Target 2029

  • Ensure 100% compliance with all applicable regulatory requirements.
  • Provide risk management training to 100% of employees and non-executive directors.

Target 2024

  • Ensure 100% compliance with all applicable regulatory requirements.
  • Provide risk management training to 100% of employees and non-executive directors.

Performance 2024

  • Achieved 100% compliance with regulatory requirements.
  • Achieved 100% training coverage on risk management for all employees and non-executive directors.

Challenges and Opportunities

In today’s rapidly changing business environment, companies must navigate uncertainties arising from various factors such as society, the environment, the economy, politics, and technology, all of which can have significant impacts. Failure to prioritize risk management may result in inadequate risk mitigation, leading to potential damage to business performance and reputation. Therefore, an effective and systematic approach to risk and crisis management is essential. Efficient risk management not only ensures business continuity but also enhances stakeholder confidence, ultimately driving the organization toward sustainable growth.

Key Achievements
  • Environmental, social, and governance risks were assessed as part of the enterprise risk management.
  • Risk management is in compliance with Krungthai Bank financial business group’s risk management policy and guidelines, and the Bank of Thailand’s Consolidated Supervision guidelines.
  • Training on risk management principles was provided to 100% of the Board of Directors, management, and employees.

KTC has implemented a comprehensive risk management framework in accordance with the requirements of the Bank of Thailand (BOT) and the COSO ERM Risk Management Framework to ensure that risks are managed systematically and effectively across the organization. Furthermore, the Company has established a monitoring and performance evaluation system to proactively identify and address any emerging risks. Training programs were also provided to all employees, including the Board of Directors, to raise awareness and strengthen risk management capabilities.

Risk Management Policies

The Company recognizes the importance of effective risk management and has developed risk management policies grounded in strong corporate governance principles and covering significant risks. The policies are considered by the Risk Management Committee before being proposed to the Board of Directors for approval on an annual basis. Once approved, the policies are communicated to all employees, ensuring their implementation across the organization. The risk management policies were developed for the following risks.

  • Strategic Risk
  • Credit Risk
  • Financial Risk
  • Liquidity Risk
  • Reputation Risk
  • Information Technology Risk

For additional information, please refer to Form 56-1 One Report 2024 under the “Risk Management” topic.

Risk Governance

Management Committee
  • Establishes, considers, evaluates, recommends, and determines policies and guidelines in the areas of finance and accounting, budgeting, treasury, marketing, company performance, human resource management, and other aspects impacting business operations
  • Approves the Company’s products (those that have passed a comprehensive risk assessment) prior to launching to the market, including strategic planning
  • Establishes the Company’s marketing directions, including corporate image and brand positioning
  • Appoints sub-committees or working groups to study various matters that may impact the Company and/or to implement actions based on the resolutions of the Management Committee
  • Upholds the authority to oversee the business operations of subsidiary companies
  • Performs other tasks that are assigned by the President & Chief Executive Officer and/or the Board of Directors
Risk Management Committee
  • Considers and approves risk management policies at the organizational level before the policies are proposed to the Board of Directors for consideration, approval, and announcement
  • Monitors and evaluates risk management performance to ensure risks remain within acceptable levels in accordance with Krungthai Bank financial business group’s risk management policy and guidelines and the Bank of Thailand’s Consolidated Supervision guidelines
  • Establishes credit policies and considers risks associated with products prior to launch
  • Appoints the Crisis Management Committee to manage the Business Continuity Plan (BCP) and to decide whether to activate or deactivate the BCP. The Crisis Management Committee is also responsible for communicating with employees, media, and stakeholders in the event of a crisis that disrupts business operations
Information Security Committee
  • Oversees the Company’s information security and information technology (IT) related strategic plans and budgets.
  • Establishes and enforces IT policies aligned with standard guidelines that ensure their effective utilization within the organization
  • Governs IT risk management, and plans and manages projects to ensure transparency and efficiency
  • Acts as the Data Protection Officer, ensuring compliance with the Personal Data Protection Act, B.E. 2562 (2019)
  • Manages IT services, including governing policies on planning system enhancements to keep systems up to date
  • Evaluates and improves Service Level Agreements (SLAs) between the IT business unit and other business units
Market Conduct Committee
  • Establishes and oversees policy frameworks, strategic plans, and guidelines to ensure that the operating procedures align with Market Conduct Regulations aiming at fair customer treatment for consumer protection

All committees report to the Board of Directors at specified time intervals to keep the Board of Directors informed of the Company’s performance and receive recommendations from the Board of Directors. Furthermore, KTC has adopted a comprehensive risk governance framework which aligns with the Three Lines of Defense model to define the Company’s overall risk management structure, as follows.

1st Line of Defense
Risk Owners
Risk owners are responsible for managing and maintaining risks within their respective business units, ensuring the risks remain at appropriate levels.
2nd Line of Defense
Enterprise Risk Management Division
The Enterprise Risk Management Division oversees the organization’s overall risk management and develops an enterprise risk management framework that aligns with the established risk management policies. The division also provides regular reports to the Risk Management Committee and the Board of Directors at specified time intervals.
Compliance Business Unit
The Compliance Business Unit is accountable for monitoring and reviewing compliance with regulatory requirements, and for offering guidance and information on regulations set by governing bodies.
3rd Line of Defense
Internal Audit Business Unit
The Internal Audit Business Unit is independent and is accountable for evaluating the effectiveness of the 1st and 2nd Lines of Defense, as well as the efficiency of the internal control, risk management, and corporate governance systems. Findings are reported directly to the Audit, Environmental, Social Responsibilities, and Corporate Governance Committee, and management uses the results of the internal audits to improve relevant matters.
For risk management process auditing, the Internal Audit Business Unit is responsible for conducting an annual assessment of the effectiveness and sufficiency of the risk management process to ensure that the Company has adopted an appropriate risk management system. Additionally, external auditors conduct financial audits and certification while also verifying compliance with information security and personal data protection standards, including ISO/IEC 27001:2013 and ISO/IEC 27701:2019, as well as the Payment Card Industry Data Security Standard (PCI DSS). This ensures that the Company implements an appropriate risk management system, covering various aspects of risk management to help the organization understand risks and control processes systematically.

Risk Management

The Company’s risk management process consists of the following steps.

  • Risk Identification
  • Risk Assessment
  • Oversee, Control and Manage Risk
  • Risk Monitoring and Reporting

Crisis Management

Managing business operations necessitates addressing significant risks across various domains. To mitigate these risks, the Company employs a systematic approach to crisis management at the organizational level, which includes the following.

  • The Company has in place a Business Continuity Management (BCM) system and has prepared a Business Continuity Plan (BCP), which encompasses emergency response procedures for scenarios such as natural disasters (fires, earthquakes, floods), rallies, and epidemics. The BCP also includes victim evacuation guidelines. To ensure operational resilience, the Company has in place an alternate site and adequate resources to sustain critical business functions in the event that primary worksite operations are disrupted. Additionally, an IT Disaster Recovery Plan (DRP) has been established, which is reviewed and tested annually to ensure the security and operational availability of the Company’s information technology systems.
  • The Company reviews and monitors its crisis management plan by conducting annual surprise tests of the communication tree (Call Tree) and the BCP. Moreover, KTC also participates as an observer in the BCP testing of the Company’s core business operations that are performed by third-party providers.

In 2024, the results of the surprise tests were within the set recovery time objective.

Emerging Risk

In addition to considering the risks from current business environment, KTC also considers emerging risks that may impact the Company’s business.

1. Geopolitical Risk

Description

Geopolitical risks arise from conflicts between nations involving politics, geographical boundaries, and economic resources. These incidents may escalate into military operations or various forms of trade wars, negatively affecting regional and global economies.

Ongoing conflicts such as the Russia-Ukraine war and Middle East tensions continue to pressure the global economy. Additionally, evolving economic policies of major economies have increased uncertainty across the broader economic system. Trade conflicts between major powers may intensify in the future. Therefore, the Company places great importance on closely monitoring these situations to assess their impact and adjust its strategies accordingly.

Impact

Intensifying conflicts and competition among global superpowers may cause volatility in various economic factors, including:

  • Interest rates, exchange rates, tax rates
  • Prices of goods and services
  • Tourist travel patterns and spending from affected countries
  • Customer purchasing power and debt repayment ability due to rising living costs
  • Additional trade conditions and increased operational requirements

These factors could significantly impact the Company's strategic plans and overall business performance.

Mitigating actions
Economic Intelligence and Monitoring
  • Monthly seminars with Thailand Development Research Institute covering global economic outlook, regional developments, and Thailand-specific trends
  • Senior executives attend sessions featuring expert analysis and Q&A on financial sector impacts
  • Quarterly company-wide seminars translating economic trends into business implications
  • Department-specific workshops on customer impact, risk adjustments, and product opportunities
  • Monthly economic dashboards distributed to managers with key indicators and market analysis
  • Integration of economic insights into planning cycles and business reviews
Risk Assessment and Planning
  • Regular stress testing and simulation scenarios based on economic forecasts and assumptions
  • Comprehensive analysis of various risk factors, including geopolitical risks, to assess potential impacts on Company performance
  • Development of customer support measures based on ability to repay debt
Strategic Diversification
  • Infrastructure development to support diverse international partners: Visa, Mastercard, JCB, UnionPay, and Alipay+
  • Enhanced payment options and convenience for all customers
  • Risk mitigation through partner diversification to reduce dependency on any single region or system

2. Artificial Intelligence (AI) Risk

Description

KTC recognizes the importance of adopting artificial intelligence (AI) technology for its capability to learn and process vast datasets to enhance operational efficiency. The Company currently implements Generative AI to support various operations, including data analysis and issue resolution recommendations. KTC has established a strategic technology roadmap utilizing AI for consumer behavior analysis and user interaction enhancement to improve customer experience.

However, the Company acknowledges the risks associated with AI technologies, including data privacy breaches, ethical concerns, and cybersecurity threats. Therefore, AI development and implementation must incorporate effective controls and governance to ensure appropriate use.

Impact

Inadequate AI governance and controls may result in:

  • Cybersecurity vulnerabilities and potential data breaches
  • Leakage of confidential information
  • Reliance on AI-generated content that may be inaccurate, outdated, or biased
  • Increased susceptibility to AI-enabled cybercrimes (phishing, deepfakes, impersonation)
  • Potential customer asset loss and reputational damage
  • Regulatory compliance violations

Mitigating actions
Governance and Policy Framework
  • Comprehensive policy suite reviewed annually or upon significant changes:
    • Information Technology Policy
    • Information Security Policy
    • AI Policy
    • Personal Data Protection Policy
Security Standards and Certifications
  • Implementation of IT security standards:
    • System Configuration Standard
    • Password Control Standard
    • Cryptographic Standard
  • Compliance with international standards:
    • ISO/IEC 27701:2019 (Privacy Information Management)
    • ISO/IEC 27001:2013 (Information Security Management System)
    • PCI-DSS standards
Technical Controls and Testing
  • AI technologies sourced from certified service providers with robust security measures
  • Annual penetration testing on all external-facing systems
  • Vulnerability assessments for internal and external networks with immediate remediation of critical findings
  • Regular testing of Information Technology Disaster Recovery Plan (DRP)
  • Annual Incident Response Plan (IRP) exercises for cyber threats
Monitoring and Assurance
  • Regular reviews by Compliance Business Unit and Internal Audit Business Unit to ensure policy compliance
Training and Awareness
  • Annual training programs to raise awareness on information security, personal data protection, payment card data security, and cyber threat risks for executives, employees, and external service providers
For additional information about emerging risks, please refer to Form 56-1 One Report 2024 under the “Risk Management” topic.

Risk Culture

KTC recognizes that fostering a strong corporate risk culture is essential to the success of organizational risk management. The Company actively promotes risk awareness among employees at all levels to emphasize that risk management is a shared responsibility.

Risk-related Financial Incentives

The Company is committed to raising risk awareness among management and employees at all levels and preventing risks that may have a significant impact. To achieve this, Key Risk Indicators (KRIs) are integrated into the annual performance evaluation for management and all employees. These indicators include compliance with the Market Conduct principles and personal data breach incidents. Additionally, for business units with specific risk exposures, performance indicators are aligned with the risks associated with the respective Risk Owners. These indicators directly influence financial incentives.

Comprehensive Risk Management throughout Organization

Risk Owners collaborate with the Enterprise Risk Management Division: all business units are required to have a Risk Manager and an Operational Risk Officer (ORO) to carry out operational risk management within their respective departments, consisting of the following.

  • All business units are required to perform a Risk Control Self-Assessment (RCSA) twice a year. This process involves management and employees at all levels to identify and evaluate risks and controls within their operations.
  • All business units must submit monthly reports on Operational Loss Data, detailing actual losses, potential losses, and near-misses, including comprehensive information on all relevant values.

The development or release of the Company’s financial products and/or services requires compliance with the regulations on the issuance, change, or cancellation of financial products and/or services. This is to assess the legal, overall, and budgeting risks before launch, ensuring that the product and/or service has considered all risk factors.

| Risk Management Training Program | Target Group | Arrangement |
| --- | --- | --- |
| Importance of Risks and Management (Risk Awareness) | All employees | Self-learning |
| Anti-Money Laundering and Counter-Terrorism and Proliferation of Weapon of Mass Destruction Financing (AML/CFT&WMD) 2024 | All employees | Self-learning |
| ISO (ISO/IEC 27001:2013 and ISO/IEC 27701:2019) 2024 | All employees | Self-learning |
| Corporate Governance and Sustainability Development 2024 | All employees | Self-learning |
| Responsible Lending Requirement 2024 | All employees | Self-learning |
| Cybersecurity Awareness 2024 | All employees | Self-learning |
| RCSA (Risk Control Self-Assessment) and PII Data List 2024 | Operational Risk Officers (ORO) | Classroom: On-site |
| Global and Thai Economies: Opportunities and Challenges in 2025 | Interested employees | Classroom: On-site |

Remark: “All employees” refers to both management and employees.

Risk Awareness Course

In 2024, the Company organized an e-Learning course on effective risk management. All employees, including management, completed this training course and attained a 100% score on the post-assessment test. Furthermore, the training contents were communicated to the Board of Directors, including non-executive directors. The course was divided into four episodes as follows.

Risk Awareness Course

Innovations to Enhance Risk Culture

The Company has leveraged innovations designed to enhance the efficiency of risk management and reporting that aligns with the Company’s Core Values. These improvements have streamlined workflows, simplified information retrieval, minimized paper consumption, and reduced the need for physical document storage, while fostering a strong risk-awareness culture. Notable examples include the following.

  • Utilizing an operational loss data report system to optimize the reporting process.
  • Having in place a reporting system for KRIs on operational risk via the internal SharePoint system. This system optimizes the reporting process, makes information collection more convenient, and ensures that relevant data is stored safely and efficiently.
  • Establishing an online platform for reporting various risk events, such as personal data breaches and equipment malfunctions in the workplace.
  • Deploying the KTC e-Library system, which allows employees to borrow e-Books, including resources focused on risk management.
  • Developing risk management training via an e-Learning platform, and mandating all employees to complete the course and the post-training assessment test.