Skip to content

Risks and Opportunities Management

INTRODUCTION

Stakeholder Impact

Effective risk and opportunity management plays an importance role in supporting our investors, employees, and business partners by mitigating corporate risks. Not effectively managed corporate risks whether operational, strategic, or compliance-related can lead to severe business disruptions, financial losses, and diminished stakeholder trust.

In contrast, a proactive approach to identifying and managing risks not only protects the Group’s assets but also uncovers strategic opportunities for sustainable growth, thereby ensuring long-term value creation across the value chain.

MANAGEMENT APPROACH

Policies & Commitments

Practices

Enterprise Risk Management (ERM) is an integral part of our business operation planning and organization culture. ERM is applied to all business units and personnel to ensure business objectives are met while minimizing the probability and impact of potential risks, along with mitigating them. These considerations include internal and external aspects that may arise from within our organization and from other market factors. ​

Our ERM framework and processes are implemented in accordance with the Committee of Sponsoring Organization of the Treadway Commission (COSO) and ISO 31000:2018 Risk management guidelines. This has aided us in the execution of risk governance and culture, risk assessment and review that aligns our corporate strategies and sustainability development goals.

Risk Governance

To ensure resilient operations and prevent systemic failures, the Group requires a structured approach to risk management. The Group has adopted the “Three Lines of Defense model” to establish clear accountability and mitigate risk across the organization.

To ensure resilient operations and prevent systemic failures, the Group requires a structured approach to risk management. The Group has adopted the “Three Lines of Defense model” to establish clear accountability and mitigate risk across the organization.

Three Lines of Defense

The First Line of Defense

This  1st line consists of “Risk Champions and Risk Officers” from across all business functions, own and manage risks. As the primary risk owners, they are responsible for identification of risks and controls at the operational level and communicating  risk information to the second line of defense, which is Risk Management Office

Risk Champions leads individual risk management for each business unit within the Group and is responsible for updating their business unit risk registers to Risk Management Office.

Risk Officers are responsible for monitoring and updating day-to-day operation activities pertaining to risks while supporting Risk Champion for effective implementation of Enterprise Risk Management Policy.

The Second Line of Defense

This 2nd line is driven by the “Risk Management Office” which provides structural oversight, establishes risk frameworks, and guides the frontline risk championsand risk officers, in accordance with the established Enterprise Risk Management process and policy.

Embedding as proactive risk management, this function actively monitors the Group’s top corporate risks, Key Risk Indicators (KRIs), and mitigation plans then escalates  quarterly updates to the Risk Management Committee, the Executive Committee, and ultimately to the Board of Directors.

The Third Line of Defense

The 3rd line is the Internal Audit department, which operates with structural independence by quarterly updating Enterprise Risk Management implementation, executed by Risk Management Office, to the Audit Committee and, ultimately, the Board of Directors.

To maintain this independence, the Internal Audit function communicates audit findings directly to the Audit Committee and, ultimately, the Board of Directors.

Risk Management Process

The Group performs a risk management process by identifying corporate risks and unit risks along the value chain corresponding to the business direction and organizational goals including risk assessment, risk monitoring and control, reporting and Effective Risk Management Processes Promote Long-Term Corporate Sustainability Management communication, and regular review of the sufficiency and effectiveness of risk management of each unit involved.


Identify business risks based on business objectives across value chain

Risk
Identification

Risk 
Assessment

Analyze and assess risks
and prioritize based on likelihood of occurrence and potential impact

Report performance of risk management to the Board of Directors and management and communicate to stakeholders

Risk Report &

Communication

Risk Monitoring &

Review

Regularly monitor and evaluate mitigation plans, sensitivity analysis, stress testing, Key Risk Indicators (KRIs), and internal controls on a regular basis

This systematic approach ensures that potential threats are proactively identified and managed through three core pillars: risk review, risk audit, and risk training.

Risk Review

To maintain proactive risk management, Risk Management Office conducts the review of risks and in-place controls every two years. This structured process consists of reviewing the relevance of identified risks, recalibrating Risk assessment (impact and likelihood) results, assessing alignment with the established risk appetite, and reviewing the effectiveness of existing mitigation/control measures.

Risk Audit

The Company conducts regular internal audits and independent external audits to ensure effectiveness, reliability, and related processes.

  • Internal: the Audit committee assessed and proposed to the Board of Directors the adequacy of the internal control system of the Company through a complete Internal Control Sufficiency Evaluation Form, as provided by the Securities Exchange Commission (SEC), which was prepared by the management. The Board of Directors and Audit committee deemed the Company’s internal control system adequate on annual basis.
  • External: To validate the integrity of our risk controls and ensure continuous improvement, the Group conducts external audit every two years, aligned with the ISO 31000:2018 Risk management Guidelines.

Risk Training

To ensure effective implementation of the Group’s risk governance framework, targeted risk management training is provided to directors (including non-executive directors) and employees.

The training reinforces core risk management principles and equips participants with the practical skills needed to identify and mitigate risks within their respective areas of responsibility.

Emerging Risk

The Group proactively analyzes emerging risks projected to impact operations over the next 3 to 5 years, ensuring robust protection against future disruptive trends. Because these risks are unprecedented, the Group focuses on anticipating how these long-term forces might require strategic adaptation. While precise financial impacts cannot yet be calculated, the Group emphasize building a comprehensive understanding of these shifting dynamics to safeguard our business model.

To navigate this uncertainty, the Group has developed targeted risk mitigation measures and keeps pace with medium and long-term uncertainties. These initiatives are designed to bridge the knowledge and preparation gaps inherent to newly identified risks. By integrating these insights into our core planning, the Group ensures that we can dynamically adapt our corporate direction and successfully achieve our business goals.

The Group has identified key emerging risks, namely geoeconomic confrontation and state-based armed conflict, which may pose significant implications to operations and strategic direction.

2025 Performance - Enterprise Risk Management Process

KEY PERFORMANCE

HIGHLIGHT PROJECTS

Recognition of ISO31000:2018 as a guideline for Enterprise Risk Management

Mr. Thanapol Laosiripong (second from left), Senior Manager of Corporate Sustainability Development and Enterprise Risk Management, received the ISO 31000:2018 recognition Certificate from the Management System Certification Institute (MASCI) on December 15, 2025, at the Sustainability Room.

The recognition was conducted in accordance with the principles and guidelines of ISO 31000:2018 – Risk Management, based on an assessment framework comprising six

dimensions and 24 indicators, to evaluate the alignment, effectiveness, and maturity level of the Company’s enterprise risk management.

The assessment results indicated an optimized maturity level, with a score of 90.04%, representing the highest level of achievement. This reflects the Company’s strong and highly effective risk management practices, positioning it as a leader within the industry. The approach has been systematically integrated into the Company’s operational processes, continuously improved, and aligned with international standards.

Risk Management Training Session conducted for Board of Directors
Topic: Human Right Risk Assessment

In line with our commitment to strong corporate governance and sustainability material topic, called Upholding of Human Rights, Tipco Asphalt Group organized a dedicated training session for the Board of Directors focusing on Human Rights Risk Assessment. This session provided the Board with insights into newly identified and evolving risk trends in human rights due diligence.

The training aimed to bridge knowledge gaps, establish effective oversight on medium- and long-term societal risks, and ensure the company’s strategic direction remains aligned with global risk management expectations.

Enterprise Risk Management

Enterprise Risk Management (ERM) is an integral part of our business operation planning and organization culture. ERM is applied to all business units and personnel to ensure business objectives are met while minimizing the probability and impact of potential risks, along with mitigating them. These considerations include internal and external aspects that may arise from within our organization and from other market factors. 

 

Our ERM framework and processes are implemented in accordance with the Committee of Sponsoring Organization of the Treadway Commission (COSO) and ISO 31000:2018 Risk management guidelines. This has aided us in the execution of risk governance and culture, risk assessment and review that aligns our corporate strategies and sustainability development goals.

Enterprise Risk Management Structure

Once risk has been identified, they are categorized as follows; (1) Strategic Risk, (2) Operational Risk, (3) Reporting Risks, and (4) Compliance Risk. This allows us to assess and obtain a holistic view as to the potential affects the risk may have on internal and external functions and affects to related parties. The RMO coordinates with each business unit’s RC and RO to guide, follow-up, and implement mitigation plans, which results are monitored via Key Risk Indicator (KRI) reports.

Enterprise Risk Management Processes

The Group performs a risk management process by identifying corporate risks and unit risks along the value chain corresponding to the business direction and organizational goals including risk assessment, risk monitoring and control, reporting and Effective Risk Management Processes Promote Long-Term Corporate Sustainability Management communication, and regular review of the sufficiency and effectiveness of risk management of each unit involved. We established a Risk Management Committee to be responsible for the implementation under the supervision of the Board of Directors.


Identify business risks based on business objectives across value chain

Risk
Identification

Risk 
Assessment

Analyze and assess risks
and prioritize based on likelihood of occurrence and potential impact

Report performance of risk management to the Board of Directors and management and communicate to stakeholders

Risk Report &

Communication

Risk Monitoring &

Review

Regularly monitor and evaluate mitigation plans, sensitivity analysis, stress testing, Key Risk Indicators (KRIs), and internal controls on a regular basis

Report & Communication

Report performance of risk management to the Board of Directors and management and communicate to stakeholders

Risk Identification

Identify business risks based on business objectives across value chain

Monitoring & Review

Monitor and evaluate mitigation plans and internal controls on a regular basis

Risk Assessment

Analyze and assess risks
and prioritize based on likelihood of occurrence and potential impact