Risk Management
Management Approach (GRI 3-3d., GRI 3-3e., GRI 3-3f.)
Risk Management
Today’s business operations are more challenging, in terms of market competition, crises, and transitions. Risk management is, therefore, considered an important tool for OR’s business management to ensure that business operations can achieve set goals and respond to the needs of all stakeholder groups in a balanced manner, as well as prevent losses that may arise from uncertainty. Risk management also includes seeking opportunities to add business value to maintain the competitiveness of the organization in the future. OR has established a risk management structure supervised by the Enterprise Risk Management Committee. The Audit Committee reviews the risk management system and helps in driving risk management throughout the organization effectively.
OR’s Risk Management Structure


Risk Management Framework

OR provides risk management knowledge to employees at chief executive level or above through the Risk Management Program for Corporate Leader (RCL) training courses regularly organized by the Thai Institute of Directors (IOD). The aim is to enhance understanding of roles and responsibilities in overseeing risk management aspects to handle business opportunities, foster business development, and comprehend roles and responsibilities during crisis situations. Additionally, training sessions on Risk Management and Internal Control are conducted for new employees in the Orientation program. Furthermore, Risk Management training is provided for employees across all departments and units to apply in developing Business Unit Risk, Project Risk, analyzing Business Unit Risk, and creating Workflow Process and Process Control Plan. Moreover, specialized Risk Management and Internal Control training is also organized for executives or employees undertaking Secondment roles in companies within the OR group. This includes top executives within the organization, CFOs, Company Directors, and members of the Overseas Pool, all of whom undergo the Company Management Program.
OR has announced its risk management policy, establishing a framework and processes that interconnect at every level within the organization. The policy adheres to the COSO Enterprise Risk Management – Integrated Framework 2017 criteria and is steered by the Risk Management and Internal Control team under the Strategy and Investment Management Division. Risk management is closely linked to the strategic and business planning processes from the outset, ensuring alignment across the entire value chain. Quarterly and annual risk management progress is continuously monitored and reported to the Organizational Risk Management Committee and the Company’s Board of Directors. This facilitates regular review and control of organizational risks, maintaining them at levels acceptable to OR.
In 2023, OR reviewed its risk management policy to align with the direction and business strategy of the Company, aiming towards conducting business for a sustainable future through the lens of OR Sustainable Development Goals (SDG). This is to efficiently address the OR 2030 objectives. These objectives include:
S – SMALL: Opportunities for Communities, achieved through business operations that uplift the quality of life and well-being of local communities.
D – DIVERSIFIED: More Partners, Products, and Services, utilizing OR’s potential as a platform to distribute diverse business opportunities, fostering collective growth.
G – GREEN: Low Carbon Business Areas, promoting all types of OR businesses to become green businesses, supporting the creation of a sustainable low-carbon society. OR is committed to achieving carbon neutrality by 2030 and progressing towards net-zero carbon emissions by 2050.
For sustainable growth for all groups of stakeholders, OR considers factors that can cause significant risks both externally and internally. OR communicated the 2023 Risk Trends, including Global Risk, Thailand Risk, and Business Area Risk. This allows all departments, both business and support functions, to take risks into account and prepare risk management plans along with the strategic plans and business plans of the divisions, consistent with OR’s strategic direction, goals, and Corporate Risk Framework. Key risk issues from business and support functions are gathered to prepare the Corporate Risk Profile 2023 and the Corporate Risk Management Plan 2023, approved by the Board of Directors. The plan has been communicated to all departments to ensure consistent risk management at the organizational, functional, and operational levels. The risk management results are monitored and reported quarterly to the Management Committee, Corporate Risk Management Committee and Board of Directors. In this regard, the Risk Appetite level has been determined and the Risk Tolerance level has been used to determine the threshold level of the Key Risk Indicator to measure the risk management results more effectively.
OR conducts a continuous review of its risk management processes annually, both internally and externally. The audit committee has examined the effectiveness and efficiency of the risk management process, including risk management policy, internal control, legal compliance, and regulations relevant to OR and its subsidiaries. Collaboration with the internal audit unit involves quarterly assessments and consultancy work, offering recommendations and suggestions regarding internal control and risk management in critical business processes for OR’s management and subsidiaries. Additionally, the results of the internal control assessment and feedback on the internal control system report are reviewed regularly, following the standards and guidelines set by the Ministry of Finance regarding the Internal Audit Standards and Ethics for Internal Auditing of Government organizations B.E. 2561 (2018). In 2023, the internal control assessment results were found to be adequate and consistently implemented, with identified risks accompanied by internal control improvements to prevent or mitigate these risks in 2024.
For external audits, OR has undergone other external audits in the past 2 years, namely Operational Risk assessments through third-party audits, which are an integral part of the ISO 9001, ISO 14001, and ISO 45001 certifications.
OR’s Enterprise Risk Management

Enterprise Risk Issues
OR has conducted a business environment analysis based on various crises that occurred in 2023, considering both internal and external factors. The key risks in 2023 include the Russia-Ukraine conflict, Israel-Palestine conflict, political situations, government policies, economic conditions, inflation trends, interest rates, exchange rate fluctuations, natural disasters, drought conditions, industry changes, competitors, technological advancements, cybersecurity, financial market volatility, enforcement of new laws, and other relevant factors. The Company has identified these significant risk factors affecting current and future business operations, grouping them into six categories.
- Strategic Risk
- Operational and Business Risk
- ESG Risk
- Information Technology Risk
- Financial Risk
- Compliance Risk
OR has conducted risk control and implemented additional risk mitigation measures to reduce the risks to an acceptable level. In addition, due to the geopolitical tensions between Israel and Palestine in 2023, which had a minor impact on oil prices, OR analyzed the situation using Bloomberg’s scenario model. The analysis examined the impact on OR and included preparations for management and close monitoring of the situation. Furthermore, OR recognized the increasing risk of cyber-attacks in the present digital-driven organizational transformation. Cyber-attacks could potentially become Black Swan events, causing operational interruptions and affecting the entire business. Consequently, OR has reviewed crisis response plans and conducted business continuity drills across the organization’s value chain. Specifically, for the ‘Cyber Attack OR Digital Infrastructure’ scenario, a comprehensive review and efficient response were carried out on August 29, 2023, to support effective response to emergencies from Cyber Attack situations.
Example of Identified Risks
Organizational risk factors | Prioritization (Likelihood and Magnitude) | Risk Appetite | Mitigating Actions | Monitoring and Audit | |
|---|---|---|---|---|---|
IT Risk | Cybersecurity risks and threats have been steadily increasing, causing widespread impacts. Examples include computer virus attacks, ransomware attacks, data theft, and data hacking. As a result, key corporate data and confidential information could be leaked or the business could face disruption, negatively impacting the organization’s reputation. | | The leakage of information as required by law or the leakage of information that could significantly impact business operations is equal to 0 (zero). | OR places importance on prevention and mitigation measures to avoid becoming a target of cyber-attacks. This includes implementing cybersecurity plans to enhance security effectively, such as: Developing crisis response plans and conducting continuous business continuity management drills throughout the organization’s value chain. | |
Organizational risk factors | Prioritization (Likelihood and Magnitude) | Risk Appetite | Mitigating Actions | Monitoring and Audit | |
|---|---|---|---|---|---|
Financial Risk | Financial liquidity risk may significantly impact the organization’s business operations and OR’s financial costs. | | Financial liquidity must be sufficient to meet debt obligations, commitments, and investments, with financial ratios in line with the financial policy of the PTT Group. | • Prepare financial estimates to plan for fund management, aligning with the monetary demands and market situations in the financial and/or capital markets. • Plan for short-term and/or long-term loans to secure capital funds. • Prepare for the launch of bond issuance to enhance long-term financial liquidity. | • Monitor financial risk management quarterly. • Information on internal audit can be found at 56-1 One Report page 62. • The independent auditor’s report can be found at 56-1 One Report page 293. |
Risk Culture
OR aims to promote a risk management culture throughout the organization to ensure that OR grows sustainably and securely. Executives and employees at all levels of the company possess Risk Awareness, Risk-Taking, and Risk Management. OR fosters a risk-aware culture through the following:
OR drives a risk management culture from organizational leaders or “Tone from the top” by declaring risk management policies, articulating acceptable risk (Risk Appetite), and promoting and overseeing appropriate risk management throughout the organization, such as incorporating risk criteria into the product development or approval process. For example, the lubricant product development plan requires a health and safety risk assessment to reduce potential risks. In addition, OR develops product and service stewardship plans according to the different types of business operation and sets the topic ‘Product and Service Standard: Quality/Safety/Environment’ as the Corporate Risk Profile to highlight the importance of product and service stewardship in business. Risk criteria are established for research and development of products and services, encompassing the Risks & Opportunities section. For more details on incorporating risk criteria into the product development or approval process, see the Product and Service Stewardship website.
OR assigns accountability where executives and employees are aware of the ownership of risks, with appropriate risk exposure. Key performance indicators (KPIs) are established that consider the balance between returns and risks. In terms of investing for business, OR sets criteria and guidelines for investment analysis, assesses risks, and prepares a Mitigation Plan to reduce the impact of investments. OR has an escalation process in the event that a risk is found to exceed the acceptable risk level of the organization. Individual employees have a responsibility to proactively identify and report potential risks throughout the organization that can lead to negative impacts on business operations or the organization, via e-mail at OR-ERMC@pttor-staging.livetubex.com. OR communicates and exchanges ideas to create effective communication and challenges, supports open expression, and presents perspectives on risks at every stage of work from all departments.
OR provides financial incentives which incorporate risk management metrics. Risk culture is tied to KPIs for senior executives, line managers and employees (such as Operation safety, Product and Service Quality, Image and Reputation Organization, Carbon Neutral Pathway, and Financial Performance). KPIs are listed as Key Risk Profile of OR’s Corporate Risk Profile. KPI results are interpreted as part of individual performance evaluation and result in financial incentive consideration.
In addition, OR provides HR practices to encourage personnel at all levels to act in accordance with the OR DNA, good risk management, as well as compliance with the company’s policies and processes, which are reflected in the annual performance evaluation. HR management also plays a role in promoting the organization’s risk culture, such as succession planning, training, etc. OR defines and emphasizes that all employees adhere to operational guidelines that consider governance, risk, and compliance (GRC). The risk management manual is published throughout the organization on a website accessible to all employees, and focused training on risk management and internal control principles is held throughout the organization during the year to make employees aware of the importance of risk management processes and internal control, and to increase knowledge and understanding of risk management principles and internal control for executives and employees to apply to their operations effectively. In particular, the OR Orientation course is organized annually to provide appropriate training on risk management to employees from the beginning. OR’s compliance such as the Competition Act B.E. 2560 (2017), risk management, compliance with laws and corporate regulations. In addition, OR encouraged directors, senior executives, executives appointed as directors of OR Group, and employees to attend GRC-related training courses of the Thai Institute of Directors Association (IOD) such as Advanced Audit Committee Program (AACP), Risk Management Program for Corporate Leaders (RCL), Ethical Leadership (ELP), Anti-Corruption in Practice (ACPG), Corruption Risk & Control, and Good Corporate Governance (CG) E-learning.
Risk Training Details in 2023 (GRI 3-3e.)
Training program | Target group | Date of training | Number of trainees (people) | Summary of recommendations from training |
|---|---|---|---|---|
Risk Management and Internal Control (Orientation) | New employees | 25 Aug 2023 | 50 | New employees have knowledge and understanding in risk management and internal control as a basis for their work. |
Risk Management | Strategic departments of every line of work and direct unit | 1 June 2023 | 50 | Trainees have increased knowledge and understanding of risk management. |
Risk Management Program for Corporate Leaders (RCL) | Regular risk management education for all non-executive directors (All Board of Directors) | 21 Nov 2024 | 32 | Risk management education is provided for all |
Emerging risks
OR prioritizes newly emerging risks and prepares to address them, considering their impact on the business operations of OR. Measures are in place to proactively manage the risks comprehensively and systematically, as follows:
1. Natural resource crisis and biodiversity loss: coffee beans
Risk Description | Mitigating Action |
|---|---|
The Global Risks Report by the World Economic Forum reports that environmental crises and biodiversity loss are ranked among the world’s top long-term risks in terms of severity. Additionally, the Food and Agriculture Organization (FAO) has revealed that rising global temperatures could reduce suitable areas for coffee cultivation by up to 50%. OR’s Café Amazon business faces significant risks due to climate change impacting natural resources and biodiversity loss. Rising global temperatures and environmental crises could reduce suitable areas for coffee cultivation. These changes threaten the availability and quality of coffee beans, leading to increased sourcing costs and potential supply chain disruptions. Long-term Impact to OR: The shortage and increased cost of high-quality coffee beans would negatively impact the profitability of Café Amazon, requiring higher investment in sustainable practices. Variations in taste, aroma, and quality could affect consumer satisfaction and brand loyalty, reducing market share and revenues. Supply chain disruptions could further increase operational costs and inefficiencies, potentially leading to higher consumer prices and harming customer loyalty and brand reputation. | OR collaborates with the Ministry of Agriculture and Cooperatives to promote coffee cultivation, creating sustainable opportunities for coffee farmers. This involves exchanging knowledge with the Ministry and cooperatives to promote and support the expansion of coffee cultivation. The approach includes transitioning to integrated farming with coffee to enhance farmers’ productivity and income sustainably. This initiative aims to develop the efficiency of coffee production to meet international standards in terms of quantity and quality, particularly focusing on locally distinctive coffee products that add more value. Additionally, it contributes to addressing concerns related to deforestation and environmental issues. Moreover, there is a marketing collaboration, where Café Amazon supports the purchase of high-quality coffee produced by farmers who receive promotional support for coffee cultivation. This aligns with OR’s commitment to emphasize creating opportunities and value for people without leaving anyone behind throughout the business operations chain. |
2. Employment crisis
Risk Description | Mitigating Action |
|---|---|
The Global Risks Report by the World Economic Forum reports that employment crisis is one of the long-term global risks. Additionally, the World Population Prospects predict that the global population will reach around 8 billion people. People aged over 65 are estimated to make up approximately 10%. This number is expected to rise to 16% by 2050. The situation of the elderly in Thailand reveals that the country has rapidly become the world’s third-ranked nation in terms of the growing elderly population. In 2022, Thailand entered a full-fledged aging society, and it is anticipated that by 2030, Thailand will transform into an aged society similar to Japan. This transformation includes an increase in the population aged 60 and above, comprising up to 28% of the country’s total population. The population growth is minimal, with an increase of only 0.18%. As the world enters an increasingly aging society, nearly every country faces the challenge of labor shortages. Long-term Impact to OR: OR employs a large workforce, including for businesses like PTT Station, Café Amazon, and other retail businesses. As Thailand enters the ultimate aging society, this may lead to labor shortages for OR’s businesses, resulting in increased labor costs. This situation can impact the overall business operations and performance of the Company. | OR has developed a fully self-serve model for its gas stations, known as “Fully Self-Serve Station,” incorporating automation systems in production, storage, and product distribution processes. This aims to reduce labor dependency and enhance operational efficiency. Additionally, Café Amazon has expanded opportunities for elderly individuals, considering the aging population in Thailand. There are many elderly people who lack employment opportunities due to advancing age. Therefore, OR collaborated with the Department of Social Development and Welfare, Ministry of Social Development and Human Security, to establish “Café Amazon for Chance,” operated by senior baristas. This initiative involves employing individuals aged 60-65 as baristas, designing the cafes to suit the working conditions of seniors, for example, offering a limited menu tailored to popular preferences, using automatic brewing machines to achieve a standard Café Amazon taste, determining the appropriate height of raw material shelves, and emergency medical equipment. Through standardized training, these senior baristas are prepared similarly to regular Café Amazon staff. This model aims to address labor shortages and create opportunities for the elderly in Thailand. |
3. The spread of cybercrime and cyber security issues
Risk Description | Mitigating Action |
|---|---|
The Global Risks Report by the World Economic Forum reports that widespread cybercrime and cyber insecurity are ranked as one of the global risks with long-term severity. At the same time, NT cyfence’s Cybersecurity Operations Center (CSOC) has reported that malicious code, including viruses, worms, trojans, and spyware, remains a top cybersecurity threat in Thailand. With technology and information systems being essential for rapid business progression, OR’s digital transformation, which includes ventures like xplORe and EV Station Pluz, exposes the organization to increased cyber threats. Long-term Impact to OR: As OR continues to expand its digital ventures, cybersecurity threats such as computer viruses, ransomware, data theft, and system breaches pose significant risks. These incidents can lead to operational disruptions, financial losses, and damage to OR’s reputation. Prolonged system outages or data breaches can erode customer trust, leading to a decline in customer base and market share. Ensuring robust cybersecurity measures is crucial for maintaining business continuity, protecting sensitive information, and sustaining OR’s long-term growth and competitive edge. | OR recognizes the dangers posed by the aforementioned cybersecurity threats and understands the importance of preventive measures and impact reduction to control the risks of being targeted in an attack. Therefore, the Company has initiated the Cyber Security Roadmap project to enhance security effectiveness in the cyber world. Key activities include the use of firewall systems and Security Operation Center (SOC) services to prevent attacks and data leaks. The Company has implemented and utilized Cloud Access Security Brokers (CASB) and Data Leak Protection (DLP) systems. Furthermore, software has been installed on Company computers to control data access, as well as prevent attacks, and data leaks. Regular system checks and risk assessments are conducted to identify vulnerabilities in the information systems. Additionally, employees are provided with knowledge on safeguarding data to prevent external leakage. OR has also taken the step of acquiring cybersecurity insurance and preparing a Business Continuity Management (BCM) system to support any threats that may arise against the Company’s information systems. |
Related Documents
Document Name | File (Attach or Link) |
|---|---|
1. Risk and Crisis Management | Click to Download |
2. Risk Management Policy (Please select “Corporate Risk Management”) | Click to Download |




