Sustainability

Risk and Crisis Management

Corporate Risk Management

Governance

Under PTT's Governance, Risk, and Compliance (GRC) framework, committees are responsible for overseeing each aspect. These consist of the Corporate Governance and Sustainability Committee (CGSC) and the Governance, Risk, and Compliance Management Committee (GRCMC), which are responsible for supervision. They oversee compliance with the principles of good governance, operational risk management, internal control, legal compliance, organizational rules, sustainability management, and operations concerning society, communities, and the environment, including the promotion of ethics and the prevention and suppression of corruption and misconduct, so that the operation of state enterprises is effective, transparent, ethical, and in line with national strategies on preventing and suppressing corruption in the public sector. This includes the establishment of an Enterprise Risk Management Committee (ERMC) and a Corporate Plan and Risk Management Committee (CPRC) to oversee organizational risk management. Progress reports on governance, risk management, internal control, and compliance (GRC) plans will be submitted to the relevant committees for periodic review of effectiveness and performance.

The PTT Board (PTTBOD) approved the appointment of the Enterprise Risk Management Committee (ERMC) on October 25, 2013. As of December 31, 2023, the ERMC consisted of two members who are Independent Directors from PTTBOD. The Senior Executive Vice President (SEVP) of Corporate Strategy and Sustainability was tasked as the Chief Risk Officer (CRO) and the Chief Stakeholder Officer (CSO), serving as secretary.

The SEVP of Corporate Strategy and Sustainability serves as the Chairman of the Corporate Plan and Risk Management Committee (CPRC). This role entails the responsibility of implementing policies and recommendations received from the ERMC to govern overall risk management, reporting the results to the ERMC, and ensuring that effective risk management and stakeholder management processes are implemented across the organization and aligned with the mission and strategy. The results of the ERMC are reported to the board of directors quarterly.

The Executive Vice President (EVP) of the Office of Corporate Audit has the responsibility to review the effectiveness and efficiency of corporate governance, risk management, and internal control processes, and report the results to the board of directors at least quarterly.

PTT has a Governance, Risk and Compliance (GRC) framework with dedicated operational risk management functions in place:

Business Owner (first line): Front-line employees or dedicated operational roles (e.g., risk managers, business unit heads) own and manage risks.

Standard Setters (second line): Dedicated roles or committees exist at the senior management or executive level, which are responsible for setting control standards and overseeing compliance with them (does not include the CEO).

Assurance Provider (third line): An internal audit function provides independent assurance on the effectiveness of risk management and compliance processes.


PTT GRC Framework

In addition, the Performance Management, Corporate Risk and Investment Management Department (PCRIM) is a unit under the SEVP of Corporate Strategy. The function is structurally separated from business units to avoid any conflict and bias in risk management. PCRIM's key responsibilities are:

  1. Conducting ERM framework and policies in line with strategies and business objectives
  2. Conducting risk analysis to identify significant risks and presenting them to the CPRC, ERMC and the PTT Board of Directors respectively
  3. Ensuring risk management processes are effectively implemented across PTT
  4. Monitoring and reporting risk events and risk management performance to the CPRC and ERMC


Promotion of Organizational Risk Culture

PTT has strategies in place to promote an effective risk culture throughout the organization via GRC culture, by applying good governance principles and the Code of Conduct in business operations and by integrating these approaches into risk management, internal controls, and compliance. The Company communicates on these issues through several channels to help employees develop their own knowledge and understanding of GRC, aiming to instill a sense of responsibility and foster a culture that prioritizes risk management among all employees. The organization focuses on allocating resources effectively to continually enhance the efficiency of its risk management practices. To achieve this, PTT offers various training programs throughout the organization covering Governance, Risk, and Compliance (GRC), including risk management principles, and conducts culture-building activities. For example, monthly GRC Talks are integrated into PTT Management Committee (PTTMC) meetings, and regular GRC agenda items are included in departmental meetings. Additionally, GRC Forum activities are organized, and interviews with senior management on GRC topics are shared to establish a strong tone from the top, influencing both executives and staff. PTT conducts annual surveys to gauge employee feedback and understanding of organizational risk management practices.

In 2023, PTT expanded its initiatives, including GRC Knowledge Awareness Workshops and increased promotion of GRC Policies and knowledge. The organization also enhanced access to risk management resources, such as enterprise risk management manuals and various promotional materials, through the Risk Management Dashboard (RMD) system.

PTT has arranged various communication methods and reporting channels for employees to report potential risks and provide suggestions.

  • Whistleblowing: website at www.pttplc.com, e-mail (corporate@pttplc.com), and mail.
  • Department agenda-based meeting: risk management and other risk related topics, such as GRC Talk, must be reported on a regular basis along with performance.
  • Suggestion system: allows employees to propose suggestions in the interest of process effectiveness and efficiency improvement.
  • Sub-standard/Near-miss reporting system: enables employees to report any activities that may result in property loss or injuries.
  • Strategic review and business plan process: Every year, during the strategic review process, key risks are discussed along with business objectives and action plans. Management and employees take part in a brainstorming session, the result of which is the risk profile and its mitigations.

Regular risk management education for all non-executive directors: All PTT non-executive and independent directors (100%) have undergone the Director Certification Program (DCP) or Director Accreditation Program (DAP) from the Thai Institute of Directors (IOD), which contain risk management and GRC topics. PTT also set up an orientation program for incoming directors to understand PTT business, as well as related laws and regulations.

Number of PTT Board Directors as of 31 Dec 2023: 15. All PTT Board Directors have education and experience in Business Administration and Corporate Governance.

  • Independent Directors 80%
  • Executive Directors 7%
  • Non-Executive Directors 13%

12 directors have education and experience in Political Science and Risk Management.

For directors appointed as ERMC members, PTT set up an in-house orientation session to support their responsibilities in risk and stakeholder management. The contents include risk management standards, policies and frameworks, structure and mechanisms, and updated PTT Corporate risks and mitigations, to ensure that the ERMC will be able to conduct oversight and consideration efficiently. In addition, in 2023, ERMC members attended the Risk Management Program for Corporate Leaders (RCL 21/2020), organized by IOD, to ensure alignment among the companies’ risk management practice, strategies, and current and future business.

Focused training throughout PTT on risk management principles: Along with various risk management programs, the PTT Leadership and Learning Institute (PLLI) has been established for the purpose of employee capability building, and it promotes learning and the dissemination of knowledge on risk management to executives and employees through risk management courses. Information on risk management is communicated through the Risk Management Manual and Knowledge Management Portal.

In 2023, PLLI developed comprehensive e-learning courses on the PTT Intranet to make it easier for all executives and employees to attend sessions. Risk management courses are available in e-learning format, for example, Strategic Enterprise Risk Management and Introduction to ESG for Business.

In addition, there are customized courses for specific areas of risk management, such as trading risk control and financial risk management. At the end of the program, all trainees are evaluated.

PTT has financial incentives which incorporate risk management metrics, defined by its core values as SPIRIT, which is significant in molding PTT management and employees to command uniform work behavior. The issue of risk management is addressed in the organization’s SPIRIT values, promoting learning and the distribution of knowledge on risk management to employees. Risk awareness is embedded in:

I - Integrity & Ethics: Embed integrity & ethics to enhance good corporate citizenship by focusing on employees' ability to perform properly, transparently, and as excellent employees of the company, with honesty and ethics at the forefront and risk awareness at work.

P - Performance Excellence: Agile for excellence by focusing on employees’ readiness to quickly adapt to changes and work hard to accomplish beyond-expectation results to create and deliver the best value to stakeholders.

PTT has made corporate values one of the performance evaluation criteria. Employees have to demonstrate their year-end achievements, which connect to PTT’s core values: SPIRIT. This results in work promotion, salary increase and fixed/variable bonus.

Also, PTT applies KPI deployment as an essential tool for corporate performance management and to align executives’ objectives with employees’ motivation for Senior Executives and Managers. By doing so, employees are accountable for participating in risk management. Examples of risk management related KPIs include Enterprise Risk Management Effectiveness and Hedging Pricing Risk Effectiveness.


Corporate Risk Management Policy and Process 

PTT acknowledges the critical importance of effective risk management, especially in the face of both internal and external changes that could potentially impact the long-term viability of the business. To address this, PTT has adopted the globally recognized standards outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO-ERM 2017) to ensure a continuous and comprehensive approach to risk management. This framework is viewed as an indispensable element woven into every aspect of PTT's business operations. Recognizing the need for a cohesive approach, PTT has integrated Good Corporate Governance (GCG), risk management, and legal/rules/regulations compliance into a unified system known as Governance Risk and Compliance (GRC). This integration is aimed at empowering decision-makers, safeguarding, and enhancing organizational value, and proactively managing systematic risks.

PTT has instituted a risk management policy that all employees must abide by, signed by the Chairman of the Enterprise Risk Management Committee. In 2023, PTT announced a revised Risk Appetite Statement (RAS) to align with changing conditions and communicated it to all PTT employees. PTT also developed a comprehensive organizational risk management process known as the "PTT Enterprise Risk Management Manual (ERM)" to serve as the standardized, written practice guideline throughout the organization. This manual encompasses integrated organizational risk management, definitions and interpretations, the framework for enterprise-wide risk management at PTT, and the risk management process, among other key components.


PTT implements a comprehensive risk management framework through various management committees and integrates it with strategic planning to ensure that risk management plans are not only effective but also aligned with the organization's objectives and strategies. Each department is tasked with managing operational risks under the supervision of management to maintain risk appetite, as clearly outlined in their job descriptions. Furthermore, PTT's risk management processes undergo regular reviews by internal units like the Corporate Management Systems Department and the Internal Audit Department, as well as scrutiny by PTT's Audit Committee, the State Enterprise Policy Committee, and external audit on an annual basis.

In 2023, PTT improved its organizational risk management processes to align more closely with the criteria and performance evaluation systems of state enterprises. In addition, PTT has implemented, with ERMC supervision, the following improvements:

  1. Revise the "Risk Appetite Statement" to reflect the evolving landscape accurately.
  2. Consider the impact of the business plan on stakeholders and devise plans to mitigate them effectively.
  3. Supervise organizational innovation management to ensure thoroughness and alignment with PTT's strategic objectives and primary goals.
  4. Evaluate major investment project proposals and long-term contractual agreements, assessing their business complexity and significant impact on PTT before submission to the PTT Board of Directors for approval.
  5. Scrutinize and refine the organization's annual risk register before presentation to the PTT Board of Directors, alongside the annual business plan, ensuring clear alignment with directions, objectives, and business strategies and effective communication throughout the organization.
  6. Regularly monitor risk management activities on a quarterly basis, utilizing risk indicators for proactive surveillance and mitigation, assessing the effectiveness of risk management measures, and providing management with recommendations to align risk management plans with evolving business strategies and environments. Report progress to the PTT Board of Directors.
  7. Evaluate the results of risk assessments, the severity of impact levels, and the development of mitigation measures in the event of significant risk events that may disrupt the operations of the PTT Group (Risk Events). Offer feedback or assign additional tasks for creating risk management plans.
  8. Enhance price risk management guidelines by leveraging derivatives of companies within the PTT Group.

Risk Management Tools

PTT conducts studies and implements diverse risk management tools and frameworks, such as:  

  • Establishing the organization's risk appetite level (Risk Appetite) and formalizing it as a Risk Appetite Statement to serve as a guideline for its operations, comprising four primary dimensions:
       1. Strategic Risk: Pertaining to energy stability and investment portfolio.
       2. Compliance Risk: Associated with transparency and integrity.
       3. Operational Risk: Encompassing efficiency, SSHE (Safety, Security, Health, and Environment), and cyber security.
       4. Financial Risk: Concerning financial health and credit rating.

Furthermore, PTT annually sets Key Risk Indicators (KRIs) at the corporate level within each Risk Mitigation Plan, addressing items outlined in the Corporate Risk Profile. PTT communicates and distributes its risk appetite, along with the Risk Mitigation Plan and KRIs, to stakeholders, ensuring regular monitoring to prevent the organization's risk level from surpassing the predefined threshold.

  • The assessment and ranking of risk factors are conducted using a Risk Map that aligns the severity levels of likelihood and impact. PTT uses criteria for measuring the severity level of risk impacts in three aspects: financial impact, business process and operational impact, and organizational reputation impact, for use in product and service development within the organizational risk tolerance boundaries. Risks are categorized into four levels: Low risk (green), Moderate risk (yellow), High risk (orange), and Extreme risk (red), as illustrated in the diagram.


Furthermore, High and Extreme risk items will be classified as corporate level risks, necessitating the implementation of risk management procedures by the organization.

  • Implementing Monte Carlo Simulation techniques to gauge the impact on business components in terms of Value at Risk (VaR), analyzing from key risk factors affecting the profitability of the PTT Group (net profit). These factors encompass petroleum and petrochemical product prices, refining costs, exchange rates, and production volumes. Moreover, conducting Sensitivity Impact Analysis to evaluate the effects of each key risk factor under varying scenarios, with assessments carried out quarterly, empowering PTT to refine risk management plans for greater efficacy.

Management of Enterprise Risk

The Control and Mitigation Plan activities have been approved by the PTT Board. PTT will diligently track the Mitigation Plan. Should any trigger alerts arise, the responsible risk owners must promptly assemble the necessary data alongside adjustment strategies for risk management. These will then be presented to PTT's Corporate Plan and Risk Management Committee (CPRC) and the Enterprise Risk Management Committee (ERMC) for review and approval, facilitating swift action to restore risk levels to normalcy.

Additionally, PTT applies the Control-Self-Assessment (CSA) method to all processes to ensure that effective internal control activities are consistently applied. Process owners must understand the risks inherent in their processes or activities before assessing the adequacy of control activities/measures. If there are residual risks beyond tolerance, the owner has the responsibility to design an additional control to reduce the impact or likelihood to an acceptable level. Management is responsible for overseeing the continuous improvement of effective control. The CSA results are consolidated by the Internal Control and Risk Management Department to analyze control effectiveness and are reported to the responsible committees and board for CSA improvement suggestions and next-year plan approval.

Also, PTT has structured channels to receive feedback on risk management practices from the board level and management level through to all employees. Feedback is gathered to reduce future risks.

Examples of two identified risks of PTT-specific risk exposure (considering likelihood and magnitude), including mitigating actions

(Table columns: Risk Exposure; Risk Management Guidelines; Risk Movement; Risk Appetite)

1. Risk Exposure: The success of PTT's transition into its New S-Curve hinges on effectively managing the risks associated with operating in AI, Robotics & Digitalization, and Logistics & Infrastructure. Failing to explore opportunities and innovate in these domains could have significant repercussions on PTT's business outcomes.

Risk Management Guidelines:

  • Develop a prototype to assess both the technology's viability and market reception before scaling up to commercialization.
  • Scout and cultivate a knowledgeable and adept team, while also pursuing further investment opportunities with capable partners.

Risk Appetite: % Invested Capital of Low Price Volatility Business in PTT Group Investment Portfolio

2. Risk Exposure: Cybersecurity Risk: Cyber threats within PTT’s Information Technology (IT) and Operation Technology (OT) systems could result in various repercussions including data breaches, ransomware incidents, and a tarnished reputation and brand image, potentially leading to business interruptions.

Risk Management Guidelines:

  • Enforcing cybersecurity best practices and standards diligently across government agencies and essential infrastructure entities.
  • Boosting operational efficiency by investing in technology, optimizing workflows, and fostering cyber threat awareness among internal staff. This includes conducting vulnerability scans and penetration tests by experts to uncover weaknesses and evaluate the effectiveness of internal defense systems, covering both Information Technology (IT) and Operational Technology (OT), among other measures.
  • PTT Digital Solutions has been tasked with providing cybersecurity services to companies within the PTT Group. Operating from the Cyber Security Operation Center (CSOC), they conduct round-the-clock monitoring and anomaly detection to safeguard against cyber threats. Furthermore, robust incident response plans are in place to address various cyberattack scenarios.
  • Collaborations are also established with the Thailand Computer Emergency Response Team (ThaiCERT) and other global communities to facilitate the exchange of cybersecurity incident information.

Risk Appetite: Cybersecurity Incident Case

Emerging Risk

1. Labor shortage due to market competition

Description

The rapid pace of technological advancement and innovation within the industry due to energy transformation is creating an increased demand for highly skilled labour, yet national education systems are underdeveloped in preparing the workforce with the necessary competencies to match the demand. In the next 3-5 years, this issue will be compounded by competitive market dynamics driving up salaries and intensifying talent acquisition challenges, technological disruptions requiring specialized skills, globalization increasing demand for skilled professionals, and economic shifts impacting labour availability and mobility. As a result, companies may face reduced innovation capability, operational inefficiencies, quality and compliance risks, higher talent acquisition and retention costs, and strategic limitations in pursuing growth initiatives. It is therefore crucial for the company to mitigate these risks by developing a systematic plan and long-term strategy to create business advantages.

Impact

The shortage of skilled labour poses a significant risk to the company's ability to effectively implement and sustain innovation advancements, including the following aspects:

  • Reduced Innovation Capability: challenges in executing its innovation strategies, delayed time-to-market for new technologies, and a potential loss of competitive edge.
  • Operational Inefficiencies: operational disruptions, decreased productivity, and increased costs due to the reliance on less experienced staff or the need for extensive training and development programs.
  • Quality and Compliance Risks: effects on product quality and adherence to regulatory standards, increasing the risk of non-compliance and potential legal and financial repercussions.
  • Talent Acquisition and Retention Costs: higher costs in recruiting, attracting, and retaining skilled professionals, competitive compensation packages, and investments in training and development to upskill existing employees.

Mitigating actions

To address this risk, the company should consider implementing strategies such as:

Strategic Partnerships and Development:

  • Strengthen partnerships with educational institutions to tailor programs that align with industry needs.
  • Invest in continuous learning and development programs to upskill existing employees and fill skill gaps.
  • Engage in industry collaborations and networks to access a broader talent pool and share best practices in talent management.

Technological Integration and Efficiency:

  • Leverage technology and automation to augment human capabilities and optimize workforce efficiency.

Strategic Workforce Planning:

  • Implement robust workforce planning and forecasting to align talent acquisition efforts with future innovation and growth strategies.

2. Risks of Misinformation and Disinformation

Description

In the era of online society, access to information and the rapid dissemination of news are widespread. This accessibility leads to the circulation of inaccurate or false information (misinformation), often unintentionally shared by individuals who believe the information to be accurate. Additionally, there is the deliberate spread of distorted information (disinformation), where the sender aims to create false or misleading content. These lead to misunderstandings and incorrect beliefs, and the resulting confusion breeds distrust.

Impact

This situation can significantly impact the organization's image and reputation, potentially leading to business interruptions.

Mitigating actions

Internally verify the facts and seek confirmation from relevant agencies. In certain instances, submit the information to legal authorities for potential legal action. Additionally, prepare detailed information to provide clarification both internally and externally. The outlined details include:

  1. Communication to the public and outsiders (Target group: general public) through the following channels:
    1. PTT's Social Media channels: Facebook Fanpage PTT News
    2. Anti Fake News Center, Ministry of Digital Economy and Society.
  2. Internal communication (Target group: executives and employees) through the circulation of public relations materials within the organization via email as the primary channel.




Sensitivity Analysis & Stress Test

PTT's disclosure of sensitivity analysis or stress testing on financial risks (foreign exchange rate, interest rate, and oil market price) is in Form 56-1 One Report 2023: Financial Report, page 200-201.

In addition, for financial and non-financial risks, PTT has established price risk management by formulating a business plan to support a variety of scenario planning in various oil price situations, promptly responding to changes and uncertainties that may occur in the future. The Price Strategy and Risk Management team has been appointed under the Petrochemical and Refining Integrated Synergy Management (PRISM), responsible for analyzing world oil price movement and jointly conducting price hedging management among PTT Group companies for the greatest benefit. Today, PTT Group engages in hedging through derivative contracts in both petroleum and petrochemical prices. To this end, meticulous, prudent data analyses are conducted while suitable risk management tools are chosen to fit periods and objectives. (Form 56-1 One Report 2023, page 66-69)

Further details on the risk factors affecting the Company’s business operations for 2023 can be found in Form 56-1 One Report 2023, page 63-69

Emerging Risks
(Table columns: Emerging Risks; Description; Potential Business Impacts; Mitigation Plan)

1. Risks posed by regulations aimed at reducing greenhouse gas emissions

Description: As the Ministry of Natural Resources and Environment progresses with the drafting of the Act, it aims to steer towards the objectives of achieving carbon neutrality by 2050 and Thailand's target of net zero greenhouse gas emissions by 2065.

Potential Business Impacts: The inability to comply with the Climate Change Act may lead to increased operating costs for PTT's business.

Mitigation Plan:

  • Advocate for critical issues and provide opinions and suggestions on changes to major and minor laws that impact the strategic direction of corporate sustainability.
  • Coordinate with relevant agencies to enhance operations in line with the Climate Change Act. This involves tasks such as reporting greenhouse gas data and reviewing the organization's carbon pricing to ensure consistency with enforcement measures outlined in the carbon pricing mechanism.

2. Risks of Misinformation and Disinformation

Description: In the era of online society, access to information and the rapid dissemination of news are widespread. This accessibility leads to the circulation of inaccurate or false information (misinformation), often unintentionally shared by individuals who believe the information to be accurate. Additionally, there is the deliberate spread of distorted information (disinformation), where the sender aims to create false or misleading content. These lead to misunderstandings and incorrect beliefs, and the resulting confusion breeds distrust.

Potential Business Impacts: This situation can significantly impact the organization's image and reputation, potentially leading to business interruptions.

Mitigation Plan: Internally verify the facts and seek confirmation from relevant agencies. In certain instances, submit the information to legal authorities for potential legal action. Additionally, prepare detailed information to provide clarification both internally and externally. The outlined details include:

  1. Communication to the public and outsiders (Target group: general public) through the following channels:
    1. PTT's Social Media channels: Facebook Fanpage PTT News
    2. Anti Fake News Center, Ministry of Digital Economy and Society.
  2. Internal communication (Target group: executives and employees) through the circulation of public relations materials within the organization via email as the primary channel.

The risk factors affecting the company's business operations for the fiscal year 2023 can be further explored in Form 56-1 One Report 2023, page 63-69

Business Continuity Management

Business Continuity Management Process

PTT has upgraded its Business Continuity Management System (BCMS) in line with the ISO 22301:2019 standard and other relevant standards, encompassing prevention, response, recovery, and preparedness measures. This involves dividing operations into three key phases: prevention/preparedness, response/business continuity, and recovery. The Business Continuity Plan (BCP) has received approval from both the PTT Management Committee and PTT Board of Directors. Given the ever-evolving landscape, the organization faces the challenge of navigating unforeseen crises such as natural disasters, political instability, terrorism, pandemics, and cyber threats. These events could severely disrupt critical processes within PTT. Failure to restore operations to normalcy may result in extensive damage to property, loss of life, and widespread societal impact. Thus, PTT acknowledges the critical importance of readiness across various fronts to effectively respond to crises and ensure continuous business operations. Consequently, a comprehensive Business Continuity Management Policy has been established to instill awareness and active participation among executives, employees, and all stakeholders, encouraging consistent adherence to the policy's principles.

PTT has devised comprehensive plans to address security and emergency preparedness, classified into four levels corresponding to the severity of the situation. Should PTT require additional assistance from external agencies at the local, provincial, regional, or national levels, the emergency/crisis level will be elevated to levels 1, 2, 3, or 4 respectively. Moreover, dedicated Emergency and Business Continuity Management Centers have been established, with designated personnel empowered to oversee operations at each level. This framework ensures swift problem resolution, responsiveness to both public and private entities, and effective communication with neighboring communities. Additionally, PTT has appointed coordinators within departments to serve as communication liaisons, disseminating critical information such as employee responsibilities, important contact details, alternative work arrangements, and annual updates. Furthermore, PTT has developed an Emergency & Business Continuity Management Web Portal to streamline communication and facilitate operations related to emergency/crisis management and business continuity.

PTT organized drills to test its Business Continuity Management (BCM) plan in the event of a cyberattack that disrupts all systems. Additionally, it prepares for scenarios where natural gas supplies are diminished from both the East and West. The Chief Executive Officer and President, being the Chairperson, oversees the Crisis Management Center (CMC), with executives from PTT Digital Solutions actively participating in these exercises. Coordination extends to the emergency management centers across the Group and PTT Digital Solutions Co., Ltd., through virtual meetings and video conferencing. In 2023, PTT maintained its ISO 22301 certification for BCM, accredited by the Management System Certification Institute (MASCI).