Risk Management System
The Bank is committed to balancing the interests of business and society and aligning its economic, environmental, and social goals to ensure long-term sustainable development. The Bank integrates sustainability principles, as outlined by international sustainability standards, into its management system, development strategy, and core operational processes.
The Bank has an effective risk management system in place that complies with applicable legislation and aligns with international risk management standards.
To establish a unified approach to risk management and build an integrated risk management system, the Bank developed a Risk Management Policy. This policy covers the main risk concepts and types, principles, and organizational structure of the risk management system, and also includes the definition of risk appetite and procedures for identifying material risks.
The key regulatory documents within the risk management and internal control system, which define processes and methods for risk response and assessment of control mechanisms, include the following:
- Risk Management Policy;
- Capital Management Policy;
- Liquidity Management Policy;
- Market Risk Management Policy;
- Credit Risk Management Policy;
- Contingency Funding Plan;
- Risk Appetite Strategy;
- Internal Control Policy;
- Business Continuity Management Policy;
- Operational Risk Management Policy;
- Information Security Risk Management Policy;
- Information Technology Risk Management Policy, and others.
As a participant in the country’s financial system, the Bank applies various approaches in its risk management process in line with the requirements of the regulatory authority, such as:
- the three lines of defense model;
- development of the Bank’s risk appetite strategy;
- capital adequacy assessment;
- liquidity adequacy assessment;
- stress testing of the Bank’s key financial indicators;
- ensuring a comprehensive management reporting system.
To successfully implement its strategy, the Bank regularly analyzes key risks that may affect the achievement of strategic goals and financial stability, and develops corresponding risk mitigation measures. During the reporting year, as in previous periods, the Bank continued to maintain a high level of liquidity and capital adequacy, significantly exceeding the requirements of the regulatory authority.
Risk Management Organizational Structure
The Bank’s risk management system includes the involvement of the Board of Directors, the Risk and Internal Control Committee of the Board of Directors, the Management Board, other authorized bodies of the Bank, and risk management units responsible for the assessment, control, and monitoring of risks, with clearly defined responsibilities and authorities distributed among them.
The Bank’s Board of Directors is responsible for ensuring the proper functioning of the risk management system, taking into account the business model, scale of operations, types, and complexity of the Bank’s activities. It ensures an effective process for identifying, measuring, assessing, monitoring, controlling, and mitigating material risks, to determine the required level of capital and liquidity to cover these risks. The Risk and Internal Control Committee operates under the Board of Directors and coordinates the Bank’s overall risk management process. This includes the development of internal regulatory documents and the establishment of the Bank’s risk profile. The Management Board is responsible for monitoring the risk management process and implementing risk mitigation measures. It is also responsible for providing the Board of Directors with the necessary information regarding approved risk appetite levels and the reasons for any deviations, where applicable.
The Head of Risk Management is appointed and dismissed by decision of the Bank’s Board of Directors. The Head of Risk Management has sufficient authority, independence, and resources to maintain regular interaction with the Risk and Internal Control Committee and the Board of Directors. This officer organizes and coordinates activities in the areas of internal control, underwriting and collateral, as well as financial and credit risk management.
Risk management units are responsible for the overall risk management framework and for monitoring the application of commonly accepted methods and approaches to identifying, assessing, managing, and reporting both financial and non-financial risks.
Risk Appetite Framework
The Risk Appetite Strategy approved by the Board of Directors of the Bank is aimed at maintaining an optimal balance between achieving the Bank’s strategic objectives, ensuring profitability across key business areas, and managing the levels of risk accepted by the Bank. It also promotes the embedding of a risk culture across all levels of the Bank’s organizational structure and encourages adherence to established risk appetite thresholds within the context of this culture.
As part of the Risk Appetite Strategy, the Board of Directors approves risk appetite levels and aggregate risk appetite thresholds for material risk types. These thresholds are expressed through quantitative and qualitative indicators: quantitative metrics are used to assess managed risks, while qualitative indicators are applied to non-financial risks. These thresholds define the clear boundaries of acceptable risk exposure within which the Bank operates while implementing its overall strategy. This approach takes into account the Bank’s risk profile and aims to prevent the realization of risks or minimize their negative impact on the Bank’s financial condition.
The key risk types that form the Bank’s overall risk profile, including material risks defined for 2024, are as follows:
Material risks:
- Credit risk;
- Liquidity risk;
- Market risk;
- Operational risk;
- Strategic risk;
- Information technology risks;
- Information security risks;
- Compliance risk.
Other risks:
- Legal risk;
- Tax risk;
- Reputational risk;
- ESG risks;
- Corruption and fraud risks;
- Internal control risks;
- HR management risks;
- Audit risks.
The aggregate risk appetite level is expressed quantitatively and includes credit risk, market risk, operational risk, and liquidity risk.
The approved structure of the Bank’s aggregate risk appetite level for 2024 is as follows: credit risk – 69 %, liquidity risk – 17 %, market risk – 13 %, operational risk – 1 %.
Monitoring of compliance with the established risk appetite levels, in accordance with the Bank’s approved Risk Appetite Statement, is conducted on a regular basis. The results of this monitoring are submitted for review to the Bank’s authorized bodies, including the Board of Directors.
Risk Identification and Monitoring Process
The Bank’s risk management system comprises a set of components designed to enable effective interaction between the Bank’s internally developed and regulated procedures, processes, policies, and structural units, with the aim of timely identification, measurement, control, and monitoring of the Bank’s risks, as well as their mitigation to ensure financial stability and sustainable operations.
The Bank places a strong emphasis on risk management, particularly focusing on the identification and assessment of material risks that could significantly affect the Bank’s financial stability, reputation, or liquidity.
The Bank identifies material risks through the following activities:
- Analysis and assessment of planned operations, including all on-balance sheet and off-balance sheet items exposed to risk;
- Review of current market conditions and the impact of internal and external factors on risk levels;
- Development of a set of tools and indicators for risk analysis and assessment.
Following the identification process, a monthly quantitative assessment of the Bank’s material risks is performed using methods that provide reliable estimations of the Bank’s risk exposure, taking into account assumptions embedded in the methodologies.
Risk assessment involves determining the magnitude and probability of potential losses over a given time horizon and their impact on the Bank’s financial position. Quantitative evaluation allows for determining the amount the Bank could lose at a specific risk level.
The methods used to assess material risks include, but are not limited to:
- Assessment of expected credit losses in accordance with IFRS requirements and those of the regulatory authority;
- Value-at-Risk (VaR) and Expected Shortfall (ES) for market risk assessment;
- Gap analysis for assessing interest rate and liquidity risk;
- Duration analysis for assessing interest rate and price risks;
- Ratio analysis to assess liquidity risk, including liquidity coverage ratio (LCR) and net stable funding ratio (NSFR);
- Stress testing, including scenario analysis and sensitivity analysis, for assessing market, credit, and liquidity risks;
- Forecasting and modeling, including cash flow forecasting for market and liquidity risk assessment.
To limit risk exposure, the Bank applies several risk mitigation techniques, such as setting limits, diversification, and provisioning.
The Bank’s risk management system ensures that authorized decision-making bodies are well-informed about risk-related issues by establishing an effective corporate governance framework and providing complete, accurate, and timely information on material risks inherent in the Bank’s activities.
Internal Control System
The Internal Control System (ICS) at the Bank has been developed in accordance with the requirements of the laws of the Republic of Kazakhstan, the Basel Committee on Banking Supervision, and international best practices. The Bank applies the COSO Integrated Framework (2013) in the construction of its internal control system. The ICS is an ongoing process embedded in day-to-day operations, implemented by the Board of Directors, collective governance bodies, structural units, and all Bank employees in the performance of their duties, aimed at achieving the following objectives:
- ensuring the efficiency of the Bank’s operations, including effective management of banking risks, assets, and liabilities, and safeguarding of assets;
- ensuring the completeness, reliability and timeliness of financial, regulatory and other reporting for internal and external users, as well as information security;
- ensuring the Bank’s compliance with the requirements of the civil, tax, and banking legislation of the Republic of Kazakhstan;
- preventing the involvement of the Bank, its employees, and customers in any unlawful activities.
The Board of Directors oversees the activities of the Management Board of the Bank by ensuring the implementation of the ICS and monitoring its condition. The Risk and Internal Control Committee of the Board of Directors of the Bank monitors the functioning of the ICS and reviews the results of evaluations of its quality and effectiveness. The Audit Committee of the Board of Directors reviews ICS effectiveness reports and the implementation and quality of developed (corrective) actions and provides recommendations to the Board of Directors of the Bank for ICS improvements. The Management Board of the Bank is responsible for ensuring the existence and proper functioning of all components and principles of the ICS.
The Bank develops internal control procedures based on the following interrelated elements:
- risk management oversight;
- control activities and segregation of duties;
- information and communication;
- monitoring and remediation of deficiencies.
The Bank’s ICS includes the following control tools:
- oversight performed by the Board of Directors, its committees, and the Bank’s Management Board to identify and address weaknesses in internal control, violations, and errors;
- control conducted by heads of structural divisions;
- control over the physical existence of and access to tangible assets, and the security of premises used for asset storage;
- verification of compliance with established limits;
- implementation of an approval and delegation system for rights and authority;
- verification of the timely and accurate accounting and reporting of the Bank’s operations and transactions;
- verification of compliance with the Bank’s policies and procedures when conducting operations and transactions.
From the internal control perspective, all the Bank’s operations and transactions are required to be recorded. Control tools over financial accounting and reporting include:
- monitoring of information systems used for accounting to ensure compliance with the accounting and financial reporting laws of the Republic of Kazakhstan and International Financial Reporting Standards (IFRS);
- availability of internal documents governing accounting processes within the Bank;
- chronological and timely registration of transactions and events in the accounting system;
- ability to generate financial statements at the close of each business day;
- consistency between general ledger (synthetic) and subledger (analytical) accounting;
- regular reviews of accounting records by employees who are not involved in authorizing or recording transactions in the financial reporting system;
- recording of accounting entries based on primary documents, ensuring their proper documentation and safe storage.
Control activities in operations are distributed through segregation of duties to minimize conflicts of interest, prevent illegal actions, and avoid granting the same structural unit and/or employee the ability to:
- execute banking operations and other transactions while simultaneously recording them in the accounting system;
- authorize and make actual disbursements of funds, considering the limits established by the Bank’s internal documents;
- conduct operations both on customer accounts and on the Bank’s own operational and financial accounts;
- assess the accuracy and completeness of documents submitted for loan issuance and monitor loan repayment;
- perform actions in any other areas where a conflict of interest may arise.
Depending on the type of the Bank’s operations, the following control methods are applied:
- dual control (four-eyes principle and joint access);
- transaction analysis;
- operational result reporting to provide Bank management with information on performance indicators, financial condition, and deviations from the budget;
- staff training on control techniques and error detection;
- data protection measures;
- safeguards against human error;
- error-checking procedures to ensure timely detection.
From the internal control standpoint, the availability of reliable and detailed financial and operational information, as well as information on compliance with applicable civil, tax, and banking laws of the Republic of Kazakhstan, is ensured.