Management Approach
Effective risk and crisis management is a crucial mechanism for long-term financial planning and organizational resilience. It helps identify potential risks and issues that may impact the organization. The company’s risk management process begins with a review of the organization’s strategic plans and business objectives, along with an analysis of materiality topics. This enables the development of a risk management framework and the identification of key risks to the business. The framework encompasses four dimensions: business risk, sustainability risk, emerging risk, and black swan risk. Additionally, the company implements effective prevention and mitigation measures to drive the organization towards its goals and create value for all stakeholders.
Risk governance framework
The company has established a Risk Management Committee responsible for setting risk management policies and plans, as well as determining the organization’s risk appetite. The risk management and internal audit departments serve as members of the committee, driving effective risk management operations under sound corporate governance and aligned with organizational objectives. The committee is also responsible for reporting risk management performance to the audit committee and the board of directors twice a year. This allows for a review of the risk management process, as well as the identification of opportunities to enhance efficiency and mitigate risks more effectively.
1. Board level risk oversight
The board of directors oversees the risk management system, providing independent recommendations for critical risks. It also establishes a risk management policy, considering significant risk factors, including risk management guidelines and monitoring the performance of risk mitigation plans.
2. Operational risk management functions
Roles and responsibilities in risk management
Level | Responsible | Roles and responsibilities |
---|---|---|
Third Line | Internal Audit Division / Internal Auditor | 1. Monitor, review, and audit against risk-based standards. 2. Ensure the organization has appropriate risk management practices. |
Second Line | Risk Management Committee (RMC) | 1. Identify and assess significant business risks, including strategic, financial, operational, regulatory, and reputational risks. Propose risk mitigation strategies and develop policies and procedures to manage these risks effectively. Provide recommendations to the board and management on risk management practices. 2. Develop a comprehensive risk management plan and processes to achieve the organization’s objectives and goals. 3. Oversee and support the risk management program. Monitor and evaluate the effectiveness of the risk management framework throughout the organization. Review and update risk management policies, systems, and plans on an ongoing basis to ensure they remain appropriate to the changing business environment. 4. Communicate with the audit committee regarding significant risks to assess the adequacy of the company’s internal control system. 5. Report the results of risk assessments and risk mitigation efforts to the board of directors at least twice a year. In case of any significant events that could materially impact the company’s financial position or operating results, the board of directors shall be informed immediately. 6. Perform such other duties as may be assigned by the chairman of the board. |
First Line | Risk Filter Team (Risk Manager, Risk Champion, Risk Owner) | |
First Line | Risk Manager | 1. Define a risk management strategy to maintain risks at an acceptable level, known as Risk Acceptance, to achieve departmental objectives and align with the organization’s goals. 2. Review significant departmental risks, monitor them, and assign Risk Owners to take necessary actions. 3. Effectively communicate departmental risks to management and employees to promote a culture of identifying new or emerging risks. 4. Appoint a departmental Risk Champion to coordinate with the enterprise risk management function and ensure compliance with established policies. 5. Propose improvements to enhance the risk management process, aligning it with the department’s mission. |
First Line | Risk Champion | 1. Manage the identification, review, analysis, and reporting of risk profiles for relevant departments or units. Present these findings to the department’s senior management (Risk Manager) for consideration and subsequent presentation to the Risk Management Committee. 2. Support the development of departmental/unit Business Continuity Management (BCM) plans, ensuring alignment with the organization’s and business group’s BCM plans. 3. Coordinate with the Risk Management Committee to ensure compliance with established risk management policies. 4. Execute risk management activities as assigned by the department’s Risk Manager. |
First Line | Risk Owner | 1. Manage and control departmental risks, as assigned by the Risk Manager, to maintain them at an acceptable level. 2. Review, assess, and document departmental risks in relevant risk registers in collaboration with the Risk Champion. 3. Identify, monitor, and report significant risk indicators to the Risk Manager on a regular basis. 4. Report on the progress of assigned risk mitigation plans and maintain emergency response plans. 5. Participate in various activities as assigned by the Risk Manager and Risk Champion. |
Risk Management Framework
CP ALL has adopted the international standards COSO ERM:2017 and ISO 22301:2012 as its Enterprise Risk Management Framework to effectively address evolving business needs within a sustainable risk management and crisis management framework for CP ALL Public Company Limited and its subsidiaries.
Risk Management Process
The company has established a framework for enterprise risk management and crisis management, encompassing enterprise-wide risk management, operational risk management, and effective communication to all employees. A risk management plan has been developed to address potential risks that could impact the organization’s operations and objectives. Risk prioritization is determined through a risk matrix analysis, considering the likelihood and impact of each risk, including the potential for fraud and corruption. Key risk performance indicators (KPIs) have been established, along with appropriate recovery plans to ensure the organization’s long-term sustainability.
Risk identification
Risk identification is the initial and crucial step in the risk management process. It involves identifying potential events, circumstances, or factors that could impede the achievement of objectives, cause harm, or result in losses to an organization, project, or activity. A risk assessment committee, comprising experts from diverse fields such as communications, retail operations, law, human resources, facilities, location, cybersecurity, data privacy, government relations, and occupational health and safety, is tasked with this responsibility.
Through brainstorming sessions with various departments and analyzing the potential risks associated with significant projects and activities, the committee identifies risks. To ensure comprehensive risk identification, the committee utilizes the Universal Risk Area (URA) framework. This framework provides a structured approach to understanding high-risk areas and identifying the types of risks that may arise within those areas. Additionally, the Universal Risk Project Area (URPA) framework is employed for project-specific risk identification, considering both internal and external factors as well as future trends that may impact organizational objectives. The types of risks identified encompass:
1. Business Risks: Including strategic, operational, financial, and compliance risks.
2. Sustainability Risks: Environmental, social, and governance risks.
3. Emerging Risks: New and unforeseen risks that may arise.
In 2023, the organization was able to identify and compile a comprehensive risk register for various projects and activities.
Risk Review / Risk Assessment
The risk management committee has established a framework for quantifying risk, considering both the likelihood and consequence of potential risks.
Create a risk rating scale from low to high, using colors to indicate risk levels.
Define the organization’s maximum acceptable risk levels in various areas, such as finance, operations, and reputation, to provide a framework for the risk assessment team to make decisions about the organization’s risk tolerance. This will help identify key risks that are relevant to the organization, ensure alignment with the organization’s strategy, and drive decision-making in a consistent direction.
Risk owners, in collaboration with the risk management unit, conducted a risk analysis using a risk matrix as a tool to assess risks. This involved evaluating the likelihood or probability of a risk occurring, compared to the severity or impact of the risk if it does occur. Risks were prioritized using a company-defined probability rating scale and impact rating scale. A risk score was assigned to each risk, and a maximum risk appetite level was established for the organization. This ensured that risk management activities aligned with the organization’s objectives, goals, and relevant laws, regulations, and standards, considering the business continuity and disaster recovery plans.
In 2023, the company reviewed, assessed, and prioritized its organizational risks.
Defining risk management measures
The organization will implement a risk management framework where significant risks are identified and assigned to appropriate organizational levels. Risk owners will develop risk mitigation plans, emergency response plans, or business continuity plans based on the principles of the 4T+1P framework: Treat, Transfer, Terminate, Example measures as follows:
Business Risk
2 Risk of Error or Failure of Distribution Center and Logistics
Impact | Likelihood | Risk Ranking |
---|---|---|
Moderate | Moderate | MM |
Impact | Mitigation |
---|---|
Our company is committed to implementing a robust, systems- and technology-driven warehouse management system to support new business models and diverse channels, especially for online sales, O2O strategies, and the growing parcel delivery business. Beyond preparing goods primarily for 7-Eleven stores, which are supplied from our distribution centers nationwide, we aim to accommodate small and large suppliers in managing and distributing their products to operating 7-Eleven stores 24 hours a day, 7 days a week. Major disruptions to our distribution centers and transportation routes, such as natural disasters, system failures, or pandemics, could significantly impact 7-Eleven’s sales and jeopardize the achievement of our strategic goals, potentially leading to negative financial consequences for the company. |
The company is committed to reviewing and managing its distribution network, ensuring that all distribution centers nationwide have the capacity to support the increasing sales of both physical stores and online channels, both domestically and internationally. We have developed policies and procedures for our logistics partners to align with international standards, meeting all customer expectations through communication, training, and risk assessments. The results of these assessments will be used to develop improvement programs, monitoring, and evaluation to ensure the sustainable growth of our partners alongside the company. We assess the readiness of equipment, personnel, and transportation routes to handle crises such as the temporary closure of a distribution center due to floods, fires, communication or IT system failures, epidemics, serious accidents, or other force majeure events. When expanding our distribution network, we carefully select locations that are safe and highly efficient in delivering products to stores and customers directly. The company has prepared various contingency plans, including regular drills for scenarios such as floods, riots, fires, power outages, and epidemics. A 24/7 Crisis Assessment Team (CAT) has been established to assess situations and issue early warnings to at-risk areas, allowing for timely and appropriate responses in accordance with our Business Continuity Management plan. This includes utilizing nearby distribution centers, large-scale transportation, alternative routes, finding substitute products, and establishing temporary distribution centers. In 2023, we conducted 16 departmental and 4 organizational simulation tests and table-top exercises. We have also upgraded our ISO 22301 certification at our Bang Bua Thong warehouse and are expanding it to the Suvarnabhumi warehouse. 
With these measures, we are confident that our distribution centers will have the capacity to support our domestic and international expansion plans, as well as new businesses in the future, and can operate as a highly efficient, mutually supportive distribution network. |
Sustainability Risk
4 Cyber Threats
Impact | Likelihood | Risk Ranking |
---|---|---|
Moderate | Moderate | MM |
Impact | Mitigation |
---|---|
The shift from offline to online business models has exposed our company to nearly constant cybersecurity risks. To ensure business continuity as outlined in our Business Continuity Management plan, we have implemented a robust cybersecurity management system. This transition has increased the potential for cyber vulnerabilities and threats, including data breaches. In Thailand, companies are facing stricter legal and regulatory requirements with the enactment of the Computer Crime Act, the Cybersecurity Act, and the Personal Data Protection Act. Failure to adequately manage these risks can lead to significant losses. Cyberattacks, such as the theft of trade secrets and customer or employee personal data, can result in financial losses, damage to our reputation and credibility, and legal penalties. |
The company has collaborated with international IT experts to review and develop a globally standardized digital technology strategy and operational plan. A committee overseeing IT and information security continuously reviews and evaluates these plans. An annual external security assessment by BITSIGHT Security Rating Service is conducted to ensure effective management aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which comprises five core functions: Identify, Protect, Detect, Respond, and Recover. The company has appointed a Chief Security Officer (CSO) to oversee the IT security of the group. Our subsidiary, GoSoft (Thailand) Co., Ltd., operates under international standards and regularly reviews its policies to comply with ISO 27001 (Information Security Management System) and ISO 27701 (Privacy Information Management System) standards, which govern the management of information technology services and cybersecurity strategies to ensure business continuity and acceptable risk levels. The strategy is reviewed at least once a year. We promote cybersecurity awareness among employees through internal communications, training, and simulated cyber crisis scenarios such as Cyber Security War Games, Phishing Campaigns, and cyber drills. This ensures employees understand how to use technology safely and respond effectively to cyber threats on a quarterly basis. |
Emerging Risk/Future Risk
9 Risks from Entering a Completely Aging Society, Increasing the Societal Demand for Health and Well-being Products
Impact | Likelihood | Risk Ranking |
---|---|---|
Moderate | Moderate | MM |
Impact | Mitigation |
---|---|
The company has been continuously developing and promoting health and nutritional products through various support programs, as well as fostering research in health products both internally and externally. However, as we transition into a complete aged society and approach a super-aged society, the company must adapt and prepare to deliver products and services that meet future demands, preventing potential losses in sales of health products for the elderly, which currently account for 12% of total food and beverage sales in 7-Eleven stores. This will necessitate a shift in the company’s direction and strategy. In response, CP ALL has allocated an additional 17.1 million baht to research and develop products suitable for the elderly, representing 38% of the total R&D budget. |
The company has been continuously reviewing its corporate strategy, emphasizing the fundamental human right to health and recognizing the importance of providing nutritious, safe, and high-quality products to all consumers, especially the elderly. We have enhanced our capabilities and research funding in the area of health foods and appointed consultants to source and develop new products tailored to the nutritional needs of health-conscious individuals, including the elderly. This includes functional foods that promote various health benefits, personalized foods that provide essential nutrients suitable for individual lifestyles and genetics, products with reduced additives, preservatives, sugar, palm oil, and artificial flavors and fats, alternative protein products, and superfoods. These initiatives aim to address changing consumer behaviors, reduce health risks for all consumers, and meet the evolving needs of the elderly. To cater to customers who are unable to visit 7-Eleven stores, including the elderly, we have enhanced our services by offering product ordering through the 7APP application with delivery options. |
Furthermore, the Company has developed a Business Continuity Plan (BCP) to prepare for rapidly changing situations and ensure the Company’s operations remain continuous and uninterrupted. Additionally, every six months, the Risk Management Committee reports its operations to the Audit Committee and the Board of Directors.
Internal Control and Risk Monitoring Mechanism
Assessing high-risk activities
Selecting high-risk processes
Establishing risk control measures
Randomized assessment of control measures by auditors
Review internal process risk & control quarterly
Risk Management Process Audit
The Internal Audit Office oversees and audits risk management operations to implement risk reduction measures. In 2023, the Company engaged an external firm to evaluate the overall Enterprise Risk Management (ERM) to ensure compliance with corporate governance principles and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework. Additionally, it aligns with the international standard ISO 22301: Business Continuity Management (BCM) to ensure the Company’s risk level is acceptable and manageable. The companies within the CPALL Group have been certified for ISO 22301: BCM in three areas, including CPRam Ladkrabang and Distribution Center (CDC) Bang Bua Thong. Moreover, in 2023, six more distribution centers received additional certification, including Mahachai Distribution Center (DC), Mahachai Temperature Controlled Distribution Center (CDC), Suvarnabhumi Distribution Center (DC), Suvarnabhumi Temperature Controlled Distribution Center (CDC), Mahachai Distribution Center (BDC), and Logistics Center.
Emerging Risks
The Company establishes measures and guidelines for managing and governing to promptly respond to risks. This includes regular annual reviews of issues and various trends to analyze new risks that may affect business operations. Moreover, the Company can identify 3 new risks and analyze the impact of these risks on business operations, along with outlining preliminary management measures and guidelines as follows:
Risks from the rapid changes in Generative AI technology in the e-Commerce business
In 2024, the e-Commerce industry is making increasing use of Generative AI technology, where online merchants can analyze customer needs and consumer data to find products and services that meet their demands most effectively. For example, customers can use Generative AI technology to analyze the credibility of stores and detailed sales history, allowing them to assess the history and credibility of merchants and check whether the products or services sold in the past had any issues. This has led to a significant growth of the e-Commerce industry in Thailand, estimated at 23% according to the Digital Economy Report for Southeast Asia by Google in the previous year. It has also resulted in a growth of over 9.6% for CP ALL’s e-Commerce business. However, the impact of using Generative AI technology includes new investment projects and investment in subsidiaries and distribution centers (DC) in CP ALL’s business operations. The aim is to maintain and create sustainable service experiences for customers at 7-Eleven stores.
The rapid introduction of Generative AI technology in the e-Commerce business has impacted new investment projects and investment in subsidiaries and distribution centers (DC) in CP ALL’s business operations. It helps maintain and create a sustainable customer experience at 7-Eleven stores. In 2023, approximately 4,000 – 4,100 million Baht was invested. Furthermore, if Generative AI technology is fully utilized to analyze products and services for consumers in the next 3-5 years, it will significantly affect new investment projects and investment in subsidiaries and distribution centers (DC). This is aimed at maintaining and creating a sustainable customer experience for visits to 7-Eleven stores in the future.
The Company closely monitors the rapid changes brought about by Generative AI technology, which increasingly influences CP ALL’s business operations. Currently, it sets business strategies to grow from strengths, adapt to new lifestyles, and embrace the digital society. This is to address the aforementioned changing trends by improving the way consumer experiences are created, such as promoting products that better meet consumer needs based on surveys conducted at 7-Eleven stores. This includes diversifying products and services, such as fresh food, frozen food, vegetables, fruits, and freshly prepared food, as well as expanding 7-Eleven branches to provide access and convenience to communities with limited access to products and services. This is considered value creation and promoting access for consumers that e-Commerce businesses may not fully meet yet.
However, the integration of Generative AI technology to support the analysis of consumer product and service preferences remains a critical focus for CP ALL in driving the growth for both 7-Eleven stores and e-Commerce business. This segment contributes more than 10% of the Company’s revenue. Therefore, CP ALL is investing in Generative AI technology to assist in analyzing consumer product and service preferences, as well as to analyze various product trends to meet current consumer demands and prepare for the future. Additionally, CP ALL is expanding 7-Eleven branches to promote access to products and services for remote communities that may not have access to new technologies, equipped with comprehensive services.
The risk from transitioning into a Complete Aged Society increases the demand for health products
Thailand is transitioning into a Complete Aged Society, according to data from the Department of Provincial Administration, Ministry of Interior, in 2023. It was found that Thailand has a population of people aged 60 and above, or the elderly, accounting for 1 in 5 (13 million people) of the total population (66 million people), with a continuous upward trend projected over the next 5-10 years. It is estimated that Thailand will evolve into a Super Aged Society, with the elderly population increasing to 28% of the total population. This will directly impact the demand for health-related products and services. This includes a greater need for health-focused food products, functional foods, and foods with modified ingredients. This trend may influence CP ALL’s strategies, budget planning, research in product and service development, as well as procurement of health-enhancing products.
CP ALL has been actively managing health and nutrition products through various support programs and promoting research in health products internally and externally. However, with the transition into a Complete Aged Society and the trend towards becoming a Super Aged Society, CP ALL needs to adapt and prepare to deliver products and services that can meet future needs. This may affect the risk of losing opportunities in selling health products and the elderly group, which accounts for 12% of total sales compared to all food and beverage products sold in 7-Eleven stores. It may also affect organizational direction-setting and strategy. Additionally, CP ALL prepares to address the increased budget for research on products and services suitable for the elderly group, aiming to procure health products worth over 17.10 million Baht, accounting for 38% of the total research and development budget.
The Company has continuously reviewed its organizational strategy and emphasized the fundamental right to good health as one of the basic rights. The Company is also aware of delivering products that are nutritious, safe, and meet standards for all consumer groups, especially the elderly. Moreover, the Company has elevated the capabilities and research funds in health foods and appointed consultants to source and develop new products tailored for health-conscious individuals, including the elderly. These products include functional foods to promote various health aspects, personalized foods suited to individual lifestyles, health, and genetics, as well as other categories, such as food with reduced additives and preservatives, low sugar, low palm oil, no coloring, no fat, alternative protein foods, and superfoods. This is to respond to changing consumer behaviors and reduce health risks for all consumer groups. Additionally, the product development aims to anticipate future trends in product and service changes for the elderly and elevate the services to cater to customers who find it inconvenient to shop at 7-Eleven stores, including the elderly, by offering product orders through the ‘7APP’ application along with delivery services.
The risk from promoting the reduction of packaging waste as legally enforced by the government
The Company operates primarily in the business of retail convenience stores, wholesale businesses, cash payment services, and food production with operations mainly in Thailand. The Company is mandated to adopt the policy of discontinuing single-use plastic packaging under the Thai Plastic Roadmap 2018-2030, coupled with the development of the country’s waste management system and infrastructure to reuse and recycle waste. One of the tools being studied to inform policy decisions is the principle of Extended Producer Responsibility (EPR), under which producers are responsible for the entire lifecycle of their products, including design, distribution, return, collection, reuse, recycling, and post-consumer packaging waste treatment. That is, producers are responsible for managing their own product waste. This principle is widely used in Europe, North America, South Africa and some countries in Asia, with a trend toward legal enforcement expected in Thailand within the next 3-5 years. This directly impacts the business of CP ALL, which will incur additional expenses in system preparation, including readiness along the supply chain and requiring intensified collaboration with suppliers.
The Company serves an average of 13 million customers daily at 7-Eleven stores, with revenue from product sales and services in 2023 totaling 921,187 million Baht. Each year, the Company uses an average of 53,965.53 tonnes of plastic packaging. The push for compliance with the Extended Producer Responsibility (EPR) principle impacts CP ALL’s policies, strategies, and product design processes, shifting from traditional Design for Assembly to Design for Disassembly to facilitate material separation for recycling or investment in reuse processes. The recycling of packaging waste, as well as changing perspectives on the environmental system of production and consumption into a new approach, means transitioning from a Linear Economy model where products are manufactured by producers, distributed to consumers, and then discarded to municipalities, to a Circular Economy model, where materials and energy are recycled back to producers or distributors, requiring new distribution systems and innovations. This impacts CP ALL’s operational expenses, including increased investment in system development and operations (estimated at over 538 million Baht over the next 3-5 years), as well as fees for waste management by central organizations. Furthermore, the Company’s reputation could be affected in case of failing to adequately prepare to handle the supply chain responsibly.
The Company is dedicated to reducing the amount of plastic waste from packaging sent to landfills to the minimum possible, while also demonstrating leadership in environmental stewardship. This makes packaging management from CP ALL’s products more environmentally friendly. This is achieved through measures and management strategies such as:
Black Swan Search continuation project
The Company has continued the Black Swan project for the 10th consecutive year to raise awareness of risks for the Company’s personnel. Management and employees are encouraged to take part in identifying enterprise risks that could potentially impact the Company’s operations and goals through the submission of risk topics in a contest available at various channels. The risk topics relate to the following six issues:
Continuous Business Operations
Work Process
Products and Services
Outsources Hiring
Corporate Sustainability
Activities Related to the Outsources Hiring Company’s Subsidiaries
The awarded risk issues will be considered for further development of appropriate support measures and management strategies to effectively implement them. In 2023, there were a total of 2,465 risk issues submitted by employees for competition. The top five risk issues with the highest number of submissions are: 1. Health and safety related risks, 2. Environmental risks, 3. Legal compliance risks, 4. Customer satisfaction, and 5. Human resource management.
Furthermore, the Company conducts Risk Score evaluations to measure the overall risk management effectiveness of each department. The Company welcomes suggestions for further development and improvement of risk management systems in all areas to enhance efficiency. This covers over 74 departments on a quarterly basis, along with providing guidance and knowledge exchange through online systems. Additionally, exemplary risk management practices are showcased to elevate capabilities through the Risk Score Clinic project weekly. Departments demonstrating consistent excellent performance will be publicly acknowledged by the Chief Risk Officer and the CEO as role models for the organization, fostering pride among the department’s risk management personnel.
Risk Management and Business Continuity Management Training Program for Risk Champion continuation project
The Risk Management unit, in collaboration with Panyatara Co., Ltd. and All Training Co., Ltd., organizes quarterly training courses to develop Risk Champions’ skills. The objective is to train participants, providing them with new learning experiences that can be applied to managing risk within the CP ALL Group businesses. This aims to enhance the ability of Risk Champions to assess risk management practices within their respective units according to Risk Score criteria, ensuring readiness to respond to situations. Additionally, participants are required to complete a post-training assessment to review their understanding and raise awareness in identifying risks and prevention methods, enabling the organization to continue its operations without interruption. In 2023, more than 967 Risk Champions within CP ALL’s business units participated in the program.
Furthermore, the Company has elevated its Risk Management training for the Risk Management Committee (RMC) in four formats: from gurus/experts, practical exercises (Crisis), 3A signaling (Alert, Analysis, Alarm), and external training. The training provides knowledge to users of information technology systems, including committee members, senior management, employees, and customers. Seminars are organized on topics such as the impact of the Russia-Ukraine conflict on the Thai economy and industry. Additionally, meetings are held to update the Company’s Board of Directors on Global Sustainability Trends Updates to understand trends and potential impacts on CP ALL in the future.
Promote and Support SMEs Suppliers to take part in the Private Sector Collective Action against Corruption (CAC SMEs Certification) continuation project
CP ALL organized a training program for the Private Sector Collective Action against Corruption (CAC SMEs) in 2023 for 58 SME entrepreneurs in an online format in the time of the New Normal. The objective is to encourage executives and employees, including suppliers, to operate in accordance with corporate governance principles and to instill values of business operations with honesty, transparency, and without corruption. The Company raised the status of the organizations in CAC membership to the Change Agent level. All in all, there are 15 suppliers, or equivalent to 26% of the total, who have communicated and signed to join the declaration of intent to join the Private Sector Collective Action against Corruption.
In addition, Lotus’s has been recertified as a CAC member, joining the private sector’s collective efforts against corruption in Thailand. Lotus’s also received the CAC Change Agent Award for 2023 from CAC. Furthermore, in 2023, Lotus’s supported 17 SME suppliers in jointly declaring their commitment to anti-corruption, elevating the standards of transparent and ethical business practices.
These initiatives reflect the Company’s dedication to being a retail organization that prioritizes sustainability in all dimensions of business operations, encompassing environmental, social, and governance (ESG) aspects.
Cybersecurity and Information Management
The Company recognizes the importance of cybersecurity and information security risk management and conducts a review of the information technology security policy. The policy was revised to be consistent with the international standard guidelines for information security management systems (ISO 27001). The Company also adopts the international cybersecurity framework (NIST Cybersecurity Framework) in technical practices throughout the system, including personal data protection measures as follows:
Cyber Security continuation project
Currently, the Company faces cybersecurity risks almost constantly due to the shift from offline to online business operations, leading to reliance on digital tools for business. Therefore, the Company has established cybersecurity management strategies that encompass the aspects of People, Process, and Technology.
- Cyber Hygiene Culture: Cultivating an organizational culture with cyber security wellness
- Cyber Assurance: Control of cyber security standards
- Cyber Operation: Operations for surveillance and cyber threat prevention
In 2023, the Company was rated on the credibility of cyber security management by an external party (BITSIGHT Security Rating Service), reflecting the responsibility of management and information management, credibility, and corporate image. The results show that the safety management has improved, with the following actions initiated:
Impacts and Benefits
- the Company's network data systems are installed and provide services through the certified Information Security Management System, ISO 27001
- employees working in cyber security (31 people) have undergone training and knowledge testing on cyber security topics
- employees have passed the Phishing Test
- the Company's systems and websites on the internet network have been searched and assessed for vulnerabilities by external companies, and are then further evaluated and improved by the operations team to enhance security
Raising awareness of personal data protection continuation project
The Company aims to raise awareness of personal data protection among employees at all levels, following the guidelines outlined in the Company's key strategies and plans. This initiative can reduce the risks that may affect the organization. In 2023, the Company worked to elevate personal data protection to international standards, with details as follows:
Impacts and Benefits
activities with personal data comply with the Personal Data Protection Act
employees have passed a training and knowledge test of PDPA guidelines
response to the access right requests for personal data at an appropriate time
serious grievances
personal data
Other Information
Sensitivity Risk
1. Business Environment Risk
As the business continues to expand, the Company is aware of the need to develop GHG emissions reduction initiatives for its various operations, including research, pilot projects, and application to the business, as well as collaboration programs with stakeholders throughout the value chain. Following the principle of continuous development, the Company has conducted a preliminary study on advanced sustainability targets, such as being a carbon neutral organization or net zero carbon in 2030 and afterward. The Company has simulated 3 GHG emissions reduction scenarios (shown in Diagram 1), all of which are linked with business growth. An additional scenario has been performed by limiting the volume of carbon offsetting to 20% of the projected BAU case in 2030. The offsetting cost of all remaining carbon emissions will be used for range determination.
The results indicate the costs associated with climate change mitigation and their linkage with the business case, reflecting the effort and preparation required to help mitigate this global issue.
Diagram 1 GHG emissions and carbon offsetting
Data Analysis | ||
---|---|---|
(inputs and factors used for the analysis) | ||
Voluntary Emission Reduction | 42.72 | Euro / tonne |
Exchange rate | 38.37 | Baht / Euro |
Carbon emissions forecasting 2030 (CEF2030) | 3,042,632.71 | tCO2e |
Target limited GHGs growth at 4% | 2,086,322.77 | tCO2e |
Target GHG reduction at 4.2% each year | 1,764,726.97 | tCO2e |
1% of revenue 2020 | 5,465.90 | MTBH |
Table 1: Sensitivity analysis for carbon offsetting on target year 2030 scenario
Unit (million THB) | |||||
---|---|---|---|---|---|
Carbon pricing valuation | -10% | -5% | +-0% | +5% | +10% |
Carbon emission (CEF2030) | 4,488.64 | 4,738.01 | 4,987.38 | 5,236.75 | 5,486.12* |
Targeting Limit GHG emission at 4% growth against BAU | 3,077.85 | 3,248.84 | 3,419.83 | 3,590.82 | 3,761.81 |
Target GHGs reduction at 4.2% each year | 2,603.41 | 2,748.05 | 2,892.68 | 3,037.32 | 3,181.95 |
* exceeded threshold at 1% of revenue
2. Compliance Risk and Operation Risk
Sensitivity Analysis of Future Salary Growth and Employee Turnover Rate
Consolidated Financial Statements, at 31 December (in million Baht)
Assumption | 1% increase, 2022 | 1% increase, 2023 | 1% decrease, 2022 | 1% decrease, 2023 | 3% increase, 2022 | 3% increase, 2023 | 3% decrease, 2022 | 3% decrease, 2023 | 5% increase, 2022 | 5% increase, 2023 | 5% decrease, 2022 | 5% decrease, 2023 |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Future Salary Growth | 466 | 488 | -416 | -436 | 1,398 | 1,464 | -1,248 | -1,308 | 2,330 | 2,440 | -2,080 | -2,180 |
Employee Turnover Rate | -468 | -781 | 504 | 952 | -1,404 | -2,343 | 1,512 | 2,856 | -2,340 | -3,905 | 2,520 | 4,760 |
Separate Financial Statements, at 31 December (in million Baht)
Assumption | 1% increase, 2022 | 1% increase, 2023 | 1% decrease, 2022 | 1% decrease, 2023 | 3% increase, 2022 | 3% increase, 2023 | 3% decrease, 2022 | 3% decrease, 2023 | 5% increase, 2022 | 5% increase, 2023 | 5% decrease, 2022 | 5% decrease, 2023 |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Future Salary Growth | 227 | 247 | -203 | -221 | 681 | 741 | -609 | -663 | 1,135 | 1,235 | -1,015 | -1,105 |
Employee Turnover Rate | -230 | -463 | 262 | 595 | -690 | -1,389 | 786 | 1,785 | -1,150 | -2,315 | 1,310 | 2,975 |
3. Market Risk
Sensitivity Analysis of Discount Rate
Consolidated Financial Statements, at 31 December (in million Baht)
Assumption | 1% increase, 2022 | 1% increase, 2023 | 1% decrease, 2022 | 1% decrease, 2023 | 3% increase, 2022 | 3% increase, 2023 | 3% decrease, 2022 | 3% decrease, 2023 | 5% increase, 2022 | 5% increase, 2023 | 5% decrease, 2022 | 5% decrease, 2023 |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Discount Rate | -439 | -453 | 502 | 518 | -1,317 | -1,359 | 1,506 | 1,554 | -2,195 | -2,265 | 2,510 | 2,590 |
Separate Financial Statements, at 31 December (in million Baht)
Assumption | 1% increase, 2022 | 1% increase, 2023 | 1% decrease, 2022 | 1% decrease, 2023 | 3% increase, 2022 | 3% increase, 2023 | 3% decrease, 2022 | 3% decrease, 2023 | 5% increase, 2022 | 5% increase, 2023 | 5% decrease, 2022 | 5% decrease, 2023 |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Discount Rate | -205 | -223 | 234 | 254 | -615 | -669 | 702 | 762 | -1,025 | -1,115 | 1,170 | 1,270 |
Regular risk management education for all non-executive directors
Training Non-Executive Directors on risk management is pivotal to strengthening an organization. A deep understanding of risk management enables the board to effectively oversee operations, monitor and assess potential risks, and make strategic decisions based on risk information. In 2026, the company invited external experts to provide training to Non-Executive Directors on sustainability trends, risk challenges, and their impact on CP All Public Company Limited. All Non-Executive Directors participated in this training.
Financial incentives which incorporate risk management metrics
To enhance an effective risk culture throughout the organization, CPALL links KPIs to senior executives of the risk function, and the performance of each KPI is applied during the evaluation process. Part of each senior executive’s incentive is assessed by considering the evaluation result. The KPIs used for performance evaluation of the risk function are as follows:
- Dissemination of departmental risk management policies (Score 10%)
- Arrangement of internal risk reviews and reporting (Score 30%)
- Revision and improvement of BCM plan and BCM Team list (Score 25%)
- Ushering intra-agency participation in discovery for hidden corporate threats (Score 20%)
- Participation in risk management activities established by the Company (Score 15%)
Corporate KPIs related to risk management have been cascaded down from senior executives to line managers. As with senior executives, performance under these KPIs is linked to the annual merit increase.
Incorporation of risk criteria in the development of products and services
CPALL values the integrity and safety of our products and services for consumers and customers. Integrating risk management practice company-wide has become part of the corporate culture. Therefore, risk criteria have been incorporated into the product development and approval process. In addition, regulatory risks, product quality and safety, and product quality assurance risks are integrated into the product selection process via the “Pre-Audit Supplier” tool. The QA department will use the tool to assess the facilities, production potential, and product development of the new private brand suppliers.