Risk Management

Management Approach (GRI 3-3d., GRI 3-3e., GRI 3-3f.)

Risk Management 

Currently, businesses face growing challenges from market competition, crises, and transitions. Risk management is therefore an important tool for OR’s business management: it ensures that the business can achieve corporate goals, respond to the needs of all stakeholder groups in a balanced manner, and prevent losses that may arise from uncertainty. Risk management also includes exploring opportunities to add business value so that the organization remains competitive in the future. OR has established a risk management structure supervised by the Enterprise Risk Management Committee. The Audit Committee is responsible for reviewing the effectiveness of the risk management system and supporting the continuous enhancement of risk management practices across the organization to ensure their efficiency and alignment with corporate objectives.

OR’s Risk Management Structure

Risk Governance Framework

OR adopts the Three Lines Model as a governance framework to establish clear roles and responsibilities in risk management. This model comprises three distinct levels:

  1. First Line: Business units and process owners accountable for identifying, assessing, and managing risks within their respective areas to ensure effective operational execution;
  2. Second Line: Functions responsible for establishing risk management frameworks, setting control standards, and overseeing compliance with regulatory and internal requirements to enhance governance and risk oversight; and
  3. Third Line: The internal audit department or unit, which provides independent and objective assurance on the adequacy and effectiveness of risk management, internal controls, and governance processes.
Figure: Risk Governance Framework with Three Lines Model

Risk Management Policy

OR has announced its risk management policy, establishing a framework and processes that interconnect at every level of the organization. The policy follows the COSO Enterprise Risk Management – Integrated Framework 2017 criteria and is steered by the Risk Management and Internal Control team under the Strategy and Investment Management Division. Risk management is linked to the strategic and business planning processes from the outset, ensuring alignment across the entire value chain. Risk management progress is monitored continuously and reported quarterly and annually to the Enterprise Risk Management Committee and the Company’s Board of Directors. This enables regular review and control of organizational risks, keeping them at levels acceptable to OR.

OR has reviewed its risk management policy to align it with the direction and business strategy of the Company, so that the business can efficiently deliver the OR 2030 objectives.

Risk Management Process

To secure sustainable growth for all groups of stakeholders, OR reviews the external and internal factors that can give rise to significant risks. OR has communicated the 2025 risk trends, covering global risk, Thailand risk, and business area risk. This enables all departments, in both business and support functions, to take risks into account and prepare risk management plans alongside the strategic plans and business plans of their divisions, consistent with OR’s strategic direction, goals, and Corporate Risk Framework. Key risk issues from business and support functions are consolidated into the 2025 Corporate Risk Profile. The 2025 Corporate Risk Profile, approved by the Board of Directors, has been communicated to all departments so that risks are managed consistently at the organizational, functional, and operational levels. Risk management results under the Corporate Risk Profile are monitored, reviewed, and reported quarterly to the Management Committee, the Enterprise Risk Management Committee, and the Board of Directors. The Risk Appetite level has been determined, and the Risk Tolerance level has been applied to set the threshold of each Key Risk Indicator, which allows risk management outcomes to be measured more effectively.

OR reviews its risk management processes every year, both internally and externally. The Audit Committee has examined the effectiveness and efficiency of the risk management process, including the risk management policy, internal control, legal compliance, and the regulations relevant to OR and its subsidiaries. Collaboration with the internal audit department or unit involves quarterly assessments and consultancy work, which provide recommendations on internal control and risk management in critical business processes for the management of OR and its subsidiaries. In addition, the results of the internal control assessment and the feedback on the internal control system report are reviewed in line with the standards and guidelines set by the Ministry of Finance in the Internal Audit Standards and Ethics for Internal Auditing of Government Organizations B.E. 2561 (2018). In 2025, the internal control assessment found the controls to be adequate and consistently implemented, and the risks identified were accompanied by internal control improvements to prevent or mitigate them in 2026.

For external audits of the risk management process, OR undergoes operational risk assessments by third-party auditors as an integral part of the certification process for ISO 9001, ISO 14001, ISO 45001, and ISO 22301, conducted every year. When procuring external auditors, OR uses an open bidding and proposal submission process to ensure alignment with international standards and to enable a transparent and verifiable assessment of the effectiveness of its management systems.

OR’s Enterprise Risk Management

Enterprise Risk Issues

OR has conducted a business environment analysis based on the various crises that occurred in 2025, considering both internal and external factors. The key risks in 2025 include the geopolitical situation, the oil price situation, the risk situation of the countries in which OR invests, government policies, exchange rate fluctuations, natural disasters, industry changes, competitors, technological advancements, cybersecurity, the enforcement of new laws, and other relevant factors. The Company has identified these significant risk factors affecting current and future business operations and grouped them into six categories:

    1. Strategic Risk
    2. Operational and Business Risk
    3. ESG Risk
    4. Information Technology Risk
    5. Financial Risk
    6. Compliance Risk

Example of Identified Risks

Organizational Risk Factors: IT Risk
Prioritization (Likelihood and Magnitude): Cybersecurity risks and threats have been steadily increasing and are causing widespread impacts. Examples include computer virus attacks, ransomware attacks, data theft, and hacking. As a result, key corporate data and confidential information could be leaked, or the business could face disruption, negatively impacting the organization’s reputation.
Risk Appetite: Zero (0) incidents of leakage of information protected by law, or of information whose leakage could significantly impact business operations.
Mitigating Actions: OR places importance on prevention and mitigation measures to avoid becoming a target of cyber-attacks, including cybersecurity plans that enhance security effectively, such as:
• Adopting firewall systems and a Security Operations Center (SOC) to prevent attacks and data leakage.
• Procuring, installing, and utilizing Cloud Access Security Broker (CASB) and Data Loss Protection (DLP) software to control access, defend against attacks, and prevent data leakage.
• Purchasing cyber insurance.
• Creating cybersecurity awareness among employees and contract staff (BSA) by developing learning materials and conducting Cyber Security Awareness tests.
• Conducting system penetration testing and increasing the frequency of such tests, covering systems hosted outside of PTT Digital.
• Developing crisis response plans and conducting continuous business continuity management drills throughout the organization’s value chain.
Monitoring and Audit:
• Monitoring Cyber Security Roadmap reports every quarter.
• Reviewing information technology access control reports every quarter.
• Assessing Cyber Security Awareness test results every quarter.
• Evaluating system penetration test results every quarter.
• Conducting internal audits by the Data Protection Officer (DPO) or the Personal Data Protection Officer regularly each year.
• External audits and certification to the ISO 27001 standard for PTT Digital.

Organizational Risk Factors: ESG Risk: Climate Risk
Prioritization (Likelihood and Magnitude): Risks arising from global warming and climate change can cause damage to businesses, while stakeholders across the value chain may be affected by various disasters. In addition, regulations, measures, and laws at the national, regional, and global levels are increasingly being introduced to drive the transition toward a low-carbon economy, raising the cost to businesses of preparing and disclosing relevant information. If OR is not adequately prepared to address both physical risk and transition risk, the long-term sustainability of its business operations may be adversely affected.
Risk Appetite: OR places strong emphasis on security, safety, occupational health, and the environment, with a commitment to No Catastrophic Accident as defined by safety standards, and aims to achieve SET ESG Ratings scores of not less than 50% in each ESG dimension.
Mitigating Actions:
• Preparing business continuity plans and emergency response plans.
• Enhancing infrastructure resilience.
• Diversifying supply routes and sourcing.
• Strengthening inventory management.
• Implementing the 3R Climate Strategy and monitoring performance outcomes.
• Setting greenhouse gas emission reduction targets aligned with SBT, together with corresponding action plans for each BU.
• Closely and regularly monitoring government laws and policies.
• Developing low-carbon products and services.
• Enhancing ESG Due Diligence for investments to incorporate climate change considerations, supporting decision-making for investments and project implementation.
Monitoring and Audit:
• Monitoring greenhouse gas emission reduction plans on a quarterly basis.
• Monitoring Scope 1 and Scope 2 greenhouse gas emissions to ensure alignment with established targets.
• Assessing damages, increased costs, and restoration expenses arising from disaster and climate change events.

Organizational Risk Factors: ESG Risk: Biodiversity Risk
Prioritization (Likelihood and Magnitude): Risks arising from global warming and climate change may lead to changes in or loss of biodiversity. In addition, OR’s business activities may potentially cause adverse impacts on biodiversity.
Risk Appetite: OR places strong emphasis on security, safety, occupational health, and the environment, with a commitment to No Catastrophic Accident as defined by safety standards, and aims to achieve SET ESG Ratings scores of not less than 50% in each ESG dimension.
Mitigating Actions:
• Conducting Biodiversity Impact Assessments (BIA) across the value chain to determine risk levels and to serve as a basis for developing mitigation measures and action plans in the future.
• Preparing Environmental Impact Assessment (EIA) reports in compliance with legal requirements to monitor environmental impacts.
• Controlling operations and treating pollution prior to its release into the environment.
• Enhancing ESG Due Diligence for investments to incorporate biodiversity considerations, supporting decision-making for investments and project implementation.
Monitoring and Audit:
• Monitoring changes in laws and government policies related to biodiversity.
• Tracking community complaints related to incidents affecting biodiversity.
• Assessing damages, increased costs, and restoration expenses arising from biodiversity risk events.

Risk Culture

OR aims to promote a risk management culture throughout the organization so that OR grows sustainably and securely, with executives and employees at all levels demonstrating risk awareness, risk-taking, and risk management capabilities. OR fosters a risk-aware culture through the following:
OR drives the risk management culture from its organizational leaders (“Tone from the top”) by declaring the Risk Management Policy, articulating acceptable risk (Risk Appetite), and promoting and overseeing appropriate risk management throughout the organization.
OR assigns accountability so that executives and employees are aware of their ownership of risks and of their appropriate risk exposure. Key performance indicators (KPIs) are established that consider the balance between returns and risks.
            From an investment and business operations perspective, OR has established policies and standards related to product and service stewardship to serve as operational guidelines. In addition, OR has developed a product quality plan and a process control plan to manage risks that may affect the quality of products or services. Relevant risk assessment criteria are integrated into the processes for product and service development and improvement, and training programs are provided for employees in accordance with the requirements of ISO 9001:2015.
              Further details can be found at: https://www.pttor.com/en/sustainability/governance-and-economic-dimension/product-and-service-stewardship
OR has an escalation process for cases in which a risk is found to exceed the organization’s acceptable risk level. Every employee is responsible for proactively identifying and reporting potential risks anywhere in the organization that could have a negative impact on business operations, via e-mail to OR-ERMC@pttor.com. OR communicates and exchanges ideas to create effective communication and constructive challenge, supports open expression, and invites perspectives on risks at every stage of work from all departments.
OR provides financial incentives that incorporate risk management metrics. The KPIs of senior executives, line managers, and employees (such as operational safety, product and service quality, organizational image and reputation, the Carbon Neutral Pathway, and financial performance) are tied to risk items in OR’s Corporate Risk Profile. These KPIs feed into individual performance evaluations and are taken into account when financial incentives are decided.
OR requires all employees to adhere to operational guidelines that consider governance, risk, and compliance (GRC). The risk management manual is published on a website accessible to all employees, and training sessions are held across the organization during the year to make employees aware of the importance of risk management processes and internal control, and to deepen the knowledge and understanding of risk management principles and internal control that executives and employees apply in their operations.
              In terms of human capital development, OR provides training programs ranging from new employee orientation (OR Orientation) and annual continuing training programs to online learning (E-learning). These include, for example, Good Corporate Governance (CG), Risk Management, Internal Control, and the Compliance Policy, which governs operational practices in accordance with applicable laws, rules, and regulations. At the same time, OR promotes compliance with laws and regulations by requiring employees to attend training on relevant legislation, such as the Trade Competition Act B.E. 2560 (2017), as well as internal requirements and corporate policies. This ensures that operations are conducted in line with the applicable legal framework and standards, thereby preventing operational risks.
For senior executives, OR provides risk management training organized by the Thai Institute of Directors (IOD) to enhance their knowledge and understanding of risk management.

Emerging Risk

        OR prioritizes newly emerging risks and prepares to address them, considering their impact on OR’s business operations. Measures are in place to proactively manage the risks comprehensively and systematically, as follows:

          1. Adverse outcomes of Generative AI technologies

Category: Information Technology Risk
Description: The Global Risks Report 2025 by the World Economic Forum highlighted that risks associated with Artificial Intelligence (AI), particularly Generative AI (Gen AI), were expected to intensify over the next 2-10 years as these technologies became increasingly embedded across all aspects of society. Such risks included the spread of misinformation, threats to privacy, cybersecurity risks, copyright infringement, algorithmic bias, the use of AI in criminal activities, workforce displacement, and even the potential militarization of AI technologies. In addition, Harvard Business Review (HBR) reported that the adoption of Gen AI within organizations continued to accelerate, consistent with findings from the Stanford AI Index, which reported a steady increase in AI usage across all global regions. Major global companies, such as Microsoft and Salesforce, integrated AI into their products and services, while other prominent companies, including Apple and Samsung, remained cautious in adopting AI within their operations due to concerns over the associated risks. In Thailand, the application of Gen AI in organizational operations continued to face significant challenges. The Electronic Transactions Development Agency (ETDA) emphasized the importance of balancing the sustainable use of AI with the establishment of robust governance mechanisms. The growing use of Gen AI tools, such as ChatGPT and Gemini, gave rise to several key emerging risks, including:
• Data Inaccuracy: Errors in data processed by Gen AI could lead to inaccurate or inefficient usage and decision-making.
• Bias and Stereotyping: Outputs generated by Gen AI might reflect biases embedded in the training data, resulting in biased or non-neutral outcomes.
• Copyright Issues: The use of Gen AI to generate images or written content raised concerns regarding potential copyright infringement.
• Privacy Violations: Gen AI posed a risk of unauthorized disclosure of personal data or confidential organizational information.
• Misinformation: The dissemination of inaccurate or misleading information online could cause significant adverse impacts on organizations.
Accordingly, organizations were required to manage these emerging risks effectively in order to fully leverage the benefits of Gen AI while maintaining operational stability and preserving public trust.

Impact: OR advanced its transition toward a digitally driven organization by integrating Generative AI (Gen AI) into its operations to enhance operational efficiency, strengthen organizational capabilities, and improve customer service delivery, thereby supporting its competitive advantage. However, the adoption of Gen AI also presented emerging risks related to personal data protection, cybersecurity, transparency, and accountability. Inadequate management of these risks could lead to significant adverse impacts on OR’s business operations, as well as on its corporate image and reputation.
Mitigating Action: OR recognizes the potential risks arising from technology-related threats and places strong emphasis on preventive and mitigation measures to manage them effectively. In response to these challenges, OR has established an AI/ML Governance Process to ensure that the adoption and application of AI/ML within the organization are effective, secure, and ethical. OR has developed a clear Governance Framework that defines roles and responsibilities for both AI/ML utilization and corporate data management. In addition, the use of AI/ML is continuously monitored, evaluated, and improved. AI/ML risk management is integrated with OR’s overall enterprise risk management framework to improve the likelihood of achieving organizational objectives, supported by appropriate risk control measures and monitoring mechanisms, including specific policies and controls tailored to each type of risk. These measures are aligned with the three fundamental principles of information technology security and privacy:
• Confidentiality
• Integrity
• Availability

OR allocates sufficient and capable personnel to develop, test, deploy, and govern AI/ML operations in alignment with organizational needs. The company also promotes the ethical use of Generative AI (Gen AI) by educating employees, raising awareness of ethical considerations, adopting best practices, and implementing ongoing monitoring to ensure compliance with organizational guidelines. To mitigate potential risks, OR has implemented robust preventive measures, such as installing firewalls and operating a Security Operations Center (SOC) to prevent cyberattacks and data breaches. Additionally, OR utilizes a Cloud Access Security Broker (CASB), a Data Loss Protection (DLP) system, and company-installed software to control data access and prevent unauthorized data leakage. OR also conducts regular system audits and vulnerability risk assessments to identify and remediate weaknesses in its information systems, while educating employees on safeguarding organizational data from external leaks. Furthermore, the company has obtained cybersecurity insurance and established a Business Continuity Management (BCM) process to address potential threats to its information systems, enhancing organizational resilience and preparedness against cyber threats.

          2. Environmental Challenges and Biodiversity Threats in Coffee Bean Production

Category: Business and Operational Risk
Description: In the Global Risks Report 2025 by the World Economic Forum, nearly all environmental risks are included in the top 10 rankings for the decade ahead. Extreme weather events are anticipated to become even more severe over the next decade. Of all the risks surveyed, the perceived severity of biodiversity loss and ecosystem collapse worsens the most, and critical change to Earth systems and natural resource shortages are also among those perceived to deteriorate materially. Concurrently, the Food and Agriculture Organization (FAO) has highlighted a concerning aspect of climate change: the potential reduction of suitable areas for coffee cultivation by up to 50% due to rising global temperatures. This poses a substantial threat to the countries of the Bean Belt, the regions near the equator where coffee cultivation is prevalent. Nations such as Peru, Brazil, Ethiopia, Colombia, and others face the formidable challenge of climate change, with potential repercussions for future coffee production. The impact on this vital global commodity encompasses not only the potential extinction of specific coffee varieties but also the alteration of the taste, aroma, and overall quality of coffee. In essence, the combination of natural resource crises and climate change poses a multifaceted risk to the coffee industry, affecting both the economic vitality of coffee-producing nations and the sensory and qualitative attributes of the global coffee market. Addressing and mitigating these challenges requires comprehensive strategies spanning environmental, economic, and agricultural dimensions to ensure the resilience and sustainability of the coffee sector under evolving climatic conditions.
Impact: Currently, Thailand’s annual coffee bean consumption stands at 90,000 tons, while domestic production capacity is only 40,000-50,000 tons per year. Café Amazon, a major coffee bean consumer, requires up to 6,000 tons annually. The Café Amazon business is therefore susceptible to disruptions arising from a shortage of coffee beans, which could raise operating costs and affect overall operating results. A shortage of coffee beans, the core raw material for Café Amazon’s operations, would put upward pressure on costs through increased procurement expenses and potential supply chain complications. Such cost escalations, if realized, may have a discernible influence on the financial performance and operational efficiency of Café Amazon. In addition, changes in the taste, aroma, and quality of coffee may affect consumer satisfaction.
Mitigating Action: It is imperative for Café Amazon to proactively assess and strategize in response to this risk, including by exploring diversified sourcing strategies and fostering resilient supply chain practices. OR has established a collaborative knowledge exchange initiative with the Ministry of Agriculture and Cooperatives with the strategic objective of fostering and bolstering the expansion of coffee cultivation areas. This initiative aims to catalyze a transition towards integrated agriculture practices aligned with coffee cultivation, thereby empowering farmers to enhance productivity and income through sustainable agricultural methods. The overarching goal of this partnership is to raise the efficiency of coffee production to international standards, with particular emphasis on the distinctive qualities of region-specific coffee varieties. In doing so, the initiative not only seeks to augment the value of coffee products but also contributes to mitigating environmental concerns, including deforestation. Central to this collaborative effort is the establishment of a mutually beneficial marketing cooperation, under which Café Amazon is committed to supporting the procurement of coffee products of standardized quality from certified farmers. This approach is conducive to the advancement of sustainable farming practices and aligns with OR’s inclusive growth strategy, which prioritizes the creation of opportunities and the generation of value for all stakeholders throughout the entire business chain. In 2025, OR implemented the Amazon Park project in Lampang Province. The project aims to serve as a hub for the cultivation, research, and breeding of Thailand’s finest coffee varieties. This initiative is designed to strengthen the Café Amazon business across the entire value chain, from upstream to downstream, while fostering a sustainable business ecosystem.

          3. Employment crises

Category
Business and Operational Risk
Description
The World Population Prospects reveals a global populace reaching 8 billion individuals, with those aged 65 and above comprising approximately 10%, a figure anticipated to ascend to 16% by 2050. Thailand, in particular, has emerged as the world’s third-fastest growing elderly population, officially transitioning to an aging society in 2022. Projections indicate that by 2030, Thailand is poised to attain super-aging status akin to Japan, with individuals aged 60 and above constituting 28% of the nation’s demographic landscape. As nations worldwide confront the challenges of an increasingly aging society, the pervasive labor shortages experienced underscore the need for strategic responses.
Impact
OR, which employs a substantial workforce across various businesses, including PTT Station, Café Amazon, and other retail businesses, faces a potential labor shortage as Thailand transitions into a super-aging society. This demographic shift is a significant concern, as it could lead to higher labor costs, thereby reducing the efficiency of business operations and potentially affecting business performance.
Mitigating Action
OR has introduced the “Fully Self Serve Station” and incorporates automation comprehensively throughout its production, storage, and distribution processes, with the strategic aim of minimizing labor requirements and optimizing overall work efficiency. At the same time, Café Amazon, an entity under the OR umbrella, has proactively undertaken an initiative to broaden employment prospects for the growing senior citizen demographic. Recognizing the demographic shift towards an aging society in Thailand and the resulting dearth of employment opportunities for the elderly, OR has entered into a collaboration with the Department of Social Development and Welfare, Ministry of Social Development and Human Security. This collaboration has given rise to “Café Amazon for Chance,” run by elderly baristas. The program recruits individuals aged 55-65 to serve as coffee shop baristas, and the shops are adapted accordingly: the drink menu is streamlined to focus exclusively on best-selling items, automation is integrated into the operational processes, with an automatic brewing machine ensuring consistency in delivering the café’s standard flavor, and Café Amazon has also considered matters such as optimal shelf heights for raw materials and the provision of emergency medical equipment. To facilitate a smooth transition for the elderly baristas, a comprehensive training program has been implemented. This training, conducted by the Café Amazon standard development and training team, adheres to the same exacting standards applied to all Café Amazon baristas. This pioneering model not only addresses the imminent challenge of labor shortages but also actively contributes to the creation of meaningful opportunities for the elderly population in Thailand.

Performance

Risk Training Details in 2025 (GRI 3-3e.)

Training program: Risk Management and Internal Control (Orientation)
Target group: New employees
Date of training: Round 1: 9 October 2025; Round 2: 15 October 2025
Number of trainees (people): Round 1: 33 people; Round 2: 46 people
Summary of recommendations from training/Remark: New employees have knowledge and understanding of risk management and internal control as a basis for their work.

Training program: Risk Management and Internal Control (E-Learning)
Target group: Executives and employees throughout the organization
Date of training:
• Risk Management: started on 1 August 2024 and has been continuously promoted to date
• Internal Control: started on 6 September 2024 and has been continuously promoted to date
Number of trainees (people): Risk Management: 1,963 people; Internal Control: 1,880 people
Summary of recommendations from training/Remark: Executives and employees have gained a deeper understanding of risk management and internal control.

Knowledge-Sharing regarding Risk Management for the Board of Directors:

In 2025, OR regularly promoted risk awareness and risk management practices through knowledge-sharing initiatives as part of the Enterprise Risk Management Committee (ERMC) meetings, conducted quarterly or as deemed appropriate. Most committee members are non-executive directors.
Knowledge-sharing on risk management is also provided for all executive and non-executive directors. These sessions covered key topics such as Global Risk, Business Area Risk, Thailand Risk, Global Sustainability Trend & Risk, Stakeholder Management, and the analysis of their impact on OR’s business operations.
Additionally, OR facilitated discussions through “Sharing Risk Moments,” providing valuable insights into emerging risks and their potential implications, thereby enhancing the organization’s overall risk management capabilities.

Related Documents 

1. Risk and Crisis Management (downloadable file)
2. Risk Management Policy (please select “Corporate Risk Management”; downloadable file)