Risk management

AOT is committed to treating risk management as a matter that must be concretely integrated throughout the organization, in compliance with international best practices. As a result, the organization can achieve its specified objectives, strengthen business stability, and create maximum benefits for stakeholders.


AOT has established the Risk Management Policy, Corporate Governance Integration Policy, Risk Management and Supervision of AOT's operations, AOT's Business Continuity Management Policy, and Internal Control Policy for relevant executives and employees at all levels to follow, taking into account consistency with AOT's Corporate Plan Fiscal Years 2023-2027 (Years 2023 Revised Version), Action Plan and Project Management, as well as laws, rules, regulations and policies related to AOT's operations. Furthermore, AOT has prepared the Risk Management Manual for use as a comprehensive internal practice guideline.

Management System

AOT recognizes the necessity and importance of risk management. Therefore, the risk management system has been developed for all levels of work and covers the entire organization (Enterprise Risk Management), as follows:

AOT's Risk Management Structure

The risk management structure of AOT comprises several components aimed at effective risk governance. It includes the Risk Governance Committee (RGC), appointed by the AOT Board of Directors (BOD), which is responsible for setting risk management policies, guidelines, and acceptable risk levels. The Risk Management Committee (RMC) of AOT, chaired by a senior executive and made up of managers from various departments, offices, and airports, implements these policies and guidelines through risk management mechanisms within each area. These mechanisms include the Internal Control and Risk Management Units (ICRMU) within departments, offices, and airports, which are responsible for identifying, assessing, and managing risks and for reporting outcomes to the RMC and RGC regularly. Additionally, the Risk Management Division (RMD) oversees AOT's overall risk management efforts, ensuring alignment with COSO - ERM 2017 guidelines, which encompass 5 components and 20 principles. AOT's risk management and internal control systems are regularly evaluated by the Internal Audit Office to ensure adequacy, effectiveness, compliance with international standards, and efficiency.

Enterprise risk management framework based on the COSO-ERM 2017 guidelines

Risk Management Process

AOT has set up a systematic risk management process to collect and analyze scenarios of changes or uncertainties, both internal and external, that may occur and affect AOT's operations. The process is implemented annually, twice a year: before the start of the fiscal year, with a review at mid-fiscal year. AOT's risk management process consists of the following main processes:


Risk Universe

The Risk Universe serves as a database for identifying risk factors. The Risk Universe for the fiscal year 2023, compiled from a total of 8 sources, follows criteria for evaluating operational processes and managing Core Business Enablers of state enterprises. These sources include:

  1. Previous year's risk management outcomes at AOT, categorized as high risk (orange) and very high risk (red).
  2. SWOT Analysis of the organizational environment.
  3. Key performance indicators and objectives of strategic objectives.
  4. Performance Agreement (PA) between the Policy Commission Office of State Enterprises and AOT.
  5. Board policies of senior management.
  6. Action plans, operational plans, and public-private partnership projects.
  7. Internal control assessment reports.
  8. Risks affecting AOT operations and their implications (Uncertainty).

Analysis of potential changes and their impact on AOT operations



Analysis of environmental risks to inform the development of strategies, tactics, or risk management plans aimed at reducing the likelihood or impact of potential risks that may occur in the future. This involves assigning the Risk Management and Internal Control Committee of each department, division, office, and airport to analyze data on key change points across 8 dimensions.


Risk Index Definition and Review

AOT sets and reviews Key Risk Indicators (KRIs) at least twice annually, before the start of each fiscal year and mid-year, through the 'Review and Establishment of Key Risk Indicators (KRIs)' form. KRIs serve as tools for tracking risks and signaling early warning signs of potential future events. They are linked to significant risks and their impacts. AOT employs KRIs as instruments to monitor risk statuses and facilitate risk management.

Risk Management Plan


AOT requires a risk management plan to be prepared at the line, group, and airport levels to provide reasonable assurance of achieving the set goal. The important steps are as follows:

The Risk Management Process
The Risk Management and the Control Working Group of each group and airport are responsible for monitoring and reporting the risk performance to the Risk Management Working Group of AOT and the Risk Management Committee on a regular basis to review the effectiveness of risk management. In addition, AOT has also provided channels to assess the level of risk awareness and get opinions to develop a risk management system through questionnaires in both document and online form. Every suggestion received will be considered in order to continually improve AOT's risk management.

Risk Management Guidelines and Business Continuity Management Standards of AOT

AOT's risk management system is consistent with the guidelines of the Committee of Sponsoring Organizations of the Treadway Commission - Enterprise Risk Management Integrating with Strategy and Performance: COSO - ERM 2017 and the Business Continuity Management Framework in accordance with International Organization for Standardization: ISO 22301: 2019 (Security and Resilience - Business Continuity Management Systems - Requirements). AOT aims to use the risk management process as a part of AOT's corporate plan preparation and important project management in order to manage risks and disasters that may occur and affect AOT's business operations in a timely and continuous manner. In addition, it also supports AOT to be able to achieve the set objectives and targets.

ISO standard

Risks of AOT

The risks of AOT can be categorized into 12 types as follows:


Strategic Risk

refers to the risks associated with the formulation of strategic plans, action plan and improper implementation of such plans. In addition, it also includes changes from external and internal factors which affect the formulation of strategies or operation to achieve the main objectives, goals, and operational guidelines of AOT.

Operational Risk

means the risk associated with the operations of each process or activities within AOT, including risks related to information management in information technology and various knowledge information in order to achieve the specified goals. It will affect the efficiency of AOT's work processes and affect the achievement of AOT's main objectives.

Financial Risk
refers to the risks associated with financial management, which may arise from internal factors, such as liquidity management and investment, or from external factors, such as changes in interest rates and exchange rates, and which affect the existence or the efficiency of AOT's work processes. This also includes risks that result in damage to AOT.

Compliance Risk
means the risk associated with compliance with the rules, orders, and regulations of regulatory agencies such as the Stock Exchange of Thailand, Civil Aviation Authority of Thailand, etc., including various legal risks relating to AOT's business operations. It will affect the reputation and the image of AOT.

Human Capital Risk
The gap between the corporate goals and the employees' skills in performing their duties may impact the organization's ability to achieve its objectives. This gap can result from either intentional or unintentional actions by employees, such as when the efficiency of their work does not meet the expected standards.

Safety Risk
Risks that may arise from unintentional human actions or processes, leading to harm to individuals or damage to property.

Security Risk
An act of unlawful interference or intentional violation of the practice which can lead to personal harm, property damage or long-term interruption of service and reputation damage.

Hazard and Environmental Risk
Risks arising from hazards or natural disasters that may impact operations, such as floods, pandemics, and threats from terrorists.

Fraud Risk
Risks arising from intentional actions taken to seek benefits that are not legally justified for oneself or others, such as family members or friends.

IT Risk
Risk arising from a potential event that causes damage to AOT's information assets, such as data damage caused by a virus, damage to the host computer system, unauthorized access to significant data, etc.

Reputation Risk
Risk arising from a potential event that may occur and create a negative image of AOT, resulting in criticism in society, which may lead to the loss of its reputation.

Emerging Risk
Risk of a loss arising from risks that have not yet occurred at present but may arise in the future due to a changing environment. This type of risk emerges slowly, is difficult to identify, and has a low frequency of occurrence, but causes a serious impact once it happens. The emergence of the risk is often identified by projections based on available evidence-based studies; this new risk is often the result of changes in the political, legal, social, technological, or physical environment, or of natural changes. Sometimes, the effects of this type of risk may not be identifiable at present. Examples include problems arising from nanotechnology or climate change.

Emerging Risks

Emerging risk 1: High Cost of Living & Social Division

Category = Societal
Description = Due to geopolitical conflict (e.g., Russia and Ukraine), together with the aftermath of COVID-19, the cost of living has been on the rise, and many are unemployed. In addition, social diversity has become a hot topic in Thailand. Each individual has voiced their preference.
Impact = The impact of High Cost of Living is reduced travel demand for AOT. That is, fewer passengers are travelling, affecting AOT revenue. The impact of Social Division is on the cost and time of airport construction, where AOT has to consider the needs of all individuals' preferences.
Mitigation = AOT reduces fares for our supply chain to maintain their business in the face of reduced passengers.

Emerging risk 2: Supply Chain Damage

Category = Economic
Description = AOT's supply chain has suffered financially from the aftermath of COVID-19. Some have terminated their businesses. Some are recovering and working at sub-optimal capacities.
Impact = AOT's business cannot fully operate due to its reliance on the supply chain, some of which have terminated their businesses or are working at sub-optimal capacities.
Mitigation = AOT provides funding to our supply chain in order for them to fully operate and maintain their business.

Promoting a risk culture

AOT has implemented a process to create an atmosphere and culture that supports risk management. The meeting of AOT's Risk Management Working Group and Risk Management Committee is scheduled every month as a platform to review risk situations that will help everyone to understand the relationship and impact of risk before making any decisions. This also includes stimulating the awareness of risks in the organization. The examples for risk management culture promotion activities are AOT e-Learning Platform, a joint meeting with Airports and Aviation Standards Group as well as risk awareness surveys.

Risk Awareness Survey & Education

AOT conducts regular surveys on risk awareness and trainings. Our latest findings show that more than 75 of all employees acknowledge our risk management news and current practices. AOT continues to improve employees' awareness of risk management via several communication tools: AOT website, intranet, email, and digital dashboard. In terms of risk education, AOT provides all non-executive directors with risk trainings (e.g., Intermediate Airport Management and Airport Management in 2022 and Risk Management & Audit in 2023) that are based on our latest risk handbook (risk management principle) and align with the AOT Master Plan. In addition, AOT promotes risk culture by incorporating risk criteria into the development of our services and providing financial incentives for employees who achieve risk management metrics.


Risk Agents Training

Risk Management Performance Assessment

AOT participated in the risk management performance assessment under the State Enterprise Assessment Model (SE-AM) for the continuous improvement of AOT’s risk management operations. The results of the assessment indicate the strengths and weaknesses of the operation in 5 dimensions:

  1. Governance and organizational culture
  2. Information, communication, and reporting
  3. Risk management review
  4. Risk management process
  5. Strategy and objective setting

Triple A Risk Management Project (3A: Alert Analysis Agility)

Triple A Risk Management Project is a collaboration between AOT’s Risk and HR Department to create risk management behaviors for executives and employees and a strong corporate risk culture. Triple A Risk Management Projects are the product of risk awareness surveys and risk management performance audits.

Last Updated: April 12, 2024