Risk management
AOT is committed to managing risks as an issue that must be integrated in a concrete manner throughout the organization in compliance with international best practices. As a result, the organization can achieve its specified objectives, strengthen business stability, and create maximum benefits to the stakeholders.
Policy
AOT has established the Risk Management Policy, Corporate Governance Integration Policy, Risk Management and Supervision of AOT's operations, AOT's Business Continuity Management Policy, and Internal Control Policy for relevant executives and employees at all levels to follow, taking into account consistency with AOT's Corporate Plan Fiscal Years 2023-2027 (Years 2023 Revised Version), Action Plan and Project Management, as well as laws, rules, regulations and policies related to AOT's operations. Furthermore, AOT prepared the Risk Management Manual to be used as a comprehensive internal practice guideline.
Management System
AOT recognizes the necessity and importance of risk management. Therefore, the risk management system has been developed for all levels of work covering the entire organization or the Enterprise Risk Management, as follows:
AOT's Risk Management Structure
The risk management structure of AOT comprises several components aimed at effective risk governance. It includes the Risk Governance Committee (RGC), appointed by the AOT Board of Directors (BOD), which is responsible for setting risk management policies, guidelines, and acceptable risk levels. The Risk Management Committee (RMC) of AOT, chaired by a senior executive and made up of managers from various departments, offices, and airports, implements these policies and guidelines through risk management mechanisms within each area. These mechanisms include Internal Control and Risk Management Units (ICRMU) within departments, offices, and airports, which are responsible for identifying, assessing, and managing risks and for reporting outcomes to the RMC and RGC regularly. Additionally, the Risk Management Division (RMD) oversees AOT's overall risk management efforts, ensuring alignment with COSO - ERM 2017 guidelines, which encompass 5 components and 20 principles. AOT's risk management and internal control systems are regularly evaluated by the Internal Audit Office to ensure adequacy, effectiveness, compliance with international standards, and efficiency.
Risk Management Process
AOT has set up a systematic risk management process to collect and analyze scenarios of change or uncertainty, both internal and external, that may occur and affect AOT's operations. The process is carried out twice each year: before the start of the fiscal year and again in a mid-fiscal-year review. AOT's risk management process consists of the following main processes:
1. Risk Universe
The Risk Universe serves as a database for identifying risk factors. The Risk Universe for the fiscal year 2023, compiled from a total of 8 sources, follows criteria for evaluating operational processes and managing Core Business Enablers of state enterprises. These sources include:
- Previous year's risk management outcomes at AOT, categorized as high risk (orange) and very high risk (red).
- SWOT Analysis of the organizational environment.
- Key performance indicators and objectives of strategic objectives.
- Performance Agreement (PA) between the Policy Commission Office of State Enterprises and AOT.
- Board policies of senior management.
- Action plans, operational plans, and public-private partnership projects.
- Internal control assessment reports.
- Risks affecting AOT operations and their implications (Uncertainty).
2. Analysis of potential changes and their impact on AOT operations
Analysis of environmental risks to inform the development of strategies, tactics, or risk management plans aimed at reducing the likelihood or impact of potential risks that may occur in the future. This involves assigning the Risk Management and Internal Control Committee of each department, division, office, and airport to analyze data on key change points across 8 dimensions.
3. Risk Index Definition and Review
AOT sets and reviews Key Risk Indicators (KRIs) at least twice annually, before the start of each fiscal year and mid-year, through the 'Review and Establishment of Key Risk Indicators (KRIs)' form. KRIs serve as tools for tracking risks and signaling early warning signs of potential future events. They are linked to significant risks and their impacts. AOT employs KRIs as instruments to monitor risk statuses and facilitate risk management.
4. Risk Management Plan
AOT requires risk management plans to be prepared at the line, group, and airport levels to provide reasonable assurance of achieving the set goals. The details of the important steps are as follows:
The Risk Management Process
The Risk Management and the Control Working Group of each group and airport are responsible for monitoring and reporting the risk performance to the Risk Management Working Group of AOT and the Risk Management Committee on a regular basis to review the effectiveness of risk management. In addition, AOT has also provided channels to assess the level of risk awareness and get opinions to develop a risk management system through questionnaires in both document and online form. Every suggestion received will be considered in order to continually improve AOT's risk management.
Risk Management Guidelines and Business Continuity Management Standards of AOT
AOT's risk management system is consistent with the guidelines of the Committee of Sponsoring Organizations of the Treadway Commission - Enterprise Risk Management Integrating with Strategy and Performance: COSO - ERM 2017 and the Business Continuity Management Framework in accordance with International Organization for Standardization: ISO 22301: 2019 (Security and Resilience - Business Continuity Management Systems - Requirements). AOT aims to use the risk management process as a part of AOT's corporate plan preparation and important project management in order to manage risks and disasters that may occur and affect AOT's business operations in a timely and continuous manner. In addition, it also supports AOT to be able to achieve the set objectives and targets.
Risks of AOT
The risks of AOT can be categorized into 12 types as follows:
Strategic Risk
refers to the risks associated with the formulation of strategic plans, action plan and improper implementation of such plans. In addition, it also includes changes from external and internal factors which affect the formulation of strategies or operation to achieve the main objectives, goals, and operational guidelines of AOT.
Operational Risk
means the risk associated with the operations of each process or activities within AOT, including risks related to information management in information technology and various knowledge information in order to achieve the specified goals. It will affect the efficiency of AOT's work processes and affect the achievement of AOT's main objectives.
Financial Risk
refers to the risks associated with financial management, which may arise from internal factors, such as liquidity management and investment, or from external factors, such as changes in interest rates and exchange rates, and which affect the existence or the efficiency of AOT's work processes. This also includes risks that result in damage to AOT.
Compliance Risk
means the risk associated with compliance to rules, orders, regulations of regulatory agencies such as the Stock Exchange of Thailand, Civil Aviation Authority of Thailand, etc., including various legal risks relating to AOT's business operations. It will affect the reputation and the image of AOT.
Human Capital Risk
The gap between the corporate goals and the employees' skills in performing their duties may impact the organization's ability to achieve its objectives. This gap can result from either intentional or unintentional actions by employees, such as when the efficiency of their work does not meet the expected standards.
Safety Risk
Risks that may arise from unintentional human actions or processes, leading to harm to individuals or damage to property.
Security Risk
an act of unlawful interference or intentional violation of the practice which can lead to personal harm, property damage or long-term interruption of service and reputation damage.
Hazard and Environmental Risk
Risks arising from hazards or natural disasters that may impact operations, such as floods, pandemics, and threats from terrorists.
Fraud Risk
Risks arising from intentional actions taken to seek benefits that are not legally justified for oneself or others, such as family members or friends.
IT Risk
Risk arising from a potential event that may cause damage to AOT's information assets, such as data damage caused by a virus, damage to the host computer system, unauthorized access to significant data, etc.
Reputation Risk
Risk arising from a potential event that may occur and create a negative image of AOT, resulting in public criticism and possibly the loss of its reputation.
Emerging Risk
A risk of loss arising from risks that have not yet occurred at present but may arise in the future due to a changing environment. This type of risk emerges slowly, is difficult to identify, and occurs with low frequency, but causes a serious impact once it happens. Such a risk is often identified by projections based on available evidence-based studies, and it is often the result of changes in the political, legal, social, technological, or physical environment, or of natural changes. Sometimes the effects of this type of risk may not be identifiable at present. Examples include problems arising from nanotechnology or climate change.
Emerging Risks
Emerging risk 1: High Cost of Living & Social Division
Emerging risk 2: Supply Chain Damage
Promoting a risk culture
AOT has implemented a process to create an atmosphere and culture that supports risk management. Meetings of AOT's Risk Management Working Group and Risk Management Committee are scheduled every month as a platform to review risk situations, helping everyone understand the relationship and impact of risk before making any decisions. This also stimulates awareness of risks in the organization. Examples of activities that promote a risk management culture are the AOT e-Learning Platform, a joint meeting with the Airports and Aviation Standards Group, and risk awareness surveys.
Risk Awareness Survey & Education
AOT conducts regular surveys on risk awareness and regular training. Our latest findings show that more than 75% of all employees acknowledge our risk management news and current practices. AOT continues to improve employees' awareness of risk management via several communication tools: the AOT website, intranet, email, and a digital dashboard. In terms of risk education, AOT provides all non-executive directors with risk training (e.g., Intermediate Airport Management and Airport Management in 2022 and Risk Management & Audit in 2023) that is based on our latest risk handbook (risk management principles) and aligned with the AOT Master Plan. In addition, AOT promotes a risk culture by incorporating risk criteria into the development of our services and providing financial incentives for employees who achieve risk management metrics.
Risk Agents Training
Risk Management Performance Assessment
AOT's performance assessments include (1) internal audit, (2) external audit, and (3) State Enterprise Assessment (SE-AM). The former is done at least every two years, while the latter is done annually.
AOT participates in the risk management performance assessment under the State Enterprise Assessment Model (SE-AM) to continuously improve its risk management operations. The results of the assessment indicate the strengths and weaknesses of the operation in 5 dimensions:
- Governance and organizational culture
- Information, communication, and reporting
- Risk management review
- Risk management process
- Strategy and objective setting
Triple A Risk Management Project (3A: Alert Analysis Agility)
Triple A Risk Management Project is a collaboration between AOT’s Risk and HR Department to create risk management behaviors for executives and employees and a strong corporate risk culture. Triple A Risk Management Projects are the product of risk awareness surveys and risk management performance audits.
Last Updated: April 12, 2024