Opportunities and Challenges
Cybersecurity threats and cyberattacks are currently increasing at a rapid speed, and organizations are being exposed to a variety of risks, including but not limited to data breach, ransomware attacks, cyber extortion, image and reputation damage, and business interruption.
PTT recognizes the weight of cyber security hazards and threats, and cyber security is one of the key corporate risks that we consider every year. We closely monitor and track performance related to cybersecurity, and have developed improvement plans to increase the efficiency of our processes and continuously reduce risks and impacts associated with this challenge. For example, we have planned investment in new technologies, efforts to increase process efficiency, and cybersecurity awareness training for employees.
Since the onset of the COVID-19 pandemic in late 2019, we have observed a global economic slowdown and reductions in both the demand and prices of PTT Group products, which had resulted from measures implemented by government. These factors together contributed to key challenges for our petroleum and petrochemicals businesses. To mitigate the impacts of these challenges, PTT closely monitored the situation and implemented measures to manage associated risks, such as financial performance and strength, supply chain and business processes, and employee health and safety, as fitting to the context.
Innovation and disruptive technology, alongside a global increase in environmental consciousness, have driven momentum in the energy transition movement. This shift from traditional energy sources to new, clean energy sources, is creating major impacts on the demand for PTT’s products and our business. In light of economic and social changes, developments in the energy industry and in technology, and consumer behavioural changes that have followed global mega trends, PTT has established a business strategy to seek opportunities to continuously develop new businesses. We are exploring opportunities in integrated LNG business and new S-curve businesses, such as the electric vehicles business, renewable energy business, and life science business. We are also taking measures to ensure that our employees are equipped to efficiently fulfil their roles and support our business expansion. PTT has reviewed the corporate vision and strategy, and integrated risk management plans to our business plans. We regularly monitor the performance of PTT Group to ensure that performance will reach targets.
Risk and Crisis Management (GRI 102-11, GRI 102-30)
PTT is aware that under uncertain operating conditions, risk management measures are especially critical. Risk management is thus included as a key aspect in all of our business processes. We have also established the Risk Management Policy, which all employees are required to comply with, and developed a risk management framework and procedure that align with the Enterprise Risk Management (ERM) standards of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and ISO31000: Risk Management – Principles and Guidelines. In this way, we make certain that relevant employees understand risk management principles and are equipped to apply them in practice.
Furthermore, PTT has developed a governance framework for corporate risk management. This firstly includes the Enterprise Risk Management Committee (ERMC), which is responsible for establishing relevant risk management policies and frameworks, and providing oversight and support to ensure that risk management measures are implemented in accordance with our business strategy and targets. The ERMC gives guidance and recommendations regarding risk management, monitors and evaluates risk management performance, and provides feedback to the Corporate Plan and Risk Management Committee (CPRC). The CPRC, a management-level committee, then reports to the Audit Committee and the PTT Board of Directors. This serves as a channel for PTT to take feedback and recommendations on ways to improve the efficiency of our risk management measures and continuously strengthen them. It also means that PTT is always ready to respond and adapt to all types of risks. Specific risks in business groups, business units, and operations are overseen by the responsible management staff. We consider it the responsibility of all teams to manage risks at acceptable levels.
To guarantee that risk management is governed effectively, PTT has organized a training course on risk management for the PTT Board of Directors, and an orientation program on corporate risk management specifically for new Board members who sit on the Risk Management Committee. We are also implementing initiatives to build awareness and understanding of derivatives, foreign exchange risk management, and the use of KM Sessions to evaluate the outcomes of stakeholder management. These efforts together support our Risk Management Committee in governing risk management to achieve the expected objectives.
PTT’s risk management process was designed to be integrated with the strategic planning process. This means we analyse and assess risks every year in order to manage corporate risks in a way that aligns with our strategic plans and targets. As part of this process, we consider changing operating conditions – including internal and external factors – and how they are affected by the constantly fluctuating external environment. For example, we look at the effects of political uncertainty, volatility in the demand and supply for petroleum and petrochemical products, and evolving rules and regulations. We also consider the wide variety of stakeholder expectations facing us, the rapid developments in technology, and environmental impacts caused by businesses. For internal factors, PTT analyses risks arising within our business groups, business units, and supporting business lines in order to identify the key strengths and weaknesses of the organization. Meanwhile, we consider risks from external factors by mapping challenges and opportunities, and reviewing the different scenarios that may result in significant impacts – both positive and negative – on the organization. Furthermore, PTT has expanded risk assessment to include international factors. In this way, we identify key risks and opportunities that may create short- and long-term impacts on the organization, accounting for environmental, social, economic, as well as technological factors.
PTT’s key risks are categorized into four groups: strategic risks, operational risks, business risks, and financial risks. These are all risks that may create impacts on PTT’s performance, employees, customers, business partners, and corporate reputation, as well as impacts on the general public and the environment. We also consider risks from a variety of scenarios, including emerging risks and scenarios that have a low likelihood of occurring but could create significant damage and impacts on our business if they were to occur. Each type of risk is managed by an assigned team/department that is responsible for developing plans to manage the risk and determining key risk indicators. Performance is monitored and reported to the Corporate Plan and Risk Management Committee on a monthly basis, the Enterprise Risk Management Committee on a quarterly basis, and the Audit Committee on an annual basis, as specified in the procedure.
In 2021, the recommendations of the ERMC led to improvements in the risk management process. PTT defined proactive measures that focus on reducing likelihood, and reactive measures to ensure that our organization has comprehensive risk management measures in place and can respond to different scenarios. Details are outlined below:
Risk management process improvements completed following the review by the Enterprise Risk Management Committee
- Updated the “Risk Appetite Statement” to ensure alignment with changing conditions
- Considered potential stakeholder impacts that may result from business plans, and developed plans to implement measures as needed to reduce and mitigate those impacts.
- Provided oversight to ensure that innovation management in the organization is comprehensive, enables increases in innovation efficiency, and supports alignment with PTT’s key strategic objectives and targets.
- Reviewed and provided feedback on large investment projects and long-term, binding contracts that are complex and may create significant impacts on PTT’s business before they are presented to the Board for approval.
- Reviewed and screened annual corporate risks alongside the annual corporate plan before they are presented to the Board for approval; ensured that the corporate risks and the corporate risk management plan are considered during the development of the annual corporate plan in order to maintain clarity and alignment with the business direction, strategy, and targets, especially making certain that agreed plans are implemented across the organization.
- Closely monitored risk management on a quarterly basis; defined key risk indicators that can serve as early warning signs, supported risk monitoring, and measured the effectiveness of risk management measures; provided recommendations to management staff in reviewing risk management plans to ensure alignment with the business strategy and changing external conditions; and reported progress to the Board.
The Board, including the Risk, Audit, and Corporate Governance Committees, annually reviews the corporate vision, direction, strategies, policies and key plans, while considering key corporate risks. Cyber security risk has been consistently identified as one of the organization’s key risks (operational risk). PTT has thus assigned the Chief New Business and Infrastructure Officer (CNBO), chairman of the PTT Group Digital Steering Committee, the responsibility of overseeing this risk and setting the strategy, policies, and standards to guide digital and cyber security risk management in support of PTT’s strategic direction. The CNBO is also tasked with establishing measures and controls to reduce risk likelihood, developing mitigation plans to reduce impacts, and defining key risk indicators (KRIs). Progress is reported to governing bodies such as the Board Committee on a quarterly basis.
PTT has implemented initiatives and management frameworks, namely ISO/IEC 27001: Information Security Management Systems (ISMS) and ISO/IEC 27701: Privacy Information Management System, in order to strengthen the effectiveness of our information security management system. We also further developed the Information Security Management System Policy to cover operational technology (OT), which is a key component of PTT’s business, as well as information technology (IT).
Information Security and System Readiness
PTT appointed PTT Digital Solutions Company to operate cyber security services for PTT Group subsidiaries. We have also established the Cyber Security Operation Center (CSOC) as the center for cyber security surveillance and monitoring, detecting abnormal cyber behavior before it develops into a cyber attack. The CSOC provides 24-hour service for all PTT Group subsidiaries. The Center utilizes highly advanced monitoring technology and tools, including machine learning, and is run by staff who hold relevant international certifications. PTT organizes cyber drills on an annual basis and has put in place cyber security incident response plans that clearly specify our response measures. Furthermore, we have an incident response retainer that gives us access to support from international experts. We are also in contact with the Computer Security Incident Response Team for Thailand (ThaiCERT) and other global communities working on cyber security to share and exchange the most recent updates on cyber security.
Corporate Risk Culture
PTT implements a variety of measures to build a risk-conscious culture in our organization. We allocate resources and provide different forms of support as needed to promote effective risk management. All employees can access the organization’s risk management manual through the intranet, and/or consult communications materials and training courses on risk management developed by the Company. PTT also conducts surveys on an annual basis to assess employee awareness and understanding of risk management. Findings are then used to develop improvement plans to continuously increase the efficiency of risk management measures.
Business Continuity Management
PTT’s highest aspiration is to contribute to energy security in Thailand while protecting the interests of all stakeholder groups, safeguarding their trust in our organization, and ensuring their safety and security. To that end, we have aligned our Business Continuity Management System (BCMS) with the PTT Group Business Continuity Management System Standard (PTT Group BCMS Standard), which in turn is based on ISO 22301: Business Continuity Management and other relevant standards. Our BCMS covers protection, response, support, and recovery measures. It comprises three stages: protection/preparation, response/ongoing business operation, and recovery, and is under the oversight of the Sustainability Management Committee. Current operating conditions, which are constantly changing, contribute to a challenging environment for businesses trying to continue meeting previously set targets. Unforeseen incidents such as natural disasters, political instability, terrorist attacks, pandemics, and other threats can occur at any time and compromise companies’ ability to conduct business and/or disrupt critical business processes. Failure to recover the ability to operate and resume normal operating conditions may result in adverse impacts on assets and even lives, and contribute to widespread impacts on the country, the public, communities, and all stakeholder groups. With these factors in mind, PTT has put in place a management strategy that is aligned throughout the organization, together with measures to control risks and ensure readiness to respond. We have also planned initiatives to promote awareness and accountability in following the business continuity management framework to the best of our ability.
PTT has formulated a safety and emergency response plan that specifies measures for responding to incidents depending on their severity. Incidents are grouped into four levels depending on the level of impact. Level 1 incidents are those that PTT can manage and control internally. For these incidents, the Emergency Command Center is appointed to resolve the situation. Incidents that cannot be managed by PTT and require the assistance from external agencies are considered at higher levels, with incidents that require local, provincial, and national level assistance classified as Level 2, 3, and 4 incidents, respectively. For these incidents, PTT will activate the Emergency Management Center or the Crisis Management Center, appoint responsible personnel, and provide them with the authority to manage the situation as needed in each level. These measures enable effective resolution of the incident and efficient response to both public and private agencies and neighboring communities. PTT strongly believes that by implementing such protective measures and developing mechanisms to help manage operations and ensure continuity in times of crisis, the organization will be able to secure the confidence of stakeholders and create a competitive advantage over the long-term.
To respond to crises and emergencies, PTT has appointed coordinators in each department to facilitate the exchange of critical information, such as emergency protocol for employees, emergency contacts and phone numbers, backup sites, and significant changes throughout the year. We have also set up the Emergency and Business Continuity Management Web Portal to communicate information on emergency/crisis management and business continuity management to employees. In addition, the Portal contains information on changes within and beyond PTT that employees can explore and study to increase their knowledge on the topic.
Key Projects and Activities
Strengthening the Effectiveness of Information Security Measures
2-Factor Authentication: 2FA (SDGs 16.10)
The 2-Factor Authentication system is now widely accepted as the standard for identity verification before a device or application is used. 2FA prevents unauthorized access to data by requiring users to verify their identity a second time after entering their password. Users can choose their preferred method for this second step: for example, they can enter a one-time password (OTP), or approve or deny the access request from an application on their smartphone. This verifies and confirms that the user is in fact authorized to access that data and/or system. 2FA thus helps prevent and reduce information loss and financial loss from cyber crime, minimizes the costs associated with data recovery, and protects our organization from damage to our reputation and stakeholder trust. At present, PTT has rolled out 2-Factor Authentication (2FA) across our organization, and it is required to access corporate email and internal systems.
Phishing Test Campaign (SDGs 16.10)
The phishing test campaign tests and strengthens employee awareness of cyber threats. As part of this campaign, employees receive simulated phishing emails that ask them to open a file or enter their username and password, behavior that would expose the organization to significant risk. PTT is currently conducting these tests once every quarter. After the test, employees are provided with an explanation of the campaign and information on cyber threats. Through this campaign, we hope to increase employee awareness and understanding of cyber threats, and strengthen their cyber security mindset to minimize the chances that they will fall victim to such threats.
Roaming Security and Posture (SDGs 16.10)
As businesses allow employees to work from anywhere, we are observing new risks for the organization. To respond to these risks and prevent users from accessing unsafe websites wherever they are, PTT has applied a roaming security system that covers all organizational devices. Additionally, we screen and inspect the posture of devices that employees use to access the corporate VPN, confirming that they meet PTT’s standards before allowing access to our systems.
PTT has developed the Cyber Security Roadmap to guide our cybersecurity plans for the next three years. The Roadmap is based on the “Zero Trust Security Model”, which means we follow the principle of never trusting and always verifying. Our plan covers people, processes, and technology, and includes the following highlights:
- Privileged Access Workstations (SDGs 16.10)
This initiative aims to increase security protection measures to access the organization’s active directory (AD).
- Network Segmentation Assessment (SDGs 16.10)
We will complete a detailed assessment and design of network segmentation to limit users’ access rights to the minimum necessary and consequently mitigate potential impacts from cyber attacks.
- Attack Surface Management (SDGs 16.10)