ratings, which could necessitate urgent loan repayments and restrict access to financing. Impact There is a risk of insufficient funds for financing operational and investment activities. In 2024, the Company maintained financial stability.	Controlling leverage and using free cash flow to repay debt. Balancing borrowed and internal capital. Cutting costs and monitoring budget execution. Repaying existing loans and providing financial aid to subsidiaries and associates. Maintaining a robust credit profile to ensure access to capital markets. Making early debt repayments to reduce leverage.
	Investment (project) risks Projects in exploration, production, transportation, and processing of hydrocarbons are subject to both internal and external risks. In 2024, significant delays in project execution were primarily due to prolonged procurement procedures and waiting for guarantees from contractors. Impact Increased costs, commissioning delays, and failure to meet project goals.	Regularly monitoring projects and making necessary adjustments to plans. Engaging in negotiations with contractors to reduce operational costs. Optimising the investment programme by excluding unprofitable projects. Relying on a project management system maintained in line with international standards (Stage Gate Process)
	Social unrest in regions of operation The Company faces the risk of unauthorised strikes, particularly among contractor employees. In 2024, there was an increase in strikes in the Mangistau Region, with primary demands for wage increases and job security. Impact: Negative impact on the Company’s reputation, disruptions in production processes, increased operational costs, and effects on capital expenditures. Rising inflation and a weakening tenge may complicate wage negotiations.	KMG maintains a representative office in Aktau to address conflicts in the Mangistau Region. Continuous monitoring of social conditions at enterprises is ongoing, with efforts to prevent conflicts in collaboration with government agencies. Roadmaps have been developed to improve working conditions and infrastructure in subsidiaries and associates from 2023 to 2027. A unified internal communication system has been implemented, featuring regular meetings between management and employees. In 2024, a total of 1,194 individuals were employed in subsidiaries, associates, and contractor companies through additional agreements with contractors.
	Strong volatility of oil prices The Company is exposed to the risk of significant volatility in energy prices. Impact Volatility may lead to changes in revenue, cash flow, and other financial results.	Implementing crisis management measures during sharp market fluctuations. Adjusting the Company’s Development Plan, along with reducing and optimising costs. Prioritising investment projects. Continuously monitoring prices and analysing demand for oil and oil products.
	Production decline risk Main external causes: emergency shutdowns, power supply disruptions, and severe weather conditions. Main internal causes: well wear, inefficient planning, and low‑quality equipment. Impact Disruption of production plans, downtime in production, and loss of revenue.	Construction of a 247 MW hybrid power plant in Zhanaozen in partnership with Eni (scheduled for implementation in 2024–2026). Regular monitoring of the time between repairs for wells, ensuring timely equipment repairs and upgrades.
	Risk of emergencies or man‑made disasters The Company’s production activities are associated with potential accident risks that could harm property, the environment, and third parties. Impact Worker injuries and fatalities. Damage to equipment and infrastructure. Costs associated with accident response, along with environmental fines.	Monitoring geological data and drilling fluid parameters. Mandatory control of drilling fluid preparation and monitoring indicators for detection of gas, oil, and water influxes. Maintenance and diagnostics of equipment, along with industrial safety assessments. Training and briefings for employees on safe operation of equipment. Conclusion of voluntary property insurance contracts
	Risk of legislative changes and legal disputes The Company’s activities may be affected by changes in legislation, including tax and customs regulations, as well as risks arising from unfavourable outcomes in court and arbitration disputes. Impact In 2024, KMG’s Corporate Centre launched no lawsuits worth over USD 1 mln.	Continuous monitoring of legislative changes and assessing their potential impact. Participation in working groups to develop and discuss draft laws. Monitoring judicial practices and applying best legal solutions. Resolution of the Stati case without the right to renewal, which eliminated the risk of additional losses and strengthened the Company’s legal position.
	Environmental risk The Company is exposed to the risk of adverse environmental impact and the tightening of environmental legislation. Impact Environmental risks may lead to fines, excess emissions charges, costs for environmental remediation, and escalated social tensions.	Emission management and reduction of gas flaring. Management of water resources and production waste. Land reclamation and energy efficiency improvement. Preventive environmental management and engagement with stakeholders. Implementation of the waste disposal memorandum and monitoring of accumulated waste. Adoption of best available technologies and automated environmental monitoring systems in subsidiaries and associates.
	Geological risks Exploration projects are associated with risks arising from the uncertainty of geology, which may lead to the failure to discover hydrocarbons or result in low reserve estimates. Impact Absence of commercially viable reserves or identification of reserves below anticipated levels.	Collection and analysis of geological and geophysical data, along with data from similar fields. Application of advanced geophysical surveying and data interpretation methods. Conducting pro‑active seismic surveying to mitigate risks. Engaging strategic partners for joint field development. Enhancing team expertise through training and experience exchange with foreign companies.
	Climate risks and low‑carbon development The Company faces risks related to the energy transition and climate change, including regulatory, technological, and market risks, as well as physical risks due to extreme weather conditions and long‑term climate change implications. In 2024, floods in the Atyrau, Aktobe, and West Kazakhstan regions triggered emergencies. Operational headquarters were established to oversee the response, facilitate ongoing monitoring, and deliver financial aid for recovery efforts. Impact Climate‑related risks may result in increased costs, reduced profitability, decreased demand, negative effects on employee health, and diminished productivity.	Development of KMG’s 2060 Low‑Carbon Development Programme. Accounting for energy consumption and greenhouse gas emissions. Monitoring and implementing emission reduction plans in subsidiaries and associates. Engaging in negotiations with international organisations to attract investments in methane emission reduction projects. Implementation of a forest‑climate project in collaboration with Chevron and the Pavlodar Region akimat. Construction of a desalination plant in Kenderli (Mangistau Region). Implementation of renewable energy projects, including the development of a hybrid power plant in Zhanaozen (wind – 77 MW, solar – 50 MW, gas – 120 MW) in partnership with Eni, as well as the construction of a 1 GW wind power plant in the Zhambyl Region in collaboration with Total Eren.
	Information security risks The Company is exposed to risks related to breaches of confidentiality, integrity, and availability of information resources. In 2024, three critical‑category incidents concerning information security were reported. Timely responses were ensured for all incidents, preventing negative impacts on the Company’s IT infrastructure and business processes. Impact: Data leaks, disruptions in nformation systems, and failure to meet business targets	To manage information security risks, the Company implements: continuous monitoring of information security incidents via the information security operations centre; maintenance of the information security management system in line with the ISO/IEC 27001 international standard, as well as in compliance with the requirements established by Kazakhstan’s laws on information security; external assessments and audits of cyber security, along with initiatives aimed at identifying and addressing vulnerabilities in the information infrastructure; regular scans and pen testing of systems across KMG, its subsidiaries, and associates are conducted to detect potential vulnerabilities, with prompt measures implemented to fix them; utilisation of the latest and innovative technologies, including automated systems for vulnerability analysis and incident monitoring, enabling the Company to proactively manage cyber threats; awareness‑raising activities for employees regarding information security, including prevention of phishing and social engineering threats; the Company regularly conducts training sessions, workshops, and testing aimed at fostering safe behaviour skills when using email and other communication channels.