Risk management is a critical element of all of PTT's business operations and is connected to every level of the business. PTT therefore established the Enterprise Risk Management Policy, which all PTT employees are required to follow, and appointed the Enterprise Risk Management Committee (ERMC) to formulate policy, implement the risk management framework, and govern and support organizational risk management so that it stays aligned with business strategy and goals under changing conditions. The Committee also provides guidance, monitors performance, and reports risk assessment results to the Corporate Plan and Risk Management Committee (CPRC) to ensure maximum effectiveness and progress in line with the principles and management approach of the PTT Way of Conduct. Issues are also reported to the CPRC, the Risk Management Committee, the Audit Committee, and the Board of Directors for review and suggestions for continuous improvement. In this way PTT is able to respond to corporate risks in a timely manner.
PTT's risk management framework and procedures follow the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework and ISO 31000 Risk Management – Principles and Guidelines, both of which are international standards that help the parties involved understand risk management principles and apply them appropriately. Corporate risks are managed systematically through committees with defined scopes and responsibilities. Every business function is responsible for managing its risks and keeping them at a manageable level.
Corporate Risk Profile
PTT’s risk management process is designed to be integrated with components from each step of the organization’s strategic planning process. Every year, PTT analyzes and assesses risks to develop the Corporate Risk Profile, which corresponds to corporate targets and strategic plans and incorporates expectations from different stakeholder groups, economic trends, political conditions, as well as significant socioeconomic and environmental factors. These risks can be categorized as strategic risk, business risk, operational risk and financial risk – all of which pose potential impacts to PTT’s performance, employees, customers, suppliers, organizational reputation, the general public and the environment. In addition, PTT takes into consideration event risks, emerging risks, and PTT Group Black Swan Events. Risk owners have the responsibility of formulating risk management plans for such risks, defining Key Risk Indicators (KRIs), and monitoring and reporting results to the Corporate Plan and Risk Management Committee, the Risk Management and Internal Control Committee, and the Audit Committee in accordance with PTT’s defined procedures.
Emerging Risk Management
As businesses become increasingly dependent on technology to create product innovation, improve productivity and deepen relationships with customers through social media marketing, cybersecurity risk has never been more prominent. With the number of reported cybercrimes rising alongside the growing number of smartphone users, companies are taking a variety of approaches to strengthen their information security systems and keep valuable data and assets out of the hands of cyber criminals.
Depending on the nature and severity of an attack, the consequences of cyber threats range from identity theft, phishing e-mail and malware infections to serious incidents such as disruption of production processes, infrastructure shutdown and power outages, any of which can damage the company's finances, reputation and consumer confidence.
PTT, as the national energy company committed to ensuring long-term energy security for Thailand and to responding to all stakeholders equally, also places importance on cyber security. Alongside the company's aspiration to advance its digital strategy by adopting technological changes such as social media marketing and Internet of Things (IoT) technology for value creation and productivity improvement, PTT recognizes that cyber risk is a threat to key data and infrastructure systems.
In response, PTT has adopted the international standard ISO/IEC 27001 (Information Security Management System) to establish an effective cyber security regime within the organization. PTT has also carried out several activities to ensure that information security is given priority. These include:
An annual surveillance audit by a third party (PTTICT) to confirm that PTT's approach conforms with international practice
Vulnerability assessments (VA) of IT systems to identify weaknesses for further improvement
An IT Security Awareness program in various formats to raise awareness and educate PTT employees on data security issues (e-learning, infographics, animations, seminars/events, program reports, etc.)
An orientation program that is a prerequisite course for new employees
Figure: PDCA Model Applied to ISMS Processes (Reference: ISO/IEC 27001)
The cooperation of all employees is key to an effective organizational risk management system. An awareness program on risk management and the business continuity management system has therefore been implemented. The program consists of selecting employees with risk management knowledge, building a risk culture in which employees at all levels understand their roles and responsibilities, and encouraging the relevant employees to participate in the risk management plan. Key performance indicators for executive management are also set to measure the efficiency and effectiveness of their performance.
Business Continuity Management
In line with PTT's commitment to securing energy for Thailand, protecting business operations, and maintaining the trust, safety and security of all its stakeholders, PTT has developed a Business Continuity Management System (BCMS) according to the PTT Group Business Continuity Management System Standard, which is based on ISO 22301 and other relevant standards. The system, governed by the Corporate Plan and Risk Management Committee, covers protection, response, management and recovery, and is divided into three phases: prevent/prepare; respond/resume; and recover/restore.
Continuously changing conditions pose a challenge for PTT: unexpected events such as natural disasters, terrorism and other threats could affect PTT's ability to meet its business objectives and disrupt operations, resulting in the loss of assets or lives and extensive impacts on stakeholders. Without the capacity to restore normal business operations, the corporation may not survive. PTT therefore gives priority to coordinated corporate management strategies that include mitigation measures, preparedness, and the promotion of awareness and responsibility in accordance with the BCMS.
PTT has formulated a safety and emergency response plan with four levels based on the severity of the event. Level 1 is an event that PTT can respond to on its own; it is managed by the Emergency Command Center (ECC) set up to resolve emergency events. Where PTT requires help from external parties at the local, provincial or national level, the event is escalated to Level 2, 3 or 4 respectively, and an Emergency Management Center (EMC) or Crisis Management Center (CMC) is set up to handle conditions as appropriate. A responsible person is identified and authorized to manage events at each level, ensuring effective resolution and efficient coordination with public and private agencies and neighboring communities. PTT believes that by implementing such protective measures and developing mechanisms that help manage operations and ensure continuity in times of crisis, the organization can continue to build confidence among stakeholders and create a long-term competitive advantage.
To maintain readiness for crisis response, PTT has appointed a business continuity management coordinator in each department to communicate critical information, including good practices, emergency phone numbers, temporary working sites, and significant changes during the year. In addition, the Emergency & Business Continuity Management Web Portal serves as a channel for communicating risk-related facts, emergency and crisis management, business continuity management, and internal and external factors, so that employees can build their knowledge and capability. The portal is also open to the public and serves as a knowledge database.
For additional information, please visit: Risk and Crisis Management and Business Continuity Plan (Available in Thai only).