Impact on Business

Effective risk and crisis management, along with robust cybersecurity and data privacy measures, play a pivotal role in enhancing sustainability and competitive capabilities in the renewable energy sector, as they help minimize potential damage from various incidents and strengthen stakeholder confidence across all sectors. Beyond enabling CKPower to adapt efficiently to policy and technological changes, these operational frameworks support the Company’s goals and objectives in establishing quality management systems and mitigating potential risks.
Furthermore, the implementation of robust risk and security management also enhances the Company’s competitive capabilities and fosters trust and reliability, which serve as crucial factors in driving long-term business growth and value creation.

Challenges and Opportunities

The world is currently faced with rapid changes, ranging from global inflation, economic volatility, geopolitical conflicts, and climate change all the way to threats to cybersecurity and personal data protection. These are all challenges that can potentially impact business operations and stakeholders.

Therefore, CKPower actively monitors the situation and has established a prudent organizational risk management process in compliance with international standards and applicable laws, while also fostering a corporate culture focused on preparedness for future risks and crises. The aim is to prevent or mitigate potential damage, minimize impacts on stakeholders and investors, and increase business opportunities through flexible and suitable strategy development, with the ultimate goal of optimizing the Company’s adaptability and competitiveness and driving sustainable and stable business growth.

Commitment

CKPower is committed to risk and crisis management, cybersecurity, and data privacy in adherence to guidelines and practices that are in line with international standards and applicable laws. This encompasses everything from policy formulation, organizational structure, operational processes, all the way to performance monitoring and the anticipation of emerging risks.

Furthermore, CKPower seeks to cultivate an organizational culture by fostering knowledge and awareness among personnel at all levels about the importance of risk and security, thus enabling them to respond to changes that may affect business operations and contribute to the Company’s opportunities for sustainable growth in the long term.

These approaches demonstrate CKPower’s commitment to enhancing its adaptability and competitiveness and developing an excellent risk and security management system in order to drive the Company’s stable and sustainable growth across all dimensions.

Operational Guideline

Risk Management

CKPower implements enterprise risk management (ERM) in line with the international COSO-ERM 2017 Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which is a framework for managing and keeping enterprise risk within the risk appetite/risk tolerance. The Company has also established a risk management policy and a Risk Management Working Group comprising executives from all lines of work, such as business planning, engineering, operations and maintenance, and power plant managers. The Working Group is tasked with preparing annual risk mitigation plans to manage CKPower’s strategic, operational, financial, and compliance risks, environmental, social, and governance (ESG) risks, and emerging risks. Risk management outcomes are reported on a quarterly basis to assess and monitor risk management measures, keep enterprise risk within the risk appetite, and ensure preparedness as well as appropriate and timely response to changes that may affect business operations. The Corporate Governance, Risk Management, and Sustainable Development Committee convenes at least four meetings a year to consider various issues on its agenda and steer comprehensive risk management.

Four Risk Categories under Assessment

Risk Management Structure

With regard to CKPower’s risk management structure, the Board of Directors has charged the Corporate Governance, Risk Management, and Sustainable Development Committee with the duties of considering and approving the risk management activities of the Company and its affiliates as well as establishing policies, giving recommendations, and verifying risk management effectiveness. In addition, CKPower has tasked the Internal Audit Department with monitoring and reviewing its risk management process to provide an additional layer of oversight independent from the Risk Management Working Group to further increase confidence in the suitability and effectiveness of CKPower’s risk management. This structure demonstrates CKPower’s commitment to systematic and transparent risk management in line with good corporate governance practices.

Risk Management Process

The risk management process is utilized to identify, analyze, and manage potential risks in the Company’s business operations. To ensure effective risk management, CKPower’s risk management process consists of the following six steps:

Crisis Management and Business Continuity

To instill confidence in stakeholders across the value chain, ensure business continuity, and uphold good corporate governance, CKPower has formulated a business continuity policy, a business continuity plan (BCP), an emergency response plan, and a crisis management plan in anticipation of potential risks that may disrupt business continuity.

In addition, as part of business continuity management, annual training and drills are conducted to enhance the ability to respond effectively to emergencies or crises. These management processes address a full range of risks, including power production and distribution from various energy sources. By adhering to international standards, these operational procedures ensure business continuity and stability while sustainably meeting stakeholder needs.

Risk Management Performance in 2024

While most risks were at moderate levels, the risk assessment identified one very high-risk issue, namely the risk of equipment and machinery unavailability, and three high-risk issues:

  1. Investment management and business growth risks
  2. Climate change risks
  3. Personnel risks

To address these risks, a mitigation plan was carefully developed, with clearly designated risk management responsibilities. The plan included specific timelines and monitoring processes for each risk category to ensure the effective management of all risk scenarios and minimize potential business impacts.

Emerging Risks

CKPower is dedicated to identifying and managing emerging risks that could affect business operations in the short, medium, and long term. While these risks present challenges in that they have the potential to adversely impact the Company’s business continuity, competitiveness, and sustainability, they also present opportunities when managed effectively.

Based on a comprehensive risk assessment and analysis, CKPower has identified the following emerging risks, which must be monitored and handled appropriately to foster organizational growth and sustainability in the future.

Emerging Risk: Evolution of energy technology
Timeframe of Impact: Short term – long term
Description: Energy technology is increasingly transforming in response to evolving energy consumption patterns and new innovations, such as renewable energy, energy storage systems, green hydrogen, and green ammonia. These changes may impact future investment decisions and competitive opportunities.
Potential Impact on Business: Delays in adapting to new technologies could result in lost competitiveness and increased costs for technology development or legacy system upgrades.
Management/Opportunity:
  • An exploration team has been established to study new energy innovations and related regulations and explore opportunities in pump-storage hydropower development and potential demand for large-scale energy storage systems.
  • CKPower studies regulations, requirements, and laws in Thailand and Southeast Asia to identify new opportunities and minimize potential business constraints.
  • CKPower has incorporated business model resilience as a material topic and developed a 5-year strategic framework (2022-2026) with clear implementation guidelines and designated responsibilities for driving and monitoring progress.

Emerging Risk: Cybersecurity and personal data protection
Timeframe of Impact: Short term – long term
Description: Cyber threats could compromise critical company information, such as financial and sensitive data, potentially leading to data recovery costs and reputational damage.
Potential Impact on Business: Increased expenses from stolen data recovery and reputational damage, and impacts on stakeholder confidence.
Management/Opportunity:
  • Information system policies and security guidelines have been established, such as the IT security policy, IT usage authorization policy, IT security management system operation manual, and IT security practice guidelines.
  • CKPower has established ISO 27001:2013 IT system security standards and protocols for the management of incidents that may affect the security of the IT system, specifying procedures, management processes, and responsible parties, with prompt incident reporting mechanisms through designated personnel or departments to ensure that security incidents and vulnerabilities related to IT system security are addressed correctly and efficiently within appropriate timeframes.
  • CKPower has defined clear roles and responsibilities for IT asset security to ensure proper protection of critical IT assets.
  • CKPower has continuously issued communications on cybersecurity and personal data protection to executives and employees at all levels at least once a year.

Fostering a Corporate Risk Culture

Prioritizing the promotion of an organization-wide risk management culture, CKPower has established policies and operational guidelines and measures risk management performance using key performance indicators (KPIs), consisting of leading indicators and lagging indicators, to assess and monitor risk management performance, create motivation, and instill confidence in the Company’s efforts to achieve its goals through effective risk management. To foster an enterprise risk management culture within CKPower Group, initiatives have been undertaken to build awareness among personnel through training sessions and talks. Key activities for the promotion of a risk management culture in 2024 are summarized below.

  1. Training and Talks
    • CKPower organized a training session on ESG risks and climate change risk and opportunity assessment, conducted by ERM (Siam) Limited, to enhance understanding of sustainability risks, which were key strategic risks for the Company. The session presented risk management guidelines, potential business impacts, business opportunities, and sustainability risks that could affect CKPower’s business operations and corporate strategy. The training formed part of the ongoing effort to build awareness and preparedness among all directors in support of effective risk management in line with the Company’s long-term sustainable development approach.
  2. Communication Through Various Channels
    • Compliance Journal
      The Company shared information on risk management and good corporate governance through various channels. In 2024, the Compliance Journal was published to present information about the significance of good corporate governance as well as business-related laws in an easily digestible format, complete with relevant case studies. Additionally, CKPower fostered engagement among directors, executives, and employees across the organization through quizzes and games to assess their awareness and understanding, with 100% participation as targeted.
    • E-Learning Courses
      The Company has developed e-learning courses for employees at all levels to promote self-directed learning on crucial topics including:
      1. Managing legal risks associated with the Personal Data Protection Act (PDPA)
      2. Legal compliance risks
      3. Risk mitigation protocols
      4. Cybersecurity risks
      5. Guidelines for self-protection against cyber threats
      6. Climate change risks

The e-learning system enables employees at all levels to access comprehensive risk-related information and knowledge, appreciate the importance of legal compliance and best practices, and effectively apply this knowledge to reduce operational risks.

CKPower’s efforts to cultivate a robust risk management culture have enhanced its preparedness to appropriately handle changes and challenges and promoted long-term organizational growth by encouraging all employees to play a role in driving business sustainability across all dimensions.

Cybersecurity and Personal Data Protection

Cybersecurity Policy

CKPower prioritizes cybersecurity risks of all forms, which may lead to the loss of critical company data, such as sensitive data stored in the server system and significant financial data, as well as impacts on its production and power plant management systems, which require reliability to ensure operational continuity and stability.

To foster preparedness to cope with and respond to potential threats, CKPower has assessed and identified the critical scope of cybersecurity risks and developed an information security policy, which has been designed to comply with relevant standards and laws. The policy stipulates clear guidelines and procedures for all employees across the organization and all suppliers in the supply chain and includes appropriate measures for maintaining cybersecurity.

Furthermore, the information security policy is reviewed on a yearly basis to keep abreast of evolving cyber threats and technologies. In addition, relevant roles and responsibilities within the organization are clearly defined to support effective cybersecurity initiatives and instill confidence among stakeholders.

Cybersecurity Management

CKPower places great emphasis on preparation for risks of cyber threats that may lead to the loss of critical company data. To this end, cyber risk management has been implemented in accordance with its policies and enterprise risk management practices and integrated into its business continuity management so as to ensure the availability of the Company’s information system and its compliance with relevant laws, regulations, and standards, such as ISO 27001.

To strengthen the data security system, mitigate risks, and protect data from theft, CKPower has also established a monitoring protocol, preventive control measures, and a response process for incidents that may impact the integrity of the information systems. It has clearly assigned responsible parties and reporting channels to ensure that incidents and vulnerabilities related to the security of the information systems are promptly reported and addressed correctly, efficiently, and in a timely manner. The management framework is as detailed below:

Personal Data Protection

Personal Data Protection Policy

Recognizing the importance of personal data protection, CKPower has formulated an external personal data protection policy in accordance with the Personal Data Protection Act B.E. 2562 and other relevant laws to instill confidence in the safety of personal data. The policy delineates the definition of personal data, types of personal data, purposes of personal data collection, use, and disclosure, entities or individuals to whom the Company may disclose information, duration of data retention, personal data storage formats, and rights of data owners. Additionally, CKPower has appointed a Data Protection Officer to oversee compliance with applicable laws and requirements and established procedures for handling complaints and complaint management processes related to its data processing activities. Guidelines for personal data security have also been developed to prevent loss of personal data or unauthorized or unlawful access, use, alteration, modification, or disclosure of personal data.

Personal Data Protection Management

As personal data protection management is of paramount importance, CKPower has defined access rights to personal data, information, information processing systems, and other information technology assets according to business purposes on the need-to-know and need-to-use basis to ensure that all access to such data is for business purposes and is conducted within a secure framework.

In addition, access rights are organized hierarchically, with which all executives and employees must comply, to prevent leakage of vital data, whether personal data or information, to external parties. This has been clearly stipulated in the Business Code of Conduct, whereby all executives and employees are required to comply and not to disclose any confidential information obtained during the performance of their duties for personal gains or the benefits of others. These measures reflect CKPower’s commitment to personal data and information protection against unauthorized access, which fosters confidence among all stakeholders in a sustainable way.

Cybersecurity and Personal Data Protection Auditing

Information Security Management System (ISMS) Auditing

CKPower conducts internal Information Security Management System audits annually to ensure that the objectives of control, control measures, processes, and system protocols align with the specified requirements for information security. The system is also continuously assessed and maintained to ensure it can accomplish the set goals and comply with ISO 27001:2013 standards and relevant laws.

External Accreditation and Auditing

CKPower was certified to the ISO/IEC 27001:2013 Information Security Management System standard by BSI in 2022. Additionally, assessments by external parties are regularly conducted to analyze vulnerabilities and strengthen the security of the Company’s information system in line with international standards and applicable laws.

Personal Data Protection Policy:

Recognizing the importance of respecting individuals’ privacy and the necessity of handling personal data appropriately in compliance with the law, CKPower has formulated a personal data protection policy and information security maintenance practices that align with the guidelines for listed companies set forth by the Stock Exchange of Thailand. In addition, CKPower promotes the use of information technology systems with systematic risk monitoring and management processes to ensure cybersecurity.

ISMS Training and Knowledge Enrichment:

In addition, CKPower has defined roles and responsibilities for the maintenance of information asset security to ensure that data and critical information assets are adequately protected. Moreover, CKPower offers ISMS Intensive Training and ISMS Security Awareness Training to enhance employees’ knowledge and awareness of IT security. The courses are accessible to employees via email and the CKPower Mobile Application, offering convenient access to learning for personnel across the organization.

System Efficiency Assessment:

CKPower regularly assesses the efficiency of its information security systems and power plant operation systems to ensure the security of its information systems and power plant operations and foster stakeholder confidence in its business operations.

These measures encapsulate CKPower’s commitment to information system security and personal data protection in support of transparent and stable business operations in the long term.

ISMS Intensive Training

ISO/IEC 27001:2022

Long-term targets, 2024 targets, and 2024 achievements

Risk Management (GRI 201, GRI 308, GRI 414, GRI 418)
Long-term Target: A risk management culture is fostered across CKPower Group (100%)
2024 Targets and 2024 Achievements:
  • The directors undergo training on ESG risks: 2024 target 100%; 2024 achievement 100%
  • The executives and employees recognize and understand corruption risks: 2024 target 100%; 2024 achievement 100%
  • The executives and employees pass an assessment test on corruption risks: 2024 target 100%; 2024 achievement 98%

Cybersecurity (GRI 103, GRI 418)
Long-term Target: A cybersecurity culture is fostered across CKPower Group (100%)
2024 Targets and 2024 Achievements:
  • Cybersecurity breaches or other cyber threats: 2024 target no case; 2024 result 1 case
  • Data leakage, theft, or loss: 2024 target no case; 2024 result no case
  • Customers or employees are affected by data leakage: 2024 target no case; 2024 result no case
  • Fine for data breaches or cyber threats: 2024 target 0 baht; 2024 result 0 baht

Personal Data Protection (GRI 418)
Long-term Target: A culture of personal data protection is fostered across CKPower Group (100%)
2024 Targets and 2024 Achievements:
  • Personal data breaches from individuals or agencies: 2024 target no complaint; 2024 result no complaint
  • Personal data breaches from regulatory agencies: 2024 target no complaint; 2024 result no complaint

Performance in 2024

In 2024, CKPower experienced one cyberattack, which was efficiently and swiftly thwarted and brought under control, with no personal data breaches occurring, as the threat was systematically detected and responded to. Following the incident, CKPower has tightened its cybersecurity measures and continuously improved its risk management plans to prevent future incidents.

Cybersecurity and personal data protection risk management initiatives undertaken in 2024 include the following:

  • Formulating an Information Security Policy to establish operational frameworks in line with international standards
  • Implementing ISO/IEC 27001:2022 standards for information security systems, with regular annual assessments conducted by both internal and external auditors
  • Conducting annual cybersecurity awareness training for employees at all levels to enhance threat awareness and preparedness
  • Continuously developing and updating cyber threat response plans to keep pace with evolving cyber threats in the digital landscape

These measures not only enhance confidence among all stakeholders but also strengthen CKPower’s organizational data security and build a solid foundation for its business operations in the long term.