Risk and Crisis Management

Current changes and uncertainties, including the Russia-Ukraine conflict; challenges from geopolitics and polarization at the international level; economic recovery under COVID-19 control policies; fluctuations in foreign exchange rates, interest rates, and inflation due to sensitive economic conditions; and other emerging risks have led to volatility and severe repercussions and have given rise to challenges that significantly affect GPSC’s ability to achieve its missions and business goals in both the short and long term. To support operations and to prevent and mitigate potential impacts, systematic and efficient management is vital. At the same time, GPSC has used the management of risks and uncertainties to create business opportunities for its current and future operations, such as possible expansion into electric vehicles and related businesses and into the production and distribution of new forms of energy in line with state policies, to meet changing consumption behaviors. Accordingly, GPSC has adopted the Enterprise Risk Management (ERM) Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to ensure that those involved understand risk management principles and can apply them appropriately to maximize benefits. GPSC oversees overall corporate risk management through the Risk Management Committee, as assigned by the Board of Directors, and has designated the Risk Management and Internal Control Committee to manage risk closely at the management level. GPSC’s risk and crisis management guidelines are detailed below.

Risk Management Culture

With a business philosophy centered on creating shared value for all stakeholders under the fundamental principles of a sound corporate culture and clear operational guidelines, GPSC places great emphasis on promoting a good enterprise risk management culture and on putting in place both short- and long-term operational guidelines across various dimensions, such as management systems, procedures, and personnel. This is evident in, for instance, the formulation of a clearly defined enterprise risk management framework through the GPSC Risk Management Policy and an operational framework shaped by the risk appetite; the establishment of guidelines for enterprise risk oversight and management; the prescription of the roles and responsibilities of personnel at all levels; the management of risk management knowledge for executives and employees across the organization through e-learning and workshops; and the assessment of risk management performance based on key performance indicators (KPIs) for executives and employees, in order to foster motivation and ensure that the organization can achieve its goals through effective risk management.
Risk Management Policy

GRI 2-23, 2-24

GPSC, through the Risk Management Committee, has established a risk management policy to serve as a framework for the supervision of risk management in all dimensions, covering the establishment of systems, procedures, and roles and responsibilities within each function, and the allocation of personnel, responsible persons, and resources. The objective is to support risk management across different dimensions, including strategy and investment risks, financial risks, business risks, technology and operations risks, legal and regulatory risks, personnel and organizational structure risks, environmental, social, and governance risks (ESG Risk), as well as corruption and emerging risks, for the Company and GPSC Group. The policy also serves as guidance for all executives and employees to ensure a uniform standard of practice and direction.


Governance and Risk Management Structure

GRI 2-12, 2-13, 3-3

GPSC’s risk management is implemented within the scope, authority, duties, and responsibilities of the Board of Directors, who is responsible for considering the significant risk factors that may occur, defining comprehensive risk management guidelines, ensuring effective risk management processes for executives and the management, and monitoring risk factors that may arise during the pursuit of business opportunities, in order to ensure that the risk management system and processes are effective, up-to-date, and responsive to and in line with the ever-evolving business context. The Board of Directors has approved the Risk Management Committee Charter and assigned certain directors to the Risk Management Committee (RMC), who, according to the prescribed scope of duties and responsibilities, are charged with the oversight, review, and monitoring of the effectiveness and performance of GPSC’s risk management across different dimensions, such as strategy, finance, operations and production, as well as the performance of the Company’s anti-corruption efforts and ESG-led sustainable development. In addition, the risk context is reviewed and revised to promptly advance risk management approaches in response to key factors and events related to the business operations. The RMC is also responsible for overseeing, supporting, and developing enterprise risk management at all levels to ensure its alignment with the business strategies and targets as well as changing business conditions; establishing and revising the risk appetite to ensure comprehensiveness and consistency with the evolving business context; and monitoring, reviewing, commenting on, and providing suggestions on risk management operations to ensure their continued effectiveness. (Further details on the scope of responsibilities of the Risk Management Committee can be found in the Risk Management Committee Charter.)
https://www.gpscgroup.com/storage/content/about/management-structure/risk-management-committee-charter-2021-th.pdf

As driving risk management in practice by the management is also an essential component, GPSC has appointed the GPSC Management Committee (GPSCMC), which consists of senior executives from various departments and is responsible for reviewing and monitoring performance, as well as the Risk Management and Internal Control Committee (RMCC), which comprises the Company’s senior executives and is responsible for overseeing GPSC’s risk management system, internal control, and business continuity system and ensuring their suitability and effectiveness. The monitoring, inspection, and reporting of the organization’s risk management progress is carried out through RMCC meetings, the outcome of which is reported to the RMC, who reviews the comprehensiveness of the operational guidelines, the integration of internal operations, and collaboration within GPSC Group and with external agencies, and assigns the management or relevant operators to manage relevant risk issues. Such meetings are convened at least quarterly.

Furthermore, the risk management system is reviewed by the Audit Committee as stipulated in the Audit Committee Charter to ensure its overall effectiveness and adequacy.

Enterprise Risk Management Framework

GPSC promotes risk management through its personnel at all levels to ensure that, in line with the context of its business operations and governance, effective risk management will be brought about throughout the organization, from the employee/operator level all the way to the level of the highest-rank executive, through the responsibilities of each relevant position and committee, encompassing every activity across the Company’s business chain.

GPSC’s enterprise risk management framework and the connection between risk management components are as shown in the diagram.

Risk Management Strategies and Processes

GRI 102-11

Under the enterprise risk management framework (ERM), GPSC has established guidelines for risk management operations at two levels: Corporate Level and Functional Level. Strategies and processes for risk management are as follows:

Strategies for Risk Management

GPSC’s enterprise risk management (ERM) strategies not only strive to widen knowledge among executives, employees, and related parties within the context of its enterprise risk culture but also encompass the appointment of representatives of various functions as risk agents, grouped by the risks in which they are involved as stakeholders in every business activity of the Company. Under these strategies, the risk management division serves as the coordinator and supervisor responsible for establishing strategies and advancing the continuous improvement of GPSC’s risk management systems, to ensure uniform risk management across the organization and alignment with its business direction, business strategy and targets, and business operations. In addition, GPSC has shaped its ERM process by using COSO ERM as an international standardized framework and ISO standards, and has fostered collaboration within PTT Group to develop risk management know-how in various aspects, such as the development of an operational excellence management system (OEMS).

Risk Appetite

GRI 102-11

Corporate Risk Management Process

GPSC focuses on the systematic integration of risk management, from the assessment of positive or negative uncertainties to the analysis, review, and preparation for both risks and opportunities for the business. This covers internal uncertainties that may affect the organizational context in areas corresponding to the Company’s strategic business plans, external issues and uncertainties arising from fluctuations in the business environment and emerging issues, and functional risks that are significant and material to the business context. To address such risks or negative impacts, it is essential to advance risk management at the functional level and incorporate it into the formulation of the short-term and medium- to long-term corporate risk profile. The corporate risk framework, once approved for implementation, governs the supervision, management, monitoring, review, and reporting of performance so that data from the various sources affecting overall enterprise risk management can be analyzed and consolidated, at quarterly intervals at a minimum, at the levels of both the management and the Board of Directors. The corporate risk profile is also reviewed during the year and adjusted to include new risks with significant impact on GPSC, to ensure that the Company has a response process in place for short-term and medium-term risks emerging during the year in a prompt, reasonable, and efficient manner. This approach lies at the core of GPSC’s risk management system and is used as a tool to drive its performance, strategic plans, and business operations toward sustainable growth for all stakeholders.
In addition to promoting and cultivating risk management as a corporate culture through the operations described above in relation to the Company’s risk management policy, GPSC optimizes the efficiency and outcomes of risk management operations through the assessment of key performance indicators (KPIs), consisting of 1) organization-level risks, for which senior management and personnel in relevant departments undergo annual assessments in dimensions relevant to the achievement of organization-level goals; and 2) function-level risks, for which personnel in each unit undergo annual performance assessments within their scope of duties, to ensure that performance under GPSC’s risk management and work-related uncertainties meets the required goals within their scope of responsibilities. This is a factor that affects overall risk management and business goals at the organizational level.

Risk Assessment and Labeling (Risk Register)

GRI 102-11

The assessment, analysis, review, and preparation of risk issues are carried out by the relevant functions across various work processes, such as risk management in business operations; construction management; decision making in project investment development and project execution, including occupational health, safety, and environmental impacts; and sustainability and human rights management. GPSC focuses on integrated operations and on putting in place adequate support measures in relation to the risk assessment dimensions illustrated in the image below.

With the same standardized assessment criteria across the organization, including an emphasis on the escalation of items with significant impact on corporate goals and strategic plans as organizational risks, the procedures for risk assessment and risk register maintenance are as follows:

1. Risk Factor Identification

GPSC identifies risk factors in line with its enterprise risk management policy, which covers risks in all dimensions, both financial and non-financial, along with Environmental, Social, and Governance (ESG) risks and emerging risks.

GPSC categorizes risk areas for risk factor identification as follows:

  • Strategic risks are possibilities or causes, whether from external or internal factors, that may lead to failure to achieve business objectives, strategic directions, or business performance. Examples of these risks are strategy, investment and business expansion, climate change, biodiversity, human rights, and regulatory and compliance risks.
  • Financial risks are possibilities or causes that may lead to failure in financial management, whether associated with market, credit, liquidity, or currency management. Examples of these risks are revenue structure and funding.
  • Operational risks are possibilities or causes that may lead to failure arising from internal processes, people, or systems. Examples of these risks are technology and operations, human resources, fraud and corruption, information technology and cybersecurity, and supply chain.
  • Shareholder investment risks are possibilities or causes that may result in negative changes in shareholders’ equity or a drop in the market price of shares or in interest rates. Examples of these risks are uncertainty in shareholder investment, credit risks, and price risks.

GPSC identifies risk factors by:

  1. Assessing future scenarios based on changes in both internal and external factors, covering emerging risks associated with changes in business activities or context that may impact the achievement of organizational goals.
  2. Assessing the situation based on changes in normal business operations that may affect current operations and, in turn, GPSC’s business goals. Risk factor identification can draw on various sources, e.g., personnel in the relevant functions or review and feedback from the Board and executives.

The identification of risk factors can be carried out by personnel in the risk owner/relevant function and presented for review and implementation in accordance with the next steps of the risk management procedure.

2. Risk Assessment, Analysis, and Prioritization

GPSC assesses and analyzes all potential risks, including corporate, functional, and project/product development investment risks. GPSC’s standard risk assessment criteria applied throughout the organization are as follows:

  • Impact assessment criteria for risks in finance, business processes and operations, corporate reputation, and customers and people, divided into four levels: low, medium, high, and severe.
  • Likelihood assessment criteria, divided into four levels:
    • Low chance of occurrence (less than 10 percent, or never or only 1 occurrence in 5 years)
    • Moderate chance of occurrence (between > 10 and < 20 percent, or 1 occurrence in 3 years)
    • High chance of occurrence (between > 20% and < 50%, or 1 occurrence in 1 year)
    • Very high chance of occurrence (Severe) (more than 50%, or has occurred more than once in 1 year)

GPSC presents the assessment results in a risk matrix to prioritize the risks, reflecting the severity (both likelihood and impact) of each individual risk. The risks are prioritized according to severity and categorized by a risk color that represents the Company’s level of acceptance. Risks assessed as high or extreme are shown in orange or red in the risk matrix; likewise, green and yellow in the risk matrix denote low or medium level risks.

It is GPSC’s defined rule that risks in red or orange shall be prioritized and monitored at least quarterly, so that well-structured management is in place to bring the risk down to a level as low as reasonably practicable (ALARP), i.e., within yellow or green. Risks in yellow or green, representing moderate to low severity, are classified as risks that need to be monitored and reviewed at least once a year.

The risk dimensions for which GPSC has created a framework include strategic risks, business risks, operational risks, and financial risks.

GPSC has divided risk management and supervision into two levels:

  • Corporate Level: Consider the impact or damage that may result in GPSC not being able to achieve its objectives, business strategies and plans, or business performance.
  • Functional Level: Consider the impact or damage that may result in the entity not being able to achieve its objectives and responsibilities.

Whether a risk sits at the corporate level or the functional level, it is widely acknowledged that GPSC’s risk appetite has been articulated and communicated throughout the organization in various areas, so that everyone shares a common understanding of the risk exposure the Company is willing to accept. The risk appetite framework is set and reviewed annually, from the functional level up to the Board level. GPSC’s risk appetite framework is expressed in five aspects: Financial; Business and Operation; Law and Regulation; Strategy and Investment; and Human Resources and Organization, so that the Company’s tolerance is clearly understood and supports decision making.

In 2022, GPSC conducted risk assessment, analysis, and prioritization through the risk matrix. The results are interpreted based on likelihood and the magnitude of the potential impacts. Mitigation actions are then identified to manage each risk within the corporate risk appetite. Examples of GPSC’s key risks for 2022 are presented in the table below:

Risk Area: Strategic Risks
  • Investment and Business Expansion: Business growth of GPSC can be restricted by external challenges, e.g., fuel cost and fluctuations in exchange rates and interest rates caused by macroeconomic conditions.
  • Organizational Capability: The risk related to organizational capability arising from work model and procedural transformation.
  • Changed Rules and Regulations: Changed rules and regulations can create business obstacles for GPSC and its customers, especially through the direct impact of changed regulations on strategies and business practices.
  • Climate Change: In line with the international goal of GHG emission reduction, GPSC addresses climate change with a business commitment to tackle climate change by focusing on GPSC’s business operations.

Risk Area: Operational Risks
  • Power Plant Reliability: Power plant reliability can affect GPSC’s delivery of products in support of national economic growth and energy security.
  • Quality, Security, Safety, Health, and Environment: This risk is a potential threat to GPSC’s operations, especially business losses resulting from, e.g., disruption and discontinuity of operations, together with impacts on communities, society, and the environment.
  • Management of Projects under Construction: Risk from projects under construction can negatively affect the reliable delivery of power and steam to customers and the achievement of financial performance in line with the budget plan.
  • Imbalanced Fuel Supply Portfolio: Securing and maintaining energy sources are challenges for GPSC in managing fuel supply and generation stability.
  • Fraud and Corruption in Business: Risk associated with employees performing their duties in conformance with good governance and the Code of Conduct.

Risk Area: Financial Risks
  • Over-reliance on Industrial Customer Income: Risk associated with industrial customers that financially influences GPSC’s revenue structure.
  • Referenced Price to Power Generation & Distribution Volatility: A fuel price that is not aligned with the electricity cost can dramatically affect GPSC’s profitability.
  • Funding Management for Business Expansion: Funding management is a barrier to GPSC’s business growth, relating to the support of future investment plans, capital mobilization tools, models aligned with economic and financial market conditions to optimize benefits to GPSC, and credit ratings.
  • Interest Rate Volatility: Volatility from loans is addressed as a financial risk with respect to fixed and floating rates; GPSC has to effectively manage the proportions of fixed and floating interest rates.
  • Exchange Rate Volatility: Overseas investment comes with exchange rate fluctuations, which in turn become a financial risk for GPSC.

Risk Area: Shareholder Investment Risks
  • Credit Risks: GPSC’s reliability can be put at risk if bond issuers’ performance falls short of expectations and the collateral is less than the overall debt.
  • Price Risks: Price risks associated with GPSC can occur due to general economic conditions, money market movements, interest rate changes, the interest rate policy set by the Bank of Thailand, inflation rates, remaining tenors, excessive demand, or bond supply shortages in the market.
  • Liquidity Risks: Bond holders may not be able to dispose of bonds before maturity when there is no liquidity in the secondary or over-the-counter markets.
  • Default Risks: GPSC has no record of default on either principal or interest for bonds, mortgages, or loans from commercial banks, finance and securities firms, credit fonciers, and specialized financial institutions (SFIs).
Key risks, key areas, risk appetite/tolerance levels, and mitigation actions (in the original table, Likelihood and Magnitude are shown as colour-coded cells on a Low / Medium / High / Extreme scale):

Key Risk: The inconsistency in maintaining energy supply to IU customers due to:
    • Feedstock/Water shortage,
    • Equipment/Machine breakdown,
    • Human errors, etc.
  Key Area: Operational Risks
  Risk Appetite/Tolerance level:
    • GPSC will not accept any kind of reliability or stability risk that will impact customers.
  Mitigation Actions:
    • Enhance the GPSC and GLOW power plant network to maintain capacity management in both normal operation and unexpected situations
    • Embed the Operational Excellence Management System (OEMS) as the standardized framework to improve efficiency and performance
    • Supervise feedstock management to ensure its availability and enhance optimization in the production process
    • Establish a war room to closely monitor asset optimization and the supply chain on a weekly basis
    • Define leading and lagging performance indicators for relevant parties at both bottom-up and top-down levels, making them responsible for power plant reliability and stability to customers
    • Closely follow up the water situation to ensure its prompt availability for GPSC’s and customers’ plant balance, and analyze the impact from customers’ business on GPSC’s business
    • Coordinate operating plans with customers to predict demand and supply load in advance to maintain the availability and reliability of energy supply
    • Engage with governmental and private sectors to closely monitor water volume, potential drought situations, and mitigation progress in the Rayong and Chonburi area
    • Appoint a specific committee, GPSC’s Water Management Working Team, to stringently drive and govern the water management action plan

Key Risk: Business growth of GPSC can be restricted by external challenges:
    • fuel cost,
    • fluctuations in exchange rates and interest rates caused by macroeconomic conditions,
    • environmental concerns,
    • tax and non-tax barriers, etc., which impact GPSC and GPSC’s customers
  Key Area: Investment and Business Expansion
  Risk Appetite/Tolerance level:
    • GPSC will consider investments that enhance value creation for stakeholders, communities and society, and the environment.
    • GPSC will consider investing in green energy in order to meet the CO2 emission targets of GPSC Group
  Mitigation Actions:
    • Seek new growth opportunities to invest in renewable/hybrid energy in Thailand and other opportunistic countries
    • Expedite the business models of the New S-Curve, such as the Battery Value Chain Business and the study of CCUS and hydrogen, into the commercialized phase

Key Risk: Funding Management for Business Expansion
  Key Area: Financial Risks
  Risk Appetite/Tolerance level:
    • GPSC will maintain the strength of its capital structure as targeted and maintain its credit rating at investment grade
    • GPSC will provide funding that is suitable for the business environment and market conditions and aligned with PTT Group’s policy.
  Mitigation Actions:
    • Develop a new energy trading platform to cope with new user behaviors and upcoming power trading regulation, while reducing impacts on current and future power generation and distribution operations
    • Joint development/partnership with reliable and professional partners as a selective option to shorten entry into new businesses or areas
    • Comprehensively scrutinize and decide on strategic projects under the project return policy to ensure that financial return targets will be met
    • Frequently review the optimal financial policy rate and funding strategy to support GPSC Group’s business targets
    • Establish a treasury center to facilitate fund-raising activities and for the optimal benefit of financial management by GPSC Group
    • Seek financial instruments from various green financing methods to support financing activities, so that the Company can diversify and seek attractive sources of funds along the path toward sustainable green growth

Key Risk: Fraud and Corruption in Business Conduct
  Key Area: Operational Risks
  Risk Appetite/Tolerance level:
    • GPSC will accept neither any risk of fraud and corruption nor any form of misconduct in regulatory compliance under its corporate governance
  Mitigation Actions:
    • Place strong governance through GPSC Corporate Governance and internal control of fraud and corruption in functional activities
    • Communicate the anti-corruption policy to all employees so that it is acknowledged as common ground throughout the Company
    • Set up whistleblowing channels for corrupt practices and written measures to aid the assessment, detection of, and response to corruption
    • Review the assessment of corruption risks among related parties and report annually to the Risk Management Committee
    • Be a member of the Thai Private Sector Collective Action Against Corruption (CAC) to maintain the stringent intention of no involvement in any corrupt practices.
3. Risk Management

GPSC prioritizes the proper management of risks to keep them within its risk appetite. To this end, GPSC determines the timeframe for risk management actions in order to minimize the likelihood and impact of risk events as well as designates each responsible person to prepare a mitigation plan.

4. Risk Review, Approval and Risk Management
  1. Approval of the list of risks

    Following risk assessment and risk register formulation, the next steps, which are vital to the integrity of the management process, are verifying the completeness of the risk management plan, approving its implementation, and closing risks. GPSC divides risks into two levels:

    • Corporate risks: All corporate risk items are prepared by the corporate risk management team together with the relevant functions, presented for approval to the Risk Management and Internal Control Committee (RMCC) and the Risk Management Committee (RMC), and subsequently presented to the Board of Directors for approval.
    • Functional risks: The list of functional risks is prepared by the risk owner together with the relevant functions and presented for approval to the senior line manager of the function.
  2. Monitoring, reporting, sensitivity analysis and stress test, and communication

    Under the Risk Management Policy, the Risk Management Committee Charter, and the directive on the appointment and assignment of functions of the Risk Management and Internal Control Committee (RMCC), GPSC has prescribed continuous risk management monitoring and reporting and clearly defined responsible persons as follows:

    • GPSC has designated the Risk Management and Internal Control Committee (RMCC) to monitor functional and corporate risks as well as emerging risks on a continuous basis and present the outcomes of the monitoring of material corporate and emerging risks to the Risk Management Committee (RMC) to track management progress on an ongoing basis.
    • GPSC has designated a central risk assessment representative for each workgroup (Risk Agent), who is not only responsible for identifying risk factors and conducting risk assessment based on the risk register, but also acts as the coordinator for that area, comprehensively communicating risk management knowledge and mechanisms to others. The Risk Management Division is responsible for reporting the results to the Risk Management and Internal Control Committee (RMCC), at the management level, to monitor management progress on a regular basis.

    In addition, GPSC communicates risk issues to all managers and employees to create a robust risk management culture. It also regularly provides risk management training and communicates risk information to all managers and employees through on-site workshops, e-meetings, or e-publications. GPSC has also prescribed risk management as one of the performance indicators for all managers and employees.

    Sensitivity Analysis and Stress Test

    GPSC recognizes that new challenges can emerge over time. Thus, GPSC measures the significant factors affecting the business not only when formulating the corporate risk profile, but also continues to scrutinize key matters and trends during ongoing operations. In the quarterly monitoring and review of the risk assessment, the progress of risk mitigation and issues foreseen at that time are analyzed together in preparation for the next step. This includes scenario and sensitivity analysis of significant changes or factors that affect business objectives, performance, and strategic directions, so that management can analyze a portfolio view of the risks the Company may face and seek mitigation plans or opportunities arising from those changes.

    • Example of Financial Risk: Since the Company is targeting megawatt growth, funding management for business expansion is clearly crucial and must be managed. Revenue generated from existing business, together with the return from project investments and the avoidance of additional OPEX/CAPEX from unexpected circumstances, must remain in focus. GPSC therefore places importance on the various scenarios that may affect these, e.g., a fixed Ft policy price that is not in line with increased fuel prices, percentage changes in fuel price, percentage changes in FX, etc., and reflects them in the bottom line, whether revenue or investment return, in order to design prompt mitigation or optional initiatives such as hedging, reporting directly to management level on a monthly basis. This routine process ensures that the Company integrates its view of upcoming risks from all dimensions and looks forward to future growth with awareness.
    • Example of Non-Financial Risk: Apart from COVID-19, a crisis of global demand disruption and economic breakdown that GPSC successfully came through, GPSC has continued to face the impact of global conflicts, e.g., the Russia-Ukraine tension, which has caused a spike in fuel prices and a global supply shortage, and the US-China tension over Taiwan, which has led to a trade war. Such geopolitical risks not only create conflict between nations but also cause significant challenges and uncertainties for the Company. Therefore, in making decisions on future growth, whether in project or platform investment, all levels, including the Board and management, are responsible for anticipating scenarios of change or new emerging risks that may occur, the impact that follows, and the mitigations needed to prepare for them, e.g., limits on the investment landscape affecting GPSC’s strategy of international growth expansion, or the security of supply sources leading to higher CAPEX or additional OPEX. In short, these uncertain factors are always included as key assumptions in the decision-making process, so that GPSC looks ahead to potential risks and stays ahead under uncertain times.
  3. Review of risk management plans and risk escalation

    GPSC reviews its risk exposure, including the description, likelihood and magnitude of impacts, at least quarterly and adjusts the risk management plan to the situation. The goal of integrated risk management is to keep risk at an acceptable level on an ongoing basis. In addition to the corporate risk issues approved by the Board of Directors, if emerging risk issues arise during the year that may significantly affect GPSC, the management of the Risk Management Division, together with the relevant departments, will analyze all integrated information and present it to the Risk Management and Internal Control Committee (RMCC) to obtain their suggestions, and subsequently propose it to the Risk Management Committee (RMC) for approval.

  4. Risk Management Overview

    The risk management overview is as shown in the diagram.

  5. Risk Audit

    To provide assurance on the overall risk management framework, GPSC conducts audits through various channels:

  • Internal Audit
    • The adequacy of enterprise risk management must be reported annually to the GPSC Audit Committee, which comprises independent directors.
  • External audit
    • From external parties, including independent third-party auditors, the effectiveness of GPSC's risk management process is assessed annually against a range of well-known standards, i.e. ISO 9001:2015 (Quality Management Systems), ISO 14001:2015 (Environmental Management Systems), ISO 45001:2018 (Occupational Health and Safety Management Systems), ISO 22301:2019 (Business Continuity Management Systems), and ISO/IEC 27001 (Information Security Management Systems).
    • From PTT Group, the overall GPSC risk management system, from governance to implementation, is reviewed annually for its alignment with the PTT Group Way of Conduct in Risk Management Policy, whose requirements are adopted from Enterprise Risk Management: Integrating with Strategy and Performance (COSO ERM 2017) by COSO and the Principles and Guidelines on Corporate Governance for State-Owned Enterprises B.E. 2562 (2019) by SEPO.

Correlation of risks

The risk issues classified as the most impactful on GPSC’s operations are the efficiency of investment, organizational capacity, compliance, power plant reliability, and project execution. Risk correlation is significant for GPSC’s risk management since it can cause a chain of effects which may increase or decrease the level of risk according to their relationship.

Chart of annual risk correlation analysis

Emerging Risks

GPSC recognizes and is aware of short-term, medium-term, and long-term emerging risks that can impact the Company as well as risks and opportunities that may arise from the management of such risks. To this end, GPSC identifies emerging risks that will impact its business strategies and targets and will result in loss of opportunities for the Company if they are not appropriately managed. GPSC has assessed the emerging risks, evaluated their impacts, as well as defined mitigation actions to manage those risks effectively.

Emerging Risks (each entry gives the risk level, time frame, description, potential business impacts, and mitigating actions)
1. Geopolitical risks and global economic risks
Risk level: High. Time frame: 2023.

Description: Geopolitical conflicts, as well as volatility in the money market, the capital market, and the production and consumption sectors due to sensitive economic conditions, have placed limitations and conditions on the business operations and operating results of the Company and GPSC Group.

Potential Business Impacts:
  • Failure to achieve operating result targets as a result of increases in fuel and energy prices and of electricity tariffs determined by the government that do not reflect actual cost conditions
  • Impacts of financial policy management amid inflation and international economic stagnation on GPSC’s financial costs and expenses
  • Impacts of regional and national geopolitical conflicts on GPSC’s operations under its expansion strategies

Mitigating Actions:
  • Manage impacts on the operating results by utilizing reference fuel price formulas, selling electricity to fulfill power purchase agreements, carrying out plant optimization, and coordinating with relevant external agencies.
  • Undertake risk management through the Hedging Committee and monitor interest rates and financial costs to identify suitable financial instruments.
  • Manage risks and impacts that have arisen, from reviewing and selecting investment projects, for which potential short-term and long-term impacts are assessed, to fostering local business allies, studying and monitoring the business environment in depth through personnel stationed in local areas, and considering exit strategies when suitable.
2. Cybersecurity Risk
Risk level: Medium. Time frame: 2026.

Description: Cyber threats can cause significant impacts on GPSC’s information technology management and on work processes and management carried out online or in online systems. As digital technologies have improved operational efficiency and become much more widely used, particularly in the power generation business, every facet of operations at GPSC’s plant facilities and offices relies heavily on digital technologies and the internet. In addition, the need to adapt and work from home amid the COVID-19 pandemic has necessitated connection to the external internet. Also, in response to behavioral changes brought on by the new normal as well as global trends and digital transformation, GPSC has actively applied digitalization practices to its business context and created suitable IT infrastructure and management to avoid negative impacts. Thus, cybersecurity has become more important, and the IT threats that accompany internet connections have become unwelcome risks.

Potential Business Impacts:
  • Leak of the Company’s confidential information
  • Disruption of IT systems, affecting production and distribution systems, and thereby GPSC's reliability
  • Fines and penalties by regulators
  • Potential to harm GPSC’s financial and social capital
  • Loss of reputation, reliability, and stakeholder trust
  • Loss of business opportunities and revenue
  • Increase in infrastructure, operating, and insurance costs

Mitigating Actions:
  • Appoint a Digital and Cybersecurity Steering Committee (DCSC) to oversee and drive change management, assess digital risks and cybersecurity, and screen various projects to ensure alignment with GPSC’s strategies and businesses.
  • Monitor compliance with GPSC’s cybersecurity policy and provide practical guidelines in compliance with the international information security management system standard (ISMS, ISO/IEC 27001:2013).
  • Educate the workforce and raise their awareness of the various forms of IT threat and the related protective procedures, and hand over a list of threats for each operational site to prevent damage to GPSC from escalating.
  • Periodically test the system with self-conducted decoys and compile lessons learned to nurture awareness among all employees on the use of information technology.
  • Regularly organize drills for employees in office support functions to respond to IT threats.
  • Regularly perform data system tests and system recovery drills for emergency threats to power generation sites.
  • Regularly update relevant cyber-related laws and regulations.
3. Disruptive technology risks
Risk level: High. Time frame: 2027.

Description: As a result of rapid changes in customer and consumer energy consumption behaviors, as well as advancements in technologies such as blockchain and IoT, businesses need to adapt to remain competitive and develop innovations for future growth. Additionally, disruptive technology has rapidly driven changes in energy technology, leading to shifts in consumer behavior among both industrial and public users and a transition to renewable electricity, such as EVs, heavily influenced by the push for sustainability. These uncertainties are inevitable and may affect GPSC’s competitiveness against other players in the energy market.

Potential Business Impacts:
  • Decreased competitiveness if GPSC is unable to adapt to technological changes
  • Loss of reputation, reliability, and stakeholder trust
  • Loss of business opportunities, market share, and revenue

Mitigating Actions:
  • Invest in new S-Curve business models to support long-term expansion in battery and ESS businesses and other related businesses.
  • Actively develop a system integrator that can be integrated into the current business.
  • Formulate adaptation plans in support of the market for new forms of energy trade and consistently develop new energy trade platforms to cater to new consumer behavior while also reducing impacts on the power generation and distribution business both at present and in the future.
  • Study and develop carbon capture, utilization and storage (CCUS) technology and hydrogen businesses in preparation for limitations/obstacles related to GHG emissions and to create opportunities for new alternative businesses in the future.
4. Changed Rules and Regulations
Risk level: High. Time frame: 2027.

Description: In the global context of the energy transition agenda, the growing challenge of renewable energy generation and distribution has become an attractive topic. Adopting this trend leads to new challenges in the competitive market and in emerging businesses. Likewise, it has been identified as an emerging risk related to the unforeseen uncertainty of new and restrictive upcoming regulations, policies, and measures in Thailand within 3-5 years, particularly the electricity tariff mechanism. An emerging risk driven by changes in rules and regulations arising from the energy transition is recognized as potentially causing direct business impact to GPSC.

Examples include the implementation of renewable energy transition policy and regulation through a pilot-scale project of the Energy Regulatory Commission (ERC), which aims to scale up to the macro scale. This leads to the amendment of regulations on the new industry structure. One of the regulations that may be released is a new system fee for electricity, the so-called utility green tariff (UGT), i.e. UGT1 and UGT2. This is deemed a significant dynamic change to GPSC’s direction owing to the growing role of renewable energy in the grid’s electricity mix. In this regard, the ERC allows third parties to connect to the grid through Third-Party Access (TPA). TPA has been identified as a challenge to GPSC in the competitive market for energy trading and for the renewable energy capacity in its portfolio.

These are the drivers that prompt GPSC to expand its renewable energy capacity in the market among renewable energy buyers and to prepare for those regulations.

Potential Business Impacts:
  • The competitive market is also one of the challenges for GPSC’s new renewable energy businesses in terms of market share. In a highly competitive market, companies have to compete for customers, and they may have to lower their prices or offer better products or services to attract customers away from their competitors. This can result in a decline in market share and revenue for GPSC if the company is unable or unwilling to adapt to changing market conditions.
  • The applicable electricity tariff under newly changed policies and regulations can significantly affect GPSC’s generated revenue, which is uncertain, particularly when the electricity fee is imposed through the UGT mechanisms, i.e., UGT1 and UGT2.

Mitigating Actions:
  • Increase the renewable energy in the portfolio in response to market expectations for trading, through corporate strategy S2: Scale-up green energy, and prepare a renewable energy expansion plan to serve renewable energy market demand as a key player in the competitive market.
  • Engage with stakeholders, peers, and regulators to ensure that GPSC stays up to date on policy and market changes and takes advantage of new opportunities for impact and enhancement.
  • Study the tariff structure and potential changes in rules and regulations under upcoming policies directly relevant to GPSC’s businesses, to ensure the benefits from new business related to the change.
  • Develop a strategy for renewable energy trading through a platform that provides real-time monitoring as part of the new renewable energy business.
  • Reach out to new buyers in the renewable energy market to expand market share.
5. Organizational Capability
Risk level: High. Time frame: 2027.

Description: Driving GPSC’s growth in a highly competitive market, together with changing human capability needs under market conditions, requires human resource competency to strengthen GPSC’s position in all business opportunities. The core driver of value creation and delivery spans all functions across the company.

Human resource capability has the greatest potential to raise GPSC to the position of a key player in the energy sector. In this respect, strategic corporate expansion and the low carbon transition of GPSC, in line with global trends, have consistently been prioritized in GPSC’s business strategy and direction.

Nevertheless, a limitation exists in the current transformation phase, which forms one main barrier to continuing GPSC’s long-term strategic plan. This has become a threat to the continuous improvement of businesses, especially emerging businesses such as advanced renewable energy and low carbon technologies, energy storage systems, and digital technology. These are influential global trends that change rapidly and have a significant impact on GPSC’s businesses. Overall, poor adoption represents a high potential risk to the company's long-term success and sustainability. Thus, organizational capability and human competency are essential for managing and adapting to emerging risks derived from global change and the global agenda.

Potential Business Impacts:
  • A lack of appropriate and necessary expertise, technical skills, and knowledge for adapting to global change can restrict GPSC’s continued development.
  • Lower quality of value creation and delivery than the anticipated target, leading to negative consequences such as reduced customer satisfaction and trust, diminished reputation and credibility, and lower profits.
  • Rapid change in the global agenda can substantially reduce GPSC’s overall performance through lead time, which can cause decreased productivity, increased costs, and strained relationships with clients or stakeholders.
  • Misalignment between international trends and low capability at GPSC can further weaken its position in market opportunities.

Mitigating Actions:
  • Establish an initiative development program in each function across the company.
  • Collaborate with external partners and networks to exchange knowledge in the energy industry.
  • Monitor and track global trends for early adoption into business practice.
  • Integrate an intuitive platform for training courses for all levels and functions across the company.
  • Build a flexible workplace culture based on a modern working model that can enhance working efficiency.
  • Apply an incentivization concept to drive GPSC’s growth through valuable capability.
  • Encourage people to work in their area of expertise, on the right work and tasks, to create and deliver the maximum outcome.
  • Be proactive in anticipating and adapting to global trends to gain a competitive edge and create new business opportunities.

Information Security / Cybersecurity Governance

Information Technology and Cybersecurity Strategies for Success

Digital technology and information systems are critical to business operations, both in the production system and in the operating network, which connect to the internet and could therefore be exposed to cyber threats. To facilitate the digital technology and information operations of GPSC Group productively and effectively, and to prevent threats and manage cyber and information risk effectively in accordance with ISO/IEC 27001, the NIST standard and relevant laws, the company has guidelines for information security and cybersecurity as follows:

Cybersecurity Policy

GPSC's Information Technology and Cybersecurity governance structure is as follows:

Board of Directors (BOD)

The Board of Directors is responsible for reviewing and approving GPSC's key strategies, policies, objectives, action plans, and financial goals, as well as regularly overseeing and monitoring the executives so that such plans are carried out in accordance with the prescribed directions and strategies. Moreover, its roles and responsibilities include considering potential risk factors, formulating comprehensive risk management guidelines, ensuring that the executives operate with efficient risk management systems and processes in place, and ensuring sufficient and effective internal control as well as regular assessment of the suitability of GPSC's internal control systems.

Risk Management Committee (RMC)

The GPSC Risk Management Committee, appointed by the Board, has roles and responsibilities according to its charter, consisting of determining and reviewing the risk management policy and framework, monitoring and supporting the operation of risk management in accordance with changing situations, covering information technology and cybersecurity risk, and providing recommendations to the Risk Management and Internal Control Committee (RMCC) (management level) and the Management Committee (MC) to ensure that the company has efficient risk management. The results of risk management operations are reported to the Board.

Audit Committee (AC)

The GPSC Audit Committee (AC) has the duty to review and ensure that the company's internal audit systems, internal control systems and risk management are appropriate and efficient, as well as to guide and advise management on improving processes effectively in order to reduce risk factors.

Management Committee (MC)

The GPSC Management Committee is responsible for monitoring and driving business operations in accordance with the prescribed directions and strategies, as well as managing any obstacles and risks that might affect business operations. In addition, its roles and responsibilities include providing recommendations to the President and Chief Executive Officer for decisions on issues important to business operations and plans, managing the working system in a common direction, and scrutinizing the company's risk management. The results of risk management and business operations are reported to the Risk Management Committee and the Board, respectively.

Risk Management and Internal Control Committee (RMCC)

The GPSC Risk Management and Internal Control Committee is responsible for governing risk management activities and internal control systems covering all risks, including environmental, social, and governance risk (ESG risk), to ensure that the company can achieve its organizational goals with reasonable confidence, by supporting and monitoring operations in accordance with the risk management policy and framework of GPSC Group and by overseeing operational risk management for both corporate and functional risks. In addition, its roles and responsibilities include scrutinizing the risk management framework and monitoring and evaluating the results of risk management. It also supports and provides recommendations to the Management Committee on risk management within its scope of duties, and develops enterprise risk management in alignment with international standards to ensure that the risk management system meets the requirements. The results of risk management are reported to the GPSC Risk Management Committee, the Audit Committee, the Management Committee and related functions. If a significant factor or situation arises that might affect the company significantly, the committee must report to the Board immediately.

Digital and Cybersecurity Steering Committee (DCSC)

The Executive Vice President Corporate Strategy and Subsidiary Management serves as chairman of the DCSC and is responsible for managing changes, assessing digital technology and cybersecurity risks, establishing strategies to achieve operational goals, and driving and supervising various projects in accordance with the organization's strategies and operations.

In addition, senior executives from various departments join the committee and are responsible for regulating and driving digital technology and cybersecurity operations to achieve effective results and comply with the cybersecurity policy, ISO/IEC 27001, the NIST standard, and relevant laws.

Digital technology and cybersecurity risk management and result of the operation will be reported to GPSC Management Committee as necessary. In case of emerging risk or high risk, the committee must report to the Risk Management and Internal Control Committee to consider and provide recommendations on the risk management as well as to concretely drive the efficient risk management.

Cybersecurity Working Team

Representatives from various departments, consisting of Information Technology (IT) and Operation Technology (OT) departments are responsible for preparing a plan, improving, and defining a framework for cybersecurity to comply with GPSC Group's cybersecurity policy, relevant laws and regulations in order to manage cybersecurity risks. The cybersecurity working team must monitor and report the operational result to DCSC as necessary.

ISO/IEC 27001 Information Security Management System (ISMS)

ISMS consists of 3 working groups, as follows:

The Information Security Management Representative (ISMR)/Information Security Management Assistance (ISMA) is the company's management representative, responsible for supervising the establishment, use and development of the information security management system in GPSC, as well as for maintaining, continuously monitoring and improving it to achieve the information security policy and conform to the ISO/IEC 27001 standard. In addition, the ISMR/ISMA provides recommendations and suggestions on information security and on the policy applying to all employees, supervises any changes that might occur in the company, and coordinates the assessment, resolution and appropriate control of risks arising from those changes and from security breaches. The ISMR/ISMA must report the results of its operations to the DCSC.

ISMS Core Team (CT) consists of representatives from various departments. They have duties in coordinating with ISMR/ISMA to conduct risk assessments and manage risks for each segment as well as to measure the effectiveness of the process and control in the system. In addition, CT is responsible for coordinating with ISMR in the event of security breaches or any emergency cases to control and deal with these challenges that arise.

ISMS Document Controller (DC) is responsible for supervising and controlling the use of documents and records of the system to comply with the requirements of ISO/IEC 27001 standard, including coordinating with the GPSC central document controller team in order to operate the system to be in line with the company standard.

Information Technology and Cybersecurity Measure

GPSC has organized training courses on information security and cybersecurity awareness for employees at all levels, as well as for new employees, through online channels such as e-Learning and orientation. The courses cover the compliance standards of the company's Information and Communication Technology Policy Standard Practice, such as computer and software usage, internet usage, sending and receiving e-mails, and computer virus protection, in order to raise awareness of cyber threats and ensure that employees know the policies and regulations for the use of information technology systems, which employees at all levels must strictly adhere to as part of their performance evaluation. Employees who commit violations will be subject to disciplinary measures by the company.

In 2022, the company held 2 courses in IT Policy and Cybersecurity Awareness training through e-Learning and the Light Talk: Driving To The Future with Digital Transformation & Cybersecurity activity, with employee participation of over 1,400 people.

In addition, GPSC has assigned a third party to perform a vulnerability analysis of the organization's information technology systems annually. It consists of four activities: external penetration testing, internal penetration testing, vulnerability scanning, and phishing mail testing, with close monitoring. If any employee acts improperly or falls victim to the test, there will be communication and training courses to raise awareness and improve comprehension of cyber threats in specific target groups. In matters related to information and cyber security, employees can contact or notify service channels such as the IT Service Desk, system administrators, and PTT-Digital to investigate and take corrective action on incidents.

GPSC has established channels for employees to report received e-mails suspected to be spam or phishing mail through the Report Phishing function. In the past year, GPSC has been certified to the Information Security Management System standard ISO/IEC 27001:2013 for its data center, supporting infrastructure and cloud management (IaaS).

Updated as of February 2023

The content above is based on the sustainability reporting standards of the Global Reporting Initiative (GRI Standards) and externally validated and verified for data accuracy at the "Limited Assurance" level.