The Company has implemented appropriate risk and crisis management practices that align with its business operations and the rapidly changing business environment. The Company continuously manages and controls key risks at both the strategic and operational levels, covering environmental, social, and governance (ESG), to anticipate potential risks and prepare appropriate mitigation measures. In addition, the Company has established a crisis management plan and conducts regular testing to ensure timely and effective responses to unforeseen events, minimize impacts on stakeholders, and effectively maintain business continuity. Furthermore, the Company places strong emphasis on fostering a risk management culture across all levels through knowledge development, employee engagement, and the integration of risk assessment into operational processes. This approach ensures that risk management serves as a fundamental foundation for sustainable business operations.
Positive Impacts: Effective risk management strengthens the Company’s financial stability, enhances confidence among investors, shareholders, and stakeholders, and helps reduce losses from unforeseen events such as economic crises or operational risks. It also supports inclusive, secure, and sustainable access to financial services, which is a key factor for long-term economic growth.
Negative Impacts: Ineffective or insufficient risk management may adversely affect the operating performance. It may also lead to inefficient allocation of the Company’s resources, including financial capital, technology, and human resources.
Positive Impacts: The integration of environmental and climate-related risks into the risk management processes and crisis management plans enhances the Company’s ability to respond effectively to environmental incidents. It also enables the Company to align its strategies and operations with sustainability standards, reduce environmental impacts and build long-term confidence among investors, shareholders, and stakeholders.
Negative Impacts: Severe and unpredictable environmental and climate-related events may affect the operational sites, technology systems, and supply chain. Without appropriate risk assessments and response plans, such events may lead to business disruptions and reputational damage.
Positive Impacts: Effective risk management enables customers to access financial services in a safer and more convenient manner. It also reflects the Company’s commitment to responsible business practices, strengthening stakeholder confidence and enhancing the Company’s positive social reputation.
Negative Impacts: Highly stringent and complex risk management practices may reduce the Company’s flexibility in business decision-making, which could result in limited access to financial services for certain customer groups.
Positive Impacts: Comprehensive human rights due diligence (HRDD), together with effective risk management processes, help prevent and mitigate the risk of the Company being involved in human rights violations affecting customers, employees, and stakeholders. It also contributes to fostering a fair, equitable, and inclusive working environment that respects diversity.
Negative Impacts: Risk management that does not adequately address stakeholders’ human rights such as the absence of appropriate workplace safety and working environment measures, or insufficient protection of customers’ and employees’ personal data may result in reputational damage to the Company or penalties from regulatory authorities.
The Company places importance on risk management by establishing risk management policies that align with good corporate governance principles and cover key risk categories. The risk management policies are reviewed and endorsed by the Risk Management Committee before being proposed to the Board of Directors for annual approval and are communicated to all employees for organization-wide implementation. The risk management policies cover the following key risks.
For additional information, please refer to Form 56-1 One Report 2025 under “Risk Management” topic.
The Company has established a risk governance structure in line with good corporate governance principles. The Board of Directors is responsible for setting risk management policies and overseeing the Company’s overall risk management to ensure its appropriateness. The Board of Directors has also assigned the Audit, Corporate Governance and Sustainability Committee, which consist entirely of independent and non-executive board members, to oversee the adequacy and effectiveness of the Company’s internal control system and risk management system, as well as ensuring compliance with applicable laws and regulatory requirements. In addition, the Company has appointed various sub-committees to manage and monitor risks, with each sub-committee reporting to the Board of Directors in accordance with the prescribed reporting schedule to present performance results and receive further guidance and recommendations.
Furthermore, the Company has assigned risk management responsibilities to employees at all levels by applying the Three Lines of Defense approach as part of its overall risk management structure, as follows:
The Risk Owners are responsible for controlling and maintaining risks within their respective business units to remain at an appropriate level.
The Internal Audit business unit is independent and is accountable for evaluating the effectiveness of the 1st and 2nd Lines of Defense, as well as the efficiency of internal control, risk management, and corporate governance systems. Findings are reported directly to the Audit, Corporate Governance and Sustainability Committee, where management will use the results from the internal audits to improve relevant matters.
For additional information, please refer to Form 56-1 One Report 2025 under “Risk Governance Structure” topic.
The Company manages risks in accordance with the risk management policies and guidelines of Krungthai Bank’s financial business group and in compliance with the Bank of Thailand’s (BOT) Consolidated Supervision guidelines. This approach aligns with the COSO ERM Risk Management Framework to ensure that risks are managed systematically and effectively. The Company’s risk management approaches are as follows:
The Company evaluates and identifies company-specific risk exposure that occurs due to changes in internal and external factors that may cause potential impacts on business operations. These risks cover key risk categories, including strategic risk, credit risk, interest rate risk, liquidity risk, operational risk, reputational risk, and information technology risk, as well as ESG risks.
The Company assesses the risk levels and creates a risk map that illustrates the interconnection between various risk factors in order to prioritize and define appropriate management strategies. Additionally, key risk indicators (KRIs) are established, including both leading indicators which provide early warning signals before a risk event occurs, and lagging indicators which reflect data from risk events that have already taken place. The Company also defines its risk appetite and risk tolerance for each risk factor. The KRI, risk appetite, and risk tolerance are reviewed annually.
The Company oversees, controls, and manages risks to ensure that they are within acceptable risk level.
The Company monitors and reports the risks to the Risk Management Committee, the Board of Directors, and Krungthai Bank in accordance with the prescribed reporting schedule.
The Company conducts self-risk assessments every six months in accordance with the Bank of Thailand’s Consolidated Supervision Guidelines. These assessments cover key risks, including the following:
The assessment process covers the evaluation of risk levels, the quality of risk management, and risk trends, as well as the identification of appropriate risk management or control measures. The results of these assessments are reviewed by the Risk Management Committee and subsequently submitted to Krungthai Bank for reporting to the Risk Oversight Committee.
The Company places importance on responding to and managing emergency incidents that may have a significant impact on business operations and has therefore established a corporate level crisis management approach as follows:
The Company is committed to fostering an effective risk-aware culture by encouraging employees at all levels to participate in risk management, enabling the organization to respond to change in a stable and sustainable manner.
The Company is committed to raising risk awareness among management and employees at all levels and preventing risks that may have a significant impact. To achieve this, Key Risk Indicators (KRIs) are integrated into the annual performance evaluation for management and all employees. These indicators include compliance with the Market Conduct principles and the occurrence of personal data breach incidents. In addition, for business units exposed to specific operational risks, performance indicators are aligned with the risks under the responsibility of the respective risk owners, and such indicators are taken into account in determining financial compensation.
Collaboration between the Risk Owners and the Enterprise Risk Management division, in that all business units are required to have a Risk Manager and an Operational Risk Officer (ORO) to carry out operational risk management within their respective departments, consisting of the following:
For the development or launch of the Company’s financial products and/or services, compliance with the procedures for the introduction, modification, or discontinuation of financial products and/or services is required in order to assess legal risks, overall risk exposure, and budgetary considerations. This ensures that all products and/or services developed or offered are subject to comprehensive risk considerations
The Company is committed to fostering a deep understanding of risk management among the Board of Directors, management, and all employees by offering comprehensive education and training programs. These efforts include structured orientation programs for new hires and regular annual knowledge reviews to ensure awareness of risk management practices and relevant rules and regulations.
In addition, the Company utilizes a variety of communication channels to disseminate risk management knowledge, including informative email communications, training seminars conducted by both internal and external experts, and practical workshops to enable employees to effectively apply risk management principles in daily operations.
In 2025, the Company provided comprehensive risk management training to all management and employees to enhance the knowledge, understanding, and skills necessary for risk prevention and enterprise-level risk management, as well as to foster a sustainable risk management culture. All management and employees participated in the training, representing 100% of the target group, on the following training topics.
In addition, the Company developed an online risk management training program to enhance risk management knowledge among management and employees, and to communicate key content to the Board of Directors and non-executive directors. The training covered ESG risk, AI risk, the Business Continuity Plan (BCP), and the Emergency Plan. A total of 1,818 participants completed the program, representing 100% of the target group, with a 100% post-training pass rate. This reflects the Company’s commitment to strengthening risk awareness and fostering a strong risk management culture to support stable, transparent, and sustainable long-term operations.