Internal Control

Bangchak Corporation PCL constantly values a sound internal control system under the scope of The Committee of Sponsoring Organizations of the Treadway Commission (COSO). This year it proceeded with system improvement at the recommendations of EY Corporate Services Ltd., which had been assigned by Bangchak to assess the system and table its recommendations to the Board of Directors and the management for improvement.

Having reviewed the recommendations, the Board provided its views on the adequacy and suitability of the internal control system. Below is a summary of assessment findings.

1. Control environment

Bangchak’s favorable environment provides for the system to proceed as aspired. Legal and Corporate Governance centralizes clear and measurable compliance with assorted laws and regulations; therefore, employees have guidance for their behavior. Amendment is made to work policies, the employee manual, work manuals, organization and taskforce structuring, all of which ease the management’s tasks. Bangchak relentlessly values business integrity and ethics under the corporate governance policy and sustainable business development in parallel with society and the environment, apart from the oversight of compliance.

Bangchak values the issues of fraud risks and conflicts of interest, as evident in its requirement for employees to provide data on their conflicts of interest via the e-HR system for their convenience and up-to-date data every year.

Bangchak appointed the Enterprise Wide Risk Management Committee (ERMC) to define policies, strategies, and goals for enterprise risk management and develop a corporate risk management system for ongoing efficiency under ISO 31000, which embraces strategic, operational, finance, and corporate reputation risks, which could arise from safety and health; impacts on the environment, society, and communities; compliance with laws; and anti-corruption. Covering the corporate hierarchy, Bangchak’s risk management processes consist of the operating level for achieving corporate goals, business groups, divisions, work processes, and the establishment of investment project risk management plans for every project in and outside Thailand. The outcomes are then relayed to all business groups and affiliated companies so that all may follow the standard process. To this end, the corporate risk management structure embraces all business groups and affiliated companies to ensure that Bangchak Group may together achieve short-term and long-term goals.

Internal Control 114 Annual Report 2018

Bangchak identified and drew up risk management plans in parallel with the establishment of corporate strategic plans to align with COSO Enterprise Risk Management – Integrated Framework (COSO ERM). It applied Key Risk Indicators (KRIs) to its monitoring and surveillance processes concerning risk occurrence to modify and develop them into additional risk management plans, mitigate impacts on corporate goals, and pay special attention to risk management by Bangchak Group companies so that they may proceed suitably with manageable key risk control so as to jointly achieve goals.

To enable Bangchak to handle unforeseen risks that could hurt business capability, including natural catastrophes, sabotage, political change, and other incidents, it appointed a Business Continuity Management Taskforce to develop a system, oversee preparedness, and revise plans to cope with risks and crises more effectively so that Bangchak’s businesses may proceed uninterrupted and mitigate repercussions. To this end, it has introduced the ISO 22301:2012 system to the corporation, embracing Head Office, Bangchak Refinery, and Bangchak Oil Distribution Center, Central Region Business Office, and Bang Pa-in Oil Distribution Center since 2013 (for six consecutive years). This move certifies that Bangchak indeed commands a system to handle crises, manage business continuity on a par with international standards, and bolster confidence among stakeholders that it is capable of coping with crises, and of continuing to deliver products. The acquired ISO 22301:2012 certificate has been monitored each year by the standard certifier.

Bangchak’s control activities rely on KPIs for planning and exerting control. Duties and responsibilities are segregated for checks and balances, as are the revision and definition of authority levels and approval authority for each level for business suitability. Checks and balances and authority inspection are the mandates of dedicated units and committees, including Internal Audit, the Investment Committee, and ERMC.

If things go wrong, Bangchak’s documents are in place for respective liability borne by divisions and responsible parties. To prevent asset losses and abuses, the company sets stewardship procedures. Monitoring of transactions binding Bangchak in the long term is in place to ensure compliance with agreed terms. Preventive measures avert employees’ abuse of its business opportunities for self-interests. This year it also trained employees on “Procedure for Managing and Controlling Inside Information” for greater understanding and compliance with such procedures.

Bangchak’s procedures ensure employees’ compliance with applicable laws, articles of association, and key work processes. It also has developed an IT work system so as to ensure better internal control.

The company’s strict and suitable measures are in place for engagement in transactions with the major shareholder, directors, among others, to prevent benefit siphoning. For instance, such transactions must go through the approval process involving only those free of vested interests. Also, data for such transactions must be disclosed under SEC’s rules along with disclosure about related parties or businesses under accounting standards.

Bangchak has appointed an ISMS Management Team in charge of oversight and management of information system security. It has also reviewed and amended policies and requirements for IT system security under ISO 27001. Finally, it has constantly informed employees about risks and prevention of IT threats, together with the standards for accessing the information system. Also, it has achieved ISO/IEC 27001:2013 certification, the Information Security Management System, and a letter of compliance with ISO/IEC 27032:2012 and guidelines for cybersecurity, the first Thai company to do so under the certification by Bureau Veritas Certification (Thailand).

Bangchak commands a monitoring system for the regular oversight of subsidiaries under its business strategies, policy scope, and guidelines.

A Digital Roadmap has been drawn up to accommodate work on refinery management, marketing, finance, accounting, and personnel administration so that Bangchak may leverage various data through analysis and for higher-efficiency operation. Innovative technologies are applied to oil refining processes, including IoT (Internet of Things) technology, sensors installed around the refinery, execution of Big Data Analytics, data analysis for marketing planning, development of improved services for customers, and improvement of work process efficiency. Also, Bangchak investigated emerging technologies to improve work processes so that they may be convenient and concise (that is, more automated), including robotics, mobile technology, artificial intelligence, Blockchain, virtual reality, and augmented reality.

Bangchak employs several internal communication channels and processes to present synopses, depending on the contents. The key is swift and accurate information regularly passed on through diverse channels, including the Intranet, e-mails, intercom, and digital bulletin boards. In its external communication, online communication is common, and its website and Facebook are readily accessible; one can search data with mobile devices for swift and efficient application.

Bangchak has set up complaint channels as well as a whistleblowing system for employees and stakeholders, who can use phone numbers or e-mails; they are to be duly protected and enter the fact-finding process for eventual correction.

Bangchak commands a monitoring system for regular outcome comparison against targets. If incidents affect performance, steps will be taken to modify strategic plans for suitability, in line with assessment outcomes. As a result, performance will align with goals. Internal Audit, reporting to the Audit Committee, audits business proceedings under the internal control system. Finally, the company has set up an Internal Audit Division under Corporate Sustainability, whose responsibility is to promote internal control system improvement.

Risk management

Amid rapid changes in the current business environment, the risk management process is crucial for the formulation of plans to systematically tackle business uncertainties. Besides applying the international COSO ERM and ISO 31000 standards at the operational, business group, and divisional levels, Bangchak has integrated these standards into its work processes and the formulation of risk management for every investment project.

By structuring its management of risks to cover all business groups, requiring them to observe a standardized risk management system, Bangchak ensures that the company and its affiliates will fully achieve their long-term and short-term goals in line with the sustainable approach for business, environmental, and social development. This year Bangchak amended its crisis management and business continuity management (BCM) plans, as in every previous year. Also, it staged BCM plan and emergency plan drills under the topic of “emergency at crude oil tanks located at the refinery and BCM plans”, a simulation embracing a communication drill between the management and relevant employees. The outcomes played a part in improving procedures and securing additional resources for Bangchak’s improved BCM system and the assurance of uninterrupted businesses in the face of assorted crises.

Risk management structure

The Board, executives, and all units are involved in the management of risks. The Enterprise Wide Risk Management Committee (ERMC), appointed by the Board, assures that Bangchak has an efficient system that can appropriately manage all risks, and promotes the corporate culture of risk management to foster, among all executives and employees, awareness of potential impacts from risks. The Risk Management Subcommittee (RMC), comprising senior executives of business groups, functional groups, and divisions, monitors the performance of Enterprise Wide Risk Management, develops a risk management system covering all business groups, and appoints a Price and Finance Risk Management Committee (PRMC) to regularly oversee and manage risks arising from the volatility of prices and exchange rates. To raise risk management efficiency and keep pace with circumstances, this year Bangchak appointed a subcommittee (Sub PRMC) to report to PRMC on performance, with effect from January 1, 2019.

Risk management outcomes

This year Bangchak examined internal and external factors threatening its business operations, covering the volatility of oil prices and exchange rates, business competition, economic conditions, and the growth of relevant technologies and innovations, which include alternative-energy, energy storage-related technologies, the progress of Electric Vehicle (EV) development, biotechnology, public policies, and megatrends. Bangchak also considered the needs and expectations of its stakeholders in analyzing impacts and future trends for the formulation of its risk management plans and identification of business opportunities. In enhancing the assessment efficiency of risk factors and their causes, Bangchak’s risk scope contains corporate, investment, and BCM risks.

The first step of corporate risk management is to assess key internal and external risk factors, including future trends potentially affecting Bangchak's short-term and long-term goals. Besides covering strategic, operational, and financial risks, the assessment includes risks concerning legal compliance, employees' safety and occupational health, together with operational impacts on the environment, society and communities, all of which may affect Bangchak's credibility. Key risk indicators (KRIs) have also been developed for the monitoring process to help Bangchak stay vigilant for emerging threats, while data obtained from the process are utilized for the improvement and formulation of additional risk-management plans to mitigate impacts on Bangchak's goals.

Besides alignment with the corporate strategic directions and returns on businesses, consideration of risk management in all investment projects is vital. This year Bangchak developed international investment project risk management plans, including investment through subsidiaries by acquiring capital increase shares in OKEA AS (“OKEA”), which undertakes petroleum development and production in Norway, and acquisition of strategic areas to accommodate Bangchak Group’s new investment expansion in the future. Taken into account are key factors and business outlooks that could affect new businesses in the short and long terms so as to minimize investment risks.

To this end, explicit, systematic project risk analysis is essential for each phase of the project:

  1. Development phase
  2. Construction phase
  3. Operation phase (namely operational, finance and tax policy of invested countries, business, and reputation)
  4. Natural disaster.

The key is to ensure sustainable success for investment projects without impacts on the surroundings, society, and communities. Project plans must also secure ERMC’s endorsement before the Board’s review and approval.

Bangchak has acquired for six straight years ISO 22301:2012 standard certification covering its Head Office, Bangchak Refinery and Bangchak Oil Distribution Center, Central Region Business Office, and Bang Pa-in Oil Distribution Center. This certification underscores Bangchak’s readiness for crises and efficient Business Continuity Plan (BCP) implementation under international standards, while stakeholders can rest assured that Bangchak can handle emergency responses while continuing to deliver its products.

This year Bangchak amended its crisis management plan and BCM plans for the entire corporation, as done every year. Also, it staged a BCM plan and emergency plans under the topic of “emergency at crude oil tanks located at the refinery and BCM plans” based on a simulation embracing a communication drill between the management and relevant employees. The outcomes played a part in improving procedures and securing additional resources for Bangchak’s improved BCM system and the assurance of uninterrupted businesses in the face of assorted crises.
