Organizational Importance and Commitment

Systematic risk management and crisis preparedness are key components of business stability and long-term sustainable operations. The Company places importance on establishing an appropriate risk management structure to analyze and assess risks comprehensively, including the assessment of emerging risks, to formulate risk management plans for dealing with crises and to ensure a timely response to unexpected events, thereby minimizing the potential impact on stakeholders.

Opportunities and Impact

Systematic risk and crisis management serve as essential mechanisms for preventing and mitigating the impact of unexpected events – both financial impacts and effects on the Company’s image, credibility, and strategic decision-making. They also present an opportunity to develop the organization’s resilience and ability to adapt effectively to changing environments, thereby enhancing competitiveness and operational efficiency – crucial factors for achieving sustainable growth.

Supporting the SDGs

Goal 16:
Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels.

Stakeholders Directly Impacted

Customers: Monitor technological changes to offer new products and services and resolve issues quickly and efficiently.
Trade Partners: Implement ESG activities according to the Company’s plan and coordinate with partners to expand cooperation and build sustainable alliances.
Employees: Have job security and opportunities for career advancement.
Creditors / Lenders: Strictly comply with agreed terms and maintain transparency in business operations.
Shareholders: Financial performance and the direction of business development and growth.
Regulators / Government Agencies: Conduct business in full compliance with laws and regulations.

Goals and Performance

2025 ESG Performance Indicators and Targets | 2025 Performance Results
Quarterly track and report risk management results | Risk management results are monitored on a quarterly basis and reported to the Board of Directors 4 times
The overall Risk Index for high and very high risk groups decreased, based on the performance of the Risk Management Committee (RMC). | The overall Risk Index for high and very high risk groups was 5.41, a decrease from 13.44 in January 2025.
Conduct training sessions to support risk management at least once a year. | Organized a training session on the topic "Economic Trends and Factors Businesses Need to Monitor for Adaptation and Driving Force in 2026" for directors, the Risk Management Committee, executives, and relevant staff. The program aimed to enable participants to apply the knowledge to prevent and mitigate risks while supporting business operations within their respective units. A total of 140 participants attended the training.
Zero complaints and incidents related to information system security and customer data | Zero complaints and incidents related to information system security and customer data
Zero ransomware attacks | Zero ransomware attacks
Zero incidents of software copyright infringement were reported. | Zero software piracy
Network infrastructure outage resolution within one hour | There were two network outage incidents, both of which were resolved within one hour

Management Guidelines

Strategy

1. Define a clear structure, roles, and responsibilities in risk management at the organizational, business, and operational levels.
2. Provide risk management methods, and supervise and review the risk management process regularly so that it remains consistent with the changing situation and with generally accepted risk management standards.
3. Make risk management one of the main strategies of each agency by setting risk management measures that keep risk at an acceptable level with a clear operational plan. This includes continuous monitoring of practice plans that are reviewed and adjusted according to changing situations, and being able to measure progress and evaluate results.
4. Promote risk management communication throughout the entire unit so that everyone sees the importance of risk management, to increase risk awareness on a wide scale, and to promote the development of a risk management culture within the organization.
5. Integrate information system and cybersecurity risks into enterprise-wide risk management.
6. Establish a security management process for the information technology system that is consistent with the Information Security Policy.

Management Approaches

1. Manage risks throughout the organization according to COSO guidelines to effectively reduce the likelihood and impact of risks that occur.
2. Analyze the severity level and prioritize risk issues to prepare operational plans, establish risk management measures and key risk indicators (KRIs), and monitor performance to report to the Risk Management Committee and the Board of Directors.
3. Establish policies and procedures for maintaining information security and supervise compliance throughout the organization.
4. Develop information security systems.
5. Regularly check, analyze, and assess the risk of being attacked, leading to blocking access to networks and information systems.

Risk Management Policy

The Risk Management Committee has formulated a policy that covers risk management processes and methodologies, including oversight and regular reviews to ensure efficiency and responsiveness to external risk factors. Additionally, the Company promotes widespread internal communication regarding risk management to foster organization-wide risk awareness.

Risk management is positioned as a core strategic component for all departments, with clearly defined risk appetite levels and actionable, adaptable plans that are regularly reviewed and updated in response to changing conditions. Progress tracking and performance evaluations are implemented to ensure the risk management process aligns with the organization’s policies, strategies, and goals, as well as regulatory requirements and the risk management standards recommended by the Securities and Exchange Commission and the Stock Exchange of Thailand. Ultimately, this approach helps mitigate potential obstacles to achieving organizational objectives and strengthens the foundation for sustainable long-term growth.


Risk Management Structure

The Board of Directors has established a risk management structure that includes a committee and a working group composed of representatives from core business units and support functions. This structure ensures that the diverse nature of the business group is fully addressed. The roles and responsibilities of executives are clearly defined, including planning, implementing measures, and monitoring performance to ensure alignment between business activities and the Company’s policies, goals, and strategies. This structure also supports the Company’s ability to respond to rapidly evolving sustainability issues. Furthermore, the internal audit unit operates independently to review and evaluate the risk management process. The details of roles and responsibilities are outlined in the related documents.

[Figure: Risk Management Structure]

Risk Management Framework

[Figure: Risk Management Framework]

Strategy Formulation

1. Risk Governance

The Company defines its risk management structure precisely. The Board of Directors and Senior Management are responsible for establishing the risk management policy and framework together with the risk appetite, and for monitoring all significant risks regularly.

2. Building an Organizational Culture in Risk Management

The Company instills a proactive risk management mindset among executives and employees at all levels, while encouraging executives to take a key leadership role in risk management, which is crucial to the organization’s strategic risk planning. This is carried out through training and seminars. Furthermore, the Company utilizes insights from actual events, past incidents, or near-miss events as case studies and promotes the integration of risk management concepts into all stages of operations. Employees are also responsible for setting goals, strategies, plans, and risk response measures. Risk management issues are also integrated into key performance indicators (KPIs) at both the organizational and departmental levels, applying to all personnel from the Board of Directors and executives to employees and risk owners.

3. Risk Identification & Assessment

The Company identifies, analyzes, and assesses all risks relating to corporate strategy, finance, operations, law, technology, and sustainability, together with risks from climate change, risks in the supply chain, and emerging risks. These risks are then prioritized and selected for inclusion in the risk management plan. Indicators and targets for assessment and monitoring are also set.

4. Planning for Future Risk Management

The Company closely monitors situational developments, forecasts, and prepares to handle future risks by considering all possible scenarios that may arise. It consistently sets measures and adjusts risk management plans to align with the organization’s long-term sustainability goals and build organizational resilience in response to current situations, including managing the diversity of the supply chain and reviewing plans to reduce redundancy in operations.

5. Risk Partnership

The Company strengthens the collaboration with many business alliances, external experts, and regulatory entities to upgrade its risk management standards, to share knowledge in ESG, and to manage risks in its supply chain.

Partnerships in product and service development.

Collaboration in developing new technologies and innovations that address environmental and sustainability issues.

6. Monitoring & Disclosure

The Company monitors and assesses key risk indicators (KRIs) and reviews its risks regularly. Information about the Company’s risks and sustainability opportunities is disclosed in accordance with the good governance guideline to enhance transparency and stakeholder confidence.

Business Risk Factors and Risk Management

The Company collected risk issues from business groups and support units, selecting key risk issues using acceptable risk criteria and grouping risk issues with similar causes or impacts to ensure effectiveness and efficiency in setting risk management measures.


Crisis Management

The Company has implemented a Business Continuity Plan (BCP) that addresses responses to major risks which could cause business disruptions or hinder work operations. These include fire, natural disasters, terrorism, cyberattacks, epidemics, and infectious diseases. The plan ensures that internal departments are adequately prepared in advance to handle crisis or emergency events, so that the Company is capable of responding to crises, continuing its operations, and consistently delivering quality products and services.


Information Technology and Cybersecurity Governance

The Company has established a governance structure with clearly delineated roles and responsibilities, continuously assesses risks, and has established mechanisms to monitor and respond to potential cyber threats systematically. The aim is to protect the security, confidentiality and availability of information and IT systems, thereby safeguarding the Company's digital assets from all forms of cyber threats. This governance aligns with relevant regulations, standards and practices.

[Figure: Information Technology and Cybersecurity Governance]

Approach for Protection Against Threats to Systems and Information

Risk Assessment
Use of Security Technologies
Access Control Management
Monitoring & Incident Response
Training & Review

Cybersecurity Awareness and Culture Building

The Company has established an Information Security Policy and security regulations that all employees must follow. New employees receive documentation outlining these practices and are trained on these policies. Additionally, regular communication and alerts regarding cybersecurity threats are shared via email and internal communication channels. The Company also continuously organizes training sessions on information technology and system usage to foster a culture of cybersecurity awareness within the organization.


Cyber Threat Response Measures

Response procedures are in place for actual cyber threat incidents, including drills and simulated scenarios to assess vulnerabilities, system capability, and the responsiveness of responsible departments. Results from these exercises are used to improve response processes and mitigate risks. This also includes updating operational manuals and maintaining an incident reporting process. Moreover, the Company has a Business Continuity Plan and Disaster Recovery Plan in place to ensure swift and effective responses to emergencies.


Key Developments
Organized a training session on the topic "Economic Trends and Factors Businesses Need to Monitor for Adaptation and Driving Force in 2026" for directors, the Risk Management Committee, executives, and relevant staff. The program aimed to enable participants to apply the knowledge to prevent and mitigate risks while supporting business operations within their respective units. A total of 140 participants attended the training.
Installed additional threat protection equipment and systems to enhance the efficiency of information security and the Company’s network, enhance anomaly detection capabilities, and reduce the risk of threat propagation and disruption to critical systems.
Reviewed and promulgated additional information security management guidelines to control the use of software in line with the organization’s security standards and to ensure accurate and auditable management of software assets and copyrights.
Organized Cyber Security Awareness & Prevention training for directors, executive committee members, management, and employees to enhance awareness and strengthen the organization’s capability to prevent and respond to cyber threats, as well as to promote a corporate culture of information security. A total of 56 participants attended the training.