Key Stakeholders: Shareholders / Customer and Consumer / Government and Civil Society Sectors
to employees through various internal channels, such as internal PR and business unit risk management representatives.
relevant to the business. Risk trends and key issues affecting the Company are shared with directors and executives on a quarterly basis. In addition, all employees at the officer level and above are required to complete basic risk management training through the Company's designated learning platform.
both domestic and international, on topics relevant to the Company and its employees through the Shared Point GRC Channel, which has over 1,000 followers.
through business continuity plan (BCP) drills conducted at 10 locations to strengthen preparedness and response to potential threats.
Mitr Phol has adopted the COSO Enterprise Risk Management Integrated Framework as a key tool for designing its risk management process. The Company emphasizes effective, transparent, and sustainability-aligned risk management practices. The Board of Directors has delegated the Risk Management Committee* to oversee the implementation of the Risk Management Policy and framework, monitor the overall risk management process, and ensure that key risks are managed within the defined risk appetite. The Risk Management Department is responsible for communicating the policy and recommendations from the Board and the Committee to relevant business units and coordinating corporate-wide implementation. It oversees risk management across six key risk areas: strategic, operational, digital and technology, financial, legal and regulatory compliance, and sustainability (ESG). The Department also reviews, monitors, and reports significant risks to the Risk Management Committee and the Board of Directors to ensure they are informed of the Company's risk management performance on an annual basis. The Risk Management Department reports directly to the Governance, Risk, and Compliance Division under the Corporate Sustainability Sub-Business Group, which operates independently from the core businesses.
Mitr Phol's management structure is designed with clearly defined roles and responsibilities for each unit, based on the "Three Lines of Defense" model. This approach ensures independence among operational processes, promotes transparency in collaboration between executives and employees at all levels, and aligns with international standards. It supports effective risk management through the following structure:
First Line of Defense: Management and Operational Roles – Responsible for executing operations and managing risks associated with various organizational processes. This line integrates internal control measures and plays a crucial role in identifying and managing risks, as well as adhering to control measures to mitigate potential risks within work processes.
Second Line of Defense: Risk Management and Compliance Functions – Responsible for establishing policies, overseeing operations, providing consultation, and supporting the first line in managing risks and implementing internal controls. This line ensures that operations comply with established standards, monitors and evaluates performance, and enhances efficiency to align with organizational goals.
Third Line of Defense: Internal Audit – Responsible for auditing and assessing the operations of both the first and second lines of defense. This ensures that risk management processes and internal controls are effective and comply with established policies and requirements. The internal audit function operates independently from management and reports directly to the Audit Committee, fostering continuous improvement in organizational processes.
Mitr Phol recognizes that integrating risk management into operations enables the organization to manage risks effectively at all levels, while promoting operational efficiency and sustainable growth. Accordingly, Mitr Phol has established a Risk Management Policy, reviewed and approved by the Board of Directors, to provide a framework and methodology for identifying, assessing, and managing potential risks within the organization. The policy is reviewed every three years, or earlier when significant changes in the business environment render it no longer appropriate.
The Company also provides tailored risk management training and education for the Board of Directors (both executive directors and non-executive directors), the Risk Management Committee, executives, and employees at all levels, based on their roles and responsibilities. This is delivered through a variety of formats and communication channels, including expert guest lectures, online and offline workshops, internal PR materials, and the Mitrsamphan internal magazine, aiming to encourage employee engagement in preventing and managing organizational risks.
In 2024, the Risk Management Department organized quarterly guest lectures by external experts and incorporated risk management and business continuity topics into the onboarding program for new employees at the operational level and above. The Department also produced a Geopolitical Risk Bulletin, summarizing regional conflicts and assessing their potential impact on the Company's operations. In addition, geopolitical risk updates and other risk-related communications were regularly shared with Mitr Phol employees through the Shared Point GRC Channel.
Risk monitoring and assessment are reviewed at least twice a year to ensure they remain current. Each business unit is required to review its key risks, develop corresponding mitigation plans, and define key risk indicators (KRIs) for monthly internal monitoring. These updates are reported to the Risk Management Committee on a quarterly basis. The collected information supports enterprise-wide risk assessment and monitoring, with the results of corporate-level risk management reported to the Board of Directors.
The assessment and management of key risk factors in 2024 are as follows: