Risk Management

Management Approach (GRI 3-3d., GRI 3-3e., GRI 3-3f.)

Risk Management 

            Today’s business operations are more challenging, in terms of market competition, crises, and transitions. Risk management is, therefore, considered an important tool for OR’s business management to ensure that business operations can achieve set goals and respond to the needs of all stakeholder groups in a balanced manner, as well as prevent losses that may arise from uncertainty. Risk management also includes seeking opportunities to add business value to maintain the competitiveness of the organization in the future. OR has established a risk management structure supervised by the Enterprise Risk Management Committee. The Audit Committee reviews the risk management system and helps in driving risk management throughout the organization effectively. 

OR’s Risk Management Structure

Risk Governance Framework

OR adopts the Three Lines Model as its governance framework, which establishes clear roles and responsibilities in risk management across three distinct levels:
    1. First Line – Business units and process owners, accountable for identifying, assessing, and managing risks within their respective areas to ensure effective operational execution.
    2. Second Line – Functions responsible for establishing risk management frameworks, setting control standards, and overseeing compliance with regulatory and internal requirements to strengthen governance and risk oversight.
    3. Third Line – The internal audit department or unit, which provides independent and objective assurance on the adequacy and effectiveness of risk management, internal controls, and governance processes.

Risk Governance Framework with Three Lines Model

Risk Management Policy

OR has announced its risk management policy, establishing a framework and processes that interconnect at every level of the organization. The policy adheres to the COSO Enterprise Risk Management – Integrated Framework (2017) criteria and is steered by the Risk Management and Internal Control team under the Strategy and Investment Management Division. Risk management is linked to the strategic and business planning processes from the outset, ensuring alignment across the entire value chain. Risk management progress is monitored continuously and reported quarterly and annually to the Enterprise Risk Management Committee and the Company’s Board of Directors. This facilitates regular review and control of organizational risks, maintaining them at levels acceptable to OR.

                  OR has reviewed its risk management policy to align with the direction and business strategy of the Company, aiming towards conducting business for a sustainable future through the lens of OR Sustainable Development Goals (SDG). This is to efficiently address the OR 2030 objectives.

Risk Management Process

For sustainable growth for all groups of stakeholders, OR reviews the external and internal factors that can give rise to significant risks. OR has communicated the 2024 Risk Trends, covering Global Risk, Thailand Risk, and Business Area Risk. This enables all departments, both business and support functions, to take risks into account and prepare risk management plans alongside the strategic plans and business plans of their divisions, consistent with OR’s strategic direction, goals, and Corporate Risk Framework. Key risk issues from business and support functions are consolidated into the 2024 Corporate Risk Profile, and the Risk Exposure is reviewed annually. The 2024 Corporate Risk Profile, approved by the Board of Directors, has been communicated to all departments so that risks are managed consistently at the organizational, functional, and operational levels.

The Audit Committee has examined the effectiveness and efficiency of the risk management process, including the risk management policy, internal control, and compliance with the laws and regulations relevant to OR and its subsidiaries. In collaboration with the internal audit department or unit, it carries out quarterly assessments and consultancy work, offering recommendations on internal control and risk management in critical business processes for the management of OR and its subsidiaries. The results of the internal control assessment and the feedback on the internal control system report are reviewed in accordance with the Ministry of Finance’s Internal Audit Standards and Ethics for Internal Auditing of Government Organizations B.E. 2561 (2018). In 2024, the internal control assessment found the controls adequate and consistently implemented; the risks identified were accompanied by internal control improvements to prevent or mitigate them in 2025.

For external audits of the risk management process, OR undergoes operational risk assessments through third-party audits, which are an integral part of the certification process for ISO 9001, ISO 14001, and ISO 45001 and are conducted every year.

OR’s Enterprise Risk Management

Enterprise Risk Issues

OR has conducted a business environment analysis based on the various crises that occurred in 2024, considering both internal and external factors. The key risks in 2024 include the geopolitical situation, oil prices, the risk situation in countries where investments are made, government policies, exchange rate fluctuations, natural disasters, industry changes, competitors, technological advancements, cybersecurity, enforcement of new laws, and other relevant factors. The Company has identified these significant risk factors affecting current and future business operations and grouped them into 6 categories:

    1. Strategic Risk
    2. Operational and Business Risk
    3. ESG Risk
    4. Information Technology Risk
    5. Financial Risk
    6. Compliance Risk

               OR has implemented comprehensive risk control measures and developed additional risk mitigation strategies to effectively reduce risks to an acceptable level. Furthermore, in 2024, the company conducted a review of its crisis response plan and carried out a business continuity management drill to enhance preparedness for oil spill incidents. A full-scale emergency response exercise was conducted on August 26, 2024, simulating a scenario involving a collision between vessels, damage to a port, and an oil spill impacting the environment, leading to community complaints. This exercise aimed to strengthen the company’s ability to respond efficiently to oil spill emergencies. The drill was carried out in collaboration with relevant government agencies and stakeholders, following the Incident Command System (ICS) framework for oil spill incidents, specifically in the case of an oil spill into a river (Bangchak Petroleum Terminal). Key focus areas included the readiness of emergency response measures, recovery plans for port repair, complaint management strategies, and engagement with affected communities to address concerns and mitigate opposition effectively.

Example of Identified Risks

Organizational Risk Factors
IT Risk
Prioritization (Likelihood and Magnitude)
Cybersecurity risks and threats have been steadily increasing, causing widespread impacts. Examples include computer virus attacks, ransomware attacks, data theft, and hacking. As a result, key corporate data and confidential information could be leaked or business operations could be disrupted, negatively impacting the organization’s reputation.
Process to Determine
The leakage of information protected by law, or of information that could significantly impact business operations, is equal to 0 (zero).
Mitigating Actions
OR places importance on prevention and mitigation measures to avoid becoming a target of cyber-attacks, including cybersecurity plans that enhance security effectively, such as:
• Adopting firewall systems and a Security Operation Center (SOC) to prevent attacks and data leakage.
• Procuring, installing, and using Cloud Access Security Broker (CASB) and Data Leak Protection (DLP) software to control access, defend against attacks, and prevent data leakage.
• Purchasing cyber insurance.
• Creating cybersecurity awareness among employees and BSA by developing learning materials and conducting Cyber Security Awareness tests.
• Conducting system penetration tests and increasing their frequency, covering systems hosted outside of PTT Digital.
• Developing crisis response plans and conducting continuous business continuity management drills throughout the organization’s value chain.
Monitoring and Audit
• Monitoring Cyber Security Roadmap reports every quarter.
• Reviewing information technology access control reports every quarter.
• Assessing Cyber Security Awareness test results every quarter.
• Evaluating system penetration test results every quarter.
• Internal audits conducted by the Data Protection Officer (DPO) or the Personal Data Protection Officer regularly each year.
• External audits and certification of PTT Digital to the ISO 27001 standard.
Organizational Risk Factors
Financial Risk
Prioritization (Likelihood and Magnitude)
Financial liquidity risk may significantly impact the organization’s business operations and OR’s financial costs.
Process to Determine
Financial liquidity must be sufficient to meet debt obligations, commitments, and investments, with financial ratios in line with the financial policy of the PTT Group.
Mitigating Actions
• Prepare financial estimates to plan fund management, aligned with monetary demands and conditions in the financial and/or capital markets.
• Plan short-term and/or long-term loans to secure capital funds.
• Prepare for bond issuance to enhance long-term financial liquidity.
Monitoring and Audit
• Monitor financial risk management quarterly.
• Information on internal audit can be found in the 56-1 One Report (PDF page 62).
• The independent auditor’s report can be found in the 56-1 One Report (PDF page 293).

Risk Culture

                OR aims to promote a risk management culture throughout the organization to ensure that OR grows sustainably and securely. Executives and employees at all levels of the company possess Risk Awareness, Risk-Taking, and Risk Management. OR fosters a risk-aware culture through the following:
                OR drives a risk management culture from organizational leaders or “Tone from the top” by declaring Risk Management Policy, articulating acceptable risk (Risk Appetite), and promoting and overseeing appropriate risk management throughout the organization.
                OR assigns accountability where executives and employees are aware of the ownership of risks, with appropriate risk exposure. Key performance indicators (KPIs) are established that consider the balance between returns and risks. In terms of investing for business, OR sets criteria and guidelines for investment analysis, assesses risks, and prepares a Mitigation Plan to reduce the impact of investments. OR has an escalation process in the event that a risk is found to exceed the acceptable risk level of the Organization. Individual employees have responsibility to proactively identify and report potential risks throughout the organization that can lead to negative impacts on business operations or organizations via an e-mail OR-ERMC@pttor.com. OR communicates and exchanges ideas to create effective communication and challenges, supports open expression, and presents perspectives on risks at every stage of work from all departments.
OR provides incentives and HR practices to encourage personnel at all levels to act in accordance with the OR DNA, good risk management, and compliance with the company’s policies and processes, which are reflected in the annual performance evaluation. In addition, HR management plays a role in promoting the organization’s risk culture through succession planning, training, and similar measures. OR defines and emphasizes that all employees adhere to operational guidelines that consider governance, risk, and compliance (GRC). The risk management manual is published on a website accessible to all employees, and training sessions are held throughout the organization during the year to make employees aware of the importance of risk management processes and internal control, and to increase the knowledge and understanding of risk management principles and internal control that executives and employees apply in their operations. In particular, risk management has been incorporated as a key topic in the annual OR orientation for new employees. All employees must also complete training on risk management and internal control through an e-learning course. OR also regularly provides risk management knowledge to employees at chief executive level or above through the Risk Management Program for Corporate Leaders (RCL) training courses organized by the Thai Institute of Directors (IOD). The aim is to enhance understanding of roles and responsibilities in overseeing risk management.
OR organizes training programs for employees to ensure compliance with legal requirements and organizational regulations, such as the Competition Act B.E. 2560 (2017), and adherence to laws and corporate regulations from the beginning.
In addition, OR encouraged directors, senior executives, executives appointed as directors of OR Group companies, and employees to attend GRC-related training courses of the Thai Institute of Directors Association (IOD), such as the Advanced Audit Committee Program (AACP), Risk Management Program for Corporate Leaders (RCL), Ethical Leadership Program (ELP), Anti-Corruption in Practice (ACPG), Corruption Risk & Control, and Good Corporate Governance (CG) E-learning.

Risk Training Details in 2024 (GRI 3-3e.)

Training program
Risk Management and Internal Control (Orientation)
Target group
New employees
Date of training
Round 1: 24 June 2024
Round 2: 28 June 2024
Round 3: 8 July 2024
Round 4: 5 August 2024
Number of trainees (people)
166 people
Summary of recommendations from training/Remark
New employees have knowledge and understanding of risk management and internal control as a basis for their work.

Training program
Risk Management
Target group
Strategic departments of every line of work and relevant departments in business development and the ORion project
Date of training
20 May 2024
Number of trainees (people)
55 people
Summary of recommendations from training/Remark
Trainees have increased knowledge and understanding of project risk management.

Training program
Risk Management and Internal Control (Company Management Program course)
Target group
Executives and employees across the organization
Date of training
Risk Management: 1 August 2024
Internal Control: 6 September 2024
Number of trainees (people)
Risk Management: 1,840 people
Internal Control: 1,786 people
Summary of recommendations from training/Remark
Trainees have increased knowledge and understanding of risk management and internal control.

Knowledge-Sharing regarding Risk Management for the Board of Directors:

               In 2024, OR actively promoted risk awareness and risk management practices through knowledge-sharing initiatives as part of the Enterprise Risk Management Committee (ERMC) meetings, conducted on a quarterly basis or as deemed appropriate. These sessions covered key topics such as Global Risk, Business Area Risk, Thailand Risk, and impact analysis on OR’s business operations. Additionally, OR facilitated discussions through “Sharing Risk Moments,” providing valuable insights into emerging risks and their potential implications, thereby enhancing the organization’s overall risk management capabilities.

Emerging Risk

        OR prioritizes newly emerging risks and prepares to address them, considering their impact on OR’s business operations. Measures are in place to proactively manage the risks comprehensively and systematically, as follows:

          1. Natural resource crises and biodiversity loss: Coffee Bean

Category
Business and Operational Risk
Description
The Global Risks Report by the World Economic Forum reports that environmental crises and biodiversity loss are ranked among the world’s top long-term risks in terms of severity. Additionally, the Food and Agriculture Organization (FAO) has revealed that rising global temperatures could reduce suitable areas for coffee cultivation by up to 50%. Countries around the Bean Belt—the region along the equator where coffee can be grown, spanning across five continents and including many countries such as Peru, Brazil, Ethiopia, and Colombia—are facing challenges from climate change. This may impact future coffee yields, including the extinction of certain coffee varieties, as well as alterations in taste, aroma, and overall quality of coffee.
Impact
Currently, Thailand’s annual coffee bean consumption reaches approximately 80,000 tons, while domestic production is limited to only 20,000 tons. Café Amazon, as one of the largest consumers of coffee beans with an annual demand of around 6,000 tons, may be adversely affected by future coffee bean shortages. This imbalance could lead to increased costs and negatively impact operating performance. Moreover, any changes in the taste, aroma, or quality of the coffee could further affect consumer satisfaction.
Mitigating Action
OR, in collaboration with the Ministry of Agriculture and Cooperatives, has undertaken initiatives to promote coffee cultivation and create sustainable opportunities for coffee farmers. This partnership facilitates the exchange of expertise with the Ministry to support and expand coffee cultivation areas through the adoption of an integrated agricultural model that combines coffee with other crops. Such measures are designed to enhance both the yield and income of coffee farmers through sustainable practices, thereby improving production efficiency to meet international standards in both volume and quality particularly for locally distinctive coffee products that can significantly increase the value of the commodity while also mitigating issues related to deforestation and environmental degradation. Moreover, there is a concerted effort in marketing collaboration wherein Café Amazon supports the procurement of quality-certified coffee produced by farmers benefiting from these cultivation initiatives. This strategy aligns with OR’s commitment to creating opportunities and delivering value to all stakeholders across its entire business chain, ensuring that no one is left behind.

          2. Employment crises

Category
Business and Operational Risk
Description
According to the World Population Prospects, the global population is estimated to have reached 8 billion people, with approximately 10 percent aged 65 and above, a figure projected to rise to 16 percent by 2050. Meanwhile, a report on the elderly population in Thailand indicates that the country ranks as the third fastest growing in terms of aging demographics. It is forecast that by around 2030, Thailand will transition into a super-aged society similar to Japan, with individuals aged 60 and above constituting up to 28 percent of the total population, while the overall population growth rate remains at a mere 0.18 percent. As the world increasingly becomes an aging society, almost every nation is experiencing challenges related to labor shortages.
Impact
OR employs a substantial workforce across its diverse business segments, including PTT Station, Café Amazon, and various other retail enterprises. As Thailand is projected to transition into a super-aged society in the future, this demographic shift may result in labor shortages and increased labor costs, thereby potentially impacting OR’s business operations and overall performance.
Mitigating Action
OR has developed a comprehensive fully self-serve gas station model, incorporating automation systems throughout its production, storage, and distribution processes to reduce labor dependency and enhance operational efficiency. In addition, Café Amazon has taken the initiative to expand employment opportunities for the elderly—a demographic segment that is rapidly growing as Thai society transitions into a super-aged society, leaving many seniors without adequate job prospects due to their advancing age. To address this challenge, OR has partnered with the Department of Social Development and Welfare under the Ministry of Social Development and Human Security to establish the “Café Amazon for Chance” outlet, which is operated by elderly employees. This pilot project involves hiring senior workers aged 60 to 65 who are capable of performing café operations. The outlet is specifically designed to meet the needs of elderly staff, featuring a curated menu that focuses solely on best-selling beverages, the use of automated coffee machines to maintain Café Amazon’s signature taste, appropriately elevated ingredient storage shelves, and the inclusion of emergency medical equipment. All personnel receive the same training provided by the Café Amazon Training and Standards Development team as their counterparts in other Café Amazon outlets. This innovative model aims not only to alleviate labor shortages but also to create meaningful employment opportunities for the elderly in Thailand.

          3. Generative AI

Category
Information Technology Risk
Description
The Global Risks Report 2024 by the World Economic Forum indicates that risks associated with artificial intelligence—specifically Generative AI (Gen AI)—are expected to intensify over the next two to ten years, permeating every aspect of society. These risks encompass the dissemination of false information, threats to privacy, cyber threats, copyright infringements, inherent biases in AI systems, criminal activities, labor displacement, and even the potential use of AI as a military weapon. Furthermore, the Harvard Business Review (HBR) notes a growing trend in the adoption of Gen AI within organizations, and the Stanford AI Index confirms that the rate of AI adoption is increasing across all global regions. Prominent multinational companies, such as Microsoft and Salesforce, have integrated AI into their products and services, while some firms, including Apple and Samsung, have refrained from deploying AI in their operations due to concerns regarding the associated risks. In the context of Thailand, leveraging Gen AI for operational purposes presents a significant challenge for organizations. The Electronic Transactions Development Agency (ETDA) has reported that a sustainable and well-governed balance in AI usage must be achieved. The increasing implementation of Gen AI tools, such as ChatGPT and Gemini, comes with heightened risks. Key concerns include the potential for processed data errors leading to misuse or inefficiency; the possibility that AI-generated outputs may be biased or stereotypical due to the nature of the training data; copyright issues stemming from the generation of images or text; breaches of personal privacy and unauthorized disclosure of corporate secrets; as well as the spread of false or misleading information online, all of which could have considerable adverse effects on organizations.
Impact
OR has transformed its organization into a Digital Driven Organization and has implemented Gen AI to enhance operational efficiency, improve internal productivity, and elevate customer service, thereby securing a competitive advantage. However, this strategic initiative comes with inherent challenges and risks, including concerns regarding data privacy, security, transparency, and accountability. Such risks could potentially inflict significant harm on the organization’s business operations as well as its corporate reputation.
Mitigating Action
OR recognizes the inherent dangers of these risks and acknowledges the importance of proactive measures to mitigate their impact. Accordingly, OR has implemented an AI/ML Governance framework to ensure that the adoption of AI/ML within the organization is both efficient and secure, while adhering to ethical principles. A robust governance framework has been established that clearly delineates roles and responsibilities regarding both the use of AI/ML and the management of organizational data. This framework incorporates ongoing monitoring, evaluation, and continuous improvement of AI/ML applications, aligning AI/ML risk management with the overall enterprise risk management strategy to enhance the achievement of strategic objectives. Comprehensive risk control measures have been formulated, taking into account the three core elements of information technology security and privacy—namely, confidentiality, integrity, and availability. The organization has appointed dedicated personnel responsible for the development, testing, deployment, and oversight of AI/ML systems, ensuring that these functions are executed in a manner appropriate to the organization’s needs. In parallel, OR promotes the ethical use of Gen AI by investing in the continuous upskilling of its staff, fostering a deep understanding of ethical issues and best practices for the application of Gen AI, and instituting mechanisms to monitor compliance with organizational policies. In addition to these governance initiatives, OR has implemented robust preventive measures to mitigate potential risks. These measures include the deployment of firewalls and the utilization of a Security Operation Center (SOC) to defend against cyberattacks and data breaches. OR has also procured, installed, and implemented systems such as Cloud Access Security Brokers (CASB) and Data Leak Protection (DLP), along with specialized software on company computers, to control data access and prevent unauthorized data breaches. 
Regular audits and risk assessments are conducted to identify and address vulnerabilities in the IT systems, while ongoing training ensures that employees are well-versed in safeguarding sensitive information. Moreover, OR has secured cyber insurance and established a comprehensive Business Continuity Management (BCM) system to ensure resilience in the face of potential threats to its information systems.

        4. Misinformation and Disinformation

Category
Information Technology Risk
Description
The Global Risks Report 2024 by the World Economic Forum states that the dissemination of false information and data distortion represent significant global risks that could have severe repercussions on political, social, and economic fronts—including inciting international conflicts. These risks are further exacerbated by the widespread use of Generative AI to create what is known as “Synthetic Content,” which spans fake videos (commonly referred to as deepfakes), voice impersonations, and even fraudulent websites. Coupled with the ubiquitous nature of social media, online communication now occurs at an unprecedented speed and scale. Society tends to place trust in information disseminated through these channels, leading to the rapid and uncontrolled propagation of false information. This distortion of information can be exploited for a wide range of purposes, from promoting minor social movements—such as environmental activism—to inciting more severe conflicts. Furthermore, new forms of crime, such as stock manipulation or the production of deepfake pornography, may emerge and proliferate at an accelerated rate. In addition, misinformation is increasingly being tailored to suit specific target audiences, including minority communities, and is often disseminated via messaging platforms that are difficult to verify, such as WhatsApp or WeChat.
Impact
OR has been adversely impacted by the dissemination of false information via social media, resulting in the widespread circulation of misinformation. This has led to a distortion of understanding and perception among consumers, society, and communities, causing significant damage to the organization both in terms of business operations and corporate reputation.
Mitigating Action
OR recognizes the significant impact of misinformation and the dissemination of false news. In response, the organization closely monitors the spread of false information on social media platforms. It has implemented effective communication strategies with stakeholders, developed a comprehensive issue management process, and proactively anticipates potential negative issues in order to devise appropriate plans and response procedures. Proactive communication is carried out alongside the management of negative issues and crisis communication strategies to ensure timely resolution of matters affecting the organization. Furthermore, OR has conducted a Brand Health Check to assess the expectations of all stakeholder groups, with the aim of optimizing its public relations efforts. Additionally, proactive communication is employed to reach target audiences with clear, accessible messages, while cultivating Brand Love to safeguard the brand from attacks driven by false information that could negatively impact the organization’s image and reputation.

Related Documents 

Document Name / File (Attach or Link)
1. Risk and Crisis Management (Click to Download)
2. Risk Management Policy (Please select “Corporate Risk Management”) (Click to Download)