Organizational Importance and Commitment

Systematic risk management and crisis preparedness are key components of business stability and long-term sustainable operations. The Company places importance on establishing an appropriate risk management structure to analyze and assess risks comprehensively, including the assessment of emerging risks, to formulate risk management plans for dealing with crises and to ensure a timely response to unexpected events, thereby minimizing the potential impact on stakeholders.

Opportunities and Impact

Systematic risk and crisis management serve as essential mechanisms for preventing and mitigating the impact of unexpected events – both financial impacts and effects on the Company’s image, credibility, and strategic decision-making. They also present an opportunity to develop the organization’s resilience and ability to adapt effectively to changing environments, thereby enhancing competitiveness and operational efficiency – crucial factors for achieving sustainable growth.

Supporting the SDGs

Goal 16:
Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels.

Stakeholders Directly Impacted

Customers
Monitor technological changes to offer new products and services and resolve issues quickly and efficiently.
Trade Partners
Implement ESG activities according to the Company’s plan and coordinate with partners to expand cooperation and build sustainable alliances.
Employees
Have job security and opportunities for career advancement.
Creditors / Lenders
Strictly comply with agreed terms and maintain transparency in business operations.
Shareholders
Financial performance and the direction of business development and growth.
Regulators / Government Agencies
Conduct business in full compliance with laws and regulations.

Goals and Performance

ESG Performance Indicators and Targets | 2024 Performance Results
The overall Risk Index decreased compared to 2023 | The overall Risk Index is 10.73, decreased from 13.25 in December 2023
Conduct Risk Management Training sessions at least 1 time annually | Organized a training session on “Legal Consideration In Contract Management”. There were 120 participants in the training.
Quarterly track and report risk management results | Risk management results are monitored on a quarterly basis and reported to the Board of Directors 3 times
Number of complaints or incidents regarding security of information systems and customer information is zero | 0: No complaints regarding security of information systems and customer information
Testing and risk assessment of equipment and information systems (Penetration Test) | Completed according to plan
Preparation of Log Monitoring reports to ensure the safety of the network system from the risk of attack | Completed according to plan

Management Guidelines

Strategy

1. Define clear structure, roles, and responsibilities in risk management at the organizational level, business level, and operational level.
2. Provide risk management methods, and supervise and review the risk management process regularly so that it is consistent with the changing situation and with generally accepted risk management standards.
3. Push risk management to be one of the main strategies of each agency by setting risk management measures to keep risk at an acceptable level with a clear operational plan. This includes continuous monitoring of practice plans that are reviewed and adjusted according to changing situations, and being able to measure progress and evaluate results.
4. Push for risk management communication throughout the entire unit so that everyone sees the importance of risk management, increase risk awareness on a wide scale, and promote the development of a risk management culture within the organization.
5. Integrate information system and cybersecurity risks into enterprise-wide risk management.
6. Establish a security management process for the information technology system that is consistent with the Information Security Policy.

Management Approaches

1. Manage risks throughout the organization according to COSO guidelines to effectively reduce the likelihood and impact of risks.
2. Analyze the severity level and prioritize risk issues in order to prepare operational plans, establish risk management measures and key risk indicators (KRIs), and monitor performance to report to the Risk Management Committee and the Board of Directors.
3. Establish policies and procedures for maintaining information security and supervise compliance throughout the organization.
4. Develop information security systems.
5. Regularly check, analyze, and assess the risk of attacks that lead to blocked access to networks and information systems.

Risk Management Policy

The Risk Management Committee has formulated a policy that covers risk management processes and methodologies, including oversight and regular reviews to ensure efficiency and responsiveness to external risk factors. Additionally, the Company promotes widespread internal communication regarding risk management to foster organization-wide risk awareness.

Risk management is positioned as a core strategic component for all departments, with clearly defined risk appetite levels and actionable, adaptable plans that are regularly reviewed and updated in response to changing conditions. Progress tracking and performance evaluations are implemented to ensure the risk management process aligns with the organization’s policies, strategies, and goals, as well as regulatory requirements and the risk management standards recommended by the Securities and Exchange Commission and the Stock Exchange of Thailand. Ultimately, this approach helps mitigate potential obstacles to achieving organizational objectives and strengthens the foundation for sustainable long-term growth.


Risk Management Structure

The Board of Directors has established a risk management structure that includes a committee and a working group composed of representatives from core business units and support functions. This structure ensures that the diverse nature of the business group is fully addressed. The roles and responsibilities of executives are clearly defined, including planning, implementing measures, and monitoring performance to ensure alignment between business activities and the Company’s policies, goals, and strategies. This structure also supports the Company’s ability to respond to rapidly evolving sustainability issues. Furthermore, the internal audit unit operates independently to review and evaluate the risk management process. The details of roles and responsibilities are outlined in the related documents.

Figure: Risk Management Structure

Risk Management Framework

Figure: Risk Management Framework

Strategy Formulation

1. Building an Organizational Culture in Risk Management

The Company instills a proactive risk management mindset among executives and employees at all levels, while encouraging executives to take a key leadership role in risk management, which is crucial to the organization’s strategic risk planning. This is carried out through training and seminars. Furthermore, the Company utilizes insights from actual events, past incidents, or near-miss events as case studies and promotes the integration of risk management concepts into all stages of operations. Employees are also responsible for setting goals, strategies, plans, and risk response measures. Risk management issues are also integrated into key performance indicators (KPIs) at both the organizational and departmental levels, applying to all personnel from the board of directors and executives to employees and risk owners.

2. Establishing Risk Appetite Criteria

To ensure that risk management is conducted with quality, is measurable, and clearly reflects outcomes that are beneficial to business operations, the Company has established risk appetite criteria as a guideline for determining which risks it should prioritize for improvement and development.

3. Planning for Future Risk Management

The Company closely monitors situational developments, forecasts, and prepares to handle future risks by considering all possible scenarios that may arise. It consistently sets measures and adjusts risk management plans to align with the organization’s long-term sustainability goals and build organizational resilience in response to current situations, including managing the diversity of the supply chain and reviewing plans to reduce redundancy in operations.

4. Risk Management Partnerships

The Company supports collaboration with partners, customers, business allies, surrounding communities and society, as well as educational institutions, government agencies, and private sector organizations. These collaborations aim to conduct both direct and indirect risk management activities to strengthen the supply chain in a systematic and effective manner. They also reflect a shared commitment and responsibility in addressing global challenges.

Partnerships in product and service development.

Collaboration in developing new technologies and innovations that address environmental and sustainability issues.

Business Risk Factors and Risk Management

The Company collected risk issues from business groups and support units, selecting key risk issues using acceptable risk criteria and grouping risk issues with similar causes or impacts to ensure effectiveness and efficiency in setting risk management measures.


Crisis Management

The Company has implemented a Business Continuity Plan (BCP) that addresses responses to major risks which could cause business disruptions or hinder work operations. These include fire, natural disasters, terrorism, cyberattacks, epidemics, and infectious diseases. The plan ensures that internal departments are adequately prepared in advance to handle crisis or emergency events, so that the Company is capable of responding to crises, continuing its operations, and consistently delivering quality products and services.


Information Technology and Cybersecurity Governance

The Company has established a governance structure that clearly delineates roles and responsibilities, continuously assesses risks, and establishes mechanisms to monitor and respond to potential cyber threats systematically. The aim is to protect the security, confidentiality and availability of information and IT systems, thereby safeguarding the Company's digital assets from all forms of cyber threats. This governance aligns with relevant regulations, standards and practices.

Figure: Information Technology and Cybersecurity Governance

Approach for Protection Against Threats to Systems and Information

Risk Assessment
Use of Security Technologies
Access Control Management
Monitoring & Incident Response
Training & Review

Cybersecurity Awareness and Culture Building

The Company has established an Information Security Policy and security regulations that all employees must follow. New employees receive documentation outlining these practices and are trained on these policies. Additionally, regular communication and alerts regarding cybersecurity threats are shared via email and internal communication channels. The Company also continuously organizes training sessions on information technology and system usage to foster a culture of cybersecurity awareness within the organization.


Cyber Threat Response Measures

Response procedures are in place for actual cyber threat incidents, including drills and simulated scenarios to assess vulnerabilities, system capability, and the responsiveness of responsible departments. Results from these exercises are used to improve response processes and mitigate risks. This also includes updating operational manuals and maintaining an incident reporting process. Moreover, the Company has a Business Continuity Plan and Disaster Recovery Plan in place to ensure swift and effective responses to emergencies.


Key Developments
A workshop on “Legal Consideration In Contract Management” was conducted to promote a risk management culture and as part of the operational plan for risk management. Approximately 120 participants joined, including Company directors, members of the Risk Management Committee, the Risk Management Working Group, executives, and other relevant personnel.
Enhancing Preparedness and Responsiveness to Cyber Threats (IT System Resilience and Verification)
Developing a testing plan to assess the risks of IT equipment and systems (Penetration Test)
Preparing Log Monitoring reports to ensure network security against potential attacks
Cybersecurity Awareness Enhancement
In 2024, the Company sent employees to attend the IT VISION 2024: Sustainable Tech seminar organized by the Stock Exchange of Thailand and conducted internal training sessions to develop technological knowledge through the use of Digital Solutions. These efforts aim to reduce risks and negative impacts while enhancing employees’ computer skills.
  • 4 courses were provided
  • 104 employees participating