Importance and Mission

The Company places high importance on organizational risk management since it is essential to the organization's long-term viability. It is a tool that helps organizations prepare for current and future challenges. It also helps strengthen security, reduce risks, and promote confidence among all stakeholders.

SDGs in the Risk Management

Goals and Performance Highlights

Goals

Develop a comprehensive risk management system to support sustainable business operations aligned with organizational strategies.
Manage risks in alignment with economic, social, and environmental changes

Performance Highlights 2024

Established the Risk Management Committee to oversee policies, guidelines, and risk management systems.
Implemented policies aligned with operational strategies and continuously improved the framework

Management Approach

The Company has set risk management policies for the entire organization following the enterprise risk management framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO ERM 2017) and the Thai Corporate Governance Code for Listed Companies - 2017. Additionally, anti-corruption measures have been implemented, with the Group Company receiving certification as a member of the Thai Private Sector Collective Action Against Corruption (CAC). This ensures that the Group Company manages risk effectively. The Company has developed policies and risk management manuals to guide operations as follows:

01

Establish a clear risk governance framework and balance system for effective risk management. The Board of Directors has assigned the Risk Management Committee to establish the framework and risk management policies, as well as the risk management plan. The Audit Committee has been assigned to oversee and ensure that risk management follows the risk management plan and policies.

The Risk Management Committee and the Audit Committee will meet at least 2 times a year to communicate significant risks, link risks with internal control, and report risk management to the Board of Directors. The Risk Management Committee met to review risks related to strategies, objectives, targets, and alignment with acceptable risks, and to provide recommendations on emerging risks on February 28, 2024, and June 7, 2024.

02

Develop a risk management plan covering all aspects to achieve the vision, mission, strategic plan, and business plan. The organizational risks include: 1) strategic risks, 2) operational risks, 3) regulatory and compliance risks, 4) fraud and corruption risks, 5) financial risks, 6) emerging risks, and 7) ESG risks.

03

Promote a risk management culture to build understanding, awareness, and shared responsibility regarding risks, controls, and the impact of risks on the Group Company throughout the management and operations process.

04

Implement processes, guidelines, and measures for risk management of appropriate international quality, including continuous identification, analysis, evaluation, prioritization, management, control, monitoring, reporting, assessment, and communication of risk-related information across the entire Company.

05

In assessing and analyzing risks, measure both qualitative aspects such as the reputation and image of the Company, and quantitative aspects such as losses, revenue decreases, and expense increases with the consideration of the likelihood and impact.

06

Establish risk limits to confine potential damage within levels acceptable to the Company. Appropriate risk management measures (4Ts: Tolerate, Treat, Terminate, Transfer) are considered for each risk, and warning signs are defined to prompt actions if risks exceed the set limits.

07

Implement a Three Lines of Defense Model for effective risk management and control. In this case, internal control systems are defined across three lines: 1) First Line: all employees are responsible for their risk management, 2) Second Line: the management oversees operators and reports to executives, managing directors, and the Board of Directors, and 3) Third Line: internal auditors review the first and second lines to ensure that internal control systems are suitable for risk management.

08

Establish a Business Continuity Plan (BCP) to guide executives and employees in responding to future crises. The aims are to ensure continuous operations of the Group Company, protect stakeholder interests, maintain organizational reputation and credibility, and sustain business operations. The BCP is reviewed and updated annually based on drill results to ensure system recovery within the specified targets. The Board approved the BCP on July 10, 2024.

09

Implement written operating procedures to guide executives and employees. This is considered an operational risk control.

The risk management policy and manual will be reviewed at least once a year or when changes occur that could impact the Company’s operations. The latest review was conducted on February 1, 2024, ensuring that the policies and manual are up-to-date, aligned with current conditions, and effectively applicable to reduce the likelihood of risks and help achieve business goals.

Risk Management Process
1. Governance
  • The Board of Directors approves risk management policies to provide a framework for risk management, such as establishing a risk management committee and defining the risk management process.
  • The risk management governance structure includes a risk management committee, consisting of experts with diverse specializations. The committee members play a crucial role in setting policies, reviewing, and overseeing the organization’s risks.
  • All members of the risk management committee are company directors. A risk management working team and responsible units are appointed, operating independently from operational and internal audit departments, following the Three Lines of Defense Model.
  • The risk committee charter is used to specify the scope, authority, duties, and responsibilities, such as promoting a culture of risk management, holding risk committee meetings to monitor risk status, and reporting performance to the Board of Directors.
  • The risk management committee ensures that the risk management system is robust, appropriate, up-to-date, and efficient, complying with international standards.
  • The internal audit unit is responsible for auditing and evaluating the effectiveness of the internal control and risk management systems, providing recommendations for system improvement, and reporting audit results to management and the Board of Directors.
Risk Committee Structure
Scope Authority Duty and Responsibility of the Risk Management
2. Strategies, Objectives, and Goals

The Company has integrated risk management into its strategy, objective, and goal-setting process, including context analysis, ESG materiality assessment, and stakeholder engagement. This ensures that strategic risks—such as expanding the business to new countries, achieving Net Zero targets by 2050, and sustainable community engagement—align with acceptable risk levels.

3. Risk Management Process

The Company identifies risks linked to its goals in various areas to evaluate their severity and prioritize them. Risk response measures are then established, such as investing in clean technologies, raising awareness through leadership and employee training, and collaborating with stakeholders.

4. Monitoring and Review
  • The Company’s Risk Management Working Team, consisting of experts in relevant fields, plays a crucial role in coordinating with the management. They report on risk status, review performance, and assess risks. Additionally, they use Key Risk Indicators (KRI) for early warning signals, measuring risk management performance, and supporting strategic decision-making before analyzing, filtering, and presenting to the Risk Management Committee.
  • The Risk Management Committee meets to review risks related to strategies, objectives, and goals, ensuring alignment with acceptable risk levels and providing recommendations on emerging risks. For instance, in 2024, meetings were held on February 28, 2024, and June 7, 2024.
  • The Company recognizes that continuous improvement in risk management must be consistently integrated into management and culture. This includes practices like root cause analysis and the use of KRI alongside performance outcomes.
5. Information, Communication, and Reporting

The Company places great importance on transparent communication and reporting of risk management results to build confidence and trust among stakeholders. This includes comprehensive risk management reports covering critical information, such as risk factors that may impact operations and risk management practices, ensuring stakeholders can clearly and fully understand the information. This approach integrates risk communication into promoting understanding, knowledge, and awareness among all involved parties.


Risk Management Culture

For example, in 2024, workshops on COSO ERM 2017 & ESG were conducted to enhance understanding of risk management and ESG management processes effectively, using tools like Key Risk Indicators (KRIs) for monitoring and evaluation, and adapting operational plans to current situations.

In 2024, the Company organized risk management activities and training for executives, employees, and partners, such as the Enterprise Risk Management and ESG Risk courses on October 16 and November 7, 2024, and the Sustainability and ESMS Training course on August 28, 2024.


Risk Factors

The Company engages in the production and distribution of electricity from renewable energy sources, such as solar, wind, biomass, and other renewable energies, both domestically and internationally. These activities involve various risks that could impact the business. This document outlines risk factors based on current information and forecasts; however, there may be other risks beyond the Company’s control that could affect future performance. Therefore, the Company places importance on identifying, assessing, controlling, and regularly reviewing risk management measures.

The following risk information highlights some significant risks that could negatively impact the business. The Company may not be aware of other risks not listed or may consider certain risks currently insignificant but could become materially impactful. These risks could adversely affect the business, cash flow, operating results, financial status, and business opportunities of the Company and its subsidiaries.

For information referencing or related to the government or the overall economy of markets in Thailand and globally, the Company relies on disclosed data or copies of official documents or other credible sources. However, the Company does not verify or guarantee the accuracy of such information or the methods by which it was obtained.


Crisis Management and Business Continuity Management System
1. Importance

The Company recognizes and prioritizes business continuity management to handle unexpected emergencies or crises that may impact operations, such as fires, natural disasters, or cyber-attacks. The Business Continuity Plan (BCP) is designed to guide executives and employees in responding to future crises, ensuring the Company’s operations remain continuous, protecting stakeholder interests, maintaining the organization’s reputation and credibility, and sustaining business continuity.

2. BCP Management Process

2.1 Policies and Organizational Structure

The Board of Directors approved the Business Continuity Management Policy on July 10, 2024, to set management guidelines and raise awareness among all levels of personnel. The policy appoints a Business Continuity Management (BCP) Team, comprising members from various departments, such as Strategy, Finance, Engineering, Accounting, Operations, Human Resources, and Business Development, to take on specialized responsibilities while maintaining coordination.

2.2 Planning and Impact Assessment

The Company has analyzed business impacts to assess the risks of various events, considering both the potential impact and the likelihood of occurrence. These events include natural disasters, pandemics, security and reputation events, and personnel-related incidents. Timelines for recovery and restoration have been established to ensure a swift return to normal operations.

2.3 Crisis Response and Preparedness Approaches

The Company has established procedures for handling crises before they occur, during the event, and after returning to normal conditions. This includes an emergency call tree and detailed key business recovery strategies, along with designated responsible parties. Additionally, to ensure the BCP team can effectively handle crises, the plan mandates at least annual drills to monitor, share lessons learned, and improve responses to various threats.

3. Examples of Drill Activities

For business continuity plan drills, the Company had scheduled drills for each site and each scenario, conducting them alternately. For example, in October 2024, the SPN Solar Power project in Lopburi conducted a fire drill and evacuation exercise according to the plan. This training includes inspecting fire prevention systems and coordinating with the BCP team as specified in the procedures, or drills by primary service providers.

Related Documents

Risk Management Policy