Internal Control

Bangchak Group values a sound internal control system under the scope of The Committee of Sponsoring Organizations of the Treadway Commission (COSO), which requires these components of internal control: control environment, risk management, control activities, information and communication, and monitoring activities.

Having reviewed the recommendations, the Board provided its views on the adequacy and suitability of the internal control system. Below is a summary of assessment findings.

1. Control environment

Bangchak’s work environment favors proceeding under the internal control system. Legal and Corporate Compliance centralizes compliance efforts for laws and regulations of agencies in a clear, concrete way to guide employees’ performance. Internal Control Division promotes and steers compliance with the internal control system under COSO. This has been communicated to executives and staff to win their recognition of sound internal control. Moreover, the Control Self-Assessment process has been developed with a consulting firm to strengthen internal control.

Amendments are made to business policies, the employee manual, the operating manual, and the organization and taskforce structure to support management efficiency. Finally, Bangchak relentlessly values business integrity and ethics under its corporate governance (CG) policy, sustainable business development with the environment and society, as well as compliance.

Bangchak values the issues of fraud risks and conflicts of interest, as evident in its requirement for employees to provide data on their conflicts of interest via the HR-Service system, which is convenient for them and keeps the data up to date every year.

Bangchak takes fraud risk and conflict of interest very seriously. Staff are required to declare their conflicts of interest on the e-HR system, designed to provide convenience and facilitate annual updates. Bangchak also values corporate governance, thus producing the CG Manual, which requires executives and staff to comply with the CG policy. Key points in the manual have been communicated and publicized among both internal and external parties. Examples include the six key principles of Bangchak’s corporate governance (accountability, responsibility, transparency, equitable treatment, vision to create long-term value, and ethics), the No-Gift Policy, and the Do’s & Don’ts, together with short messages from executives to staff on such matters as doing good, anti-corruption, and tone at the top leadership. The Company and the subsidiaries organized CG Day activities for the year 2022 (17th year), hosted by BBGI Plc., under the topic “Digital Transformation and Corporate Governance” to continually enhance understanding and raise awareness of the CG policy, and organized a supplier seminar for the year 2022 (9th year), which provided knowledge about the Supplier Code of Conduct to partners to support sustainable business operations. Bangchak still encourages suppliers and partners to join Thai Private Sector Collective Action Against Corruption (CAC), which underscores continuous commitment to anti-corruption.

Bangchak appointed an Enterprise-wide Risk Management Committee (ERMC) to steer risk management for the entire corporation and develop a continually efficient enterprise risk management system under the ISO 31000 international standard embracing strategic, operation, financial, and reputation risks. These risks imply safety and occupational health risks; risks of impacts on the environment, society, and communities; compliance risks; and risks of corrupt practices, among others. Risk management processes cover the entire corporation, namely the corporate, business group/functional group, section, and work process groups. Also, in place is a formulating process for investment project risk management in each of Bangchak’s projects worldwide. And to promote ESG (Environmental, Social and Governance), the Board values risk management by affiliates and joint ventures so that they may operate suitably, stay vigilant, and monitor overall impacts for manageable risk control. Overall, Bangchak Group successfully managed these risks.

Bangchak’s defined policy and key risk management practices have been well-aligned with TQA and Dow Jones Sustainability Indices (DJSI) in parallel with corporate strategic plan formulation. Foreseeable post-Covid situations have been defined, prompting Bangchak to draw up a strategy under two scenarios to adapt to the actual situation. Key risk indicators (KRIs) have been applied to the vigilant monitoring of risk likelihood to fine-tune and define additional risk management plans to ease impacts on corporate goals and achieve manageable key corporate risk control and desired outcomes.

To enable Bangchak to handle unforeseen risks that could hurt business capability, including the spread of the COVID-19 virus, surveillance of the flood situation, global climate change issues, natural catastrophes, sabotage, political change, pandemic and other incidents, it appointed a Business Continuity Management Taskforce to develop a system, oversee strategic preparedness, processes, resources, and revise plans to cope with risks and crises more effectively so that Bangchak’s businesses may proceed uninterrupted and mitigate repercussions. To this end, it has introduced the ISO 22301:2019 system to the corporation, embracing Head Office, Bangchak Refinery, and Bangchak Oil Distribution Center, Central Region Business Office, and Bang Pa-in Oil Distribution Center. This move certifies that Bangchak indeed commands a system to handle crises, manage business continuity on a par with international standards, and bolster confidence among stakeholders that it is capable of coping with crises, and of continuing to deliver products.

Bangchak’s control activities rely on KPIs for planning and exerting control. Duties and responsibilities are segregated for checks and balances, as are the revision and definition of authority levels and approval authority for each level for business suitability. E-signature technology has been introduced to support business agility. Checks and balances and authority inspection are the mandates of dedicated units and committees, including Internal Audit, the Investment Committee, and ERMC.

Bangchak has adopted a system for documents and evidence of delegating responsibility should errors arise. Custody of company assets prevents losses or abuses, as does the monitoring of transactions with long-term corporate commitment, under which agreed terms are to be honored. Measures are in place to prevent exploitation of opportunities or benefits from personal gain. This year Bangchak repeated to staff procedures on corporate data management and control so that all units may effectively treat company information to avoid any harm to the business.

At Bangchak, procedures ensure compliance with laws and applicable regulations as well as key operating procedures. Technology systems have been developed for promoting internal control. This year Bangchak rolled out its “Work process management policy”, which takes seriously proper work practices by designated work processes. Work processes are constantly improved for effectiveness with due regard for points of control and control measures to lessen risks; these efficient processes are modern and align with Bangchak’s directions and goals. The e-Work Manual system is used to track the preparation and updating of the work manual so that it stays up to date. In addition, Bangchak stressed in its communication and organized a seminar to educate executives and employees on conformance to the Personal Data Protection Act of 2019, which came into force on June 1, 2022. Bangchak also reviewed and amended the policy and requirements for IT security to achieve personal data management that aligns with the law. To this end, it earned ISO/IEC 27018:2019 management certification on IT security to safeguard personally identifiable information.

The company’s strict and suitable measures are in place for engagement in transactions with the major shareholder, directors, among others, to prevent benefit siphoning. For instance, such transactions must go through the approval process involving only those free of vested interests. Also, data for such transactions must be disclosed under SEC’s rules along with disclosure about related parties or businesses under accounting standards.

At Bangchak, watertight measures are in place for its transactions with major shareholders, directors, among others, to avert the siphoning of benefits. For instance, such transactions must be approved by those without vested interests and such transactions’ data must be disclosed under SEC’s rules, including data on parties or related undertakings under accounting standards.

Bangchak set up an ISMS Management Team to deal with information security management, which involves review and improvement of IT policy and regulations. The team’s mission includes monitoring of threats, email filtering, malware prevention, firewall system, as well as staff communication about regulations concerning information security and risk. Threat prevention is regularly run together with measures to boost awareness of possible threats to the business. Thanks to information security management, Bangchak won ISO/IEC 27001:2013 (information security management system) and a Letter of Compliance, which exhibits agreement with the standard (Guidelines for Cybersecurity) – the first to be so awarded in Thailand. Recertification has been continued to this date. Furthermore, this year Bangchak won ISO/IEC 27001:2013 concerning information security management in the oil refining control system from SGS Thailand Limited.

Bangchak has guidelines for supervision and a process to monitor the operations of associated companies and subsidiaries in accordance with the business strategies, policy framework and guidelines of the company. Committees under the risk management structure are the Enterprise-wide Risk Management Committee (ERMC), Audit Committee (AC), Strategic Investment Management Committee (SIMC), and Subsidiary Synergy & Strategic Alignment Steering Committee (SSS).

Every year Bangchak revises its Digital Roadmap to agree with its strategic plans on refinery management, marketing, and key business processes, namely finance, accounting, and personnel administration. Various digital technologies were relentlessly applied in support of its performance and greater efficiency of information system and data communication management. For instance, in refining activities, the Data Analytic system was applied to improve processing efficiency; the 5G technology was applied to safety management in the refinery’s operating areas; and the GPS technology found application in data management and logistics cost control. In marketing activities, Digital Cards were employed to grow channels for the Bangchak Card membership base. The company also uses various digital technologies to support its work, such as Data Analytics systems to analyze marketing data and Robotic Process Automation (RPA) technology to support work processes involving a large volume of information and repetitive work.

Bangchak’s various employee communication channels and processes educate employees on various issues in a swift manner to ensure that messages get through, including the Intranet, e-mails, intercom, and digital message boards, in addition to informal but popular channels like LINE Group. Also, communication with external stakeholders is carried out through multiple media, especially online media, today’s popular means of communication due to its data transmission speed, including its website and Facebook. The purpose is easy access and application as well as successful data search results through mobile devices to quickly and efficiently meet business demand.

Bangchak has set up complaint channels as well as a whistleblowing system for employees and stakeholders, who can use phone numbers or e-mails; they are to be duly protected and enter the fact-finding process for eventual correction.

Bangchak commands a system that monitors compliance with internal control. The Internal Control Division works to assess corporate compliance (CSA: Control Self-Assessment), with relevant executives assessing the adequacy and suitability of the internal control system. Online technologies have been adopted for greater efficiency of the corporate assessment system. The online assessment technology is being used to increase the efficiency of the enterprise assessment process, including the internal control assessment at the process level by the process owner in a workshop format for critical work processes. Meanwhile, Internal Audit takes charge of assessing internal control under an audit plan earlier approved by the Audit Committee and giving recommendations for further development of the system. Should any flaw in the system be spotted, Bangchak takes corrective actions so that the business targets can be achieved. The internal audit department has followed up on corrections to ensure that the operation will meet the goals.

Risk management

Bangchak has adopted an international integrated enterprise-wide risk management system based on COSO ERM and ISO 31000 for more than 19 years to define management directions and measures to prevent and minimize impacts from a variety of risks preventing it from achieving goals.

The risk management system has provided not only the capability for Bangchak to operate all businesses successfully under a relentlessly changing environment but has also warranted confidence among all stakeholders. All executives and staff, as well as joint ventures, fully participate in this international risk management system aligned with the corporate strategy and planning, as well as the sustainability development policy involving environmental, social and governance (ESG), under the supervision and monitoring of an Enterprise-wide Risk Management Committee (ERMC), with reporting lines and organizational network.

Risk Management Results

This year countries around the world, Thailand included, were besieged by economic uncertainties. Economic recovery was delayed by multiple factors, including the transmission of COVID-19 early in the year, aggravating geopolitical situations, boycotts of Russia in the wake of the Russia-Ukraine war, consistently high inflation rates, costly energy and consumer goods resulting from disrupted supply chains and the weakening baht, climate change, and Thailand’s extensive flooding. However, Bangchak, including joint-venture companies, had prepared an enterprise-wide risk management plan to mitigate the impact on the business. It monitored and tracked the overall effect to keep risk levels acceptable and prepare for a volatile future business landscape. Bangchak developed a risk management plan in parallel with the operating strategy. It planned two scenarios in response to potential situations to ensure adaptability to changing circumstances.

Corporate risk management includes management of all internal and external risks incorporated with an assessment of future trends which could affect the organization in the short, medium, and long terms. The system incorporates risks in strategy, operation, finance, and reputation. The system is managed with specific key risk indicators (KRIs) to monitor and track the likelihoods and severity of all identified risks and provides treatment plans to mitigate and minimize the risks and drive operations to succeed as planned. In 2022, Bangchak assessed and managed corporate risks aligned with the corporate strategy and sustainability development involving the environment, society and governance.

In addition to strategic directions and returns on investment, project investment risk management is another crucial component of business success. All investment projects must therefore be reviewed for risk management with risk treatment at various stages as follows.

  1. Development phase risk
  2. Construction phase risk
  3. Operation phase risk including risks concerning operation, finance, taxation imposed by the tax policy of the country of investment, business, and reputation.
  4. Natural disaster risk.

For all investment projects significant to the Company's operations, the Enterprise-wide Risk Management Committee must approve their risk management plans to ensure that the business managed risks properly, impacted neither the community nor the environment, and could achieve Bangchak's goals. This year the Enterprise-wide Risk Management Committee approved, advised, and made observations on risk management preparation for the joint-venture project to form BSGF Co., Ltd., to engage in the production of Sustainable Aviation Fuel (SAF).

To ensure the ability to continue its businesses even during crises, Bangchak has developed and installed a Business Continuity Management (BCM) system. Bangchak won the ISO 22301:2012 BCM award covering Headquarters, Bangchak refinery and Bangchak Oil Distribution Center, Central Region Business Office and Bang Pa-in Oil Distribution Center since 2013. The award is a guarantee of its preparedness to continue its businesses with maximum efficiency under international standards even during crises, and high confidence for all stakeholders on the ability of Bangchak to fully operate during crises and constantly deliver products to its clients.

In addition, for business continuity and sustainability, Bangchak reviewed trends and business factors that are expected to change and impact business (mega trends and global risks) to manage them in the medium term and long term, including competition in the business and industry, economic situation, consumers’ behavior, the surroundings and climate change due to global warming, and technological and innovation growth, including alternative & renewable energy, energy storage, electric vehicle, and policies of the public sector. These studies have been integrated with primary data of stakeholders’ expectations and needs for further analyses of future impacts and directions of risk management in parallel with integrated corporate strategy to strive for mutual sustainability.

Bangchak has grouped its risk management framework into 1) corporate risk management, 2) project investment risks, and 3) business continuity management. This framework helps formulate an appropriate risk management system and assessment.
