Risk Management System

RISK MANAGEMENT SYSTEM
(based on COSO ERM and ISO 31000:2018)

General Information

At JSC “Navoiyazot”, a Risk Management System (RMS) based on the COSO ERM framework and the international standard ISO 31000:2018 has been implemented to improve corporate governance, ensure financial sustainability, and enhance the quality of strategic and operational decision-making.

The system was implemented step by step within the framework of the 2025 Roadmap, developed in cooperation with the Ministry of Economy and Finance of the Republic of Uzbekistan and JSC “UzAssets”, taking into account the expectations of the Company’s sole shareholder.

Stages of RMS Implementation

Stage 1. Preparatory and Institutional Framework (2024–2025)

•    A Risk Management Department was established and began operating as an independent structural unit;
•    Employees were trained in accordance with ISO 31000:2018;
•    Methodological documents recommended by JSC “UzAssets” were reviewed;
•    Technical specifications for RMS implementation based on COSO ERM and ISO 31000 were developed.

Stage 2. Diagnostics and Methodology (2025)

•    A three-stage consulting agreement was signed with “KPMG Audit” LLC;
•    A diagnostic audit was conducted;
•    A roadmap for the Risk Management System and Internal Control System was developed;
•    Risk Management Policy, methodologies, risk appetite and risk tolerance documents were prepared;
•    Relevant amendments were introduced into corporate governance documents (Regulations of the Supervisory Board and its committees).

Stage 3. Practical Implementation and Independent Operation (end of 2025)

•    Practical trainings were conducted for management bodies and employees;
•    A risk register, risk map, and KRI (Key Risk Indicators) system were established;
•    All internal regulatory documents related to RMS and ICS were approved;
•    A register of the Company’s TOP-21 key risks was developed.

Risk Management Policy and Objectives

RISK MANAGEMENT POLICY

The Policy is aimed at achieving the Company’s strategic objectives, maintaining financial stability, protecting assets, and integrating risk consideration into management decision-making processes.

Policy objective:

To preserve and enhance organizational value through timely identification, assessment, monitoring, and management of strategic, operational, financial, environmental, and other risks affecting the Company’s activities.

Key objectives:

•    establishing a unified approach and requirements for risk management;
•    integrating risk management processes into the corporate governance system;
•    systematic management of strategic, operational, financial, compliance, IT, and environmental risks;
•    supporting decision-making within the approved risk appetite;
•    clearly defining responsibilities at all management levels;
•    ensuring transparent risk monitoring and reporting.

RISK MANAGEMENT POLICY JSC "NAVOIYAZOT"

Compliance with COSO ERM

The RMS fully complies with the five core components of COSO ERM:

•    Governance & Culture — Supervisory Board and Risk Management Committee;
•    Strategy & Objective-Setting — risk appetite and shareholder expectations;
•    Performance — risk identification, assessment, KRI and risk register;
•    Review & Revision — continuous monitoring and review;
•    Information & Reporting — quarterly and annual risk reporting.

Participants and Responsibilities

Risk management in the Company is carried out based on the “Three Lines” model:

•    1st line — business and operational units;
•    2nd line — Risk Management Department and Compliance;
•    3rd line — Internal Audit.

The Risk Management Department reports directly to the Chairman of the Management Board and acts as the coordinating center of the system.

Risk Management Committee

At “Navoiyazot” JSC, a Risk Management Committee has been established under the Executive Body, which oversees the effectiveness of the risk management system and the internal control system within the Company.

Legal basis for the Committee’s activity
The Risk Management Committee operates in accordance with the Company’s Charter, the Regulation on the Supervisory Board, the Regulation on the Risk Management Committee, as well as the COSO ERM framework, the international standard ISO 31000:2018, and the legislation of the Republic of Uzbekistan.

Composition of the Risk Management Committee
(based on Order №1104 dated 13.07.2025)

If necessary, the Committee may involve heads of relevant departments and external consultants in its work.

Risk Appetite and KRI

The Company has established a consolidated risk appetite level equal to 10% of forecast net profit.
Continuous monitoring of key risks is conducted through risk tolerance levels and Key Risk Indicators (KRI).

Monitoring and Transparency

•    Risks are monitored on a quarterly and annual basis;
•    Corrective actions are defined in case of deviations;
•    Regular reports are submitted to the Supervisory Board and the Risk Management Committee.

Current Status

•    The RMS based on COSO ERM and ISO 31000 has been fully implemented;
•    The three-stage project has been completed;
•    Since 2026, the system has been operating in an independent operational mode;
•    Corporate governance and risk culture have been significantly strengthened.