Risk Management

AOT establishes and reviews Key Risk Indicators (KRIs) twice annually on a continual basis to identify and monitor key risks that may affect the organization. These KRIs are designed to align with AOT’s strategic objectives and function as tools for risk tracking and early warning signals in cases of potential future risks. KRIs are categorized into two groups:
- Operational KRIs, which cover AOT’s core operations
- Management KRIs, which are linked to internal management processes.
Each KRI is assessed using a three-tier indicator system, and the results are presented on a KRIs Dashboard for analysis and decision-making in improving risk management processes. The establishment of KRIs enables AOT to effectively monitor and manage risks in alignment with its strategic goals.

1. 3.1 Risk Universe Analysis +

   In the risk assessment phase of risk management operations, AOT has developed a comprehensive Risk Universe as a database of potential risk factors. This analysis is based on 13 identified sources, aligned with the updated 2023 assessment criteria for Core Business Enablers under the State Enterprise Assessment Model (SE-AM), specifically Dimension 3: Risk Management and Internal Control (RM & IC). The 13 sources are as follows:
   
   

   1. 1. AOT’s enterprise-level risk factors from the previous fiscal year with unsatisfactory risk management results
   2. 2. Organizational environment analysis (SWOT Analysis)
   3. 3. Strategic Objective (SO) indicators and targets
   4. 4. Strategic Challenges (SC)
   5. 5. Indicators under the AOT Corporate Plan
   6. 6. Value Driver
   7. 7. Indicators and targets under the draft Performance Agreement (PA) between AOT and the State Enterprise Policy Office (SEPO) for FY2024, and the actual/forecasted results from FY2023 PA that did not meet performance targets
   8. 8. Policies set by the Board of Directors (Board Policy)
   9. 9. Action Plans, Work Plans, and Public-Private Partnership (PPP) projects
   10. 10. Results from Uncertainty Analysis regarding emerging risks affecting AOT operations
   11. 11. Intelligence Risk Assessment for business opportunity identification
   12. 12. Stakeholder Management
   13. 13. Results of the organization-wide Control Self-Assessment (CSA)

   Criteria for Risk Universe Assessment and Analysis
   Risk Universe with a 1–2-Year Time Horizon:	Risk factors that AOT may face within the next 1–2 years are considered as key inputs for the development of the annual Risk Management Plan. These are assessed alongside the Effectiveness Evaluation Criteria of Control Measures. Control effectiveness is deemed "insufficient" if the evaluation result scores below level 3 in any assessed dimension. If a risk issue is evaluated as "sufficient", it will be monitored by the relevant department. In contrast, risk issues evaluated as "insufficient" will be included as inputs in the development of AOT’s Risk Management Plan.
   Risk Universe with a Time Horizon of Over 3 Years:	The Risk Management Department will analyze and categorize these risk issues as potential Uncertainty that could impact AOT’s operations. These issues will be submitted to the Corporate Planning Department as key inputs for the review of AOT’s Corporate Plan.

   
   
   

   • Strategic Risk Refers to the risk of financial loss or loss of competitive capability resulting from inappropriate strategic decision-making processes.
   • Operational RiskRefers to the risk that may affect the organization’s operations due to failures arising from personnel, systems, or internal processes.
   • Financial RiskRefers to the risk arising from volatility in financial variables such as exchange rates, interest rates, liquidity, and commodity prices, which can lead to financial losses.
   • Compliance Risk)Refers to the risk arising from violations or failures to comply with established policies, procedures, or controls intended to align with relevant regulations, contractual obligations, and applicable laws governing the organization’s operations.
   • Human Capital RiskRefers to the gap between the organization's goals and employees' capabilities, which may hinder the achievement of targets. This may stem from either intentional or unintentional employee actions, such as underperformance or lack of required competencies.
   • Safety Risk Refers to the risk resulting from unintentional human actions or process failures that may cause harm to individuals or damage to property.
   • Security RiskRefers to unlawful or intentional acts of interference that may result in harm to individuals, damage to property, prolonged service disruptions, or reputational damage.
   • Hazard and Environmental RiskRefers to the risk arising from natural or man-made hazards, such as floods, pandemics, or acts of terrorism, which may affect business operations.
   • Fraud RiskRefers to the risk of deliberate actions undertaken to obtain unlawful benefits for oneself or others (e.g., family members), typically involving deception or abuse of power.
   • IT RiskRefers to the risk arising from events that may cause damage to AOT’s IT assets or information, such as data corruption from malware, failure of core server systems, or unauthorized access to sensitive information.
   • Reputation RiskRefers to the risk arising from events that may negatively affect AOT’s image, leading to public criticism and potential reputational damage.
   • Emerging RiskRefers to the risk of potential future loss arising from factors not currently manifested but which may occur due to changing circumstances. These risks often emerge slowly, are difficult to identify, and occur infrequently—but when they do, the impact is often severe. Emerging risks are typically identified through forecasting based on existing evidence and are often associated with political, legal, social, technological, physical environmental, or natural changes. In some cases, the impact of such risks cannot yet be determined. Examples include risks associated with nanotechnology, climate change, and emerging infectious diseases.

   Note: Risks identified from both internal and external environmental analysis can support value creation for the organization. This refers to risk management that helps minimize the “loss of business opportunities,” enabling the organization to transform crises or adverse events into opportunities that enhance competitive advantage. Business opportunities are identified through the organization’s SWOT analysis and further assessed to identify associated risk factors. These factors are then integrated into the risk management process to reduce the overall risk level.

2. 2. Identification of Corporate Risk Factors (Identifies Risk)+
   

   Corporate risk factors are selected based on short-term risk issues (within 1–2 years) extracted from the Risk Universe, particularly those assessed as having “insufficient” effectiveness of control measures. These risk issues are compiled and analyzed to identify AOT’s corporate risk factors, taking into consideration:
   

   - Their impact on the Strategic Objectives
   - Their effect on key Work Processes
   - Their potential to act as root causes or common root causes of other risks.
   
   Risk issues assessed as having a moderate (yellow) or high (red) impact level will be selected as AOT's corporate risk factors. Risk issues assessed as low (green) will be managed through internal control processes.
   
   Based on the selected corporate risk factors, the Risk Management Department, in collaboration with the relevant Risk Owners, prepares detailed risk management plans for each corporate risk factor for the fiscal year 2024. This process includes key steps such as:
   - Strategy and Objectives Setting for risk management
   - Development of a Risk Correlation Map

3. 3. Strategy and Objectives Setting in Risk Management +

   To ensure effective organizational risk management, AOT initiates its risk management efforts with the clear articulation of goals and objectives, which serve as the foundation for risk management implementation. This approach supports the achievement of risk management targets in a rational and structured manner. The objectives are defined across several levels:
   - Corporate level: including Vision and Mission, leading to overall corporate objectives
   - Departmental level: objectives or targets set for each division and department
   - Process and project level: objectives defined for specific operational processes or projects
   
   AOT defines risk management targets through two levels of risk thresholds:
   -Risk Appetite (RA): the level of risk the organization is willing to accept in pursuit of its objectives
   - Risk Tolerance (RT): the acceptable level of deviation from the defined risk appetite
   
   In general, achieving organizational objectives and expected returns may require the acceptance of certain levels of risk. By setting a risk appetite, AOT can determine what types of risk, in what form, and at what magnitude the organization is prepared to accept in order to accomplish its goals.

   Risk Appetite: RA

   Risk Appetite refers to the overall level of risk (Board-Based Amount) that the organization is willing to accept in pursuing its vision and mission. It may be defined as a single target value or a range, and should align with the organization’s strategic goals. The determination of the risk appetite is typically the responsibility of senior management, under the oversight of the organization’s executive board.

   Risk Tolerance: RT

   Risk Tolerance must be defined in alignment with the organization’s Risk Appetite. It may be specified in financial projections or in the organization’s annual Performance Agreement (PA). In cases where no such specification exists, the tolerance level should be determined and approved by senior management and the organization’s executive board.

4. 4. Root Cause Analysis : RCA+
   
   

   In addition to setting strategic objectives and targets for risk management, AOT conducts root cause analysis to identify the sources of risk, categorized into internal factors and external uncertainties. The analysis is performed by designated Risk Owners through the following methods: นี้
   
   

   1. • Operational Staff Identification: Risk causes are identified by operational staff, who possess the relevant knowledge and understanding of the work processes and are best positioned to recognize risk events and their sources.
   2. • Interviews or Risk Perception Surveys: Since staff may not always be aware of their own risk sources, collecting perspectives from others through interviews and questionnaires can help reveal more comprehensive causes. Data collected from such methods can serve as a basis for discussions during risk workshops.
   3. • Process Flow Analysis: Understanding current operations and best practices helps identify potential risk causes. This is often done using process maps, process descriptions, or both.
   4. • Workshops: Workshops are a widely used method for risk cause identification and should be facilitated by experienced coordinators to ensure that objectives are met within the given process and timeframe. It is essential to select participants with relevant knowledge and engagement in the process or issue being discussed.
5. 5. Existing Control and Mitigation Plan+
   

   Mitigation Plan AOT’s enterprise risk management includes the development of plans or measures to control and mitigate risks to an acceptable level, as defined by the organization’s strategic objectives and targets. These actions are implemented by the respective departments and units. Concurrently, an assessment of the adequacy of existing controls is conducted for each identified risk cause. The assessment is based on three dimensions:
   - Performance against objectives
   - Control processes
   - Monitoring mechanisms
   If any of these dimensions receive a rating below Level 3, indicating inadequacy, the risk will require the development of a Mitigation Plan to ensure that the risk is controlled within the acceptable level

6. 6. Risk Assessment+
   

   AOT conducts risk assessment by prioritizing identified risks through the evaluation of their likelihood of occurrence and potential impact. This process is visualized using a Risk Matrix, which helps identify risks with a high probability of occurring and significantly affecting AOT’s operations. Risk prioritization may be based on historical statistical data or future forecasts, and the assessment criteria are set accordingly. These criteria are aligned with factors such as:
   - Organizational objectives
   - Applicable laws and regulations
   - Key performance indicators (KPIs)
   - Actual performance outcomes
   - Critical factors impacting operations
   The outcome of the risk assessment supports AOT in preparing appropriate control measures or risk mitigation strategies to minimize potential adverse effects to an acceptable level.

   
7. 7. Risk Response+

   For risk factors with current control measures assessed as “inadequate,” a Mitigation Plan must be developed. This plan refers to new actions that must be initiated by the responsible units to bring the risk level within an acceptable range. However, the organization must evaluate the cost-effectiveness of the selected risk response measures, considering whether they are worthwhile relative to the acceptable risk level. The Risk Owner is required to conduct a Cost and Benefit Analysis (CBA)—both in monetary and non-monetary terms—to ensure the effectiveness of the risk management approach. The organization may choose one or more types of risk responses in combination, with the objective of reducing the likelihood and/or impact of the risk event to an acceptable level.

8. 8. Risk Correlation Map+

   The Risk Correlation Map is a visual representation of the relationships among risk factors and their impacts—both quantitative and qualitative—on the organization’s strategic objectives. This tool enhances the effectiveness of risk management planning by ensuring that all relevant risk factors are comprehensively addressed. Once risk factors and their root causes have been identified, assessed, and response strategies have been analyzed, the Risk Management Department conducts a comprehensive review of all identified risk factors and develops a Risk Correlation Map. This map includes each risk factor, its underlying causes, and assigned weightings. It serves as the basis for evaluating and analyzing the interrelationships among all risks, illustrating the potential impacts and severity levels of each risk cause.

9. 9. Monitoring and Reporting of Risk Management Performance (Reporting)+

   AOT Risk Management Performance Reporting Plan for Fiscal Year 2024
   
   
   Airports of Thailand Public Company Limited (AOT) has established a structured risk management performance reporting plan for Fiscal Year 2024, which encompasses the monitoring of risk levels, the implementation results of existing control measures, and the development of additional risk management plans. This ensures that the risk management process remains effective and appropriate, with the flexibility to adapt should the additional measures prove insufficient.
   Risk Owners are responsible for reporting the outcomes of organizational and airport-level risk management activities. This includes progress updates on existing control measures, newly proposed risk mitigation plans (if any), and a quarterly assessment of risk severity based on likelihood and impact. In cases of significant change, immediate reporting is also required via the “AOT Risk Management Performance Report Form (Form RM-2).”
   Risk Agents and secretaries of the Risk Management Working Committee (RMWC) at the line, department, and airport levels are tasked with compiling and analyzing the results. These are then submitted to their respective RMWCs for review and endorsement before being forwarded to AOT’s Corporate RMWC and the AOT Risk Management Committee (RMC) for acknowledgement.
   To facilitate this process, the Risk Management Division has formulated an operational plan for FY 2024 and communicated it to Risk Owners and personnel responsible for risk management, internal control, and business continuity (Risk Agents) during a dedicated briefing session held on 11 October 2023. This session was conducted to ensure all parties understand and follow the specified timeline and reporting procedures to support AOT’s integrated risk management framework.
   

   ตัวอย่างการรายงานผลการดำเนินงานด้านความเสี่ยงให้แก่คณะกรรมการ 2567