Risk Management
- Executives, employees, and contractors are responsible for risk management in their respective units within the Thaioil Group. They integrate risk management into significant company operations and comply with the enterprise risk management policy and risk appetite to ensure adequate and appropriate control. They also contribute to the development of risk management, and report on and review its effectiveness to reduce potential impacts on company operations.
- Promote and cultivate awareness among executives, employees, and contractors about the importance of risk management, integrating it as a continuous organizational culture.
- Risk Management Committee (RMC) will consider and establish the risk appetite and support resources, tools, oversight, and guidance for the risk management processes.
- Risk Management Steering Committee (RMSC) will support, promote, and drive every function to manage risks according to enterprise risk management policy and procedure appropriately based on the changing business environment. Also, report the results of risk management to the Risk Management Committee at least once every quarter.
- Enterprise Risk Management policy serves as a guideline for all companies in the Thaioil Group to maintain a consistent standard for risk management.

Thaioil Group’s Vision is to empower human life through sustainable energy and chemicals, with the goals of promoting organizational growth, achieving leading investment returns, reducing profit volatility through business diversification, considering the interests of all stakeholders, and ensuring the sustainability of the economy, society, and the environment.
Its Mission is to enhance the quality of life for stakeholders and deliver sustainable returns through innovation, technology, and a strong business structure, underpinned by leading governance and corporate social responsibility.
Thaioil Group is a Strategic-Focused Organization that regularly reviews its vision and business direction to ensure it has the right strategies to adapt to changing internal and external factors. To achieve sustainable growth, Thaioil Group has outlined three key strategic directions as follows:
- Value Maximization: focuses on enhancing Thaioil Group’s core competencies in the energy sector, where it holds expertise.
- Value Chain Enhancement: focuses on extending Thaioil Group’s value chain by leveraging its refining expertise to venture into high-value chemicals and related businesses.
- Value Diversification: focuses on identifying and pursuing innovative new business opportunities.
To successfully implement its three main strategic directions, achieve its goals, and generate returns for stakeholders in an uncertain and ever-changing environment, Thaioil Group recognizes the need for a systematic and integrated Enterprise Risk Management (ERM) framework across the entire organization.
Enterprise Risk Management
This framework aligns with the principles of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM Framework and ISO 31000:2018 (Risk Management Principles and Guidelines). The Enterprise Risk Management (ERM) framework reflects the governance and management policies of each organization. When an organization effectively manages its risks, it enhances its ability to achieve its organizational objectives in terms of both efficiency and effectiveness.
Risk Management Process
1. Scope, Context, Risk factors (link to mission, vision, core value, strategy, and objective)
The company defines the scope and context of the organization, including risk management criteria that are directly linked to the organization’s objectives. This is done by considering both internal and external factors that may impact the achievement of the company’s objectives in the short, medium, and long term. In defining the objectives of the risk management process, the company considers events or situations that may arise and hinder the achievement of the organization’s objectives. As a result, the objectives are set to be aligned with the company’s vision, mission, goals, strategies, and performance indicators (Key Performance Indicators: KPIs), as well as to take into account emerging risks and respond to the needs and expectations of stakeholders.

2. Risk Assessment (Identification, Analysis, Evaluation)
2.1 Risk Identification
The company identifies risks, which involves compiling a list or register of events or situations that arise both internally and externally to the organization and have the potential to hinder the achievement of the company’s objectives. Risk identification is carried out by individuals or groups of individuals, such as executives and/or relevant employees, using various methods, such as workshops, interviews or risk perception surveys, and reporting of past incidents.
In identifying risks, the company considers risk factors in six areas, namely:
1) Internal Factors. Examples include executive policies, organizational structure, employee quality, information technology systems, integrity, production plans, and Key Performance Indicators (KPIs).
2) External Factors. Examples include politics, community, economic conditions, technological changes, laws, regulations, and contracts, government regulations, competitors, customers, and natural disasters.
3) Needs and Expectations of Stakeholders. Examples include shareholders, financial institution officials, customers, business partners, contractors, employees, community, society, and relevant government agencies and state organizations.
4) Results of the QSHE Aspect Assessment. Where risks are at level 4 or above, they should be elevated to the department level and included in the VP Risk Profile.
5) Operational Risk Management (ORM) risk assessment results. Where risks are high, they should be elevated to the department level and included in the VP Risk Profile.
6) Additional factors and risks as deemed appropriate by management.

2.2 Risk Evaluation
The company assesses risks that may have an impact on achieving its objectives. This process leads to decisions about which risks need to be managed and how they are prioritized for risk management. These decisions are based on information obtained from risk analysis, considering current risk levels, expected risk levels, and risk tolerance levels. The assessment considers:
- Impact, assessed in six areas: impact on people, the environment, assets, reputation, targets, and net profit.
- Likelihood, the probability, chance, or frequency of a risk event occurring.
2.3 Risk Exposure (RAM)
To assess the company’s risk exposure, a 5×5 Risk Assessment Matrix (RAM) is used. This matrix defines five risk levels based on the impact and likelihood of each risk. The RAM serves as a tool for prioritizing risks and determining appropriate risk management measures.

2.4 Risk Prioritization
The company has established guidelines for dealing with risks at each level, which are divided into five color-coded areas representing the priority of the risk management plan. These guidelines are as follows:
Risk Level | Guidelines for Each Priority Level
---|---
Very high (HH) | Requires an immediate, comprehensive risk management plan; significant resources to mitigate must be provided as the first priority.
High (H) | Requires an immediate, comprehensive risk management plan; significant resources to mitigate must be provided after ‘Very high’.
Medium (M) | Develop a risk management plan when residual resources remain from the ‘High’ level.
Low (L) | May develop an additional risk management plan if residual resources remain from the ‘Medium’ level.
Very low (LL) | No additional risk management plans are required at this time, but regular monitoring is essential. Additional risk management plans can be developed when residual resources become available from the ‘Low’ level.
3. Risk Treatment (4T)
The company establishes measures or activities to manage risks in line with its acceptable risk framework (Risk Appetite) to minimize the likelihood and impact of risks that could hinder the achievement of objectives. This is done by addressing the root causes of risks or the potential consequences of those risks.
Risk Treatment Strategy
To address risks with the 4Ts strategy, as follows:
- Risk Acceptance (Take or Accept): the risk, after implementing controls, falls within the company’s acceptable risk tolerance. No further action is required to address the risk.
- Risk Reduction (Treat or Reduce): Risk reduction involves implementing additional measures to lower the likelihood or impact of a risk to an acceptable level.
- Risk Avoidance (Terminate or Avoid): Risk avoidance entails eliminating or discontinuing the activities that create the risk. With this strategy, the company may need to reconsider whether its objectives remain achievable, or modify them to stay in line with the company’s overall objectives.
- Risk Transfer (Transfer or Share): Risk transfer involves shifting or sharing a portion of the risk to another party.
4. Monitoring and Review (Risk treatment progress, Risk exposure, KRI)
Monitoring, evaluating, and reporting on risk management activities and reviewing various risk management practices is an ongoing process carried out by internal personnel within the organization. Additionally, external parties, such as consultants or independent experts, may be engaged to assist in these endeavors.
Due to the dynamic nature of risk situations, risk management approaches, objectives, and processes, the effectiveness of previously implemented risk control measures may diminish over time. Therefore, it is crucial to conduct regular reviews and monitoring of risk management practices to ensure their continued effectiveness and adaptability in the face of potential changes. The company monitors and reviews risk management activities and the risk management process, including:
- Assess the implementation of risk management measures and their effectiveness. Report findings to the Risk Management Steering Committee and the Risk Management Committee.
- Engage external consultants or entities to conduct an independent review of risk management processes and evaluate Risk Maturity.
- Conduct an internal audit of risk management practices.
- Report identified risks and risk management results to relevant stakeholders following the established risk management reporting structure.
- Evaluate the effectiveness of controls and other risk management activities, ensuring their continuity.
- Collect comprehensive, accurate, clear, and timely risk management data and maintain proper documentation.
- Communicate regularly and openly with key stakeholders and relevant departments, both formally and informally.
In addition, the company has established Key Risk Indicators (KRIs) to assess the direction of risks and serve as early warning signals. All key risks must have corresponding KRIs defined, and the performance and appropriateness of these KRIs should be regularly reviewed, assessed, and reported.
5. Recording and Reporting (Risk profile, Risk management performance, Continuous improvement)
The company has mandated that all units prepare records of the analysis and reporting of significant risks in the form of a Risk Profile. This is to ensure a standardized approach, with defined formats and data elements, such as the name of the significant risk, risk level, control measures, risk key indicators (KRIs), etc.
The risk profile and risk management outcomes are reported to the relevant units and committees in accordance with the risk management structure for review, approval, and timely decision-making on measures or additional measures to address the situation. The organization encourages proactive risk reporting on a regular basis through formal channels as per the plan, including risk management committee meetings and Thaioil Group management meetings. However, in some cases where urgent action is required, coordination or event-specific reporting may take place prior to formal reporting.
6. Communication and Consultation
The company comprehensively communicates and consults with both internal and external stakeholders to ensure that all relevant parties and stakeholders fully understand the causes, impacts, and risk management measures. This ensures that everyone has complete and accurate information, which promotes risk awareness and understanding. Additionally, providing consultation allows for feedback and information to support decision-making.
Stakeholders:
• Internal: Employees, Contractors
• External: Shareholders, Customers, Partners, Competitors, Creditors, Community, Society & Environment, Government Agencies & Relevant Organizations
Communication with External Stakeholders:
• Annual Reports
• Form 56-1
• Seminars and/or Knowledge Sharing within the PTT Group and other listed companies
Communication with Internal Stakeholders:
• Report risk management according to risk management structure.
• Risk management training and seminars.
• Articles
• Risk Management Information System (RMIS)
• Risk Newsletter
• Reporting of risk factors and potential impacts
The company promotes proactive and consistent communication through both formal and informal channels to assess, monitor, and manage risks, as well as control and action plans. This is in accordance with the risk management structure and is driven by the belief that continuous communication ensures timely access to and presentation of adequate risk information for informed decision-making.
Thaioil Group has established a risk management culture and integrates risk management into the organization’s strategic planning and decision-making processes through ERM. ERM ensures a common understanding of risk management principles, concepts, methods, and processes across the organization. This enables consistent implementation of risk management steps and procedures, identification of risks, and a shared awareness of the potential impact of uncertainties and an increasingly complex environment on achieving business objectives aligned with the organization’s strategy. ERM also facilitates the development of risk management and internal control frameworks for all levels of the organization, ensuring consistent and continuous adherence to risk management and internal control processes.
Moreover, ERM also serves as a tool to cultivate an organizational culture that emphasizes risk management knowledge among executives and personnel at all levels. This enables systematic monitoring, review, and evaluation of risks, enhancing the effectiveness of risk management measures. It also facilitates effective communication and reporting of significant risks, providing valuable insights for executive decision-making. Ultimately, ERM contributes to Thaioil Group’s balanced achievement of economic, social, and environmental objectives under the principles of corporate governance. It ensures fair treatment of all stakeholders and promotes sustainable growth while supporting energy security in alignment with good corporate governance practices, regulations of the Stock Exchange of Thailand (SET), and the Securities and Exchange Commission (SEC).
Enterprise Risk Management Strategy
Thaioil Group has established an Enterprise Risk Management Strategy to achieve its strategic vision. This strategy is implemented through a comprehensive risk management process: the organization establishes clear risk management policies and defines its acceptable risk appetite, these are reviewed by the Risk Management Committee (RMC), and the organization implements risk management across the entire organization, encompassing all business units and activities. The Risk Management Steering Committee (RMSC) reviews, monitors, and evaluates the effectiveness of risk management practices on a quarterly basis. Enterprise Risk Management (ERM) is a crucial tool that enables Thaioil Group to achieve its operational and business objectives. To effectively implement ERM, the company has established a comprehensive Enterprise Risk Management Strategy, as outlined below:

Risk Appetite Statement
In defining the company’s risk appetite statement, executives carefully consider the potential financial and non-financial impacts on both individual units and the organization as a whole. This includes potential damage to the company’s reputation. Furthermore, executives implement strategies to mitigate high-risk or severe risks that exceed the company’s risk appetite statement, bringing them within the acceptable range.
The organization will apply its established risk appetite statement to various activities, including:
- Communicate organizational risks, the risk appetite statement, and risk management practices to stakeholders. This ensures that stakeholders are well-informed and have confidence in the organization’s ability to conduct business in accordance with the commitments made to shareholders.
- Input for formulating strategies, business guidelines, and parameters or factors used in the planning process.
- Communicate the organizational values derived from fostering a culture of continuous risk management.
- Utilize as a framework for delegating authority and responsibilities for managing various units or personnel within the organization.
- Assess the overall organizational risk to ensure it remains within the organization’s risk appetite statement.
The Risk Management Policy mandates that the Risk Management Committee (RMC), under the supervision of the Board of Directors, establish a Risk Appetite Statement for each of the organization’s significant risks.
For other risks, the acceptable risk level is defined as low or very low. However, if mitigation is not feasible, such as in the case of external factors beyond the organization’s control or when the assessed return does not justify the increased cost of implementing risk management activities, the risks must be closely monitored.
The Risk Appetite Statement must be aligned and consistent with the organization’s goals and objectives. This is achieved by considering the following information:
Internal Indicators:
1. Key Performance Indicators (KPIs) aligned with targets set in the strategic plan and/or annual operational plan.
2. Internal Regulations
3. Financial statements and statistical data reflecting operational performance
External Indicators:
1. Peer Group or Benchmarking
2. Economic Indicators
3. Regulatory Requirements
Roles and Responsibilities
Board Oversight Level
The Board of Directors has the following responsibilities for risk management:
- Promote enterprise-wide risk management.
- Oversee risk management activities through the Risk Management Committee, ensuring its effective and continuous implementation.
- Evaluate the effectiveness of the organization’s risk management.
- Foster a culture of risk management and internal control principles throughout the organization.
- Participate regularly in risk management-related activities such as training, workshops, and seminars.
The Audit Committee has the following responsibilities for risk management:
Thoroughly review the adequacy and effectiveness of the organization’s internal control, internal audit, and risk management systems, and may recommend the review or audit of any items deemed necessary and important. The Audit Committee should provide recommendations for improvement of internal control systems, risk management systems, and submit audit reports to the Board of Directors.
The Risk Management Committee (RMC – Sub-Board level) has the following responsibilities for risk management:
- Define and review the risk management framework, risk management charter, policies, and management processes, recommending risk management practices and ensuring they align with the strategic direction, business plans, and evolving circumstances.
- Promote and support risk management initiatives across all levels of the organization, including the development and implementation of risk management tools and fostering a risk-aware culture.
- Monitor and oversee the reporting of significant risks, ensuring that risk management practices are effective, aligned with business objectives, and maintain risks within acceptable levels as defined by the organization’s risk appetite.
- Promptly report significant risk management issues or events that could have a material impact on the company to the Board of Directors for their consideration and action.
- Take on any additional risk management-related duties assigned by the Board of Directors.



First Line of Defense – Operational Risk Ownership
1. Risk Coordinators (RCOs) have the following responsibilities for risk management:
- Execute according to Thaioil Group’s Risk Management Policy as outlined in the group’s risk management manual.
- Coordinate and facilitate risk assessment activities within the department or unit, and set appropriate risk mitigation measures.
- Regularly monitor and review the results of implementing risk mitigation measures together with the concerned parties in the department or unit.
- Present the identified departmental risks to internal meetings for consideration to ensure that risk assessments, reviews, and mitigation plans are efficient and effective.
- Meet with Risk Coordinators (RCOs) from across the organization to exchange risk management information between units and the risk management function.
- Coordinate and collaborate with the Risk Management Unit to organize risk management awareness and training programs for employees within the department or unit, in order to enhance understanding and raise awareness of the importance of risk management.
- Participate in risk assessment analysis and develop mitigation measures for the relevant departments.
2. Employees and sub-contractors have the following responsibilities for risk management:
- Manage day-to-day risk and implement corrective actions to address process and control deficiencies.
- Continuously integrate risk management into work processes, ensuring risk management aligns with the organization’s risk management framework, structure, and policies, ultimately cultivating a culture of risk management.
- Implement and support risk management measures to ensure work practices achieve objectives.
- Report risks and problems encountered in risk management to supervisors according to hierarchy, and also report to the organization’s strategic risk management unit.
3. Executive Vice Presidents (EVPs) have the following responsibilities for risk management:
- Encourage all departments, companies in the group, and major projects and investments related to their respective lines of business to conduct comprehensive risk analysis and assessment, including the establishment of appropriate risk management measures.
- Recommend improvements to risk management practices in their respective lines of business to ensure effective management aligned with business operations, growth, and changing circumstances.
- Mandate the regular reporting of risk management results and progress for their respective lines of business and group companies, including major projects and investments, to the Risk Management Steering Committee (RMSC) to ensure that appropriate and effective risk management practices are in place.
- Support and promote the development of risk management capabilities among their respective line of business personnel to foster risk awareness and continuous implementation, ultimately leading to an organizational culture of risk management.
- Encourage all relevant departments within their respective lines of business to collaborate with the Corporate Risk Management Department in monitoring, evaluating operational performance, and the adequacy of risk management measures and plans for all critical aspects, group companies, and major projects and investments.
Second Line of Defense – Risk Management and Compliance Oversight
1. The Corporate Risk Management Department has the following responsibilities for risk management:
- Plan and prepare a budget for the operations of risk management, internal control, and business continuity management of Thaioil Group.
- Evaluate and review the organization’s risk management, internal control, and business continuity management processes to ensure compliance with international standards.
- Evaluate and review corporate risk, line-of-business risk, and departmental risk in alignment with the organization’s goals and direction, including monitoring the progress of implemented risk management measures.
- Evaluate and review investment project risks, including analyzing, monitoring, and implementing risk management measures to maintain an appropriate risk level for each project.
- Mandate regular risk assessment and review, including risk management measures, for all departments across Thaioil Group.
- Monitor and evaluate the effectiveness of risk management measures and overall risk levels for each department.
- Report the results of the analysis, assessment, and review of corporate risk, internal control, and business continuity management of Thaioil Group to the Thaioil Group Risk Management Steering Committee, the Risk Management Committee, and the Board of Directors in accordance with the risk management plan to summarize risk management results and communicate to all relevant units.
- Implement and communicate the policies and recommendations of the Thaioil Group Risk Management Steering Committee and the Risk Management Committee to relevant parties.
- Develop and update manuals and guidelines of risk management, internal control, and business continuity management for Thaioil Group to align with current business practices.
- Communicate, raise awareness, provide knowledge, and coordinate or arrange training on risk management, internal control, business continuity management, and related knowledge on a regular basis.
- Coordinate and exchange risk information with petrochemical and refining companies in the PTT group.
- Maintain and enhance the risk management database for efficient operation.
- Develop, review, and improve the business continuity plan (BCP) and action plans to support Thaioil Group’s business continuity management, including conducting regular BCP drills for Thaioil Group.
- Serve as the secretary of the Thaioil Group Risk Management Steering Committee (RMSC) and the Risk Management Committee (RMC).
- Review, monitor, and audit control activities and the results of compliance with the defined control activities to ensure that the organization has effective and efficient internal control, supporting the achievement of organizational goals and sustainable business growth.
2. The Risk Management Steering Committee (RMSC), comprising senior management or executive-level members, has the following responsibilities for risk management:
- Establish a framework, policies, and structure, including risk management, internal control, and business continuity management strategies, for Thaioil Group that are appropriate for the business, aligned with changing circumstances, and in accordance with international standards.
- Promote the various departments and companies in Thaioil Group to analyze, assess, and determine risk management measures, and to report risk management results and progress in all aspects of Thaioil Group companies, including important projects and investments, to the Committee on a regular basis, to ensure that risks are managed and measures are taken appropriately and effectively.
- Review, monitor, and audit the results of risk management, including recommendations on risk management, internal control, and business continuity management practices of Thaioil Group in accordance with the risk management framework, policies, and internal control and business continuity management practices to ensure that management is effective and appropriate for the operations and growth of the business.
- Regularly screen and report significant risk management, internal control, and business continuity management results of Thaioil Group to the Risk Management Committee (RMC).
- Approve plans, guidelines, and manuals, and support and allocate necessary resources for risk management, internal control, and business continuity management of Thaioil Group.
- Support and promote the development of employee capabilities so that employees at all levels understand and are aware of risk management, internal control, and business continuity management, creating awareness and enabling continuous implementation until it becomes an organizational culture.
- Encourage all departments to cooperate with the Risk Management Department in monitoring, evaluating the results of operations, and the adequacy of risk management measures and plans for all aspects, companies in the group, including important projects and investments.
- Hold meetings at least once a quarter.
Third Line of Defense – Independent Audit Unit
Internal Audit Unit has the following responsibilities for risk management:
- The Audit Committee has assigned the Internal Audit team to provide independent assurance on the review of compliance, corporate governance, risk management, and internal control.
- Set strategic plans, annual and long-term audit plans, execution plans, and audit outcomes, while recommending and monitoring progress on significant issues, and reviewing the independence of the internal audit.
The Risk Management Unit is responsible for providing knowledge and guidance on risk management to employees and contractors across all Thaioil Group companies on a regular basis, using communication channels such as the designated risk coordinators or management within each unit, including periodic training sessions or meetings as per the risk management plan. It assesses risks, monitors risk management activities, and reports identified risks and their assessments to the relevant committees in line with the risk management structure, ensuring that all significant risks are reviewed from various perspectives and receive support from senior management through appropriate risk management measures.


Risk Audit
Internal audit is conducted by the company itself and involves various units, such as the Corporate Risk Management Department, the Quality Management Department, and the risk coordinators from each unit.
External audit is conducted by an external auditor that provides system certification for various ISO standards.
The audit process consists of the following steps:
- Define the Audit Plan: Establish the timeframe, objectives, and scope of the audit.
- Establish Evaluation Criteria: Define the standards and requirements to be used for evaluation.
- Conduct the Evaluation: Carry out the audit according to the defined plan and criteria.
- Identify Observations: Identify any issues that may not comply with the requirements.
- Implement Improvements and Follow-up: Take corrective action to address identified issues and track the effectiveness of the corrective actions.
- Prepare a Report: Document the audit findings in a written report.


Sensitivity analysis and stress testing
The company’s risk management process utilizes Sensitivity Analysis tools to analyze both financial and non-financial aspects, in order to evaluate and assess potential impacts. This process facilitates risk assessment and the evaluation of appropriate risk mitigation measures.

Enablers
The company has developed and promoted a risk management process that utilizes a variety of tools to effectively enhance risk governance. This includes the Risk Management Information System (RMIS), which serves as a centralized database for collecting, recording, and reporting risk data in a systematic manner. Employees can access this system through the company’s intranet for convenient and timely access to risk information.



Focused training throughout the organization on risk management principles
In addition, to foster a culture and awareness of risk management, the company communicates continuously through activities such as:
- Risk Newsletter: Prepared by the Corporate Risk Management Department, the newsletter presents information on risks and significant events that may affect the company in the future.
- Enterprise Risk Management (ERM) Training: These sessions aim to enhance knowledge and understanding of risk management at the organizational level. They include E-learning modules through the Thaioil Academy for employees at all levels, and workshops on risk management concepts and techniques for the risk coordinators of each unit. The workshops give coordinators the opportunity to practice and apply risk management theory in real-world scenarios, improving their preparedness to address a range of risks.
- Knowledge Management (KM): The company records and shares lessons learned from past experience and best practices, which contributes to the overall improvement of risk management effectiveness.

Regular risk management education for all non-executive directors
To ensure that directors receive regular risk management education, the Charter of Thaioil’s Risk Management Committee requires that its members have adequate knowledge and understanding of risk management, or other relevant and significant expertise, to support the Company’s business operations and fulfill the Committee’s objectives. The company organizes training to develop the competency of the Risk Management Committee through certified institutes, for example the Thai Institute of Directors Association (IOD), covering risk governance, risk management roles and responsibilities, and risk management frameworks. The Risk Management Committee also receives quarterly updates on the trends and factors that may affect the company under the environmental scanning agenda item at its meetings.
Beyond the Risk Management Committee, all non-executive directors receive information and training each year to educate the board on managing risks related to the company’s business. Formats include inviting experts on topics of interest to share their views and information in the Strategic Thinking Session (STS), risk expert sharing sessions, and expert sessions. These sessions help the board understand future trends and risks, and how they may affect the company, so that the board can direct, advise on, and seek appropriate mitigation. They also provide valuable insights and perspectives to directors, executives, and key staff in support of business strategy, risk management planning, and new investment in response to future trends.



Financial incentives which incorporate risk management metrics
Thaioil aligns corporate strategic objectives and KPIs across all VPs, who oversee functional performance, each with their own KPIs, risk profile, and individual performance metrics. Completion of the risk management plan (%) is embedded in the Executives’ KPIs. This aims to embed risk management in Thaioil’s culture: progress in mitigating key risks is tied to financial incentives for each function and subsidiary, directly linking it to individual performance.

Incorporation of risk criteria in the development of products and services
Thaioil incorporates risk criteria into the product development and approval process by requiring that all investments undergo risk assessment procedures covering the established corporate risks. At the initial stage of investment planning, a pre-risk assessment is conducted. Subsequently, the investment analysis includes a risk assessment review using an investment checklist of key risks in each category. Examples of key risk considerations include price volatility, margin depression, technological risk, scope change, availability of suppliers and vendors, staff competency, legal and regulatory change, potential partners, liabilities, social tension, funding, ESG, and strategy.
Depending on the project’s value, the risk assessment may be submitted to the Board’s Risk Management Committee for review. During the project execution stage, key risks are identified and assigned mitigation measures. Finally, during the operational phase, a retrospective analysis is conducted to review the results, including the risks encountered.



Corporate Risk Profile
Thaioil’s corporate risk profile comprises two elements: detailed risk descriptions, each assessed for likelihood and magnitude, and the corresponding mitigating actions.

Emerging risk
The dynamic nature of political, economic, social, environmental, legal, and technological factors can significantly impact business operations and introduce emerging risks for the organization in the future.
