Corporate Risk Management Policy and Process^GRI102-16

PTT has recognized the importance of risk management amidst changes influenced by internal and external factors that may affect business sustainability. It thus employs an international standard issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO - ERM 2017) in a consistent manner to ensure effective risk management, which is also considered a key component for all PTT business processes that need to be connected vertically. As a result, there is an integration of Governance, Risk and Compliance (GRC) to support executives’ decision-making and safeguard, or systematically and effectively create added value for the organization based on potential risk factors.

PTT has developed a risk management policy, signed by the Chairman of the Enterprise Risk Management Committee, with which all employees must comply. In addition, a Governance, Risk and Compliance Committee (GRCMC), an Enterprise Risk Management Committee (ERMC) and a Corporate Plan and Risk Management Committee (CPRC) were established to monitor the overall risk management. The progress of risk management plans, as well as risk indicators, has been reported and proposed to the respective committee for further review of efficiency and effectiveness on a quarterly basis.

The department responsible for the enterprise risk management process has prepared a written PTT Enterprise Risk Management Manual (ERM) as a standard guideline applied throughout the organization. This consists of integrated enterprise-wide risk management, definitions of PTT's enterprise-wide risk management framework and risk management processes, etc.

Risk Management Structure

Corporate risks are systematically managed through PTT’s various management committees. Risk management must be integrated with the formulation of enterprise plans to give risk management plans effectiveness and efficiency in line with corporate goals and strategies. Operational risks fall under the supervision of executives responsible for a given function. All units are responsible for managing and controlling risks to manageable levels and this has been spelled out in the job descriptions of all units.

PTT’s risk management processes are reviewed by PTT’s internal units, the Corporate Management System department and the Internal Audit department and by external unit, Consultant of the State Enterprise Policy Office. In addition, PTT Audit Committee also performs oversight review of the efficiency and effectiveness of the risk management.

Risk Management Tools

PTT studies and employs risk management tools of various forms; for example

• Determination of acceptable risk level to the organization (Risk Appetite) (Link) as a framework of PTT’s operations. There are four main components;

1. Strategic Risk related to Energy Security and Investment Portfolio
2. Compliance Risk related to Transparency and Good governance
3. Operation Risk relate to Efficiency SSHE and Cyber Security
4. Financial Risk related to Financial Strength and Credit Rating

In addition to PTT Risk Appetite determination, Key Risk Indicator (KRI) and risk tolerance for corporate risk mitigation plans are set. All of them will be communicated and conveyed to relevant stakeholders. They are also being monitored to ensure that all risks are still acceptable.

• Prioritization of risk factors using Risk Map. The risk severity levels, both likelihood and impact, are set in relation to PTT Risk Boundary and are divided into 4 levels, low risk (green code), medium risk (yellow code), high risk (orange code) and extreme risk (red code)  as shown below
  
  
  Risk factors identified as high and extreme risks will be defined as corporate level risk and must be implemented  in accordance with the enterprise risk management process.
• The Monte Carlo Simulation techniques used to forecast PTT Group performance impact in the form of value at risk (VaR). VAR is analysed from key risk factors that affect PTT Group performance (net profit) such as petroleum and petrochemical product prices, refining margins, exchange rates and production volume. In addition, The Sensitivity Impact Analysis is conducted to analyze and assess the impact of each key risk factors under changing circumstances. Both VAR and Sensitivity Impact Analysis will be monitored on quarterly basis to ensure that PTT’s risk management plan will be effectively revised.
  
  

Enterprise Risk Management and Emerging Risks ^CSA1.3.3

The risk management plans after being approved by PTT Board of Directors will be continuously monitored. In circumstances that key risk indicator triggers alert, the responsible unit (Risk Owner) must revise its risk management plan and propose to the Corporate Planning and Risk Committee (CPRC) and the Enterprise Risk Management Committee (ERMC) for approval and expedite its plan.

Exposure	Management Plan	Risk Movement (Before and After Control and Mitigation)
1. Personnel Development to Sustain Business Growth: If PTT couldn’t groom an adequate supply of skillful and experienced personnel in time, this could harm businesses and long-term goal achievement.	Manage personnel through the mechanism of career path management by manpower review, identify key positions, and individual development plans to develop specialized skills for each career path. Develop executives and employees to have a leadership skill and encourage for overall learning about PTT Group. Recruit knowledgeable and experienced personnel from outside with direct expertise in new business for faster and more efficient business operations and expansion.
2. Strategic Direction Risks (Disruption by new technologies & customer’s behavioral change) : If PTT couldn’t promptly respond to the changes in directions of the economy, society, energy, technology, and consumers’ behavior that align with global megatrends, this could impact on businesses and performance.	Increase competitiveness by expanding the LNG market both domestically and internationally, including maintaining the market share. Moreover, set up PTT Group’s LNG commercial committees and working groups to promote cooperation and drive operations to achieve goals. Creating New S-Curve to seek opportunities and develop new business models such as investing in Electric Vehicle business, Renewable Energy, Life Science, Logistics & Infrastructure, and Artificial Intelligence, Robotics and Digitalization. Annually review vision, direction and future business strategies by senior PTT Group executives. The resulting business strategies then translate into five-year business plans, which are then integrated with risk management plans. In addition, PTT holds a meeting of PTT Group executives every month to monitor all affiliates’ performance and share ideas to modify short-term business plans and strategies to ensure planned performance outcomes.

• PTT monitors changes in internal and external factors, including emerging risks during the formulation of strategic plan and business planning to ensure that PTT can prepare proactive risk management measures before such risks affect PTT's business operations. In addition, If there are significant events that may have risk and impact on business operation of PTT Group (Risk Event), such as the impact of loss from derivatives and the situation in Myanmar and PTT’s natural gas procurement operations, PTT will assess those impacts and conduct risk management plans proposed to the Enterprise Risk Management Committee (ERMC) for their consideration, opinions or additional operational policies to reduce such impacts.

Challenges from the energy transition situation

Disruptive innovation or technology has brought about changes to business models while environmental awareness has shaped the concept of energy transition, that is, from traditional energy to clean energy of new forms. This greatly affects the needs of customers and PTT's business operation. In order to accommodate economic, social, energy, technological, and consumer behavior changes as influenced by the global mega trend, PTT thus sets business strategies and constantly identifies opportunities and develop new business models, namely an integrated LNG business, to create a New S-Curve business, e.g., investment in electric vehicles, renewable energy, life sciences business, logistics and infrastructure, and AI, Robotics & Digitalization, including personnel preparedness to effectively accommodate business expansion. The Company’s vision, direction, and strategy of future business, integration of risk management and business plans, and business performance monitoring have been regularly reviewed to ensure that the revenue generated shall meet the target.

Reinforcing the corporate risk culture

PTT cultivates awareness, creates an atmosphere and culture of risk management for all employees, focusing on resource allocation and appropriate support to different areas to promote effective risk management. An enterprise-wide risk management manual is published on a website accessible by all employees with relevant email being sent out to educate and strengthen understanding about risk management throughout the organization. Risk management communications and training are provided. There are surveys to collect feedback and identify the understanding of personnel regarding corporate risk management conducted on an annual basis to continuously improve the efficiency of corporate risk management. In 2022, there were culture-reinforcing activities; for example, GRC Talk in monthly PTTMC’s meetings, which is also defined as a regular agenda for every meeting of the department, GRC Camp that is focused on strengthening the GRC culture among employees by cascading experiences of the executives and guest speakers and communicating about GRC policies, GRC knowledge, and risk management. Moreover, the Company also encourages participation in training on GRC and risk management and rolls out reinforcement activities to promote understanding of employees and encourage behavior momentum toward GRC through communications and online activities. 

Risk management process improvement based on the reviews of the Enterprise Risk Management Committee.

PTT nurtures all employees with the awareness of risk management while also creating a risk management atmosphere and culture. It focuses on appropriate resource allocation and provision of support in different areas by integrating it with PTT's key work processes to promote effective risk management. 

1. Improve the “Risk Appetite Statement” to align with changing situations.
2. Take into account impacts of business plans on stakeholders to obtain work plans to mitigate impacts with an appropriate management model.
3. Supervise organizational innovation management to ensure its completeness and competency to enhance innovation effectiveness in line with PTT's strategic objectives and key goals.
4. Consider and comment on the agenda of major investment projects and contracts with long-term obligations, business complexity, and risks that have a significant impact on PTT before proposing them to the PTT Board of Directors for approval.
5. Contemplate the annual list of corporate risks before proposing it to the PTT Board of Directors for approval along with the annual enterprise plan. Risk registers and enterprise risk management plans shall be integrated in the enterprise plan to ensure that it is clear, aligned with the goal, business strategies and applicable enterprise-wide.
6. Closely monitor risk management on a quarterly basis by determining risk indicators for surveillance and precaution, including measuring the effectiveness of risk management and providing recommendations to the management in the reviews of risk management plans to reflect business strategies and the changing business environment and report the results to the PTT Board of Directors.
7. Consider the results of risk assessment, its impact severity and risk management plan if there is significant event that may affect PTT Group’s businesses (Risk Event) and give more advice or assign policy regarding this matter.

Business Continuity Management

Business Continuity Management Process

Business Continuity Management

PTT has developed a business continuity management system (BCMS) based on the business continuity management standard (ISO22301:2019) and others related, covering prevention, response, support and recovery. The operations are divided into 3 phases: prevention/preparation phase, response/business continuity phase, and recovery phase. The Business Continuity Plan (BCP) has been approved by the Management Committee and the PTT Board of Directors. With the current environment that is constantly changing, it is challenging for the organization with respect to unexpected crises, natural disasters, political unrest, terrorism, epidemic, which may cause disruption to PTT's critical processes. If PTT cannot recover its operating capacity, it shall cause damage to property or life, as well as resulting in widespread impact on the nation, society, community and all groups of stakeholders. PTT recognizes the importance of getting prepared in response to crises and operating business continuously. Therefore, a business continuity management policy has been established. Executives and employees, as well as third parties working for PTT, shall take part in the implementation, support and compliance with the policy on a regular basis.

PTT has developed a safety and emergency/crisis preparedness plan divided into 4 levels according to the severity of the events. Specifically, those events are crises that PTT requires further assistance from external entities at either local, provincial, regional or national level. The emergency/crisis severity level shall be raised to 1, 2, 3, and 4 respectively. An emergency/crisis and business continuity management center has been established with responsible persons assigned and authorized to each level of management appropriately to ensure that the solution process is timely, effective and responsive to the needs of both public and private entities and surrounding communities. In addition, PTT has appointed a coordinator to disseminate important information; for instance, what employees must do, important contacts, alternate work sites, and significant changes in each year, etc. An Emergency & Business Continuity Management Web Portal was also developed to be used as a communication channel and for managing emergency/crisis situations and business continuity.