
The Company carries out Enterprise Risk Management (ERM) in accordance with the ISO 31000 standard and Business Continuity Management (BCM) in accordance with the ISO 22301 standard. Risk management is emphasised as a part of the corporate culture at all levels and is considered a duty of all employees, who are instilled with the understanding of the significance of risk management as well as the ability to apply risk management processes to all operations in a unified manner across the organisation.

Sustainability Risk Management

Enhancing confidence that sustainability matters are being driven in a systematic and concrete fashion, the Board established a Corporate Governance and Sustainability Committee with the express purpose of overseeing sustainability management.

Company management also set up a Sustainability Working Group, comprising management from each department. The group is tasked with overseeing the success of sustainability endeavours with the sustainability management department acting as a centre of coordination and evaluation, ensuring alignment with policies and processes set by the Sustainability Committee while promoting awareness among all employees.

The Company promotes sustainability in accordance with the ISO 31000 risk management process, which involves five steps: (1) risk identification, (2) risk assessment, (3) risk control, (4) risk monitoring, and (5) risk reporting, as displayed below. Materiality assessment is carried out by the sustainability management department and encompasses the identification and assessment of risk. The result of this activity is a set of material issues, from which the Sustainability Working Group derives the objectives and strategies put into practice by relevant units each year. These operations are part of risk management and are monitored by the sustainability management department, which issues reports to the Sustainability Working Group and the Corporate Governance and Sustainability Committee.

Figure: Risk Identification, Risk Assessment, Risk Control, Risk Monitoring, Risk Reporting

ESG-related risks that may directly impact the Company's operations, such as climate change, employee safety and health, labor law compliance, and cybersecurity, are considered enterprise-wide risks. They are therefore systematically managed to control risk, as outlined in the risk management section of the 2024 One Report.

Moreover, the Company’s Quality Control Department and Occupational Health and Safety Department actively monitor changes to regulations relevant to operations, including those involving sustainability matters. These departments carry out risk management to ensure the Company is able to adapt to any changes within an appropriate time and capital frame, as well as oversee and evaluate legal compliance.

Risk Culture Promotion

The Company focuses on promoting awareness and knowledge in risk management at all levels so it may genuinely become part of the corporate culture. This begins with the Risk Management Committee and Heads of Department, who play an important role in instilling awareness and knowledge on risk management.

Internal communications are utilized as a tool for further promotion, through channels such as newsletters, meetings, training, and the integration of the “4S” concept of “Fun, Style, Relations, and Sustainable Creativity” into different activities, so that employees become more aware of the need to participate in risk management processes and see them as important.

A risk management system dubbed RedRadar was created by the Company through which risk managers can collect and analyse risks. Information from the system is used to improve the risk management process, with reports presented to the Board quarterly to support timely and effective decision making.

Active training and drills are staged by the Company, wherein employees engage in simulated risk situations to enhance their capabilities and readiness to respond. These training sessions also emphasise the ability of employees to appropriately apply their knowledge to work. Regular evaluations are carried out so this process may be made even more efficient.

Business Continuity Plan

The Company strives to develop its Business Continuity Management (BCM) plan in accordance with the ISO 22301 standard so that it may address any emergencies and their impacts on its business. The plan was drafted to align with the Company’s Emergency Response Plan and Recovery Plan for the effective and timely handling of crisis situations.

The goal of the BCM plan is to limit impacts from emergency situations and ensure confidence that the Company will continue to operate through conditions such as flooding, heat waves, power outages, or communication technology stoppages. In these circumstances the Company aims to return to normal operation in the shortest amount of time possible. The plan also involves making the Company flexible in its management.

In 2024, the Company continually tested and improved its BCM plan to address situations such as partial flooding at airports. Resource and personnel management was adjusted to ensure uninterrupted operation and a backup power system was developed for major airports from which the Company operates. Backup equipment was also added for instances such as information technology outages. Regular Disaster Recovery Testing took place in the year for certainty that critical Company systems would remain operational in all situations.

Moreover, the Company cooperated with partners such as Airports of Thailand Co. Ltd. to draft an integrative business continuity management plan to ensure operations at the major airports of Don Mueang, Chiang Mai, and Phuket would be prepared against emergencies. The collaboration has bolstered confidence that the basic infrastructure pertinent to the Company is fortified against situations that could impact operation and that effects on guests and partners will be minimised.

Heatwave Preparedness
Flood Resilience
Wildfire Contingency Plan

Crisis Management

Importantly, the Company carries out crisis management to prevent unwanted incidents, crises and emergency situations that could lead to loss or negative impacts on its business, including aircraft accidents, missing aircraft, hijackings, bomb threats, natural disasters and public health emergencies. Effective crisis management entails the following:

1. Emergency Preparedness

In preparing for emergencies, the Company published an Emergency Response Manual (ERM) and Station Emergency Response Plan aligned with ICAO requirements and relevant airport plans. It has incorporated emergency response plan training into the curriculum for all employees and conducts annual emergency plan drills.

2. Emergency Response

The ERP outlines specific roles for employees during emergencies. Top management forms an Emergency Operation Centre to make critical decisions. On-site employees establish response centres such as the Survivor Reception Centre, Family and Friend Reception Centre, and Crew Rest Area within 30 minutes. Station managers coordinate between units from the Station Coordination Centre. For remote locations, a Go Team from headquarters is dispatched, comprising investigators, engineers, and a Special Assistance Team (SAT) for emotional recovery and counselling of victims and families.

3. Recovery Process

Once the emergency situation has been resolved, managers are to assemble a Post Recovery Team to evaluate the situation and draft a BCP to normalise circumstances as quickly as possible.

Emerging Risk

Number of employees, Heads of Department, and members of the Board of Directors who have completed risk training to date

Note:

Employees

A total of 4,696 employees have completed risk training. All employees who completed the training took the company's internal course titled "Risk Awareness for Allstars."

Heads of Department

A total of 14 Heads of Department have completed risk training. 11 members attended the "Risk Awareness for Allstars" course in 2023. The other 3 members have completed the "Director Certification Program (DCP)" from the Thai Institute of Directors (IOD), with 2 members completing it in 2011 and 1 member completing it in 2018.

Board of Directors

A total of 5 members of the Board of Directors have completed risk training. All of them completed the "Director Certification Program (DCP)" from the Thai Institute of Directors (IOD). Specifically, 2 members completed it in 2000, 2 members completed it in 2011, and 1 member completed it in 2018.