Opportunities and Challenges
Challenges posed by Cybersecurity
Cybersecurity threats continue to grow in number and in the range of their impacts, including theft of confidential information, malware and computer virus infections, ransomware, and intrusions that take control of systems. PTT recognizes the danger of such events and the importance of preventive and mitigating measures that reduce and control the risk of becoming a target of cyber-attacks, which would affect business continuity as well as stakeholder confidence and corporate image. PTT therefore operates and manages its cybersecurity program in accordance with the international standard for information security management systems, ISO/IEC 27001, to improve both the related processes and the supporting technology systems.
Challenges posed by the COVID-19 Pandemic
The COVID-19 pandemic, which emerged at the end of 2019, brought a global economic slowdown, and the related government measures had a significant negative impact on demand for, and the prices of, PTT Group's products. This became a critical challenge for the Group's petroleum and petrochemical businesses. To mitigate the impact, PTT has closely monitored the situation in order to manage risks in several areas, including operating performance and financial strength, the supply chain and business processes, and the health and safety of personnel, and has established measures appropriate to each situation.
Risk and Crisis Management (GRI 102-11, GRI 102-30)
PTT recognizes the importance of managing risk under many forms of uncertainty and treats risk management as an integral component of every process, at every level of the business. PTT has therefore established an Enterprise Risk Management Policy that all employees are required to follow, and has appointed the Enterprise Risk Management Committee (ERMC) to formulate risk management policies and frameworks and to supervise and ensure that corporate risk management is aligned with business strategies and goals. This includes continually examining changing internal and external circumstances, such as political uncertainty, fluctuations in supply and demand in the petroleum and petrochemical industries, the diverse expectations of stakeholders, changes in laws and regulations, technological advances, and the environmental impacts of business operations. It also includes providing guidance to the Corporate Plan and Risk Management Committee, and monitoring and evaluating its risk management performance, to ensure maximum effectiveness and consistency with the principles of the PTT Group Way of Conduct. Risk management results are reported to the Enterprise Planning and Risk Management Committee at management level, the Corporate Risk Management Committee, the Audit Committee, and PTT's Board of Directors, which has established procedures for regularly reviewing and commenting on improvements to the effectiveness of risk management, so that risks are responded to in a timely manner and the organization is prepared for every kind of business risk.
PTT has formulated a risk management framework consistent with the guidelines of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) framework and ISO 31000 (Risk management: Principles and guidelines), so that those involved understand the risk management principles and apply them appropriately. Risks at the organizational level are managed systematically through management committees with differing scopes and responsibilities, while risks at the business group, business unit, and operational levels are managed by the responsible managers; every unit is required to keep its risks at an acceptable level.
PTT Organization Structure
Corporate Risk (GRI 102-15)
PTT's risk management processes are integrated with each stage of the organization's strategic planning process, together with an annual risk analysis and assessment, to identify corporate risks that align with corporate goals and strategic plans. This incorporates the expectations of different stakeholder groups, economic trends, political conditions, and significant social and environmental changes. The resulting corporate risks are classified as strategic, operational, and financial risks, all of which can affect the company's performance, employees, customers, partners, corporate reputation, the public, and the environment. In addition, PTT considers the risks of general events, emerging risks, and 'Black Swan' events: events that are unlikely to occur but that would cause severe damage and impact to the business if they did. Risk owners are responsible for drawing up a risk management plan for such risks, defining Key Risk Indicators (KRIs), and monitoring and reporting results to the Enterprise Planning and Risk Management Committee, the Corporate Risk Management Committee, and PTT's Audit Committee.
Corporate Risk Culture
PTT cultivates risk management awareness among all employees and fosters a risk management culture and working environment that focuses on the proper allocation of resources and appropriate support in various areas, integrating risk management into PTT's key operational processes to promote its effectiveness.
Business Continuity Management
PTT is committed to securing energy for Thailand, protecting interests, and maintaining the trust, safety, and security of all stakeholders. PTT has therefore developed a Business Continuity Management System (BCMS) in accordance with the PTT Group Business Continuity Management System Standard, which is based on the business continuity management standard ISO 22301 and other related standards and covers prevention, response, support, and recovery. Operations are divided into three phases, Prevention/Preparation, Response/Ongoing Business Operation, and Recovery, under the supervision of the Sustainability Management Committee. At the same time, the constantly changing environment challenges PTT's business goals. Unexpected crises such as natural disasters, terrorism, and various other threats have frequently occurred, significantly affecting PTT's business capabilities and potentially halting critical processes. If PTT were unable to restore its business capabilities to normal, the result could be damage to assets and loss of life, with widespread impacts on the country, society, communities, and every group of PTT's stakeholders. PTT therefore gives priority to a consistent corporate management strategy that includes preventive measures, preparedness measures, training, and the promotion of awareness and accountability, fully in accordance with the business continuity management framework.
PTT has formulated a safety and emergency response plan with four levels, determined by the severity of the event. Level 1 covers events that PTT can handle through its own operations; an Emergency Command Center (ECC) is set up to direct the emergency response. Events in which PTT requires assistance from external parties at the local, provincial, or national level are escalated to Levels 2, 3, and 4 respectively, and a Crisis & Business Continuity Management Center is set up, with a designated and authorized person to manage events at each level appropriately. This ensures an effective resolution and an efficient response toward public and private agencies and neighboring communities. PTT believes that by implementing such protective measures and developing mechanisms that support business operations and ensure business continuity in times of crisis, the organization can continue to build stakeholder confidence and create a long-term competitive advantage.
In preparation for crisis response, PTT has appointed a coordinator in each department who is responsible for communicating essential information such as the code of conduct, emergency telephone numbers, temporary working sites, and significant changes during the year. The Emergency & Business Continuity Management Web Portal also serves as a channel for communicating risk-related facts, emergency and crisis management, business continuity management, and relevant internal and external factors, so that employees can build their knowledge of these subjects.
Information Security/ Cybersecurity Governance
PTT's Board of Directors reviews the company's vision, business direction, strategy, and enterprise risks on a yearly basis. Information security/cybersecurity is accordingly listed among the Corporate Operational Risks proposed by management and approved by the Board of Directors. The effectiveness and performance of cybersecurity management are supervised by the Audit Committee (AC), the Enterprise Risk Management Committee (ERMC), and the Board of Directors. The cybersecurity management strategy is currently directed by Mr. Danucha Pichayanan, Independent Director and Member of the Audit Committee, who previously served as a committee member of the National Electronics and Computer Technology Center (NECTEC). The Chief Technology and Engineering Officer (CTO) is responsible for supervising strategy, policy, and digital standardization, as well as information security/cybersecurity, in line with the direction of the corporate strategy.
Information Security/ Cybersecurity & System Availability
PTT has adopted the ISO/IEC 27001 framework to enhance its information security/cybersecurity capability and performance. The main elements of this program are system analysis and assessment of the risks that may arise from digital vulnerabilities, and the deployment of defensive tooling, including Intrusion Prevention Systems (IPS), antivirus, and AI-based detection of cyber threats. The company has also strengthened its IT security policy in line with ISO/IEC 27032, covering both Information Technology (IT) and Operational Technology (OT), and uses the Cyber Security Operations Center (CSOC) of PTT Digital Solutions Co., Ltd. to monitor PTT's information systems and key equipment around the clock and to protect them from intrusion and unauthorized access. Vulnerability assessments are conducted regularly, and their findings are used to remediate deficiencies in services and applications.
PTT also maintains the Group's business continuity management standard, which applies to each business unit. In response to possible threats to PTT's digital systems, the company has developed a rehearsal process for the relevant preparedness plans, such as the business continuity management plan, the human resource preparedness plan (including the process for monitoring key personnel), the temporary operation site preparedness plan, and digital system preparedness. In the event of an emergency that may affect business operations, PTT works promptly with its network of partners to bring the situation under control and reduce the probable impacts. In addition, PTT has developed an e-Learning program on cybersecurity and data privacy, basic knowledge of good governance, and PTT's anti-fraud and anti-corruption policy to educate employees on cybersecurity and related matters. Particular attention is given to phishing e-mail: employees receive training and are regularly tested on their response to simulated phishing messages, with close monitoring and assessment of the results.
In 2020, the Enterprise Risk Management Committee (ERMC) established proactive measures focused on risk prevention alongside reactive measures. An integrated emergency response plan was developed, taking into account the potential impact of the business plan on all stakeholders, in order to establish an appropriate risk management plan. The Committee also provided comments on investment plans for mega projects and on business contracts with long-term obligations, complex structures, and high risk that may have significant impacts on PTT. In addition, the Committee annually assessed and updated the list of enterprise risks, integrating enterprise risk management planning with corporate risk management planning to formulate a definite plan consistent with business goals, direction, and strategy. The plan was implemented throughout the company, with close monitoring of risk management activities on a quarterly basis. Key Risk Indicators (KRIs) were defined as early-warning indicators and as measures of risk management effectiveness. The ERMC also advised operating departments during reviews of their risk management plans so that they reflect the updated business environment and strategy, and performance is reported to the Board of Directors.
In addition, training courses on risk management were held for the Board of Directors and the ERMC during the past year, along with an orientation on enterprise risk management for new ERMC members.
Risk and Opportunity Management Process
PTT has recently enhanced its risk and opportunity management process by analyzing the internal factors of each business group, business unit, and support function in order to understand their strengths and weaknesses. External factors derived from analyses of challenges and opportunities, as well as other events, including international risks, that may have either a positive or a negative impact on the company, are also taken into consideration. The main risk factors and potential factors that may affect the company in the short and long term, covering environmental, social, economic, and technological prospects, are listed and fed into both risk management planning and strategic planning. An authorized officer is appointed to govern enterprise risk management in integration with the corporate risk management plan and to seek approval from the Board of Directors before communicating it to all units in the company. In addition, the Business Continuity Management System (BCMS), in accordance with the PTT Group Business Continuity Management System Standard, has been established.