Risk Management

Importance

AOT places strong emphasis on risk management as a key mechanism for supporting stable and sustainable airport business operations. The Company has implemented an integrated enterprise-wide risk management approach in line with internationally recognized practices, with the objective of achieving its strategic goals, enhancing business continuity, and strengthening confidence among all stakeholder groups.

Policy

Risk Management Policy

AOT has established comprehensive policies on risk management, internal control, and business continuity management to ensure that executives and employees at all relevant levels adopt and implement consistent practices across the organization. These policies are aligned with AOT’s enterprise plan, operational plans, and project management framework, as well as applicable laws, regulations, and organizational policies relevant to the Company’s operations.

The policies related to risk management, internal control, and business continuity management include:

In fiscal year 2025, AOT continuously reviewed and enhanced its risk management policy, with a focus on implementing integrated enterprise-wide risk management in alignment with good corporate governance principles and the organization’s core values, while strengthening value creation and operational resilience.

The policy establishes key implementation approaches as follows:

  • Defining risk management as the responsibility of all employees across the organization
  • Promoting the integration of corporate governance, risk management, and compliance (Integrated GRC) as part of day-to-day operations
  • Developing risk management and business continuity management systems in accordance with international standards, including COSO-ERM 2017 and ISO 22301:2019
  • Maintaining an appropriate balance between risks and returns within acceptable risk appetite levels
  • Continuously managing risks that may affect strategic objectives
    • Identifying risks comprehensively across the organization
    • Assessing likelihood and impacts, and managing risks within acceptable levels
    • Monitoring and reporting risks on a regular basis
  • Linking risk management practices with AOT’s “5 Hearts” core values and fostering a strong risk management culture
  • Continuously improving risk management and business continuity management systems, including the adoption of information technology to support reporting processes and operational efficiency


Management Approach

       AOT adopts the Three Lines of Defense principle in governing and controlling enterprise risk management operations to ensure alignment with the Company’s risk management framework. The structure consists of operational units (First Line), oversight and compliance functions (Second Line), and internal audit functions (Third Line). Each line of defense contributes to reducing and preventing risks, enabling the organization to achieve its objectives effectively while strengthening confidence among all stakeholder groups. The structure comprises the following levels:

  1. Board Level
    Role: Establish enterprise risk management policies and directions, including the organization’s Risk Appetite and Risk Tolerance levels, while overseeing risk management and internal audit functions to ensure transparency and accountability.
  2. Senior Management Level
    Role: Implement the organization’s risk management policy and framework, oversee and monitor risk management practices across all business units, and ensure that adequate resources, processes, and internal controls are in place to support effective risk management and business continuity throughout the organization.
  3. First Line: Operational Units
    Role: Act as “risk owners” by identifying and assessing risks, as well as designing and implementing risk control measures within their areas of responsibility as part of normal operational processes.
  4. Second Line: Oversight and Compliance Functions
    Role: Establish risk management frameworks and systems, provide technical guidance and support, and monitor the implementation of risk management practices by the First Line to ensure compliance with established frameworks and procedures.
  5. Third Line: Internal Audit Function
    Role: Operate independently and provide assurance to the Board of Directors that the risk management systems implemented by both the First Line and Second Line are functioning effectively.
AOT Risk Management Structure

AOT’s risk management structure comprises the following levels:

Board Level

  • Board of Directors of AOT
    The Board of Directors serves as the highest governing body responsible for overseeing and supporting enterprise-wide risk management to ensure its effectiveness across the organization. Oversight is carried out through two subcommittees appointed by the Board, namely the Risk Management Committee and the Audit Committee.
  • Risk Management Committee
    The Risk Management Committee is responsible for overseeing enterprise risk management operations, establishing risk management policies, frameworks, and guidelines, including the organization’s Risk Appetite and Risk Tolerance levels. The Committee also approves AOT’s enterprise risk management plans and performance results and reports them to the Board of Directors.
  • Audit Committee
    The Audit Committee is responsible for reviewing good corporate governance practices, internal control systems, and risk management systems to ensure that they are aligned with international standards and operate effectively, efficiently, and appropriately. The Committee receives audit reports directly from the Internal Audit Office and reports the results to the Board of Directors.

Senior Management Level

  • AOT Risk Management Working Committee
    The AOT Risk Management Working Committee, appointed by the Risk Management Committee, comprises the President of AOT as Chairperson, together with Executive Vice Presidents of each business line, Directors of all six airports, the Corporate Secretary, Assistant Executive Vice President–Legal Affairs, Assistant Executive Vice President–Strategy, and Director of the President Office.
    The Committee is responsible for translating AOT’s risk management policies, frameworks, and guidelines established by the Risk Management Committee into operational practices. It also reviews and endorses risk management plans and performance results before reporting them to the Risk Management Committee.

First Line: Operational Units

  • Risk Management and Internal Control Working Committees of Business Units, Offices, Departments, and Airports
    These committees, appointed by the President of AOT, are responsible for implementing risk management in accordance with the Company’s risk management policy, framework, and processes established by the Risk Management Committee and the AOT Risk Management Working Committee. They also monitor and report risk management performance for risks under their ownership (Risk Owner) to the AOT Risk Management Working Committee.
  • Internal Control and Risk Management Working Committees of Operational Units
    These committees are responsible for implementing risk management in accordance with the Company’s risk management policy and participating in risk management processes, including supporting the monitoring and reporting of risk management results to the Risk Management and Internal Control Working Committees of business units, offices, departments, and airports.

Second Line: Oversight and Compliance Functions

  • Risk Management Department
    The Risk Management Department, under the Strategy Division, serves as the organization’s center of expertise in risk management. Its responsibilities include establishing enterprise risk management frameworks, providing guidance and consultation, and promoting understanding of risk management processes across AOT’s operational units. The Department also fosters the integration of risk management into daily operations and organizational culture, while monitoring and reporting enterprise-level and business-unit-level risk management performance to the AOT Risk Management Working Committee and the Risk Management Committee.
  • Risk Agent
    Risk Agents assigned to all six airports are responsible for providing consultation, guidance, and understanding regarding risk management processes to operational units under their respective airports or business lines. They also support the collection and consolidation of airport risk management information for the Risk Management Department and monitor and report airport-level risk management performance to the respective airport or business-line working committees.

Third Line: Internal Audit Function

  • Internal Audit Office 
    The Internal Audit Office independently reviews the effectiveness of AOT’s risk management and internal control systems. It also provides recommendations and consultation to the Audit Committee, management, and operational units to promote effective, efficient, and compliant practices, while reporting audit results directly to the Audit Committee.

Key Operational Responsibilities

  • Highest operational-level executive responsible for risk management to ensure implementation in accordance with the established risk management policy
    Mr. Danai Puchada, Director of Risk Management Department
  • Highest operational-level executive responsible for internal audit
    Mr. Thanya Siangcharoen, Director of Internal Audit Office (served as Director of Internal Audit Office from 1 October 2020 – 30 September 2025)
    Ms. Sirinthorn Khambun, Director of Internal Audit Office (serving as Director of Internal Audit Office from 1 October 2025 – Present)

Risk Management Framework

AOT has developed the Risk Management Manual for Fiscal Year 2026 to serve as an integrated enterprise risk management guideline in alignment with the framework of the Committee of Sponsoring Organizations of the Treadway Commission – Enterprise Risk Management Integrating with Strategy and Performance (COSO-ERM 2017), the Ministry of Finance’s Criteria on Standards and Guidelines for Risk Management Practices for Government Agencies B.E. 2562 (2019), as well as guidelines issued by the Securities and Exchange Commission of Thailand (SEC).

The Company integrates risk management processes into the development of AOT’s enterprise plan and the management of significant projects to ensure timely and continuous management of risks and potential crises that may affect business operations. This approach also supports AOT in achieving its strategic objectives and organizational goals effectively.

Integrated enterprise risk management in accordance with the COSO-ERM 2017 framework consists of five components and twenty principles, as follows:

    1. Governance and Culture
    2. Strategy and Objective-Setting
    3. Performance
    4. Review and Revision
    5. Information, Communication, and Reporting
COSO-ERM 2017 Risk Management Framework

Risk Management Processes

        AOT has established a structured Risk Management Process to identify and analyze potential events, changes, or uncertainties—both internal and external—that may affect the organization’s operations. This process is conducted regularly twice a year as part of the Risk Exposure Review: one prior to the start of the fiscal year, and another as a mid-year review. Additional reviews are conducted immediately when significant changes that may impact AOT occur. 

1. Analysis of Potential Changes That May Affect AOT’s Operations (Uncertainty)

AOT has conducted an analysis of information derived from eight key areas of change, along with other relevant factors. The information obtained has been used to assess the severity of risk issues in terms of both Likelihood and Impact in order to determine appropriate risk management approaches and plans.

 

The results of this analysis are utilized in formulating risk management strategies, as well as enhancing the annual operational plan and organizational management guidelines to effectively respond to long-term changes. In addition, the analysis serves as an important foundation for supporting AOT’s future growth and risk management efforts.

AOT establishes and reviews Key Risk Indicators (KRIs) to identify and monitor significant risks that may affect the organization. The KRIs are designed to align with the organization’s strategic objectives and serve as tools for risk tracking, as well as early warning signs for potential significant risks in the future.

The KRIs are categorized into three levels to support analysis and decision-making for improving the risk management process. The establishment of KRIs enables AOT to effectively monitor and manage risks in alignment with the organization’s strategic objectives.

KRI levels by color:

  • Green
    Results of Key Risk Indicators (KRIs): KRI results meet the target
    Action: Monitor as scheduled
  • Yellow
    Results of Key Risk Indicators (KRIs): KRI results show signs of deviation from target
    Action: Review and improve existing control measures.
  • Red
    Results of Key Risk Indicators (KRIs): KRI results exceed the defined target threshold
    Action: Develop additional risk response plans and report to AOT Risk Management and Compliance Committee for policy-level.

3.1 Analysis of Potential Changes and Uncertainties Affecting AOT’s Operations

AOT has analyzed potential risks that the organization may encounter through the development of a Risk Universe as an input for preparing the Risk Management Plan. The analysis considered six key sources in accordance with the State Enterprise Assessment criteria on Core Business Enablers, Aspect 3: Risk Management & Internal Control (RM&IC), as follows:

    1. Laws and government policies
    2. Strategies
    3. Board and management policies (Tone at the Top)
    4. Supply Chain
    5. Key Performance Areas (KPAs) / Performance Agreement (PA)
    6. AOT’s enterprise risk factors from the previous fiscal year

Based on the Risk Universe information above, the identified risk issues will be assessed in terms of severity using the evaluation criteria for Likelihood (L) and Impact (I) in order to determine the level of risk severity should such events occur.

Impact Assessment Criteria, by score (1 to 5)

  • Service
    1. Risk occurs but does not affect service operations
    2. Risk occurs and has only a minor impact on service operations
    3. Risk occurs and affects service operations, resulting in complaints submitted to AOT
    4. Risk occurs and significantly affects service operations, resulting in complaints publicly disseminated through traditional and social media
    5. Risk occurs and causes service disruption
  • Support
    1. Risk occurs but operational or action plan objectives can still be achieved
    2. Risk occurs and has an insignificant impact on operational or action plan objectives
    3. Risk occurs and has a significant impact on operational or action plan objectives
    4. Risk occurs and results in failure to achieve operational or action plan objectives
    5. Risk occurs and results in cancellation of the operational or action plan
  • Safety
    1. Hazardous events occur with minor consequences
    2. Hazardous events occur resulting in:
      • Nuisance
      • Operational limitations
      • Use of emergency procedures
      • Minor incidents
    3. Hazardous events occur resulting in:
      • Reduced airport safety levels
      • Serious incidents
      • Multiple injuries
    4. Hazardous events occur resulting in:
      • Significantly reduced airport safety levels
      • Numerous serious injuries and fatalities
      • Severe equipment damage
    5. Hazardous events occur resulting in:
      • Multiple fatalities on a large scale
      • Equipment destruction
  • Security
    1. No acts of unlawful interference occur
      • Minor injuries requiring medical treatment
      • Very minor business or reputational impacts
    2. Acts of unlawful interference occur resulting in:
      • Several serious injuries or one fatality
      • Minor short-term service interruption
    3. Acts of unlawful interference occur resulting in:
      • Numerous serious injuries or some fatalities
      • Severe short-term service interruption
    4. Acts of unlawful interference occur resulting in:
      • Several fatalities
      • Medium- to long-term service interruption
    5. Acts of unlawful interference occur resulting in:
      • Large numbers of fatalities
      • Long-term service interruption and complete reputational damage
  • Reporting Accuracy
    1. No errors
    2. Minor non-material errors
    3. Errors with minor material impact on the report
    4. Errors with significant material impact on the report
    5. Errors affecting the credibility of the report
  • Timeliness
    1. Completed ahead of schedule
    2. Completed on schedule
    3. Completed slightly behind schedule
    4. Completed significantly behind schedule
    5. Completed behind schedule, affecting audits or operations of related entities
  • Compliance
    1. No violations of laws, regulations, rules, contracts, or agreements
    2. Minor non-compliance with laws, regulations, rules, contracts, or agreements
    3. Significant non-compliance with laws, regulations, rules, contracts, or agreements without causing damage
    4. Significant non-compliance with laws, regulations, rules, contracts, or agreements causing damage, but compensation can be negotiated
    5. Significant non-compliance with laws, regulations, rules, contracts, or agreements causing damage and potentially leading to legal action
  • Financial
    1. No expenses or compensation required
    2. Expenses or compensation incurred, but financial performance remains in line with targets
    3. Expenses or compensation incurred, resulting in profits below target
    4. Expenses or compensation incurred, resulting in profits lower than the previous year
    5. Expenses or compensation incurred, resulting in financial losses and critically low liquidity leading to business interruption
  • Reputation
    1. No impact on reputation or corporate image
    2. Damage to internal reputation or corporate image
    3. Damage to reputation or corporate image with negative publicity through social media and other channels spreading to limited domestic public media
    4. Damage to reputation or corporate image with negative publicity through social media and other channels escalating into a social issue in public media
    5. Damage to reputation or corporate image with widespread negative publicity through social media and other channels across both domestic and international public media

Risk issues assessed as having a high or very high level of severity will be subject to a review of the adequacy of control measures. The criteria for evaluating the effectiveness of control measures will be considered from three perspectives: (1) performance results compared with targets, (2) control measures, and (3) monitoring. If the evaluation result in any one of these perspectives scores below Level 3, the effectiveness of the control measures will be considered “inadequate.”

Since the severity level of the risk issue exceeds the organization’s acceptable risk threshold, regardless of whether the existing control measures are adequate, the risk issue will be further assessed for its organizational impact across four dimensions: (1) impact on strategic objectives or enterprise-level goals, (2) scope of impact propagation, (3) level of decision-making or governance required, and (4) impact on reputation and relationships with key stakeholders.

If the overall average assessment score is greater than or equal to 4, the risk issue will be selected as an enterprise risk factor. However, if the overall average score is below 4, the issue will be further considered as a Risk Universe issue at the division, department, office, or airport level.

To ensure effective enterprise risk management, Airports of Thailand Public Company Limited (AOT) has established goals and objectives as the starting point of its risk management process to provide reasonable assurance that risk management activities achieve the intended objectives. AOT defines its risk management objectives through the establishment of Risk Appetite (RA) and Risk Tolerance (RT) levels.

  • Risk Appetite (RA)
    The level of risk that the organization is willing to accept in order to achieve its objectives. This can be determined based on the organization’s overall objectives, including vision and mission, strategic objectives, and key performance indicators, as well as targets aligned with the agreement between the Government of Thailand and AOT. AOT defines its Risk Appetite (RA) in alignment with its mission and strategic objectives or the performance indicators specified in the State Enterprise Performance Agreement (PA), whichever is higher.
  • Risk Tolerance (RT)
    The acceptable level of deviation from the established objectives or Risk Appetite (RA), aligned with the organization’s acceptable risk level. Historical data and future projections may be used in determining the Risk Tolerance (RT). AOT defines its RT in alignment with the “Level 3” threshold of the performance indicators specified in the Performance Agreement (PA) or values approved by the AOT Board of Directors, whichever is lower.

Furthermore, AOT has established Risk Appetite (RA) and Risk Tolerance (RT) separately for four categories of risk: Strategic Risk, Operational Risk, Financial Risk, and Compliance Risk.

In addition to establishing risk management goals and objectives, AOT has also conducted root cause analysis by considering factors or causes that may give rise to risks, including both internal organizational factors and limitations or uncertainties arising from external factors. In this regard, Risk Owners are assigned to identify and analyze the causes of relevant risk factors in order to determine appropriate and effective risk management approaches.

Following the completion of the root cause analysis, the Risk Management Department, together with the Risk Owners, identified the existing controls, which refer to plans or activities already implemented to help reduce the severity level of each risk cause. The severity level of each individual risk cause was then assessed to determine which risk causes still remained above the organization’s acceptable risk level despite the implementation of existing controls.

For risk causes that continue to exceed the acceptable risk level, additional risk mitigation plans must be developed. These mitigation plans consist of new plans or activities that have not previously been implemented and are intended to serve as supplementary measures to further reduce risk levels. This process is designed to ensure that the overall risk severity, after implementing both existing controls and additional mitigation plans, is reduced to a level acceptable to the organization.

AOT conducts risk analysis and prioritization by considering the likelihood and impact levels of risks through the use of a Risk Profile to assess the severity level of risks. This assessment is based on historical statistical data, operational performance data, as well as trend analysis and future forecasting to ensure that the assessment criteria are appropriate, aligned with the operational context, and reflective of the organization’s actual risk exposure.

In addition, the risk assessment criteria are established in alignment with organizational objectives, laws and regulations, Key Performance Indicators (KPIs), operational performance results, and other critical factors affecting operations, including the organization’s acceptable risk level (Risk Boundary). This ensures that the assessment results can be effectively utilized in preparing appropriate risk management actions or control measures for potential risks and in reducing impacts to an acceptable level.

In assessing risk severity levels, AOT has established three levels of risk assessment to support risk analysis, monitoring, and management in alignment with the organization’s acceptable risk level, as follows:

  • Inherent Risk Assessment
    This refers to the assessment of the level of risk inherently associated with business operations or activities, both current and future, prior to the implementation of any control measures. (In the illustration, this is represented by the blue bar.)
  • Residual Risk Assessment
    This refers to the assessment of the remaining level of risk after existing control measures have been implemented to reduce the likelihood or impact of risks. Examples include the preparation of action plans or operational plans to support the achievement of organizational objectives, as well as the improvement of operational activities to ensure effective process control. (In the illustration, this is represented by the red bar.)
  • Target Risk Determination
    This refers to the establishment of the desired level of risk after implementing existing control measures and additional risk mitigation plans (if any), taking into consideration the acceptable risk level. (In the illustration, this is represented by the green bar.)

AOT has established four risk response approaches: (1) Risk Acceptance (Take/Acceptance), (2) Risk Reduction (Treat/Reduction), (3) Risk Transfer (Transfer/Sharing), and (4) Risk Avoidance (Terminate/Avoidance). These approaches serve as guidelines for managing risks appropriately in accordance with the context and severity level of each risk.

In cases where the Residual Risk level exceeds the organization’s acceptable risk level, particularly for risks classified as High (orange) and Very High (red), the Risk Owner is required to consider and select the most appropriate risk response approach by taking into account the cost-effectiveness and efficiency of the measures to be implemented for managing such risks.

The selection of risk response approaches is based on a Cost and Benefit Analysis (CBA), considering at least two alternative options in both monetary and non-monetary terms, in order to support decision-making and identify the most appropriate and cost-effective measures. The organization may choose to apply a single risk response approach or a combination of approaches to effectively reduce the likelihood and/or impact of risks to a level acceptable to the organization.

In addition, AOT requires the preparation of additional risk mitigation plans for cases where further measures beyond existing controls are necessary to reduce risk levels to within the organization’s acceptable range. Such plans must clearly demonstrate that, upon full implementation, they will effectively reduce the likelihood of occurrence and/or mitigate the impacts of the identified risk factors in a concrete and measurable manner, with outcomes that can be clearly monitored and evaluated.

AOT requires the monitoring and reporting of enterprise-level risks as well as risks at the division, department, office, and airport levels on a quarterly basis, or immediately upon the occurrence of any significant event that may materially affect AOT.

To support this process, AOT prepares an annual risk management reporting plan through the operational plan of the Risk Management Division under the Risk Management Department. The plan is communicated to Risk Owners and personnel responsible for risk management, internal control, and business continuity management functions (Risk Agents) during meetings of the AOT Risk Management Working Committee (AOT-RMC).

This reporting framework serves as the timeline and guideline for Risk Owners and Risk Agents to report risk management results to the AOT Risk Management Working Committee (AOT-RMC) and the Risk Management Committee (RMC), respectively.

AOT’s risk management system is aligned with the framework of The Committee of Sponsoring Organizations of the Treadway Commission – Enterprise Risk Management Integrating with Strategy and Performance (COSO-ERM 2017), as well as the Business Continuity Management System (BCMS) framework in accordance with the international standard ISO 22301:2019 – Security and Resilience – Business Continuity Management Systems Requirements.

Risk management processes are integrated into the preparation of AOT’s Enterprise Plan and the management of significant projects to ensure that risks and potential disasters that may affect AOT’s business operations can be managed in a timely and continuous manner. This also supports AOT in achieving its established objectives and targets.

AOT has established BCMS processes and operational procedures that are linked and aligned with the strategies set out in the AOT Enterprise Plan. These processes are developed with reference to the nature of the business, organizational context, vision, strategies, SWOT analysis results, and critical business processes in order to define the scope of the BCMS to comprehensively cover AOT Headquarters and all six AOT airports.

AOT conducts Business Impact Analysis (BIA), risk assessments, prepares Business Continuity Plans (BCP), and carries out annual plan exercises in collaboration with relevant external agencies. In addition, AOT places importance on promoting knowledge, understanding, and awareness of BCMS among executives and employees through regular training programs and communication campaigns. These efforts help reinforce stakeholder confidence that AOT is well prepared to respond to emergency situations and capable of restoring critical services to normal operations in a timely manner.

AOT has continuously improved and enhanced the Business Continuity Management System (BCMS) of AOT Headquarters and all six AOT airports. The organization has successfully undergone recertification audits for BCMS: ISO 22301:2019 conducted by an accredited Certification Body (CB), with the certification valid for a three-year period from fiscal years 2025 to 2028.

This certification provides assurance that AOT Headquarters and all six AOT airports have fully implemented the BCMS in compliance with all requirements specified under ISO 22301:2019.


Operational Practices

In fiscal year 2025, AOT implemented a systematic enterprise risk management process by assessing and prioritizing risks identified by responsible business units in order to establish appropriate risk mitigation and control measures in line with acceptable risk levels.

Examples of significant risk issues and their management approaches are presented in the following table.

  • Strategic and Sustainability Risk (RF5)
    Risk Level Before Mitigation: 6 (Likelihood 2, Impact 3)
    Risk Level After Mitigation: 4 (Likelihood 2, Impact 2)
    Risk Description: Risks associated with ESG operations that require continuous enhancement to meet stakeholders’ expectations and increasingly stringent sustainability standards. AOT aims to achieve a sustainability stock assessment rating of AA, with A being the minimum acceptable level.
    Risk Management Measures:
      1. Prepare and ensure the readiness of information required for sustainability assessments.
      2. Develop personnel capabilities and enhance understanding of sustainability-related operations.
      3. Obtain external assurance for sustainability performance indicators.
  • Compliance and Technology Risk (RF7)
    Risk Level Before Mitigation: 20 (Likelihood 4, Impact 5)
    Risk Level After Mitigation: 2 (Likelihood 1, Impact 2)
    Risk Description: Information and information technology system security risks within the organization. AOT recognizes the risks posed by cyber threats and focuses on preventing, detecting, and minimizing the impacts of information security incidents to avoid disruptions to systems and service delivery.
    Risk Management Measures: Establish and implement an Information Security Management System (ISMS) in accordance with ISO/IEC 27001, alongside the development of an Information Technology Business Continuity Plan (IT BCP), while continuously enhancing personnel capabilities in Cybersecurity and ISMS.

Emerging Risks

Emerging risks represent challenges arising from various changes that may pose risks to airport business operations and could significantly impact the airport business and society across different contexts depending on each risk issue. These risks encompass environmental, social, and governance factors, such as climate change, resource scarcity, regulatory changes, and technological disruptions, as well as international conflicts and political polarization.

Managing emerging risks requires proactive strategies to ensure resilience, mitigate potential adverse impacts, and capitalize on opportunities for sustainable growth. Identifying and addressing these risks enables the organization to better align with global sustainability goals and preserve long-term business value.

Geopolitical Risk and Energy Cost Impact

Description
Ongoing geopolitical tensions, including international conflicts, trade wars, and political polarization among major global powers, have affected energy systems and aviation supply chains worldwide. Fluctuations in energy prices caused by these geopolitical factors represent external risks that significantly impact operational cost structures, including airport energy consumption costs and airline fuel costs, which in turn affect flight frequency and passenger volume.

At the same time, pressure from the global energy transition movement, including Net Zero commitments and the shift toward Sustainable Aviation Fuel (SAF), has increased the complexity of long-term cost management.

This is consistent with the FY2025 risk factor assessment, which identified “geopolitical conflicts and international trade wars” as one of AOT’s key risks (SWOT: T1).

Impact
The impacts of this risk can be divided into two levels:

1. Operational Level:
Energy price volatility directly affects airport operating costs, including electricity, air-conditioning systems, and utilities required for large passenger terminal buildings. In addition, if aviation fuel prices surge due to geopolitical events, airlines may reduce flight frequency or cancel routes, resulting in lower passenger and flight volumes. This would impact AOT’s core revenues, including aeronautical charges and commercial revenues within airports.

Trade barriers and restrictions may also reduce air cargo transportation volumes. Meanwhile, geopolitical uncertainty may weaken confidence among key business partners and lead to more cautious investment decisions in the aviation industry.

2. Strategic Level:
Delays in transitioning toward clean energy may cause AOT to lose competitive advantages and face stricter environmental regulations from international civil aviation organizations in the future.

Mitigation Actions
  • Accelerate the implementation of solar power generation projects (Solar Farm) at Suvarnabhumi Airport and expand to other airports to reduce dependence on external energy sources and mitigate risks from energy price volatility.
  • Closely monitor geopolitical developments and their impacts on flight routes while implementing aviation market incentive schemes to maintain flight volumes during affected periods.
  • Promote environmentally friendly airport development in line with decarbonization and clean energy trends, creating opportunities for long-term energy cost reduction and strengthening corporate image.
  • Assess and prepare for compliance with SAF standards and increasingly stringent international carbon emission regulations to ensure timely adaptation to future changes.

Cyber Threats and AI Disruption

Description
AOT operates six major airports in Thailand, with massive volumes of passenger and flight data continuously flowing through digital systems. As a result, AOT relies heavily on digital infrastructure for airport operations.

Highly connected digital systems inevitably increase exposure to cyberattacks that may cause severe operational disruption and damage. This risk consists of two interconnected dimensions:

First Dimension: AI-driven cyberattacks
Attackers increasingly use Artificial Intelligence (AI) to enhance the scale, speed, and sophistication of cyberattacks, making threats more advanced than traditional attack methods. This represents an external risk beyond AOT’s direct control.

Second Dimension: AI disruption in the aviation industry
Advances in AI are rapidly transforming airport operations worldwide. If AOT cannot adapt and effectively adopt AI technologies in a timely manner, it may affect competitiveness, service quality, and operational efficiency in the long term, as well as investor and shareholder confidence. This aligns with SWOT (W1), which identifies limitations in AOT’s ability to manage services and innovations competitively against leading global airport operators.

Impact
The impacts can be categorized into two levels:

1. Operational Level:
Critical systems may become targets of AI-powered cyberattacks, including air traffic systems, self-check-in systems, baggage handling systems, and flight information display systems. Attacks on these critical service systems could immediately disrupt operations, resulting in service suspension and flight delays.

AOT may also face risks related to unauthorized access to sensitive data, misinformation, and data manipulation, which could negatively affect passengers and damage stakeholder confidence.

2. Strategic Level:
If sensitive organizational data is exposed, or if AOT adapts to AI disruption more slowly than competitors, it may result in a loss of passenger and investor confidence, competitive disadvantages, and the need for urgent business strategy adjustments.

Mitigation Actions
  • Implement cybersecurity enhancement plans and develop an Information Security Management System (ISMS) in accordance with ISO/IEC 27001 standards.
  • Install firewall systems, enforce strong password policies, and implement Two-Factor Authentication (2FA) organization-wide to strengthen cybersecurity protection for AOT’s computer systems and networks.
  • Continuously develop personnel capabilities in cybersecurity skills.
  • Establish cyber threat response plans, data backup systems, and Disaster Recovery Plans (DRP).

AI Disruption Response
  • Integrate digital technologies and AI into operational processes through the AOT Digital Platform to enhance service efficiency and organizational management (Strategy 7.2: Digital Transformation).
  • Develop employee capabilities in Digital Competency and AI Literacy to enable the organization to utilize AI responsibly and effectively.

Risk Culture Promotion

AOT places importance on fostering an organizational environment and culture that supports systematic and continuous risk management in order to embed risk management into operational processes and decision-making at all levels of the organization. The Company adopts the Deloitte Risk Culture Framework as a guiding principle for cultivating risk culture, while also defining appropriate risk-related expected behaviors for the Board of Directors, executives, and employees within each target group. This approach aims to promote behaviors and work practices that align with AOT’s corporate values and operational objectives in an efficient and sustainable manner.

In addition, AOT has implemented activities to promote and strengthen a tangible risk management culture throughout the organization, including:

  1. Enhancing awareness and understanding through the development of communication materials, knowledge-sharing media, and ongoing engagement activities related to risk management; and
  2. Organizing training programs to strengthen knowledge, understanding, and skills in risk management in order to enhance personnel capabilities, enabling employees to manage risks appropriately and effectively in alignment with the organization’s current operational context.
Risk Culture Promotion Activities in FY2025

Strengthen Risk Awareness (Risk Management Education)

AOT has defined desired risk-related behaviors under the “3A” concept to promote organizational values and drive a comprehensive risk management culture across the organization. This initiative aims to ensure that the Board of Directors, executives, and employees at all levels demonstrate work behaviors that align with the organization’s risk management approach. The details are as follows:

Furthermore, AOT has integrated risk considerations into its service development processes and established risk-related performance indicators for relevant departments, which directly influence financial incentives. In fiscal year 2025, AOT also implemented various projects and initiatives to continuously and concretely promote risk awareness, enhance understanding, and encourage risk-conscious behaviors among executives and employees at all levels in accordance with the organization’s expectations. These initiatives were jointly carried out by the Strategy Division and the Human Resources and Administration Division. Key activities included the following:

1) Risk, Internal Control, and Business Continuity Exhibition Project (Risk Day 2025)

Objective: To enhance awareness among targeted AOT executives and employees regarding desired risk management behaviors, internal control, and business continuity management under the “3A” concept. The initiative aims to ensure that all target groups are able to communicate and apply these behaviors within their respective units, ultimately fostering a risk culture aligned with the organization’s Core Values.

2) AOT Core Values Day 2025: Embracing DEI&B Activity Project

Objective: To promote knowledge and understanding of the DEI&B concept in supporting organizational values and culture, as well as to facilitate the exchange of experiences related to AOT’s core values and organizational culture among AOT personnel. The initiative also aims to enhance awareness among executives, employees, and staff regarding the importance of organizational values and culture as a fundamental foundation for operational practices and organizational development in support of achieving AOT’s vision.

3) Dissemination of AOT Risk Management Communication Materials through the AOTStaff Application

Objective: To enable employees at all levels to access accurate, timely, and up-to-date information regarding risk issues, management approaches, and related measures. The initiative also aims to encourage employees to recognize the importance of risk management and continuously apply risk management principles in their daily work practices.

In addition, AOT conducts annual surveys on employees’ levels of awareness and understanding of risk management in order to assess the effectiveness of risk management communication and information dissemination through various channels, both internal and external to the organization. The survey results are also utilized to further develop and improve communication formats and channels, with the aim of continuously enhancing awareness, understanding, and an effective risk management culture throughout the organization.

Risk-Focused Training

AOT organized training programs and activities to enhance participants’ skills and expertise in risk management and compliance with prescribed operational guidelines. These initiatives aimed to prepare all six airports for international standard assessments, while also promoting understanding and raising awareness of risk management among personnel at all organizational levels.

Risk Management Training Programs and Participants

Program: Training Program on “AOT Risk Management Knowledge through the e-Learning System”
Participants: Executives and employees at all levels

Program: Workshop on AOT Risk Management Process and Risk Management Plan Preparation
Course 2
Participants: Departments, divisions, offices, and airports responsible for AOT enterprise risk factors for Fiscal Year 2026

Program: Lectures on Risk Management under two personnel development programs:
  • Junior Airport Management Program (4 batches)
  • Intermediate Airport Management Program (2 batches)
  • Course 2
Participants: Employees at Levels 4–6

Program: Workshop Training Program on “Lead Internal Auditor Development for Business Continuity Management System (BCMS) in accordance with ISO 22301:2019” for Fiscal Year 2025, aimed at developing BCMS lead internal auditors certified by internationally recognized institutions, namely the Chartered Quality Institute (CQI) and the International Register of Certificated Auditors (IRCA)
Participants: Personnel responsible for Business Continuity Management at AOT Headquarters and all six airports (Risk Agents) with at least one year of BCMS experience

Program: Workshop Training Programs related to BCMS Internal Control and BCMS in accordance with ISO 22301:2019 for Fiscal Year 2025, including key courses as follows:
  • Assessment and Improvement of Business Impact Analysis and Risk Assessment Results
  • Enhancing Awareness and Consciousness of Business Continuity Management
  • Development of BCMS Internal Auditors in accordance with ISO 22301:2019 (Theoretical Session)
  • BCMS Internal Audit in accordance with ISO 22301:2019 (Practical Session)
Participants:
  • Employees involved in BCMS operations
  • AOT employees
  • BCMS Internal Audit Committee Members

Last reviewed 27/02/2026