EGCO Group has reviewed and edited the risk management policy and guidelines to cover all risk issues in parallel with enterprise-wide risk management, while maintaining the balance between risk and return to increase added values for shareholders sustainably.

The risk management policy applies to all subsidiary companies. EGCO Group encourages its partners, suppliers, and all related parties to acknowledge the risk management policy and operate in a similar direction.

EGCO Group has applied the 2017 COSO Enterprise Risk Management - Integrated Framework (2017 COSO ERM) for risk management throughout its organization and has developed a “Risk Management Manual” in line with the 2017 COSO ERM. Key risk indicators are determined which are both leading indicators and lagging indicators. All employees and power plants are encouraged to apply 2017 COSO ERM and the manual as appropriate to their operations. To ensure the efficiency of risk indicators, EGCO Group has conducted sensitivity analysis and stress testing for risk issues significantly affecting the business including financial risks, climate change risks, changes in water availability and water quality risks, as well as other risks e.g. operational risks, market risks, strategic business risks, project management risks, tax management risks, human capital risks, compliance risks, supply chain management risks, IT security and cyber security risk, and personal data protection risks.

Risk Management Process

Risk management is a continuous process within the company that should be integrated into normal business operations, aiming to ensure the achievement of determined corporate strategies, missions, and objectives. The risk management of the company comprises 8 interrelated components of the management process and business operational approaches as provided below.

  1. Internal Environment: The company’s management is required to establish a risk management philosophy and define acceptable risk levels. Integration of risk management into the company’s environment is fundamental for employees to recognize risks, and understand how to control and manage them. Human resources play an important role in every type of business, which includes their qualifications such as honesty, ethical values, and capabilities.
  2. Objective Setting: The company’s management shall define the objectives before identifying potential events that could impact their achievement. Corporate risk management ensures that the management has established the objective setting process, and the chosen objectives are supportive and aligned with the company’s missions, as well as consistent with the company’s acceptable risk levels.
  3. Event Identification: The management shall identify the events that could potentially affect the company or the achievement of goals, both by internal and external sources. The identified events may represent risks, opportunities, or both. In the case of an opportunity, it shall be incorporated into the strategy or objective-setting process accordingly.

    In 2023, EGCO Group adopted ESG, which are material topics and issues from materiality assessment < https://sustainability.egco.com/en/sustainability-at-egco/materiality-assessment> and integrated into the company’s enterprise-wide risk management (ERM) process.

  4. Risk Assessment: The identified risks are analyzed to establish consideration criteria for risk management. The risk correlates with the potentially affected objectives, therefore, the risk assessment shall apply to both inherent risk and residual risk, taking into account the likelihood and impacts of such risk.

    The corporate risk heat map has been developed in compliance with COSO ERM criteria and corporate assessment criteria, ensuring a thorough risk assessment for the organization.

  5. Risk Response: EGCO Group’s personnel are responsible for identifying and evaluating the risk response approaches, which include avoidance, reduction, sharing, and acceptance. The management shall select the risk management methods that are aligned with the acceptable risk levels of the company.
  6. Control Activities: Policies and operational procedures shall be established and enforced to ensure the effective implementation of the risk response approaches selected by management.
  7. Information and Communication: Relevant information shall be identified, stored, and communicated in an appropriate format and within a timeframe that allows personnel to adopt it according to their responsibilities. Information is required by personnel at all levels for identifying, evaluating, and responding to the risks. Communication must be effective and widely recognized, spanning from top to bottom, between departments, and bottom-up interactions. Personnel from all departments shall receive clear information about their roles and responsibilities.
  8. Monitoring and Internal and External Audit: All risk management processes shall be monitored and adjusted as necessary. This approach enables the company to effectively respond and address changing situations. Monitoring can be carried out during regular management activities, separate risk performance assessments, or a combination of both methods. Corporate risk monitoring takes place monthly, while power plant risk monitoring is undertaken at least quarterly. Additionally, EGCO Group performs both internal and external audits of risk management processes regularly.
    • Internal Audit: The Risk Assessment Department reports the corporate risk management performance and key risk indicator (KRI) to the Audit Committee by coordinating with the Internal Audit Department in each quarter, totalling 4 times per year. Additionally, it will be presented at the meeting between the Risk Oversight Committee Meeting and the Audit Committee twice a year.
    • External Audit: At the same time, the Risk Assessment Department process undergone external audits according to the risk maturity model by the Risk Management Society (RIMS), USA for once a year.

The Company has determined 5 types of risks as follows:

  1. Strategic Risk
    Risks arising from strategic planning, action plan, improper implementation and inconsistency with strategies and vision which affects the achievement of the organization’s main objectives.
  2. Operational Risk
    Risks related to the efficiency and effectiveness of resource utilization or operations which may be related to internal operation processes, personnel, work systems, or external events which affects the organization’s operations and drive to achieve strategic objectives.
  3. Financial Risk
    Risks related to the management of the organization’s budget which may cause an impact to the financial position of the Company, its credibility, transparency, and the misuse of budget funds.
  4. Compliance Risk
    Risks related to laws and regulations, as well as the ambiguity and out dated regulations which affects the Company’s credibility and reputation.
  5. Organization Structure Risk
    Risks related to the organizational structure, such as the loss of employees, inability to develop human capital, inability to develop IT working systems, and lack of organization’s plan for sustainable development and social and environmental responsibility which may reduce the effectiveness of work and reduce business continuity. In addition, it may cause loss of knowledge used in organizational development.

Examples of Corporate Key Risk

Details of corporate key risks potentially affecting EGCO Group and all annual risk mitigation actions are provided in the Annual Report.

Corporate Key Risk Description Risk Mitigating Actions Risk Audit (Internal & External) Prioritization of Risk Inherent Level (Likelihood x Magnitude of Potential Impact) Risk Appetite & Risk Tolerance
Plant Performance Risks: Power Plant Efficiency Risk PPAs stipulate various power plants’ efficiency indicators such as Heat Rate and failure to meet their performance requirements. Unmaintainable efficiency indicators will result in a higher cost of power generation than those specified within the contract. The cause of such risks can be maintenance malpractice in power plants.

EGCO Group sets the plant management policy and systems so that preventive maintenance is carried out continuously in a professional manner. Working procedures implemented by plant management also confirm that all relevant risks are under control. These procedures are as follows:

  • Regular inspections and maintenance according to the schedule by skilled technicians.
  • Installation of monitoring systems for critical equipment in power generation systems. These monitors will provide advance notification if a problem occurs with the equipment such as the vibration monitoring system of the gas and steam turbine and the monitoring system for pressure and temperature of the steam entering the steam turbine.
  • Provision of necessary inventory reserves which include machinery spare parts, chemicals, lubricants, and various supplies used in maintenance. These items should be sufficient for use and maintenance under proper inventory management.
  • Implementation of the Quality Management System (ISO 9001:2015) in 12 power plants to ensure their quality operation as well as to comply with PPAs such as Khanom, GPG, GYG, SPP Two, SPP Three, SPP Four, SPP Five, GPS, Solarco, SEG, PAJU, and SBPL.
  • Continuous development of employee competency
External Audit: ISO 9001:2015
Click to enlarge
To set the risk appetite and the range of acceptable risk tolerance, complying with business context and strategy Zero plant shutdown
Plant Performance Risks: Safety, Health, Environmental, and Social Risks that Must Comply with International Standards In conducting its business, EGCO Group may experience accidents that occur from human error or low machine efficiency. Possibly, community resistance may occur when the production negatively affects the community. Furthermore, there is a sabotage risk which will cause severe loss to power plants.

Management has put forth the following measures to investigate and reduce the likelihood of these risks listed here:

  • Conform to the requirements of safety, health, and environment management manuals in which the guidelines have specified for implementation, monitoring, and auditing.
  • Strictly comply with work manuals and emergency plans, administer training and plan testing, equipment and warning systems.
  • Implement an Environment Management System (ISO14001:2015) in the following 10 power plants: Khanom, GPG, BLCP, KLU, BPU, GYG, TWF, NTPC, SEG, and PAJU, for the objective of continuously and sustainably improving the environmental management system
  • Implemented Occupational Health and Safety Assessment Series (ISO45001:2018) in 5 power plants, specifically Khanom, BLCP, NED, Nam Theun 2, and SEG. The objective is to reduce and control health and safety risks in the employees, associated with the employees and the stakeholders, to improve business operations efficiency, maintain safety, and increase a corporate reputation of responsibility toward employees and society.
  • Communicate with personnel to avoid carelessness.
  • Regularly maintain all equipment.
  • Strengthen relationships with the surrounding communities.
  • Collaborate with government agencies as well as local authorities.
  • Deploy a security plan that includes regular drills and security equipment such as closed circuit TV and various monitoring devices that should always be in use.
External Audit: ISO 45001:2018, ISO 14001:2015
Click to enlarge
  • GHG emissions emitted per EIA requirement
  • Zero incident rate
Cyber security and privacy data protection risks

Technology and information system development have experienced rapid growth in recent years. EGCO Group has integrated its operations into an online system to facilitate collaboration among various departments within the company. It is important to safeguard business information, stakeholder data, supplier and partner information, as well as employees' personal data to ensure confidentiality and prevent any data leakage to external parties.

The information technology system serves as a fundamental tool to improve business operation efficiency, electricity generation control, and operational cost management. To strengthen EGCO Group’s competitiveness both domestically and in the countries where it operates or plans to invest, the importance of information technology in supporting business operations continues to grow.

In 2023, EGCO Group implemented its risk management strategy continuously. The company improved its information technology master plan to align with EGCO Group’s new strategies, information technology trends, energy industry, and financial technology trends. The company also reviewed and updated its technical data security measures to minimize the risk of external threats. Key activities implemented include the following.

  • A certification body conducted the audit of the information security management system (ISMS) of EGCO Group’s data center for ISO/IEC 27001:2013 (Information Security Management System: ISMS) certification maintenance and confirmed that EGCO is certified for Surveillance Assessment Year 3 in preparing the center's information security management system. Computer (Data Center) in preparing the center's information security management system of the Data Center
  • Khanom Power Plant Co., Ltd. was audited for the maintenance of the ISO/IEC 27001:2013 (Information Security Management System) Certificate for the ISMS of its Khanom 4 Power Plant for Surveillance Assessment Year 1.
  • Banpong Utility Co., Ltd. is ISO/IEC 27001:2013 (Information Security Management System) certified on the ISMS of its computerized control system of hydropower and gas turbine generation.
  • Providing cyber threat awareness training for employees to mitigate the risks of data breaches and the leakage of sensitive business information.Hackershave exploited the vulnerability of remote working set-ups during the COVID-19 pandemic and employed more sophisticated attacking methods to breach security measures.
  • Commissioning external specialists to conduct vulnerability assessments and penetration testing to identify vulnerabilities in EGCO Group’s applications,database, and internal network systems.The tasks also include analyzing and assessing the risks, loopholes, and weaknesses identified during penetration testing, and providing recommendations to enhance the efficiency of the systems and security measures.
  • EGCO Group has established a Privacy Protection Working Group and an Infrastructure and Information Security Department to review and disseminate personaldata protection policy, infrastructure and information security policy, and other relevant guidelines to employees for acknowledgment and implementation.Such policies cover areas such as personal data protection policy, personal data protection guidelinesin compliance with the law, information security, and cyber security policies, information technology security guidelines for users, confidentiality classification guidelines, labeling, and data management.
The information security management system (ISMS) of the Data Center successfully passed the audit for maintaining its ISO/IEC 27001:2013 (Information Security Management System) Certificate.
Click to enlarge
  • Number of power plants passing the audit for maintaining ISO/IEC 27001:2013 (Information Security Management System) Certificates.