Risk Management Framework

This Risk Management Framework ("the Framework") sets out TauKen Group Ltd.'s approach to identifying, assessing, mitigating, and monitoring risks across its operations. It is designed to ensure strategic resilience, regulatory compliance, and operational integrity in accordance with the laws of the Republic of Kazakhstan and the United Kingdom.

The Framework supports informed decision-making, protects stakeholder interests, and reinforces the Group's commitment to transparency, sustainability, and long-term value creation.

TauKen Group Ltd. complies with the following legislation:

Under Kazakhstan Law:

• Civil Code of the Republic of Kazakhstan
• Law on Joint Stock Companies (2003)
• Law on Combating Corruption (2015)
• Environmental Code (2021)
• Labour Code (2015)
• Tax Code (2017)

Under UK Law:

• Companies Act 2006
• Corporate Governance Code (FRC)
• Bribery Act 2010
• Health and Safety at Work Act 1974
• Data Protection Act 2018
• Environmental Protection Act 1990

Where legal obligations differ, TauKen Group Ltd. applies the stricter standard.

This Framework applies to:

• All subsidiaries and operational units of TauKen Group Ltd.
• All employees, directors, contractors, and third-party partners
• All strategic, financial, operational, legal, environmental, and reputational risks

TauKen Group Ltd. maintains a multi-tiered governance structure for risk oversight:

Board of Directors

The Board is ultimately responsible for risk oversight, setting the Group's risk appetite, and approving mitigation strategies.

Audit & Risk Committee

This committee monitors risk exposure, reviews internal controls, and liaises with external auditors. It receives quarterly risk reports and escalation notices.

Executive Management

The executive team is responsible for implementing risk controls, managing operational risks, and ensuring compliance with the Framework.

Group Risk Officer

The Risk Officer coordinates risk assessments, maintains the enterprise risk register, and ensures alignment with legal and regulatory requirements.

Subsidiary Risk Leads

Each subsidiary appoints a risk lead responsible for local risk identification, reporting, and mitigation.

TauKen Group Ltd. classifies risks into the following categories:

• Strategic Risk: Risks arising from business model, market positioning, or geopolitical exposure.
• Operational Risk: Risks related to processes, systems, personnel, and supply chain.
• Financial Risk: Risks involving liquidity, credit, currency, and capital structure.
• Legal & Regulatory Risk: Risks of non-compliance with laws, permits, or contractual obligations.
• Environmental & Social Risk: Risks related to emissions, biodiversity, community impact, and ESG performance.
• Reputational Risk: Risks affecting public trust, investor confidence, or brand integrity.
• Cyber & Data Risk: Risks involving data breaches, system failures, or digital infrastructure.

TauKen Group Ltd. follows a structured five-step process:

6.1 Identification

Risks are identified through internal audits, stakeholder consultations, regulatory reviews, and scenario analysis.

6.2 Assessment

Each risk is assessed based on likelihood and impact using a standardised scoring matrix. Risks are prioritised as low, medium, high, or critical.

6.3 Mitigation

Mitigation strategies are developed for all high and critical risks. These may include process redesign, insurance, legal safeguards, or technology upgrades.

6.4 Monitoring

Risks are monitored continuously through dashboards, KPIs, and control testing. Emerging risks are flagged for executive review.

6.5 Reporting

Quarterly risk reports are submitted to the Audit & Risk Committee and summarised in the Board's governance review. Material risks are disclosed in the Group's annual report.

TauKen Group Ltd. maintains a balanced risk appetite:

• Strategic Risk: Moderate tolerance for innovation and expansion within approved investment thresholds.
• Operational Risk: Low tolerance for safety breaches, compliance failures, or process disruptions.
• Financial Risk: Conservative approach to debt, currency exposure, and capital allocation.
• Environmental Risk: Zero tolerance for non-compliance with environmental laws or ESG commitments.
• Reputational Risk: Zero tolerance for unethical conduct, corruption, or brand misrepresentation.

Internal controls are embedded across all business functions:

• Dual sign-off for financial transactions
• Procurement integrity protocols
• Compliance checklists for project approvals
• Cybersecurity firewalls and access controls
• ESG audits and restoration plans
• Legal review of contracts and permits

Controls are tested quarterly and audited annually.

All employees receive risk management training during onboarding and annually thereafter. Training covers:

• Legal obligations under Kazakhstan and UK law
• Risk identification and escalation procedures
• Role-specific risk scenarios and mitigation tools
• Ethics, whistleblowing, and data protection

This Framework is reviewed annually by the Audit & Risk Committee and updated to reflect:

• Changes in legislation or regulation
• Strategic shifts or new business lines
• Lessons learned from incidents or audits
• Feedback from stakeholders and regulators

TauKen Group Ltd. is committed to continuous improvement and benchmarking against global risk management standards.