
Internal Control

Bangchak Group assigns paramount importance to having a robust internal control system. The Company operates by the internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which defines the five key components necessary for internal control as: 1) control environment, 2) risk assessment, 3) control activities, 4) information and communication systems, and 5) monitoring system.

The Board of Directors has formed an opinion on the adequacy and appropriateness of the Company’s internal control system. A summary of the internal control system assessment is as follows:

1. Control environment

The Company’s environment facilitates the operation of the internal control system as anticipated. The Corporate Compliance Department serves as the central unit in overseeing compliance with the laws and regulations of various agencies clearly and measurably to guide employees’ operations. The Internal Control Division is responsible for promoting compliance with the internal control system according to COSO guidelines and communicating and providing knowledge to executives and employees to raise awareness of the importance of and strengthen the development of a sound internal control system.

The Company has revised its work policies, manuals, organizational structure, and various working groups to support efficient management operations. It continuously emphasizes integrity and ethics in conducting business under corporate governance policies, sustainable business development in parallel with the environment and society, and compliance with regulations.

The Company has prioritized Fraud Risk and Conflict of Interest issues by requiring employees to report their information through the online personnel management system for convenience and by updating information annually. In addition, the Company has emphasized corporate governance by creating a manual of corporate governance policies (“CG Policy”) for executives and all employees to adhere to as a code of conduct. Announcements and communications on corporate governance have been conducted both within and outside the organization on topics such as the six fundamental principles of corporate governance of the Company (Accountability, Responsibility, Transparency, Equitable Treatment, Vision to Create Long Term Value, and Ethics) and the No Gift Policy and Do’s & Don’ts. The Company also communicates short messages from executives to employees on doing good deeds and fighting fraud and corruption by setting examples from organizational leaders (Tone at the Top). The Company held the 19th CG Day 2024 with group companies, hosted by BCPG PCL, on “Decoding CG for Sustainable Vibes: Decoding CG Principles for Endless Happiness” to continuously build understanding and instill awareness of CG policies. Bangchak also held the 11th Annual Supplier Seminar 2024 to impart acknowledgment of the Supplier Code of Conduct to partners to support sustainable business operations and continued to assist partners in joining the “Thai Private Sector Collective Action Against Corruption”, which is a reaffirmation of its continued commitment to anti-corruption.

The Company has appointed an Enterprise-wide Risk Management Committee (ERMC) to oversee and continuously improve enterprise-wide risk management and the effectiveness of the enterprise-wide risk management system, based on the ISO 31000 international standard, which covers strategic, operational, financial, and reliability risks as well as safety and occupational health risks, environmental, social, and community impacts, legal compliance, fraud, and corruption risks, etc. The risk management process encompasses all levels of the organization, including the enterprise, business/workgroup, department, and operational levels. There is also a process for developing risk management plans for all domestic and international investment projects. Furthermore, for the business to sustainably progress along with the environment and society under Environmental, Social, and Governance (ESG) oversight, the Enterprise-wide Risk Management Committee emphasizes risk management by group companies/joint ventures to ensure they operate appropriately, monitor and track the overall impact, and effect risk control to be within the Risk Appetite. Overall, the Company Group has successfully managed risks and achieved its targets.

The Company has considered the policies and has managed its main risks to be linked to and aligned with the criteria of the National Quality Award and the Dow Jones Sustainability Indices (DJSI), along with the process of developing the Company’s strategic plan, forecasting probable event scenarios so that operations can be adjusted to align with the actual situation. In addition, Key Risk Indicators (KRIs) have been used in the monitoring process for the likelihood of risks occurring to improve and develop additional risk management plans to reduce the impact on the organization’s goals and to control key enterprise-level risks to be at an acceptable level to achieve the targets.

In addition, to enable the organization to mitigate unforeseen risks affecting the ability to conduct business, such as in the event of a crisis at the oil refinery, cybersecurity threats, natural disasters, sabotage, political events, and various other incidents, the Business Continuity Management Taskforce is responsible for developing the system, preparing strategies, processes, resources, and reviewing plans to deal with potential risks and crises more effectively so that the Company can continue to operate in emergencies without interruption and reduce potential impacts. Bangchak has been continuously certified for the ISO 22301:2019 Business Continuity Management Standard to date, covering the Head Office, Bangchak Phra Khanong Refinery, Bangchak Oil Distribution Center, Bang Pa-in Central Business Office, and Bang Pa-in Oil Distribution Center. This certification shows that the Company has a system that manages crises and business continuity efficiently according to international standards. It also builds confidence among stakeholders that the Company will be able to cope with and respond to emergencies and deliver products continuously.

The Company has control activities that employ Key Performance Indicators (KPIs) as a tool in planning and control. Duties and responsibilities are separated for mutual checks and balances. The scope of authority and monetary approval limits at each level are reviewed and defined to ensure suitability for business operations. Electronic signature technology is used for business agility. At the same time, there are checks and balances of power from departments and committees specifically appointed, such as the Internal Audit Department, Investment Committee, and Enterprise Risk Management Committee, etc.

The Company documented procedures and evidence that specify the segregation of duties and individuals responsible in case of faults. Measures are in place to safeguard Company assets from loss or misappropriation. Transactions that have long-term implications for the Company are monitored to ensure compliance with the agreed terms. Measures are in place to prevent the Company’s opportunities or benefits from being used for personal gain, and communication is in place to emphasize best practices in managing and controlling internal information. These measures ensure that all departments effectively manage and control internal information and continuously prevent damage to the Company.

The Company has established methods to ensure compliance with relevant laws and regulations, including key operating procedures. It has developed technology systems for operations to achieve better internal controls. A work process management policy has been established to emphasize the correct execution of works according to previously designed or defined processes.

Work processes are constantly being improved to be more effective, taking into account control points and control measures to reduce risk. This efficient, modern process is consistent with the Company’s operational direction and goals. The e-Work Manual system tracks the preparation and updating of work manuals to ensure they are always up-to-date. Legal knowledge is also provided to various departments to reinforce continuous compliance with the law.

The Company takes strict and appropriate measures to prevent benefits transfer when conducting transactions with major shareholders, directors, etc. Examples include transactions to be approved by parties with no interest in the transaction, transaction information disclosed according to the Securities and Exchange Commission and the Stock Market regulations, and information about related individuals or entities according to accounting standards.

The Company has established an Information Security Management Team (ISMS Management Team) to oversee and manage the security of information systems. The team reviews and updates the information technology security policies and requirements, including effectiveness measurement. The Company employs technologically advanced e-mail filtering, anti-malware, and firewall systems to detect and prevent increasingly complex new threats. Methods for preventing new IT threats are constantly being updated. Personal data is managed in accordance with the Personal Data Protection Act. There is an active system for monitoring anomalies and preventing threats, with contingency plans to manage threats with regular drills. Employees are regularly informed of IT security requirements, new risks and threats, and safekeeping methods. Measures are in place to raise awareness of threats that can cause damage to the business. The Company has received certification for the Information Security Management System (ISO/IEC 27001:2022). Furthermore, it has achieved ISO/IEC 27018:2019 certification for Personal Data Protection in Public Cloud Environments. To date, a Letter of Compliance for Cybersecurity Management through Guidelines for Cybersecurity (ISO/IEC 27032:2012) has been continuously maintained.

Bangchak has guidelines for overseeing and a process for regularly monitoring the operations of its subsidiaries and affiliated companies to ensure they align with the Company’s business strategies, policy framework, and practices. Oversight is conducted in various areas through committees and working groups, including the Enterprise-wide Risk Management Committee (ERMC), Audit Committee (AC), Strategic Investment Management Team, and Subsidiary Synergy & Strategic Alignment Team.

The Company reviews its Digital Roadmap annually to ensure alignment with its strategic plan, covering refinery operations, marketing, and key core systems such as finance, accounting, and human resources management. Various digital technologies are applied to support operations and continuously improve the efficiency of information and communication systems management. Examples include refinery operations where Data Analytics are used to improve production efficiency, 5G technology to manage safety in refinery work areas, and GPS technology to manage oil transportation plan data, safety, and transportation costs. Moreover, digital cards are used in marketing to expand the Bangchak card member base, securely and efficiently connecting the points transfer system between Bangchak and its partners. Video analytic systems are used at service stations to improve service efficiency. Data analytics analyze marketing data and in-depth customer behavior to develop personalized marketing plans to meet customer needs better. Bangchak card members can also evaluate service satisfaction through a mobile application for continuous quality improvement. In addition, robotic process automation (RPA) is used in processes with large amounts of data and repetitive tasks. Combining RPA and optical character recognition (OCR) technologies, hyper-automation technology is used in the payment process to partners to increase operational efficiency.

In addition, the Company recognizes the potential of generative AI technology to improve work efficiency. Consequently, employees have been trained to enhance their knowledge of using this technology while raising awareness of how to apply it effectively and appropriately. The Company has also developed an AI chatbot for the call center to provide faster service and answer questions from Bangchak card members.

The Company has channels and processes for communicating with personnel within the organization to secure an accurate and rapid understanding of various issues through various communication channels and ensure that the message reaches recipients. These channels include the intranet, email, public address systems, employee computer screens, and digital signage. In addition, communication with external stakeholders is provided through various communication channels, especially online ones, which are popular due to the speed of information dissemination. For example, the Company’s website and Facebook page are easily accessible and used. Information can be searched through mobile devices instantly to meet usage needs quickly and efficiently.

The Company provides channels and processes for employees and other stakeholders to file complaints and report information or clues about fraud. Reports can be made by telephone, email, or regular mail and will be safeguarded and subject to a fact-finding investigation and further action.

The Company has a system for monitoring compliance with the established internal control system. The Internal Control Department is responsible for conducting an organization-wide Control Self-Assessment (CSA) by relevant executives to assess the sufficiency and adequacy of the internal control system. The Internal Audit Department is responsible for determining the adequacy of the Internal Control System established by the management of the Company and its subsidiaries, according to the audit plan prepared based on a Risk-Based Approach approved by the Audit Committee, and to provide recommendations for improving and developing the internal control system. In addition, if any internal control deficiencies are found, the Internal Audit Department will monitor the corrective actions to ensure these deficiencies are addressed.

Risk management

Throughout the past 20 years, Bangchak Corporation Public Company Limited, or the Company, has implemented a risk management framework across the organization. This framework utilizes international standards such as COSO ERM and ISO 31000 to establish guidelines for managing, preventing, and mitigating risks that could hinder the achievement of the Company’s objectives.

This assures stakeholders that the Company can operate effectively in the rapidly changing environment. Executives and employees at all levels, including those in joint ventures, participate in the standardized risk management system, which is integrated with the Company’s strategic planning processes and aligned with the Company’s policies for sustainable business development in environmental, social, and governance (ESG) areas. The Company conducts continuous risk monitoring on a quarterly basis, overseen by the enterprise-wide Risk Management Committee, to achieve our business objectives.

The Enterprise Risk Management Committee (ERMC) is responsible for establishing risk management policies and strategies, developing risk management systems, supporting and promoting risk management cooperation at all levels of the organization, and ensuring that the Company has adequate risk management. The Bangchak Group Risk Management Committee (RMC) is responsible for developing the risk management system, setting risk management policies and objectives, preparing and reviewing risk management plans, monitoring the progress of the risk management plan implementation, and reviewing internal and external factors of changes in the business environment of the organization. The Corporate Strategy and Risk Management Division and the Corporate Strategy and Planning Department, which report directly to the Executive Vice President of Strategy and New Business Development, Bangchak Group, are responsible for managing the organization’s risk management system. They monitor and drive the implementation of enterprise-wide risk management. Risk managers are assigned to manage risks at the business/functional group level and report to the executive vice president of the respective business/functional group. Risk Coordinators are assigned to ensure implementation at the operational level in each work unit, including enterprise-level risks arising from those business/functional groups. The Company has mandated that all departments within the Bangchak Group assess risks and develop risk management plans annually. This is a key performance indicator considered in employee annual compensation reviews. The goal is for each department to establish a risk management plan and obtain approval from their supervisor within the first quarter of the year. Training is provided regularly to enhance knowledge in risk management and business continuity management, such as business continuity and risk management courses. Knowledge and understanding of risk management are also reinforced through the BCP-KMS system, an internal knowledge platform.

The Internal Audit Department regularly monitors and audits the risk management process according to approved schedules and reports findings to the Audit Committee (AC). This ensures that the internal audit is appropriate and effective in independently managing and controlling risks. The latest risk management audit was conducted in 2024. Furthermore, coordination will occur between the Audit Committee and the Enterprise Risk Management Committee, with joint meetings held between the Enterprise Risk Management Committee and the Audit Committee to foster a mutual understanding of risk issues and appropriate internal audit practices.

Risk Management Results

The global economic outlook is for slower growth than the previous year. Although inflation in major economies is expected to ease due to fiscal measures in many countries, prolonged geopolitical conflicts have led to risks in global supply chains and trade, including political and policy uncertainties due to elections worldwide. The Trump 2.0 policy, accelerating the intensification of international trade barriers, will put significant pressure on global economic stability. The Company has been monitoring issues related to global climate change, safety, impacts on the environment, society, and communities, compliance with laws, anti-corruption, and risks from cybersecurity threats, including changes in government policies, to assess risks, monitor the overall impact, and develop risk management plans, as well as for joint ventures, to control risks so that the potential impact on business operations is at an acceptable level. To prepare for the rapidly changing and volatile business landscape of the future, the Company has developed a risk management plan in conjunction with its operation strategy, divided into two scenarios (scenario planning) to prepare for anticipated situations and define variables (trigger points) to adjust operation plans to align with changes in the situation.

In addition, to ensure continuity and sustainability in operations, the Company has considered the megatrends and global risks that may affect the business environment, factors that are expected to change and affect business operations, to manage risks in the medium and long term. These include competition in the industry, economic conditions, consumer behavior, changing environmental and climatic conditions due to global warming, energy transition, energy security, the growth of technology and innovation, such as renewable energy and energy storage technologies, advances in the development of electric vehicles, biological technology, and various government policies. The Company also gathers the needs and expectations of the organization’s stakeholders and analyzes them for impacts and trends in the long-term risk management direction, together with the development of the organization’s strategic plan, to achieve mutual sustainability.

The Company has established a risk framework comprising 1) Enterprise Risk Management, 2) Investment Project Risk Management, and 3) Business Continuity Management to enable appropriate risk assessment and planning. The progress of operations is as follows:

This involves assessing the organization’s key risks from internal and external factors and future trends that may impact the organization’s short-term, medium-term, and long-term goals. It covers strategic, operational, financial, and reputational risks. The severity and likelihood of these risks are assessed and prioritized using a Risk Matrix. This matrix categorizes risk levels into four levels: very high, high, medium, and low. Monitoring and tracking of the potential occurrence of risks are conducted through key risk indicators (KRIs), which involves defining the risk appetite (the level of risk the organization is willing to accept) and risk tolerance (the acceptable deviation from the desired risk level) and developing additional risk management plans to mitigate the risks that may impact operational goals. For example, financial risk such as inventory loss due to fluctuating oil prices, which affects earnings before interest, taxes, depreciation, and amortization (EBITDA), is classified as a very high risk. To monitor, track, and mitigate the impact of this risk, the Company tracks it through the Dubai crude oil price KRI and sets the risk appetite at US$83 per barrel and the risk tolerance at US$70 per barrel. This information is then used to plan for efficient management of raw materials and inventory. An example of monitoring and risk surveillance regarding credibility is through risk indicators of accident statistics that affect credibility and widespread complaints against the Company, which is classified as a very high-risk group. The acceptable deviation level is no more than one incident. The Company has implemented risk prevention and reduction by establishing a production Safety Management System (PSM).

In addition to considering the alignment of the organization’s strategic direction and business returns, investment project risk management is crucial and essential for conducting business. This involves analyzing project risks that may occur at each stage of the project, as follows:

  • Development Phase Risks
  • Construction Phase Risks
  • Operation Phase Risks, which include operational, financial, and tax risks according to the tax policies of the invested country, as well as reputational risks
  • Natural Disaster Risk

In this regard, investment projects critical to the Company’s operations must obtain approval from the Enterprise Risk Management Committee for their risk management plans. This is to ensure that the business has appropriate risk management in place, does not impact communities and the environment, and can achieve the goals set by the Company. In 2024, the Committee provided recommendations and observations on preparing risk management plans for projects such as investments in wind power plants and natural resource business investment projects, among others.

Bangchak has implemented a business continuity management system to ensure it can continue operating even during a crisis. The Company focuses on preparedness regarding strategy, processes, and resources and has been certified for the ISO 22301 Business Continuity Management standard since 2013. This certification covers the Head Office, Bangchak Refinery Phra Khanong and Bangchak Oil Terminal as well as the Central Region Business Office and Bang Pa-in Oil Terminal. Such accreditation confirms that the Company has a system in place to prepare for crises and manage business continuity effectively by international standards, instilling confidence among stakeholders that the Company can operate, respond to emergencies, and reliably deliver products.

In 2024, the world continued to face challenges in many areas. The Company has continuously improved its countermeasures to manage all situations. In the annual business continuity plan drill for 2024, a business continuity plan was exercised on the “Oil Tank Fire Case.” The results from the drill were used to improve operational procedures, enhance the system’s efficiency, and ensure that operations can resume and return to business quickly.
