Risk Management Policy

For clarity in risk management, the company's Executive Committee has set the following policy framework for risk management, its method of operation and risk management plans:

  1. Focus on risk management that affects objectives and policies, including the reputation and image of the company.
  2. Manage risk as effectively as possible and at an acceptable level. Involve all employees in the risk management process.
  3. Encourage employees across the organization to be aware of and prevent all possible risks.
  4. Continuously examine, monitor and assess the risks that will occur according to the changing environment, from both internal and external factors.
  5. Promote risk management as part of a culture that leads to creativity and value for the organization.

The persons involved in the company's risk management consist of officers at all levels, from general staff to the Board of Directors. The operating structure is as follows.

From the risk management structure, the roles and responsibilities of each department have been defined as follows:

Segment

Roles and Duties

Board of Directors

Approve the company's risk management, as well as monitor and supervise the implementation of the specified work plans to ensure they are effective.

Risk Management Committee

  1. Determine the strategy and operational policy of the organization, and supervise the ongoing risk analysis and management.
  2. Supervise and encourage employees at all levels to be aware of the risks, and continuously promote risk management processes throughout the organization until they become part of the corporate culture.
  3. Encourage employees to gain knowledge about risk management.
  4. Review the risk management report and take steps to ensure that risk management is adequate and appropriate, that risks can be managed to an acceptable level, and that risk management is implemented continuously.
  5. Develop and review the Company's risk management system to ensure efficiency and effectiveness on a continual basis. The evaluation and monitoring of the risk management process are regularly performed in accordance with the established policies.
  6. Make decisions and advise on key issues that arise in the risk management process.
  7. Submit a report on the performance of the Risk Management Committee to the Board of Directors for acknowledgment and/or consideration every 6 months.

Secretary of the Risk Management Committee

  1. Gather risks and risk management of each department to present to the Risk Management Committee.
  2. Prepare a risk management report for submission to the Risk Management Committee.

Quality Management Department

  1. Coordinate the analysis, evaluation and management of risks according to the established guidelines.
  2. Coordinate, advise and assist the various departments in analyzing, evaluating and managing risks.
  3. Provide knowledge to the various departments so that they understand the criteria for analyzing, evaluating and managing risks.
  4. Follow up on the risk management results of the various departments, and notify the risk owners to manage and continually review risk management.

Deputy Managing Director

  1. Supervise staff to analyze and regularly assess the relevant risks.
  2. Approve relevant risk management guidelines.

Director / Division Manager

  1. Propose risk information and risk management methods to the Risk Management Committee for approval.
  2. Propose risk issues that cannot be managed to the Risk Management Committee for consideration and determination of management guidelines.
  3. Follow up and evaluate the results of risk management.

Department heads and operational staff

  • Analyze and assess the risks of each segment, and regularly report risks to supervisors.
  • Study, analyze and report potential risks to supervisors regularly.
  • Risk Management Report

General staff

  1. Implement the internal control system to hedge against risk.
  2. Implement risk management in accordance with established guidelines.

Elements of risk management
     The company divides risk management into 2 types, namely departmental risk management and enterprise-level risk management.

Segment level risk management
     This is the management of risk that may arise from the operations of each department. Such risks can be managed under the authority of the department manager, or do not affect the objectives and goals of operation, or can be controlled through the internal control process. For example, for the risk of procuring raw materials or products at high prices but low quality, the control activities related to purchasing must be made stricter, such as determining methods for selecting vendors, preparing a register of sellers, keeping price statistics, segregating duties according to the principles of good internal control, rotating purchasing officers, etc.

Enterprise Risk Management
     This is the management of risk that affects the vision, objectives or operational goals, including the operational goals under the memorandum of agreement for performance evaluation.

Elements of Enterprise Risk Management
     Enterprise risk management implements the enterprise risk management system guidelines of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which have the following risk management components:
     1. Internal Environment
     2. Objective Setting
     3. Risk Identification
     4. Risk Assessment
     5. Risk Responses
     6. Control Activities
     7. Monitoring
     8. Information and Communication

 

1. Internal Environment

     Internal environment means internal guidelines and policies related to risk management. The internal environment of the organization is an important factor affecting the risk management process. The key elements of the internal environment include:

  1. The organization's management model and risk management culture, which are important factors in making risk management a corporate culture.
  2. The role of the Board of Directors in supervising the work of the executives to ensure that risk management is appropriate and comprehensive.
  3. Proper organizational structure
  4. Selection and development of personnel with knowledge, competence and commitment to their responsibilities.
  5. Encouraging employees to be honest and ethical
  6. Delegation of appropriate authority and responsibility to employees to achieve the organization's goals.

 

2. Objective Setting

     Setting goals means understanding the mission, objectives, goals and strategies for the operation of the organization, including the operating environment, all of which have been outlined in the plan. This includes the performance goals under the performance appraisal memorandum.

     The results of goal setting will reveal the events and success factors that affect the achievement of the goal, the measures of success, and the degree of deviation from those measures that is acceptable. The goals for risk management are determined from the operational targets stipulated in the enterprise plan and from other goals additionally determined by the Executive Board.

 

3. Risk Identification

     Risk identification is the consideration of events that lead to damage. Before the risk identification process can be carried out, the goal of the operation must be set first; the events that would prevent the operation from achieving that goal are then analyzed.

     The identification of risks must take into account both internal and external factors that affect the organization's goals and performance. External factors are the environment outside the company that cannot be controlled, such as government policies, politics, economic conditions, interest rates, exchange rates, the operations of related agencies, natural disasters, laws, parties to contracts, competitors and lifestyles. Internal factors are the internal environment, which can be controlled or changed, such as policies, strategies, management systems, organizational structure, work processes, organizational culture, personnel and the technology used.

     Risk identification should start with events that are obvious or significant, and must also include events with low likelihood but high damage, or that affect important goals. Risk identification can be done in many ways, including interviews, judgment from work experience, brainstorming among different departments, workshops, setting up a working group of personnel knowledgeable in various fields, analysis of past data, etc. In addition, risks may be identified using external means, such as comparison with international criteria or standards, using information from similar businesses, and engaging consultants to give advice, etc.

In managing the risks of the Company, the risks are divided into 4 categories as follows:

  1. Strategic Risk (S) means the risks associated with strategy formulation and strategic decisions, including inconsistencies between policies, goals, strategies, organizational structures, competitive situations and the environment affecting the organization. These include risks related to government policies, risks related to economic and political conditions, reputational risks, the risks associated with interest, business competition risks, management risks, etc.
  2. Operation Risk (O) means the risks arising from operations in terms of personnel management and the technology used in the work. These include operational risks, property management risks, fraud risks, personnel risks, information technology risks, etc.
  3. Financial Risk (F) means risks related to financial and investment management policies and procedures, such as risks related to capital structure, risks related to accounting and financial reporting, risks related to financial liquidity, exchange rate/interest rate/inflation rate risks, etc.
  4. Compliance Risk (C) means the risk of violating or not being able to comply with laws, rules and regulations, or of existing laws/regulations being inappropriate or obstructing performance.

 

4. Risk Assessment

     After identifying potential risks in Step 3, the next step is risk assessment, which is to predict the likelihood and impact of such risks and assess how severe the risks will be. In order to prioritize the risks, the risk level is assessed before risk management (Inherent Risk) and again after control/management (Residual Risk). If the risk is still higher than the acceptable level, additional management is necessary in order to reduce it to the acceptable level.

     1. Assessment of the level of risk

     Risk assessment is based on two components, namely likelihood and impact. Taken together, they give the level of risk, which is used as an indicator of the importance of that risk.

          (1) Likelihood means the likelihood that a risk or event will occur. The level of likelihood is usually considered using past information. However, in the case of an unprecedented event, information about similar events that have occurred in other agencies, or the experience of the assessor, may be used. The criteria for evaluating the likelihood of a risk occurring.
          (2) Impact means the effect or damage from the risk that will occur, which may be the value of the damage, the significance to the target, or the sensitivity to the public. The expected consequences must be considered across 5 aspects of impact, which are:
     a) Financial impact is the effect that causes financial damage, or other damage that can be converted into money.
     b) Operational impact is the effect that causes delays in the company's operations, including the impact on production operations, on carrying out various projects, and on services.
     c) Impact on reputation is the effect that damages the reputation and image of ALT Telecom Public Company Limited, whether as a result of direct or indirect operations.
     d) Information technology impact is the effect that causes problems or damage to information systems, various work systems and information data.
     e) Management impact within the organization is the effect that causes problems or dissatisfaction with work.

     Likelihood and impact can be measured using different analytical techniques together, as appropriate for each risk, including qualitative analysis (an explanatory assessment not specified in numbers), semi-qualitative/semi-quantitative analysis (numbers are assigned in place of qualitative data to make its description clearer) and quantitative analysis (the use of numerical measures, such as the amount of money lost, the number of complaints, the percentage of lag versus plan, etc.). Quantitative analytical techniques are difficult and require the collection of relevant statistics and data, including the use of models or mathematical methods to help determine numerical values, for which risk indicators must be set to show what indicates the risk.

     The company has set the criteria for assessing the level of likelihood and impact at 5 levels. However, for some risks it may be inappropriate to use the levels of likelihood and impact as specified in the risk assessment. In such cases, the Executive Committee will determine criteria for assessing the level of likelihood and impact specifically for that risk.

     2. Level of Risk is an indicator used to determine the significance of the risk. The level of risk is obtained by taking the likelihood of the risk and the impact of the risk together, as follows:

Level of Risk (R) = risk probability level (L) x impact level (I)

     The risk level is calculated by the formula above. If the value is low, the risk is low, and if the value is higher, the risk is higher, according to the definition of each risk level.

Meaning of each risk level

Chart showing the level of risk (Risk Profile)

 

5. Risk Management

     After the risk assessment in Step 4 and the prioritization of the risks, the risk management strategy is determined by choosing one strategy or a combination of strategies to reduce the risk to an acceptable level. The strategies for managing risks include:

  1. Risk Terminate (Terminate): eliminating or avoiding the risk because it has a high probability and a high impact, such as changing goals, cancelling a project or plan, changing the project's operating model, etc.
  2. Risk Transfer (Transfer): reducing the likelihood of the risk and/or the impact that will occur from the risk by transferring or sharing some of the burden with others, such as taking out insurance, transferring responsibility to a contractor, transferring work to concessionaires, outsourcing, etc.
  3. Risk Treat (Treat): reducing the likelihood of the risk occurring and/or the impact that will occur from the risk by modifying work or preparing supporting plans, such as adjusting work methods, determining monitoring measures, restructuring, educating employees, etc.
  4. Risk Take (Take): accepting the risks that will occur. This strategy takes no action to reduce the likelihood or the impact, because the remaining risk level is low or at an acceptable level, or because the cost of risk management is higher than the result.

     The decision to choose a risk management strategy must take into account the risk factors that are the cause of the risk, and must compare the costs or resources required for that alternative with the results, to determine whether or not choosing that strategy is worthwhile. Once an appropriate risk management strategy has been chosen, the segments related to that risk must prepare a risk management plan so that the results of risk management can be monitored and evaluated. One method or a combination of several methods may be chosen in order to keep the risk within the acceptable deviation range (Risk Tolerance). The risk management plan has the following components:

  1. Strategies and Methods
  2. Determine the division responsible for that risk management plan.
  3. Set the time limit for completion.

 

6. Control Activities

     Control activities are policies and procedures established to help management ensure effective risk management. Control activities include preventive, detective and remedial controls, including:

  • Determination of policies and procedures, such as the preparation of operating manuals
  • Approval/certification/approval of work
  • Performance review
  • Security of and access to information technology systems
  • Separation of job responsibilities/assignments

     The company has clearly defined control activities. The risk management policies and procedures have been prepared according to the risk management manual, and responsible persons are assigned to implement the risk management plan. For risk management at the operational level, the department manager is responsible for determining the responsible person. For corporate-level risk management, the Executive Committee will determine which department should be the main responsible party. There is a time limit for completion, and the results of implementing the risk management plan are reported for periodic review.

 

7. Monitoring and Evaluation

     1. Performance monitoring

     When the environment changes, established risk management methods may no longer be appropriate, control activities may become less effective, or operational goals may change. Therefore, it is necessary to monitor whether the risk management in each step is still effective.
     Monitoring can be done in 2 ways: Ongoing Monitoring and Separate Evaluation.
     Ongoing monitoring is continuous monitoring of all steps of risk management during operations, while separate evaluation is done from time to time according to a specified time period. Monitoring during operations is therefore more effective. In addition, the more monitoring is done during operations, the less monitoring in the form of periodic evaluations is needed.
     Monitoring may be performed by either or both of the above methods. If the periodic assessment method is used, the risk management assessment must be done at least every 6 months.
     In monitoring and auditing, the principle of self-assessment is used: the main department responsible for managing a risk is responsible for evaluating the efficiency of its own risk management. In addition, the Audit Office is another department that will monitor and audit as part of its routine duties, or may perform audits as instructed by the Audit Committee or the Board of Directors.

     2. Reporting

     The main function responsible for risk management is responsible for reporting the results of enterprise-level risk management to the Executive Board at least every 6 months. However, if there is a significant risk, or risk management that is not being applied efficiently, it must be reported to the Board of Directors immediately.
     The Executive Committee is responsible for reporting corporate risk management to the Board of Directors at least every 6 months or when there is a significant risk.

     3. Assessment of the risk management framework (Framework Appraisal)

     The steps and elements of risk management described above, including this risk management manual, must be assessed for appropriateness and effectiveness from time to time. The assessment may be conducted in the form of a self-appraisal (Self-Appraisal) or may be carried out by an outsider (Independent Appraisal).

 

8. Information and Communication

     Information and communication means the establishment of good communication and risk information systems to ensure that all executives and employees understand the processes and their roles and responsibilities in relation to risk management, including:
     1. The Board of Directors and senior executives communicate the risk management policy and risk status to all employees so that they understand and implement risk management according to their roles and responsibilities.
     2. Provide effective two-way communication channels between executives and employees.
     3. There is coordination between the risk management and audit functions so that useful information can be exchanged between them.
     4. Information related to risk management is communicated both inside and outside the organization through information systems and internal communications, so that employees receive regular and up-to-date information about risk management.

     This shall be effective from 16 July 2015 onwards.