Risk and Crisis Management
Importance and Commitment
Business today faces intensifying challenges stemming from a changing business environment and emerging risks. These include oil price volatility driven by the Russia-Ukraine war, the COVID-19 pandemic, political unrest, laws and regulations that differ across the countries in which PTTEP invests, declining demand for fossil fuels, the import of liquefied natural gas (LNG) to substitute for domestic gas supply, disruptive technology and innovation, and cybersecurity risk. Moreover, global warming and climate change are playing an increasingly critical role as a significant global issue for many countries, including Thailand, which came together at the 26th United Nations Climate Change Conference of the Parties (COP26), held in Glasgow, Scotland in November 2021, to commit to climate change solutions that drive the world's transition towards a "Low Carbon Future" and a more intensive reduction of greenhouse gases, especially carbon dioxide, to "Net Zero".
These challenges make PTTEP realize the importance of enterprise risk management and business continuity management. PTTEP is committed to prudently leveraging effective and efficient management to prepare for key risks, uncertainties and business changes, so as to achieve its business objectives, strategic goals and sustainable growth, along with long-term value creation for stakeholders and energy security for the country.
To honour this commitment to effective and efficient risk management, the Board of Directors approved the Risk Governance Framework, which defines oversight responsibilities and authorities so that the board, management and business unit levels coordinate, collaborate and communicate in managing all aspects of risk in accordance with PTTEP's policies. The Board of Directors also approves the Risk Appetite Statement, which serves as the framework for all PTTEP business operations and for pursuing business opportunities within acceptable risk. Ultimately, PTTEP intends to ensure that key risks, especially those with high impact at the corporate level (Corporate Risks), and emerging risks are well managed in order to prevent negative surprises, reduce potential losses, and minimize the recurrence of risks.
PTTEP has established an Enterprise Risk Management Policy and Framework, approved by the Risk Management Committee, that emphasizes proactive risk management practices and a strong risk culture, together with a systematic Risk Management Process aligned with the international standard ISO 31000:2018. In addition, the frameworks of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), namely Enterprise Risk Management – Integrating with Strategy and Performance (COSO ERM 2017) and Enterprise Risk Management – Applying Enterprise Risk Management to Environmental, Social and Governance-related Risks (COSO ESG 2018), have been applied to better integrate enterprise risk management, strategic planning, and ESG-related risk management. PTTEP management and employees at all levels are responsible for effective risk management and for promoting comprehensive risk management among contractors, suppliers and business partners, so as to achieve PTTEP's vision, mission, strategy and business objectives, serve sustainable growth, and create short- and long-term value for stakeholders.
1. Enterprise Risk Management Framework
PTTEP aims to integrate risk management into business activities and decision-making across its core business activities, such as strategic planning, investment and divestment decisions, capital project management, operations and business process management (including business continuity management), and ESG management. The Company implements risk management at both the corporate and operational levels to ensure that all key risks are managed within risk appetite, allocates resources for managing risk in proportion to the level of risk and to cost-benefit considerations, and monitors the progress of risk mitigation plans together with Key Risk Indicators (KRIs), which serve as early-warning tools for timely preventive action and for setting up additional mitigation measures where needed.
2. Risk Management Structure
To ensure that all key risks are thoroughly identified and effectively managed in accordance with the Three Lines Model, the risk management unit advises and works with the First Line Roles, which carry out their duties and concurrently manage risks as risk owners. The risk management unit also coordinates with other functions, especially the Second Line Roles, which provide risk management support in their own areas of expertise; one of these is the compliance unit, which monitors regulatory changes that may create new risks or change risk levels. The internal audit unit, as the Third Line Role, is responsible for independent audit to ensure that risk management is implemented effectively and efficiently, and provides recommendations for continuous improvement. Furthermore, the risk management unit and the internal audit unit exchange information to ensure that key risks are identified and managed on an ongoing basis.
3. Corporate Risk and Emerging Risk
In identifying and assessing Corporate Risks, PTTEP considers both the internal and external context affecting the achievement of the Company's objectives and strategies that may give rise to risks with high impact at the corporate level, such as significant global events, audit findings, and concerns raised by the Risk Management Committee and management. At the same time, key risks identified and assessed by risk owners are considered for escalation against corporate criteria. All Corporate Risks are consolidated into the Corporate Risk Profile (CRP) for monitoring and reporting to management, the Management Committee (MC) and the Risk Management Committee (RMC). Any significant change is promptly escalated to all relevant committees so that risks can be managed in a timely manner.
PTTEP has developed a web-based Risk Register System (RR System), live since November 2020, which enables Risk Owners to identify and analyze risks quickly and improves the communication of risk information throughout the organization. It also allows the Company to consolidate and escalate key risks to Corporate Risks easily, and lets all relevant parties monitor risk management anywhere and at any time. PTTEP continues to strive for more efficient and faster risk management by developing a chatbot to enhance risk identification; the risk database of the RR System will be used in the chatbot's development so that it responds to users' needs as fully as possible.
Additionally, PTTEP conducts emerging risk assessments and consolidates the emerging risks into the Corporate Risk Profile for reporting to management and the relevant committees, so that significant changes are monitored and risk mitigation plans are updated to deal effectively with changing situations, minimize the impact of risks on company targets, and maximize business opportunities. Currently, PTTEP has identified and continues to monitor 2 emerging risks, as follows:
1) Climate Change Risk
Following the 26th United Nations Climate Change Conference of the Parties (COP26) held in November 2021, many countries have announced commitments to greenhouse gas (GHG) emission reduction targets. Thailand has made climate change action a top priority and committed to climate change mitigation targets: raising its Nationally Determined Contribution (NDC) to a 40% GHG emission reduction from the business-as-usual (BAU) trajectory by 2030 if financial and technological support is provided, reaching carbon neutrality by 2050, and achieving Net Zero GHG emissions by 2065. This emphasizes that climate change mitigation actions must be accelerated and seriously implemented.
PTTEP is committed to reducing its GHG emissions intensity by at least 25% by 2030 from the 2012 base year. As of the end of 2021, the Company had reduced GHG emissions intensity by 24.1% and expects to meet this target in 2022, 8 years ahead of the target year. To support global and Thai commitments on climate change, PTTEP has announced a new target of Net Zero GHG emissions by 2050 for its E&P business, covering scope 1 (direct emissions) and scope 2 (indirect emissions) under PTTEP's operational control, through the "EP Net Zero 2050" pathway.
PTTEP places importance on managing risks that may result from climate change and conducts climate-related risk assessments for both existing projects and projects under acquisition. The climate change risk assessment covers two aspects: (1) physical risks (arising from the physical impacts of climate change, such as heat waves, heavy precipitation, tropical storms, drought, and water-related risks) and (2) transition risks (arising from changes in policy, law, technology, or a market shift to green energy). The assessment covers short-term risks (2020 – 2025), medium-term risks (2025 – 2035) and long-term risks (2035 – 2050) under various scenarios based on the Representative Concentration Pathways (RCP), the Stated Policies Scenario, the Sustainable Development Scenario (SDS) and the IPCC 1.5°C scenario. PTTEP has integrated the Task Force on Climate-related Financial Disclosures (TCFD) framework into its climate risk management and has disclosed its environmental and climate change-related performance to CDP since 2010.
Climate change may affect the environment and PTTEP's business through more frequent natural disasters, more stringent national and international policies and regulations (e.g. future carbon taxes or emission trading schemes imposed by governments in PTTEP's operating countries), and the drive towards a low carbon future. Furthermore, the conventional perception of the oil and gas industry as not-so-green poses reputational risks for companies that do not act.
The climate transition, and the COP26 outcomes in particular, could increase the costs of adapting our production and operations to comply with more aggressive government policies. The Company's revenues will also be affected by the shift in demand towards low carbon and renewable energy.
The Company's enterprise value is also at risk, as credit ratings increasingly focus on companies' climate change performance.
PTTEP has reassessed these risks in their specific context so as to make timely improvements across all new operating assets and comply with revised national and international requirements. It treats this risk as an emerging risk for the Company, closely monitoring and tracking climate change developments that may affect the corporate risk level, and manages it by balancing risk appetite with corporate sustainable development.
PTTEP has also defined interim targets to reduce GHG emission intensity by 30% by 2030 and 50% by 2040 (from the 2020 base year) in order to achieve the Net Zero 2050 target. Accordingly, PTTEP has set the following plans:
2) Risks Arising from Disruptive Technology that Adversely Impacts Oil and Gas Industry
Exploration and Production (E&P) companies face impacts from disruptive technology in the energy industry: rapid technological advancement has accelerated R&D in renewable energy, making it cheaper and more accessible. These technologies take the form of electrical energy storage devices and systems, as well as electric vehicles. Oil demand has consequently been affected, and consumption of renewable energy is likely to increase. Coupled with government policies on environmental issues that aim to reduce greenhouse gas (GHG) emissions following the recent United Nations Climate Change Conference of the Parties (COP26), this could cause serious damage to the petroleum industry, with oil demand affected accordingly.
This situation is PTTEP's primary strategic risk, as it directly affects our revenues from crude oil, condensate and oil-linked gas sales. Additional risks include the loss of production cost advantages due to accelerated technology development by competitors.
The future energy transition to renewable energy means a decrease in oil demand, which affects PTTEP's revenues; crude oil and condensate made up 38.35% of PTTEP's total revenue. Another potential impact is the loss of cost competitiveness (i.e. the production cost advantage gained by competitors through accelerated technology). These are the potential impacts of disruptive technological advancement and the increasing use of renewable energy.
With increasing demand for natural gas as the transition fuel and the bridge to renewable energy, PTTEP's natural gas revenue makes up approximately 50.50% of total revenue, and the Company continues to seek investment opportunities in gas value chain businesses.
Since new technology is a key factor in the volatile energy business, PTTEP develops technology through partnerships with Thai and international parties and institutions, knowledge sharing within PTTEP and with partners across sectors, and collaboration with experts inside and outside the energy sector, to jointly develop technologies and innovation that enhance capabilities, business competitiveness and readiness for the future energy transition in pursuit of sustainable business objectives.
PTTEP has revised its business strategies to anticipate advancing technologies and to drive a transformation that enhances its adaptability and competitiveness. PTTEP's enterprise transformations are:
4. Risk Culture
To strengthen and sustain risk management in the organization, PTTEP places importance on building risk awareness into the mindset of all PTTEP personnel, together with competency development. Management at all levels commit to and serve as leaders and role models, and support continual development for efficient and effective risk management. Risk management is promoted as part of the corporate culture, with risk awareness and understanding enhanced through training and promotional activities; for example, training for newly appointed members of the Board of Directors and the Risk Management Committee, training for management and risk coordinators, and communication about risk management via the intranet, emails, podcasts and events. Knowledge sharing sessions on current global issues that may pose risks to the Company are organized to improve employees' ability to analyze risks and their impacts on their own areas of responsibility and on the company as a whole. Moreover, PTTEP has enhanced risk management effectiveness by establishing a key performance indicator for unidentified risk (Unidentified Risk KPI) to monitor and evaluate risk management results for management at all levels (the risk owners of each business unit), including the risk management unit responsible for overall risk management. PTTEP also conducts GRC Maturity Assessments for the operating areas of newly acquired projects, e.g. the Malaysia Project, in order to analyze strengths and develop plans to address weaknesses in GRC, including enhancing the effectiveness of risk management.
Business Continuity Management (BCM)
PTTEP's Business Continuity Management System (BCMS) is part of the Company's enterprise risk management. The Business Continuity Plan (BCP) is developed to prepare for an effective response during disruption following an emergency or crisis. PTTEP develops the BCMS in alignment with the international standard ISO 22301 Business Continuity Management System (BCMS) and has established the Business Continuity Management Policy with the following objectives:
- To protect our people, organization, brand and reputation, the interests of our stakeholders and the wider community.
- To mitigate the risks of disruptive incidents and ensure mitigation, strategy and solutions in accordance with PTTEP policies.
- To minimize risks of non-compliance with government regulations and laws including any contract or agreement with our partners, customers, suppliers and contractors.
- To continually improve the organization's business continuity capabilities.
PTTEP recognizes its mission as the national oil and gas company to provide a reliable energy supply that continuously serves the country's energy demand. To ensure uninterrupted energy supply security, PTTEP develops BCPs that document the procedures for recovering prioritized business operations and supporting business continuity if they are disrupted by an emergency or crisis, while safeguarding all personnel, the environment, and the Company's assets and reputation in adherence to the requirements of the Safety, Security, Health, and Environment (SSHE) system.
The BCP of each operating area and supporting function is regularly reviewed and exercised to prepare for an effective response to emergencies and crises, to continually improve the recovery plans and maintain the standard of an efficient BCP, and to ensure that PTTEP can perform effective business continuity management in times of emergency and crisis. PTTEP also enhances employees' BCM awareness and BCMS competency through training programs throughout the year.
Currently, 4 operating areas in PTTEP hold ISO 22301 Business Continuity Management System (BCMS) certification: the S1 Project, Zawtika M-9 Production Operations and Business Support (Myanmar), the Petroleum Development Support Base (Songkhla), and PTTEP Headquarters – Office Facility Management. In 2021, all 4 certified areas upgraded their business continuity management systems to align with the latest version of the standard, ISO 22301:2019 BCMS (updated from the 2012 version). In addition, PTTEP has extended ISO 22301 BCMS to the Malaysia Project, which is expected to be certified by 2022.
Apart from ISO 22301 BCMS certification, PTTEP has developed a BCM Document Management System that provides a more systematic way to manage and control BCM documents. In particular, in an emergency or crisis, all BCM personnel can access and use the up-to-date version of the BCP to immediately recover prioritized business operations and ensure PTTEP's business continuity.
PTTEP strictly complies with Thailand's Cybersecurity Act B.E. 2562. Cybersecurity guidelines are in place to prevent and respond to cyber threats and to mitigate their impact.
PTTEP bases its cybersecurity guidelines on the National Institute of Standards and Technology (NIST) cybersecurity framework. Risk assessment has been conducted in line with ISO 27001:2013 for email and the data center facility since 2014, and is being extended to other applications and systems within 2020. PTTEP has continually invested in technology and uses PTT Digital's services to prevent and mitigate cyber threats. PTTEP has also established a Security Operations Center (SOC) whose Security Information and Event Management (SIEM) system is fully connected to the network firewalls across all petroleum development bases.
In 2021, PTTEP implemented Multi-factor Authentication (MFA) to strengthen staff identity verification beyond the conventional username and password, supporting access to company data and systems from anywhere at any time in line with PTTEP's New Way of Work direction, which promotes employees' work-life balance.
PTTEP has also implemented data classification and labelling with Microsoft Azure Information Protection (AIP) to support permission and sharing management according to document confidentiality.
PTTEP has delegated oversight to the Risk Management Committee, which comprises 5 PTTEP directors, including 4 independent directors, to oversee enterprise risk including the Company's overall cybersecurity issues. Lieutenant General Nimit Suwannarat (an independent director) is a committee member with relevant experience. PTTEP has also appointed the Digital Steering Committee, with the Information Management Department and its working team responsible for setting directions, targets, strategies, policies and information technology standards. Their tasks include supervising the IT master plan and roadmap as well as IT risk management, ensuring that risks remain within the Company's risk appetite. They must also regularly report risk management performance to the Risk Management Committee and the Board of Directors, so that in an emergency PTTEP can take control of the situation and respond promptly.
2. Control Measures
PTTEP has implemented control measures for information systems and equipment security, as well as data backup and recovery, to ensure business continuity. The Company has announced an information technology policy that all functions must observe in line with the corporate governance guidelines. PTTEP's past technology efforts have aimed at ensuring security and flexibility: for example, joining the PTT Group working team set up under the PTT Group Cybersecurity Governance & Assurance Project to enhance the effectiveness of PTT Group's cybersecurity measures, and adopting Microsoft Office 365 to increase the Company's work efficiency and data security. Furthermore, PTTEP has established information technology (IT) infrastructure controls and a clear policy to improve IT system efficiency through digital technology. IT strategies are defined according to the Control Objectives for Information and Related Technology (COBIT 5) framework and ISO 27001. A cloud platform is used for the continued development of information technology systems on an agile structure that maintains all the control measures demanded by the Company's security standards.
Additionally, PTTEP has imposed a Security Policy and keeps information technology under control to maintain its security, prevent violations, and support data backup and recovery for business continuity. Details are as follows:
1. General control refers to control guidelines for IT-related work processes and activities, the IT-related business continuity plan, etc.
2. Personnel-level control refers to determining individual employees' access to data; cybersecurity drills; the development of Digital Security Awareness e-Learning; training on the "Cybersecurity Act" and the "Personal Data Protection Act" for directors, employees and relevant system administrators; etc.
3. System-level control refers to record keeping of system usage as required by law; external penetration testing by experts to identify and address gaps that could cause damage; etc.