Risk and Crisis Management
Importance and Commitment
Business today faces intensifying challenges stemming from a changing business environment and emerging risks. Those affecting the business world today include the global economic crisis induced by the Coronavirus outbreak (COVID-19); the volatility and sharp plunge in oil prices; geopolitical changes and turmoil; declining demand for fossil fuels; disruptive technology; expectations of intensive environmental management measures; compliance with regulations that vary across investment countries; and cybersecurity. Recognizing these challenges, PTTEP is committed to leveraging enterprise risk management to enhance its capability to adapt to change and to manage all aspects of risk prudently, comprehensively and faster.
A business continuity plan is also in focus, to strengthen PTTEP's role as a leading national oil and gas company in sustaining the security of energy supply and satisfying the country's energy demand.
With effective and efficient risk management as its commitment, the Board of Directors approved the Risk Governance Framework, which defines oversight responsibilities and authorities and calls for strong coordination, collaboration and communication among the Board of Directors, management and relevant functions in managing all aspects of risk in accordance with PTTEP's policies. Ultimately, PTTEP intends to ensure that key risks and emerging risks are well managed so as to prevent negative surprises, reduce potential losses, and minimize the risk of recurrence.
PTTEP has established an Enterprise Risk Management Policy and Framework, approved by the Risk Management Committee, that emphasize proactive risk management practices and a strong risk culture, and has established a systematic Risk Management Process aligned with the international standard ISO 31000. PTTEP management and employees at all levels are responsible for effective risk management and for promoting comprehensive risk management among contractors, suppliers and business partners, so as to assure the achievement of PTTEP's vision, mission, strategy and business objectives, serve sustainable growth, and create short- and long-term value for stakeholders.
1) Enterprise Risk Management Framework
PTTEP aims to integrate risk management into business activities and decision-making, covering core business activities such as strategic planning and execution, investment and divestment decision-making, capital project management, and operations and business process management. In addition, the Company implements risk management at both the corporate and operational levels to ensure that all key risks are managed in accordance with its risk appetite, allocates the resources needed to manage risk in proportion to the level of risk and cost-benefit considerations, and monitors the progress of risk mitigation plans together with Key Risk Indicators (KRIs), which serve as an early-warning tool for executing prevention activities in a timely manner and properly setting up additional mitigation measures.
In 2020, PTTEP emphasized the smooth and effective transfer of operations from the previous operators of projects acquired through mergers and acquisitions. Accordingly, the Company expanded its risk oversight to cover the newly acquired companies to ensure the same standard of risk management implementation and reporting for close monitoring.
2) Risk Management System Integration and Improvement
To ensure that all key risks are thoroughly and completely identified and effectively managed in accordance with the Three Lines Model, the risk management unit advises and works with the First Line Roles, which carry out their duties and concurrently manage risks as risk owners. The risk management unit also coordinates with other functions, especially the Second Line Roles, which provide risk management assistance in their own areas of expertise. One of these is the compliance unit, which shall monitor regulatory changes that may create new risks or change risk levels. The internal audit unit, as the Third Line Roles, is responsible for independent audit to ensure that risk management is implemented effectively and efficiently, and provides recommendations for continuous improvement. Furthermore, the risk management unit and the internal audit unit shall exchange information to ensure that key risks are identified and managed continually.
In 2020, PTTEP developed a web-based Risk Register System that enables risk owners to quickly identify and analyze risks and enhances the communication of risk information throughout the organization. The system also allows all relevant parties to monitor risk management promptly and conveniently, anywhere and at any time.
3) Risk Culture
To strengthen and sustain risk management in the organization, PTTEP gives importance to building risk awareness into the mindset of all PTTEP personnel, together with competency development, with management at all levels serving as leaders and role models and fully supporting employees in implementing risk management efficiently and effectively on a continual basis. Additionally, the implementation of risk management is promoted as part of the corporate culture, and risk awareness and understanding are enhanced through training and promotional activities, for example training for newly appointed members of the Board of Directors and the Risk Management Committee, training for management and risk coordinators, and communications about risk management via the Intranet, emails and events.
In 2020, PTTEP enhanced risk management effectiveness by establishing a key performance indicator for unidentified risk (Unidentified Risk KPI) to monitor and evaluate risk management results for management at all levels (the risk owners of each business unit), including the risk management unit, which is responsible for overall risk management and for escalating key risks with high impact to the corporate level for reporting to the Risk Management Committee.
Business Continuity Management
PTTEP's Business Continuity Management System (BCMS) is part of the Company's enterprise risk management. The Business Continuity Plan (BCP) is developed to prepare for an effective response during a disruption following an emergency or crisis. PTTEP develops the BCMS in alignment with the international standard for Business Continuity Management, ISO 22301, and has established the Business Continuity Management Policy with the following objectives:
- To protect our people, organization, brand and reputation, the interests of our stakeholders and the wider community.
- To mitigate the risks from events that could impact or disrupt operations and businesses.
- To minimize risks of non-compliance with government regulations and laws, including any contract or agreement with our partners, customers, suppliers and contractors.
- To continually improve the organization's business continuity capabilities.
PTTEP recognizes its mission as the national oil and gas company to provide a reliable energy supply that continuously serves the country's energy demand. To ensure energy supply security without disruption, PTTEP therefore develops BCPs that document the procedures for recovering critical business operations and supporting business continuity if they are disrupted following an emergency or crisis, while safeguarding all personnel, the environment, and the Company's assets and reputation in adherence to the requirements of the Safety, Security, Health and Environment (SSHE) system.
The BCP of each operating area and supporting function shall be regularly reviewed and exercised to prepare for an effective response in the event of an emergency or crisis, to continually improve the recovery plans and maintain the standard of an efficient BCP, and to ensure that PTTEP will be able to perform effective business continuity management in times of crisis.
In 2020, PTTEP received ISO 22301 Business Continuity Management System certifications for S1 Project, Zawtika M-9 Production Operations and Business Support (Myanmar), Petroleum Development Support Base (Songkhla), and PTTEP Headquarter-Office Facility Management.
PTTEP strictly complies with Thailand's Cybersecurity Act B.E. 2562. Cybersecurity guidelines have been put in place to prevent and tackle cyber threats as well as to mitigate their impacts.
Presently, PTTEP bases its cybersecurity guidelines on the National Institute of Standards and Technology (NIST) framework. Risk assessment has been conducted in line with ISO 27001:2013 for email and the data center facility since 2014, and is being extended to cover other applications and systems within 2020. PTTEP has continually invested in technology and obtained PTT Digital's services for preventing and mitigating cyber threats. In the second quarter of 2020, PTTEP established a Security Operations Center (SOC) in which the Security Information and Event Management (SIEM) system is fully connected with the network firewalls across all petroleum development bases.
Since 2019, PTTEP has delegated oversight of cybersecurity issues to the Risk Management Committee, which comprises 6 PTTEP directors, including 2 independent directors. In this regard, the Committee appointed Major General Nimit Suannarat (an independent director) to oversee the Company's overall cybersecurity. Furthermore, PTTEP also appointed the Digital Steering Committee, with the Information Management Department and its working team responsible for outlining directions, targets, strategies, policies and information technology standards. Their tasks include supervision of the IT master plan and roadmap as well as IT risk management, ensuring that risks are in line with the Company's risk appetite. They must also regularly report risk management performance to the Risk Management Committee and the Board of Directors, to ensure that, should there be an emergency, PTTEP would be able to take control of the situation and respond promptly.
2) Control Measures
PTTEP has implemented control measures for information systems, equipment security, and data backup and recovery to ensure business continuity. The Company announced an information technology policy which must be honored by all functions, in line with the corporate governance guidelines. PTTEP's past technology efforts were aimed at ensuring safety and flexibility: for example, joining the PTT Group working team set up under the PTT Group Cybersecurity Governance & Assurance Project to enhance the efficiency of PTT Group's cybersecurity measures, and adopting Microsoft Office 365 to increase the Company's work efficiency as well as data security. Furthermore, PTTEP established information technology (IT) infrastructure controls and a clear policy to boost IT system efficiency through digital technology. IT strategies are outlined in accordance with the Control Objectives for Information and Related Technology (COBIT 5) framework and ISO 27001. A cloud platform is used for the continued development of the information technology system on an agile structure that maintains all the control measures demanded by the Company's security standards.
Additionally, PTTEP has imposed the Security Policy and kept information technology under control to maintain its security, prevent violations, and support data backup and recovery for business continuity. Details are as follows:
- General control refers to control guidelines on IT-related work processes and activities, the IT-related business continuity plan, etc.
- Personnel-level control refers to determining individual employees' access to data; cybersecurity drills; development of the Digital Security Awareness e-Learning course; training entitled "Cybersecurity Act" and "Personal Data Protection Act" for directors, employees and other relevant system administrators; etc.
- System-level control refers to record keeping of system usage as required by law; external penetration testing by experts to identify and address any gaps that may cause damage and can be improved; etc.