Risk and Crisis Management

Current and emerging business risks and uncertainties can affect business goals both directly and indirectly, so they must be managed systematically and efficiently. Because risks and uncertainties can also create business opportunities, the organization must also seek ways to take advantage of them. The Company has therefore adopted the Enterprise Risk Management (ERM) framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and ISO 31000:2009 to ensure that those involved understand risk management principles and can apply them appropriately in order to make the most of them. The Company has established a Risk Management Committee under the authority of the Board of Directors to oversee the organization's overall risk management. The Company's guidelines for managing risk and crisis are as follows:
Risk Management Policy

The Company, through the Risk Management Committee, has established a risk management policy as the framework for supervising risk management in all dimensions: strategy and investment risk; financial, business, technology and operational risk; legal and regulatory risk; personnel and organizational structure; environmental, social and governance (ESG) risk; corruption risk; and the emerging risks of the Company and the GPSC Group. The policy guides all management and employees to apply the same standards and work in the same direction.


Governance and Risk Management Structure

GRI 102-30, 103-2

The Company's risk management operates within the scope, authority, duties and responsibilities of the Board of Directors, which is responsible for considering the significant risk factors that may occur, defining comprehensive risk management guidelines, and guiding the management team to put effective risk management processes in place. This also covers risk factors that may arise from the pursuit of business opportunities, and ensuring that the risk management system and processes respond consistently to the constantly changing business context. The Board of Directors has approved the Risk Management Committee Charter, assigning some of the directors to serve as the Risk Management Committee (RMC), whose scope of duties and responsibilities is to define and review the corporate risk management policy framework and to review, supervise and monitor performance and results in several dimensions, such as strategy risk, financial risk, and business operations and production risk. The assigned directors also support the implementation of enterprise risk management in alignment with business strategy and goals. This includes a comprehensive review of the Company's acceptable risk framework as the business context changes, and monitoring, screening, giving feedback and advising on risk to ensure that risk management operations remain effective. (Further details on the scope of responsibilities of the Risk Management Committee can be found in the Risk Management Committee Charter: https://www.gpscgroup.com/storage/content/about/management-structure/risk-management-committee-charter-2021-en.pdf)

The Audit Committee also reviews the risk management system under the Audit Committee Charter to ensure the effectiveness and adequacy of the risk management system as a whole.

Enterprise Risk Management Framework

Apart from the enterprise risk management framework driven by the Board of Directors and the Risk Management Committee, driving risk management in practice through management committees is also an important component. The Company has designated the Management Committee (GPSCMC), which consists of senior management from several departments, and the Risk Management and Internal Control Committee (RMCC), which includes the senior management responsible for ensuring that the Company's risk management system and internal control system are appropriate and effective. Progress on the organization's risk management is monitored and reported through RMCC meetings and reporting to the RMC, at least quarterly.

The Company's enterprise risk management framework, and how its elements of risk management are linked, are shown in the diagram.

Risk Management Strategies and Processes

Under the Company's enterprise risk management (ERM) framework, the Company has established guidelines for risk management at two levels: the Corporate Level and the Functional Level. Its strategies and processes for risk management are as follows:

Strategies for Risk Management

The Company establishes strategies for risk management throughout the organization. The goal is to create a risk culture through training for management, employees and other stakeholders, including appointing representatives of each function as Risk Agents for the group of risks related to their work, with the risk management function acting as central coordinator and supervisor, defining the strategy and driving continuous improvement of the risk management system. Within this context, the Company has also set objectives, an acceptable risk level (Risk Appetite) and acceptable levels of deviation (Risk Tolerance), so that risk management follows the same direction throughout the organization and is consistent with the business strategy. The Company has also established cooperation with the PTT Group to develop risk management knowledge in areas such as the Operational Excellence Management System (OEMS).

Organization Acceptable Risk (Risk Appetite)

GRI 102-11

Corporate Risk Management Process

The Company focuses on systematic management of risk issues, from assessing risk factors to analyzing and preparing risk issues in line with the strategy, and on managing risk arising from changes in a fluctuating business environment and from new emerging risks. Consideration, approval, supervision, management, monitoring, review, escalation and driving of risk mitigation are essential elements of the risk management system that drive the strategic plan and business operations toward the stated goals. In addition to promoting risk management in the organization's work culture through measures such as the Company's risk management policy, the Company drives risk management performance at all levels through performance assessment (KPIs): 1) Organizational-level risks, to which senior management and personnel in the relevant departments are exposed: they receive an annual performance assessment on the relevant risk management dimensions, which contributes to driving performance at the organizational level and within their areas of responsibility. 2) Unit-level risks: workers in each unit receive an annual performance assessment within the scope of their duties, to ensure that risk management performance under uncertainty meets the goals they are responsible for; this in turn affects overall risk management and business goals at the organizational level.

Assessing and labeling risk (Risk Register)

GRI 102-11

The relevant departments conduct the assessment, analysis, consideration and preparation of risk issues. As shown, the Company focuses on operating comprehensively and has adequate support measures under each risk assessment dimension.

With the same standardized assessment criteria across the organization, and an emphasis on escalating items that have a significant impact on corporate goals and strategic plans to the organizational level, the procedures for assessing and maintaining risk registers are as follows:

1. Identification of Risk Factors

The Company identifies risk factors by:

  1. Assessing future scenarios based on changes in both internal and external factors, covering emerging risks arising from changing activities or business contexts that may impact organizational goals.
  2. Assessing changes in normal business operations that may affect current operations and, in turn, the Company's business goals.

The identification of risk factors can be carried out by personnel in the relevant risk owner/function and presented for review and the further risk management procedures below.

2. Risk Assessment and Analysis

The Company assesses and analyzes all potential risks, including corporate, functional (unit) and project/product development investment risks. The Company's central standard criteria for assessing risk are as follows:

  • Impact assessment criteria, covering finance, business processes and operations, the organization's reputation, and customers and people, are divided into 4 levels: low, medium, high and severe.
  • Likelihood assessment criteria are divided into 4 levels:
    • Low chance of occurrence (less than 10 percent, or never, or only 1 occurrence in 5 years)
    • Moderate chance of occurrence (more than 10 but less than 20 percent, or 1 occurrence in 3 years)
    • High chance of occurrence (more than 20 but less than 50 percent, or 1 occurrence in 1 year)
    • Very high chance of occurrence (severe) (more than 50 percent, or has occurred more than once in 1 year)

The Company presents the assessment results in a Risk Matrix to prioritize the risks. Risks assessed as having high to severe impact are classified as risks that need to be managed, and risks with medium to low impact are classified as risks that need to be monitored.

The risk dimensions the Company has framed include strategic risk, business risk, operational risk and financial risk. For management and supervision, the Company divides risk into two levels:

  • Corporate Level: considers the impact or damage that may prevent the Company from achieving the objectives, strategies and business plans of the organization.
  • Functional Level: considers the impact or damage that may prevent the unit from achieving its objectives and responsibilities.

3. Risk Management

The Company manages risks so that they remain at an acceptable level. It sets a timeframe for risk management actions to reduce the likelihood and impact of risk events, and designates a person responsible for those actions (Risk Owner), who prepares a risk mitigation plan.

  1. Approval of the list of risks

    After the risk register has been assessed and prepared, verifying the completeness of the management approach and considering approval of the actions and of risk closure are important steps for the integrity of the management process. The Company divides risks into 2 levels:

    • Corporate Risk: prepared by the Corporate Risk Management team together with the relevant departments and presented for approval to the Risk Management and Internal Control Committee (RMCC) and the Risk Management Committee (RMC) before presentation for approval to the Board of Directors.
    • Functional Level: prepared by the Risk Owner together with the relevant departments and presented for approval to the Senior Manager of the function concerned.
  2. Monitoring, reporting, communication

    Under the Company's Risk Management Policy, the Risk Management Committee Rules, and the directive appointing and assigning functions to the Risk Management and Internal Control Committee (RMCC), the Company organizes continuous monitoring and reporting of risk management, with clearly designated persons responsible for monitoring and reporting, as follows:

    • The Company requires the Risk Management and Internal Control Committee (RMCC) to monitor unit-level and corporate risks as well as emerging risks on an ongoing basis, and to present the results of monitoring corporate and emerging risks that are significant to the business to the Risk Management Committee (RMC), which monitors management progress on an ongoing basis.
    • The Company requires a central risk assessment representative of each workgroup (Risk Agent) to identify risk factors and assess risks through the risk register. The Risk Management Section reports the results to the Risk Management and Internal Control Committee (RMCC), at management level, which monitors management progress on an ongoing basis.

    In addition, the Company communicates risk issues to all managers and employees to create a robust risk management culture. It provides ongoing risk management training, communicates risk information to all managers and employees by e-mail, and defines risk management as one of the operational indicators for all managers and employees.

  3. Review of Risk Management Plan and Risk Escalation

    The Company pays attention to reviewing and adjusting the risk management plan to the situation; the goal of integrated risk management is to keep risk at an acceptable level at all times. In addition to the corporate risk issues approved by the Board of Directors, if emerging risk issues that may significantly affect the Company arise during the year, the Corporate Risk Management Section, together with the relevant departments, prepares the information for approval by the Risk Management and Internal Control Committee (RMCC) before presenting it for approval to the Risk Management Committee (RMC).

  4. Risk Management Overview

    The risk management overview is shown in the diagram.
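As an added example (not GPSC's own code or tooling), the following Python script implements the assessment criteria from step 2 above (four impact levels, the four likelihood bands, the Risk Matrix, and the manage/monitor classification) together with the approval routing from step 3. The dimension names, the worst-case aggregation of impact ratings, the likelihood-times-impact ordering, the treatment of values exactly on a band edge, and every sample register entry are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional

class Level(IntEnum):
    """The four levels the page uses for both impact and likelihood."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SEVERE = 4

# Impact dimensions named on the page; each is rated on the same four levels.
IMPACT_DIMENSIONS = ("finance", "operations", "reputation", "customers_people")

def likelihood_level(probability: Optional[float] = None,
                     occurrences: Optional[int] = None,
                     years: Optional[float] = None) -> Level:
    """Map a probability (0..1) or an observed frequency into the page's four bands:
    <10 % / never or 1 in 5 years -> LOW; 10-20 % / 1 in 3 years -> MEDIUM;
    20-50 % / 1 in 1 year -> HIGH; >50 % / more than once a year -> SEVERE.
    Putting a percentage exactly on a band edge into the higher band is an assumption."""
    if probability is not None:
        if not 0.0 <= probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        if probability < 0.10:
            return Level.LOW
        if probability < 0.20:
            return Level.MEDIUM
        if probability < 0.50:
            return Level.HIGH
        return Level.SEVERE
    if occurrences is None or years is None or years <= 0:
        raise ValueError("give either probability or occurrences and years")
    rate = occurrences / years  # events per year, from the page's "1 occurrence in N years"
    if rate <= 1 / 5:
        return Level.LOW
    if rate <= 1 / 3:
        return Level.MEDIUM
    if rate <= 1:
        return Level.HIGH
    return Level.SEVERE

def impact_level(ratings: Dict[str, Level]) -> Level:
    """Overall impact is the worst rating across the dimensions (aggregation rule assumed)."""
    if not ratings or set(ratings) - set(IMPACT_DIMENSIONS):
        raise ValueError("ratings must use only the known impact dimensions")
    return max(ratings.values())

@dataclass
class RiskEntry:
    risk_id: str
    title: str
    scope: str        # "corporate" or "functional": the two levels the page defines
    likelihood: Level
    impact: Level
    owner: str        # Risk Owner responsible for the mitigation plan

    @property
    def classification(self) -> str:
        """High or severe impact -> to be managed; medium or low -> to be monitored."""
        return "manage" if self.impact >= Level.HIGH else "monitor"

def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Most pressing first, by likelihood x impact (an assumed scoring), then impact, then id."""
    return sorted(register, key=lambda r: (-(r.likelihood * r.impact), -r.impact, r.risk_id))

def approval_route(entry: RiskEntry) -> List[str]:
    """Approval chain the page names for each scope level."""
    routes = {"corporate": ["RMCC", "RMC", "Board of Directors"], "functional": ["Senior Manager"]}
    if entry.scope not in routes:
        raise ValueError(f"unknown scope: {entry.scope}")
    return routes[entry.scope]

def risk_matrix(register: List[RiskEntry]) -> str:
    """Render a 4x4 text Risk Matrix: rows = likelihood (severe at top), columns = impact."""
    cells = {(lk, im): [] for lk in Level for im in Level}
    for r in register:
        cells[(r.likelihood, r.impact)].append(r.risk_id)
    header = "likelihood \\ impact | " + " | ".join(f"{im.name:<8}" for im in Level)
    lines = [header, "-" * len(header)]
    for lk in reversed(list(Level)):
        row = " | ".join(f"{','.join(cells[(lk, im)]) or '-':<8}" for im in Level)
        lines.append(f"{lk.name:<19} | {row}")
    return "\n".join(lines)

# Constructed sample register; ratings are illustrative, not the Company's assessments.
SAMPLE_REGISTER = [
    RiskEntry("R1", "Cyber attack halts plant IT/OT systems", "corporate",
              likelihood_level(probability=0.25),
              impact_level({"finance": Level.HIGH, "operations": Level.SEVERE,
                            "reputation": Level.HIGH, "customers_people": Level.MEDIUM}), "CIO"),
    RiskEntry("R2", "Drought limits cooling water supply", "corporate",
              likelihood_level(occurrences=1, years=3),
              impact_level({"finance": Level.HIGH, "operations": Level.HIGH}), "Plant Manager"),
    RiskEntry("R3", "Phishing e-mail reaches staff mailboxes", "functional",
              likelihood_level(occurrences=3, years=1),
              impact_level({"operations": Level.MEDIUM, "reputation": Level.MEDIUM}), "IT Security"),
]
```

Calling `prioritise(SAMPLE_REGISTER)` orders the entries R1, R3, R2, while `classification` follows the page's stated rule, which keys on impact alone: R3 lands in the "monitor" group even though its likelihood is rated severe. Keeping both axes in the matrix (`risk_matrix(SAMPLE_REGISTER)`) is what lets a reviewer spot such cases and decide whether they should be escalated as organizational risks.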

Correlation of risks

The risk issues classified as having the greatest impact on the Company's operations are investment efficiency, organizational capacity, compliance, power plant security, and project implementation. Risk correlation is significant for the Company's risk management because correlated risks cause chain effects that may raise or lower the level of each risk according to their relationship.

Annual risk correlation analysis flowchart

Emerging Risk

GPSC Group recognizes and is aware of long-term emerging risks that could affect the Company. Accordingly, GPSC Group identifies risks that may arise in the next 3-5 years and that would result in lost opportunities for the Company if not appropriately managed. The Company has therefore assessed these emerging risks, evaluated their impacts, and defined mitigating actions to manage them effectively.

Each emerging risk is listed below with its risk level, time frame, description, potential business impacts, and mitigating actions.

1. COVID-19 Pandemic

Risk level: Medium
Time frame: 2023

Description: The COVID-19 pandemic has hurt global society and the economy, including GPSC Group, its joint ventures and its customers. The rapid spread of the pandemic creates obstacles to operations and changes customer behavior because of containment measures such as lockdowns and bans on mass gatherings.

Potential business impacts:
  • Constraints on national power policy and the macro power balance
  • Constraints on power generation and the overall business outlook
  • Reduction in energy demand, affecting GPSC revenues and profits
  • Shifting customer energy consumption behavior
  • Shifting business operation practices to the new normal

Mitigating actions:
  • Monitor the situation closely.
  • Develop a business continuity plan (BCP).
  • Provide safe houses for employees in charge of power generation and reliability and of critical utility supply.
  • Screen employees and contractors operating on site, and support those working from home.
  • Conduct stress tests on the financial system.
  • Provide cash flow to ensure adequate liquidity in case of emergencies affecting business operations.
  • Develop new businesses to meet the needs of a variety of customers in the new normal (e.g. small-scale distributed power generation, micro grid management).

2. IT Threats and Cybersecurity

Risk level: High
Time frame: 2026

Description: Cyber threats can significantly affect the Company's information technology management and online operations, since digital technologies have improved efficiency and become much more widely used, particularly in the power generation business. Every facet of operations at plant facilities and offices relies heavily on digital technologies and the internet. In addition, the need to adapt and work from home amid the COVID-19 epidemic requires connections to the external internet. Behavioral changes from the new normal and the global trend toward digital transformation also lead the Company to actively adopt digitalization practices in its business, with appropriate IT infrastructure and management to avoid negative impacts. Cybersecurity has therefore become more important, and IT threats arriving over internet connections have become unwelcome risks.

Potential business impacts:
  • Leak of the Company's confidential information
  • IT outage halting production and distribution systems, and thereby the Company's reliability
  • Fines and penalties from regulators
  • Potential damage to the Company's financial and social capital
  • Loss of company reputation, reliability, and trust from stakeholders
  • Loss of business opportunities and revenue
  • Increase in infrastructure, operating and insurance costs

Mitigating actions:
  • Appoint a Digital and Cybersecurity Steering Committee (DCSC) to oversee and drive change management and to assess digital and cybersecurity risks. It also screens projects to ensure alignment with GPSC's strategies and businesses.
  • Define a clear cybersecurity policy for GPSC Group and form dedicated task forces in charge of short-term and long-term management, leading to information security management system certification (ISMS, ISO 27001:2013).
  • Educate the workforce on IT threat patterns and the related procedures for protecting against and handling each threat, to minimize escalating damage to the Company.
  • Periodically test the system with self-instructed decoys, and organize lessons learned to nurture awareness among all employees on the use of information technology.
  • Regularly organize workforce drills to respond to IT threats for office support functions.
  • Regularly perform information system tests and system recovery drills for emergency threats to the power generation operating areas.
  • Regularly update on cyber-related laws and regulations.

3. Innovation and Technology Transformation (changes in customer and consumer energy-use behavior)

Risk level: High
Time frame: 2026

Description: With rapid change in customer and consumer energy consumption behavior and technology transformation such as blockchain and IoT, businesses need to adapt to stay competitive and to develop innovations for future growth. Disruptive technology is also rapidly driving changes in energy technology, leading industrial and public users to change behavior in the energy transition toward renewable electricity (for example EVs), heavily influenced by the drive toward sustainability. These uncertainties are unavoidable and may affect the Company's competitiveness against its peers.

Potential business impacts:
  • Decreased competitiveness if the Company is unable to adapt to technological change
  • Loss of company reputation, reliability, and trust from stakeholders
  • Loss of business opportunities, market share and revenue

Mitigating actions:
  • Increase financial and intellectual capital to build the Company's competency in new businesses.
  • Aggressively continue with the new S-Curve business model beyond the existing power generation business model to support future growth. This model includes storage battery manufacturing; power storage system development and related businesses; and research and development (R&D) investment in new energy technologies to maintain competitive advantages and drive the vision of becoming the leading innovative energy company.
  • Actively develop a system integrator that integrates energy production and consumption patterns, such as Micro Grid and Smart Grid, to better respond to the needs of both.
  • Develop a new energy trading platform to cope with new user behaviors while reducing impacts on the current and future power generation and distribution business.
  • Conduct customer behavior analysis and analysis of shifts in market patterns to understand current and future changes in consumption behavior.
  • Battery and energy storage technology.

4. Drought Crisis

Risk level: Medium
Time frame: 2026

Description: A climatic condition caused by a lack of rainfall over an extended period leads to inadequate water resources. As water is a critical component of the power generation business, drought and water shortages are a threat to GPSC's operations, as seen in the drought crisis that became more severe in 2020.

Potential business impacts:
  • Water shortages for the manufacturing bases of many firms in Thailand and for hydropower generation from hydroelectric dams in neighboring countries. This affects the Company's production and delivery processes, which has resulted in reliability impacts and financial impacts of more than 739 MTHB.

Mitigating actions:
  • Closely monitor the national water supply and networks.
  • Participate with other organizations and state agencies in the Committee on Water Resource Management (a public-private cooperation in charge of monitoring and managing water resources at all storage facilities).
  • Implement the 3Rs program.
  • Reduce water usage by up to 10-30 percent in case of crisis.
  • Install a mobile wastewater RO unit and a seawater reverse osmosis system.
  • Make joint efforts with customers to cut water usage.
  • Manage water both internally and externally with representatives from PTT Group's water resource management committee to assess the water situation in the Eastern region.
  • Keep back-up emergency storage for at least 3 days of operations.
  • Set up a water management plan to prepare for water-related risk events, such as securing a contract for demineralized water from other suppliers.

Information Security / Cybersecurity Governance

Information Technology and Cybersecurity Strategies for Success

Digital technology and information systems are critical to business operations, both the production system and the operating network connected to the internet, which could expose them to cyber threats. To productively and effectively support the digital technology and information operations of GPSC Group, prevent threats, and effectively manage cyber and information risk in accordance with ISO/IEC 27001, the NIST standard and relevant laws, the Company has the following guidelines for information security and cybersecurity:

Cybersecurity Policy

GPSC's information technology and cybersecurity governance structure is as follows:

Board of Directors (BOD)

The Board of Directors is responsible for reviewing and approving GPSC's key strategies, policies, objectives, action plans and financial goals, and for regularly overseeing and monitoring the executives so that such plans are carried out in accordance with the prescribed directions and strategies. The Board is also responsible for considering potential risk factors, formulating comprehensive risk management guidelines, ensuring that the executives operate with efficient risk management systems and processes in place, and ensuring sufficient and effective internal control, including regular assessment of the suitability of GPSC's internal control systems.

Risk Management Committee (RMC)

The GPSC Risk Management Committee is appointed by the Board. Its roles and responsibilities under its charter consist of determining and reviewing the risk management policy and framework; monitoring and supporting risk management operations in line with changing situations, covering information technology and cybersecurity risk; and providing recommendations to the Risk Management and Internal Control Committee (RMCC) (management level) and the Management Committee (MC) to ensure that the Company manages risk efficiently. The results of risk management operations are reported to the Board.

Audit Committee (AC)

The GPSC Audit Committee (AC) reviews the Company's internal audit systems, internal control systems and risk management to ensure that they are appropriate and efficient, and guides and advises management on improving processes effectively in order to reduce risk factors.

Management Committee (MC)

The GPSC Management Committee is responsible for monitoring and driving business operations in accordance with the prescribed directions and strategies, and for managing obstacles and risks that might affect business operations. It also provides recommendations to the President and Chief Executive Officer for decisions on issues important to business operations and plans, manages the working system in a single direction, and scrutinizes the Company's risk management. The results of risk management and business operations are reported to the Risk Management Committee and the Board, respectively.

Risk Management and Internal Control Committee (RMCC)

The GPSC Risk Management and Internal Control Committee is responsible for governing risk management activities and internal control systems covering all risks, including environmental, social and governance (ESG) risk, so that the Company can achieve its organizational goals with reasonable confidence. It does so by supporting and monitoring operations in accordance with the risk management policy and framework of GPSC Group and by overseeing operational risk management at both corporate and functional levels. It also scrutinizes the risk management framework, monitors and evaluates the results of risk management, supports and provides recommendations to the Management Committee on risk management within its scope of duties, and develops enterprise risk management in alignment with international standards so that the risk management system meets their requirements. The results of risk management are reported to the GPSC Risk Management Committee, the Audit Committee, the Management Committee and related functions. If a factor or situation arises that might affect the Company significantly, the committee must report to the Board immediately.

Digital and Cybersecurity Steering Committee (DCSC)

The Executive Vice President, Corporate Strategy and Subsidiary Management, chairs the DCSC and is responsible for managing change, assessing digital technology and cybersecurity risks, establishing strategies to achieve operational goals, and driving and supervising projects in accordance with the organization's strategies and operations.

In addition, senior executives from various departments serve on the committee and are responsible for regulating and driving digital technology and cybersecurity operations to achieve effective results and to comply with cybersecurity requirements, ISO/IEC 27001, the NIST standard and relevant laws.

Digital technology and cybersecurity risk management and the results of operations are reported to the GPSC Management Committee as necessary. In the case of an emerging or high risk, the committee must report to the Risk Management and Internal Control Committee, which considers it, provides recommendations on managing the risk, and concretely drives efficient risk management.

Cybersecurity Working Team

Representatives from various departments, including the Information Technology (IT) and Operational Technology (OT) departments, are responsible for preparing plans, making improvements, and defining a cybersecurity framework that complies with GPSC Group's cybersecurity policy and relevant laws and regulations in order to manage cybersecurity risks. The cybersecurity working team monitors and reports operational results to the DCSC as necessary.

ISO/IEC 27001 Information Security Management System (ISMS)

The ISMS consists of 3 working groups, as follows:

The Information Security Management Representative (ISMR) / Information Security Management Assistance (ISMA) is the Company's management representative responsible for supervising the establishment, use and development of the information security management system at GPSC, and for maintaining, continuously monitoring and improving it to achieve the information security policy and conform to the ISO/IEC 27001 standard. The ISMR/ISMA also provides recommendations and suggestions on information security and the policy that applies to all employees, supervises changes that might occur in the Company, and coordinates the assessment, resolution and appropriate control of risks arising from those changes and from security breaches. The ISMR/ISMA reports the results of operations to the DCSC.

The ISMS Core Team (CT) consists of representatives from various departments. They coordinate with the ISMR/ISMA to conduct risk assessments and manage risks for each segment, and measure the effectiveness of the processes and controls in the system. The CT also coordinates with the ISMR in the event of security breaches or emergencies to control and deal with the issues that arise.

The ISMS Document Controller (DC) supervises and controls the use of the system's documents and records so that they comply with the requirements of the ISO/IEC 27001 standard, and coordinates with the GPSC central document controller team so that the system operates in line with the Company standard.

Information Technology and Cybersecurity Measure

GPSC has organized training courses on information security and cybersecurity awareness, including the compliance standards in the Company's Information and Communication Technology Policy Standard Practice (such as computer and software usage, internet usage, sending and receiving e-mail, and computer virus protection), for employees at all levels as well as new employees, through online channels such as e-Learning and orientation. The aim is to raise awareness of cyber threats and ensure that employees know the policies and regulations on the use of information technology systems, which employees at all levels must strictly adhere to as part of their performance evaluation. Employees who violate them are subject to disciplinary measures by the Company.

In 2021, the Company held 2 courses in IT policy and cybersecurity awareness training through e-Learning, with employee participation of over 1,030 people.

In addition, GPSC engages a third party to perform an annual vulnerability analysis of the organization's information technology systems. It consists of four activities: external penetration testing, internal penetration testing, vulnerability scanning, and phishing mail testing, with close monitoring. If an employee falls victim to the test, communication and training courses are provided to raise awareness and improve comprehension of cyber threats in the specific target groups. For matters related to information and cyber security, employees can contact or notify service channels such as the IT Service Desk, system administrators, and PTT-Digital, which investigate and take corrective action on incidents.

GPSC has established channels for reporting e-mails received by employees that are suspected to be spam or phishing, through the Report Phishing function. In the past year, GPSC has been certified to the Information Security Management System standard ISO/IEC 27001:2013 for its data center, supporting infrastructure and cloud management (IaaS).

Updated as of February 2022

The content above is based on the sustainability reporting standards of the Global Reporting Initiative (GRI Standards) and has been externally validated and verified for accuracy of the reported data at the "Limited Assurance" level.