Risk and Crisis Management


Corporate Risk Management

Corporate Risk Management Policy and Process 

PTT acknowledges the critical importance of effective risk management, especially in the face of both internal and external changes that could potentially impact the long-term viability of the business. To address this, PTT has adopted the globally recognized standards outlined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO-ERM 2017) to ensure a continuous and comprehensive approach to risk management. This framework is viewed as an indispensable element woven into every aspect of PTT's business operations. Recognizing the need for a cohesive approach, PTT has integrated Good Corporate Governance (GCG), risk management, and legal/rules/regulations compliance into a unified system known as Governance Risk and Compliance (GRC). This integration is aimed at empowering decision-makers, safeguarding and enhancing organizational value, and proactively managing systematic risks. Presently, PTT has established the Corporate Governance and Sustainability Committee (CGSC) and the Governance Risk and Compliance Management Committee (GRCMC). These committees oversee various aspects including ethical practices, operational risk management, internal controls, legal compliance, sustainable management, community and environmental stewardship, as well as the promotion of ethics and the prevention of corruption and misconduct within state-owned enterprises. Furthermore, to ensure effectiveness, transparency, and alignment with national strategies aimed at preventing and combating corruption in the public sector, PTT has also formed the Enterprise Risk Management Committee (ERMC) and the Corporate Plan and Risk Management Committee (CPRC). These committees are tasked with overseeing organizational risk management.
Regular quarterly progress reports on governance, risk management, internal controls, and legal compliance are submitted to the relevant committees for thorough review and evaluation, ensuring accountability and continuous improvement in these areas. 

PTT has instituted a risk management policy that all employees must abide by, signed by the Chairman of the Enterprise Risk Management Committee. Furthermore, PTT has developed a comprehensive organizational risk management process known as the "PTT Enterprise Risk Management Manual (ERM)" to serve as the standardized, written practice guideline throughout the organization. This manual encompasses integrated organizational risk management, definitions and interpretations, the framework for enterprise-wide risk management at PTT, and the risk management process, among other key components.

Risk Management Structure

PTT implements a comprehensive risk management framework through various management committees and integrates it with strategic planning to ensure that risk management plans are not only effective but also aligned with the organization's objectives and strategies. Each department is tasked with managing operational risks under the supervision of management to maintain risk appetite, as clearly outlined in their job descriptions. Furthermore, PTT's risk management processes undergo regular reviews by internal units like the Corporate Management Systems Department and the Internal Audit Department, as well as scrutiny by PTT's Audit Committee, the State Enterprise Policy Committee, and external audit on an annual basis. A variety of tools are employed in these risk management processes.

Risk Management Tools

PTT conducts studies and implements diverse risk management tools and frameworks, such as:  

  • Establishing the organization's risk appetite level as a guideline for its operations, comprising four primary dimensions:
       1. Strategic Risk: Pertaining to energy stability and investment portfolio.
       2. Compliance Risk: Associated with transparency and integrity.
       3. Operational Risk: Encompassing efficiency, SSHE (Safety, Security, Health, and Environment), and cyber security.
       4. Financial Risk: Concerning financial health and credit rating.
    Furthermore, PTT annually sets Key Risk Indicators (KRIs) at the corporate level within each Risk Mitigation Plan, addressing items outlined in the Corporate Risk Profile. PTT communicates and distributes its risk appetite, along with the Risk Mitigation Plan and KRIs, to stakeholders, ensuring regular monitoring to prevent the organization's risk level from surpassing the predefined threshold.
  • The assessment and ranking of risk factors are conducted using a Risk Map, aligning the severity levels of likelihood and impact with the organizational risk tolerance boundaries. These are categorized into four levels: Low risk (green), Moderate risk (yellow), High risk (orange), and Extreme risk (red), as illustrated in the diagram.

    Furthermore, High and Extreme risk items will be classified as corporate level risks, necessitating the implementation of risk management procedures by the organization.
  • Implementing Monte Carlo Simulation techniques to gauge the impact on business components in terms of Value at Risk (VaR), based on the key risk factors affecting the profitability of the PTT Group (net profit). These factors encompass petroleum and petrochemical product prices, refining costs, exchange rates, and production volumes. Moreover, conducting Sensitivity Impact Analysis to evaluate the effects of each key risk factor under varying scenarios, with assessments carried out quarterly, empowering PTT to refine risk management plans for greater efficacy.

Management of Enterprise Risk and Emerging Risks

Following approval by the Board of Directors, PTT will diligently track the Mitigation Plan. Should any trigger alerts arise, the responsible risk owners must promptly assemble necessary data alongside adjustment strategies for risk management. These will then be presented to PTT's Corporate Plan and Risk Management Committee (CPRC) and the Enterprise Risk Management Committee (ERMC) for review and approval, facilitating swift action to restore risk levels to normalcy.

Risk Exposure | Risk Management Guidelines | Risk Movement

1. The success of PTT's transition into its New S-Curve hinges on effectively managing the risks associated with operating in AI, Robotics & Digitalization, and Logistics & Infrastructure. Failing to explore opportunities and innovate in these domains could have significant repercussions on PTT's business outcomes.
  • Develop a prototype to assess both the technology's viability and market reception before scaling up to commercialization.
  • Scout and cultivate a knowledgeable and adept team, while also pursuing further investment opportunities with capable partners.
2. Cybersecurity Risk: Cyber threats within PTT’s Information Technology (IT) and Operational Technology (OT) systems could result in various repercussions, including data breaches, ransomware incidents, and a tarnished reputation and brand image, potentially leading to business interruptions.
  • Enforcing cybersecurity best practices and standards diligently across government agencies and essential infrastructure entities.
  • Boosting operational efficiency by investing in technology, optimizing workflows, and fostering cyber threat awareness among internal staff. This includes conducting vulnerability scans and penetration tests by experts to uncover weaknesses and evaluate the effectiveness of internal defense systems, covering both Information Technology (IT) and Operational Technology (OT), among other measures.
  • PTT Digital Solutions has been tasked with providing cybersecurity services to companies within the PTT Group. Operating from the Cyber Security Operation Center (CSOC), they conduct round-the-clock monitoring and anomaly detection to safeguard against cyber threats. Furthermore, robust incident response plans are in place to address various cyberattack scenarios.
  • Collaborations are also established with the Thailand Computer Emergency Response Team (ThaiCERT) and other global communities to facilitate the exchange of cybersecurity incident information.

Further details on the risk factors affecting the Company’s business operations for 2023 can be found in the 56-1 One Report 2023.

Promotion of Organizational Risk Culture

PTT is committed to instilling a sense of responsibility and fostering a culture that prioritizes risk management among all employees. The organization focuses on allocating resources effectively to continually enhance the efficiency of its risk management practices. To achieve this, PTT offers various training programs throughout the organization covering Governance, Risk, and Compliance (GRC), including risk management principles, and conducts culture-building activities. For example, monthly GRC Talks are integrated into PTT Management Committee (PTTMC) meetings, and regular GRC agenda items are included in departmental meetings. Additionally, GRC Camp activities are organized, and interviews with senior management on GRC topics are shared to establish a strong tone from the top, influencing both executives and staff. PTT conducts annual surveys to gauge employee feedback and understanding of organizational risk management practices. In 2023, PTT expanded its initiatives, including GRC Knowledge Awareness Workshops and increased promotion of GRC Policies and knowledge. The organization has also enhanced access to risk management resources, such as enterprise risk management manuals and various promotional materials, through the Risk Management Dashboard (RMD) system.

The risk management process has been enhanced following a thorough review by the Organizational Risk Management Committee.

PTT has implemented the following improvements as a result of this review:

  1. Revise the "Risk Appetite Statement" to reflect the evolving landscape accurately.
  2. Consider the impact of the business plan on stakeholders and devise plans to mitigate them effectively.
  3. Supervise organizational innovation management to ensure thoroughness and alignment with PTT's strategic objectives and primary goals.
  4. Evaluate major investment project proposals and long-term contractual agreements, assessing their business complexity and significant impact on PTT before submission to the PTT Board of Directors for approval.
  5. Scrutinize and refine the organization's annual risk register before presentation to the PTT Board of Directors, alongside the annual business plan, ensuring clear alignment with directions, objectives, and business strategies and effective communication throughout the organization.
  6. Regularly monitor risk management activities on a quarterly basis, utilizing risk indicators for proactive surveillance and mitigation, assessing the effectiveness of risk management measures, and providing management with recommendations to align risk management plans with evolving business strategies and environments. Report progress to the PTT Board of Directors.
  7. Evaluate the results of risk assessments, the severity of impact levels, and the development of mitigation measures in the event of significant risk events that may disrupt the operations of the PTT Group (Risk Events). Offer feedback or assign additional tasks for creating risk management plans.
  8. Enhance price risk management guidelines by leveraging derivatives of companies within the PTT Group.

Business Continuity Management

Business Continuity Management Process

PTT has upgraded its Business Continuity Management System (BCMS) in line with the ISO 22301:2019 standard and other relevant standards, encompassing prevention, response, recovery, and preparedness measures. This involves dividing operations into three key phases: prevention/preparedness, response/business continuity, and recovery. The Business Continuity Plan (BCP) has received approval from both the PTT Management Committee and PTT Board of Directors. Given the ever-evolving landscape, the organization faces the challenge of navigating unforeseen crises such as natural disasters, political instability, terrorism, pandemics, and cyber threats. These events could severely disrupt critical processes within PTT. Failure to restore operations to normalcy may result in extensive damage to property, loss of life, and widespread societal impact. Thus, PTT acknowledges the critical importance of readiness across various fronts to effectively respond to crises and ensure continuous business operations. Consequently, a comprehensive Business Continuity Management Policy has been established to instill awareness and active participation among executives, employees, and all stakeholders, encouraging consistent adherence to the policy's principles.

PTT has devised comprehensive plans to address security and emergency preparedness, classified into four levels corresponding to the severity of the situation. Should PTT require additional assistance from external agencies at the local, provincial, regional, or national levels, the emergency/crisis level will be elevated to levels 1, 2, 3, or 4 respectively. Moreover, dedicated Emergency and Business Continuity Management Centers have been established, with designated personnel empowered to oversee operations at each level. This framework ensures swift problem resolution, responsiveness to both public and private entities, and effective communication with neighboring communities. Additionally, PTT has appointed coordinators within departments to serve as communication liaisons, disseminating critical information such as employee responsibilities, important contact details, alternative work arrangements, and annual updates. Furthermore, PTT has developed an Emergency & Business Continuity Management Web Portal to streamline communication and facilitate operations related to emergency/crisis management and business continuity.

PTT organized drills to test its Business Continuity Management (BCM) plan in the event of a cyberattack that disrupts all systems. Additionally, it prepares for scenarios where natural gas supplies are diminished from both the East and West. The Chief Executive Officer and President, being the Chairperson, oversees the Crisis Management Center (CMC), with executives from PTT Digital Solutions actively participating in these exercises. Coordination extends to the emergency management centers across the Group and PTT Digital Solutions Co., Ltd., through virtual meetings and video conferencing. In 2023, PTT maintained its ISO 22301 certification for BCM, accredited by the Management System Certification Institute (MASCI).