Risk Management

Importance

AOT places strong emphasis on risk management as a key mechanism for supporting stable and sustainable airport business operations. The Company has implemented an integrated enterprise-wide risk management approach in line with internationally recognized practices, with the objective of achieving its strategic goals, enhancing business continuity, and strengthening confidence among all stakeholder groups.

Policy

Risk Management Policy

AOT has established comprehensive policies on risk management, internal control, and business continuity management to ensure that executives and employees at all relevant levels adopt and implement consistent practices across the organization. These policies are aligned with AOT’s enterprise plan, operational plans, and project management framework, as well as applicable laws, regulations, and organizational policies relevant to the Company’s operations.

The policies related to risk management, internal control, and business continuity management include:

  • AOT Risk Management Policy
  • AOT Integrated Governance, Risk Management, and Compliance (GRC) Policy
  • Business Continuity Management Policy
  • Internal Control Policy

In fiscal year 2025, AOT continuously reviewed and enhanced its risk management policy, with a focus on implementing integrated enterprise-wide risk management in alignment with good corporate governance principles and the organization’s core values, while strengthening value creation and operational resilience.

The policy establishes key implementation approaches as follows:

  • Defining risk management as the responsibility of all employees across the organization
  • Promoting the integration of corporate governance, risk management, and compliance (Integrated GRC) as part of day-to-day operations
  • Developing risk management and business continuity management systems in accordance with international standards, including COSO-ERM 2017 and ISO 22301:2019
  • Maintaining an appropriate balance between risks and returns within acceptable risk appetite levels
  • Continuously managing risks that may affect strategic objectives
    • Identifying risks comprehensively across the organization
    • Assessing likelihood and impacts, and managing risks within acceptable levels
    • Monitoring and reporting risks on a regular basis
  • Linking risk management practices with AOT’s “5 Hearts” core values and fostering a strong risk management culture
  • Continuously improving risk management and business continuity management systems, including the adoption of information technology to support reporting processes and operational efficiency

Management Approach

AOT adopts the Three Lines of Defense principle in governing and controlling enterprise risk management operations to ensure alignment with the Company’s risk management framework. The structure consists of operational units (First Line), oversight and compliance functions (Second Line), and internal audit functions (Third Line). Each line of defense contributes to reducing and preventing risks, enabling the organization to achieve its objectives effectively while strengthening confidence among all stakeholder groups. The structure comprises the following levels:

  1. Board Level
    Role: Establish enterprise risk management policies and directions, including the organization’s Risk Appetite and Risk Tolerance levels, while overseeing risk management and internal audit functions to ensure transparency and accountability.
  2. Senior Management Level
    Role: Implement the organization’s risk management policy and framework, oversee and monitor risk management practices across all business units, and ensure that adequate resources, processes, and internal controls are in place to support effective risk management and business continuity throughout the organization.
  3. First Line: Operational Units
    Role: Act as “risk owners” by identifying and assessing risks, as well as designing and implementing risk control measures within their areas of responsibility as part of normal operational processes.
  4. Second Line: Oversight and Compliance Functions
    Role: Establish risk management frameworks and systems, provide technical guidance and support, and monitor the implementation of risk management practices by the First Line to ensure compliance with established frameworks and procedures.
  5. Third Line: Internal Audit Function
    Role: Operate independently and provide assurance to the Board of Directors that the risk management systems implemented by both the First Line and Second Line are functioning effectively.

AOT Risk Management Structure

AOT’s risk management structure comprises the following levels:

Board Level

  • Board of Directors of AOT
    The Board of Directors serves as the highest governing body responsible for overseeing and supporting enterprise-wide risk management to ensure its effectiveness across the organization. Oversight is carried out through two subcommittees appointed by the Board, namely the Risk Management Committee and the Audit Committee.
  • Risk Management Committee
    The Risk Management Committee is responsible for overseeing enterprise risk management operations, establishing risk management policies, frameworks, and guidelines, including the organization’s Risk Appetite and Risk Tolerance levels. The Committee also approves AOT’s enterprise risk management plans and performance results and reports them to the Board of Directors.
  • Audit Committee
    The Audit Committee is responsible for reviewing good corporate governance practices, internal control systems, and risk management systems to ensure that they are aligned with international standards and operate effectively, efficiently, and appropriately. The Committee receives audit reports directly from the Internal Audit Office and reports the results to the Board of Directors.

Senior Management Level

  • AOT Risk Management Working Committee
    The AOT Risk Management Working Committee, appointed by the Risk Management Committee, comprises the President of AOT as Chairperson, together with Executive Vice Presidents of each business line, Directors of all six airports, the Corporate Secretary, Assistant Executive Vice President–Legal Affairs, Assistant Executive Vice President–Strategy, and Director of the President Office.
    The Committee is responsible for translating AOT’s risk management policies, frameworks, and guidelines established by the Risk Management Committee into operational practices. It also reviews and endorses risk management plans and performance results before reporting them to the Risk Management Committee.

First Line: Operational Units

  • Risk Management and Internal Control Working Committees of Business Units, Offices, Departments, and Airports
    These committees, appointed by the President of AOT, are responsible for implementing risk management in accordance with the Company’s risk management policy, framework, and processes established by the Risk Management Committee and the AOT Risk Management Working Committee. They also monitor and report risk management performance for risks under their ownership (Risk Owner) to the AOT Risk Management Working Committee.
  • Internal Control and Risk Management Working Committees of Operational Units
    These committees are responsible for implementing risk management in accordance with the Company’s risk management policy and participating in risk management processes, including supporting the monitoring and reporting of risk management results to the Risk Management and Internal Control Working Committees of business units, offices, departments, and airports.

Second Line: Oversight and Compliance Functions

  • Risk Management Department
    The Risk Management Department, under the Strategy Division, serves as the organization’s center of expertise in risk management. Its responsibilities include establishing enterprise risk management frameworks, providing guidance and consultation, and promoting understanding of risk management processes across AOT’s operational units. The Department also fosters the integration of risk management into daily operations and organizational culture, while monitoring and reporting enterprise-level and business-unit-level risk management performance to the AOT Risk Management Working Committee and the Risk Management Committee.
  • Risk Agent
    Risk Agents assigned to all six airports are responsible for providing consultation, guidance, and understanding regarding risk management processes to operational units under their respective airports or business lines. They also support the collection and consolidation of airport risk management information for the Risk Management Department and monitor and report airport-level risk management performance to the respective airport or business-line working committees.

Third Line: Internal Audit Function

  • Internal Audit Office
    The Internal Audit Office independently reviews the effectiveness of AOT’s risk management and internal control systems. It also provides recommendations and consultation to the Audit Committee, management, and operational units to promote effective, efficient, and compliant practices, while reporting audit results directly to the Audit Committee.

Key Operational Responsibilities

  • Highest operational-level executive responsible for risk management, ensuring implementation in accordance with the established risk management policy: Mr. Danai Puchada, Director of Risk Management Department
  • Highest operational-level executive responsible for internal audit:
    Mr. Thanya Siangcharoen, Director of Internal Audit Office (served from 1 October 2020 – 30 September 2025)
    Ms. Sirinthorn Khambun, Director of Internal Audit Office (serving from 1 October 2025 – Present)

Risk Management Framework

AOT has developed the Risk Management Manual for Fiscal Year 2026 to serve as an integrated enterprise risk management guideline in alignment with the framework of the Committee of Sponsoring Organizations of the Treadway Commission – Enterprise Risk Management Integrating with Strategy and Performance (COSO-ERM 2017), the Ministry of Finance’s Criteria on Standards and Guidelines for Risk Management Practices for Government Agencies B.E. 2562 (2019), as well as guidelines issued by the Securities and Exchange Commission of Thailand (SEC).

The Company integrates risk management processes into the development of AOT’s enterprise plan and the management of significant projects to ensure timely and continuous management of risks and potential crises that may affect business operations. This approach also supports AOT in achieving its strategic objectives and organizational goals effectively.

Integrated enterprise risk management in accordance with the COSO-ERM 2017 framework consists of five components and twenty principles, as follows:

    1. Governance and Culture
    2. Strategy and Objective-Setting
    3. Performance
    4. Review and Revision
    5. Information, Communication, and Reporting

COSO-ERM 2017 Risk Management Framework

Risk Management Processes

AOT has established a structured Risk Management Process to identify and analyze potential events, changes, or uncertainties—both internal and external—that may affect the organization’s operations. This process is conducted regularly twice a year as part of the Risk Exposure Review: one prior to the start of the fiscal year, and another as a mid-year review. Additional reviews are conducted immediately when significant changes that may impact AOT occur.

1. Analysis of Potential Changes That May Affect AOT’s Operations (Uncertainty)

AOT has conducted an analysis of information derived from eight key areas of change, along with other relevant factors. The information obtained has been used to assess the severity of risk issues in terms of both Likelihood and Impact in order to determine appropriate risk management approaches and plans.

The results of this analysis are utilized in formulating risk management strategies, as well as enhancing the annual operational plan and organizational management guidelines to effectively respond to long-term changes. In addition, the analysis serves as an important foundation for supporting AOT’s future growth and risk management efforts.

AOT establishes and reviews Key Risk Indicators (KRIs) to identify and monitor significant risks that may affect the organization. The KRIs are designed to align with the organization’s strategic objectives and serve as tools for risk tracking, as well as early warning signs for potential significant risks in the future.

The KRIs are categorized into three levels to support analysis and decision-making for improving the risk management process. The establishment of KRIs enables AOT to effectively monitor and manage risks in alignment with the organization’s strategic objectives.

Key Risk Indicator (KRI) results are colour-coded, and each colour carries a defined action:

  • Green: KRI results meet the target. Action: monitor as scheduled.
  • Yellow: KRI results show signs of deviation from the target. Action: review and improve existing control measures.
  • Red: KRI results exceed the defined target threshold. Action: develop additional risk response plans and report to the AOT Risk Management and Compliance Committee for policy-level consideration.

3.1 Analysis of Potential Changes and Uncertainties Affecting AOT’s Operations

AOT has analyzed potential risks that the organization may encounter through the development of a Risk Universe as an input for preparing the Risk Management Plan. The analysis considered six key sources in accordance with the State Enterprise Assessment criteria on Core Business Enablers, Aspect 3: Risk Management & Internal Control (RM&IC), as follows:

  1. Laws and government policies
  2. Strategies
  3. Board and management policies (Tone at the Top)
  4. Supply Chain
  5. Key Performance Areas (KPAs) / Performance Agreement (PA)
  6. AOT’s enterprise risk factors from the previous fiscal year

Based on the Risk Universe information above, the identified risk issues will be assessed in terms of severity using the evaluation criteria for Likelihood (L) and Impact (I) in order to determine the level of risk severity should such events occur.

Impact Assessment Criteria (score 1 = lowest impact, 5 = highest impact)

Service
  1. Risk occurs but does not affect service operations
  2. Risk occurs and has only a minor impact on service operations
  3. Risk occurs and affects service operations, resulting in complaints submitted to AOT
  4. Risk occurs and significantly affects service operations, resulting in complaints publicly disseminated through traditional and social media
  5. Risk occurs and causes service disruption

Support
  1. Risk occurs but operational or action plan objectives can still be achieved
  2. Risk occurs and has an insignificant impact on operational or action plan objectives
  3. Risk occurs and has a significant impact on operational or action plan objectives
  4. Risk occurs and results in failure to achieve operational or action plan objectives
  5. Risk occurs and results in cancellation of the operational or action plan

Safety
  1. Hazardous events occur with minor consequences
  2. Hazardous events occur resulting in nuisance, operational limitations, use of emergency procedures, or minor incidents
  3. Hazardous events occur resulting in reduced airport safety levels, serious incidents, or multiple injuries
  4. Hazardous events occur resulting in significantly reduced airport safety levels, numerous serious injuries and fatalities, or severe equipment damage
  5. Hazardous events occur resulting in multiple fatalities on a large scale or equipment destruction

Security
  1. No acts of unlawful interference occur; at most minor injuries requiring medical treatment and very minor business or reputational impacts
  2. Acts of unlawful interference occur resulting in several serious injuries or one fatality, and minor short-term service interruption
  3. Acts of unlawful interference occur resulting in numerous serious injuries or some fatalities, and severe short-term service interruption
  4. Acts of unlawful interference occur resulting in several fatalities, and medium- to long-term service interruption
  5. Acts of unlawful interference occur resulting in large numbers of fatalities, long-term service interruption, and complete reputational damage

Reporting Accuracy
  1. No errors
  2. Minor non-material errors
  3. Errors with minor material impact on the report
  4. Errors with significant material impact on the report
  5. Errors affecting the credibility of the report

Timeliness
  1. Completed ahead of schedule
  2. Completed on schedule
  3. Completed slightly behind schedule
  4. Completed significantly behind schedule
  5. Completed behind schedule, affecting audits or operations of related entities

Compliance
  1. No violations of laws, regulations, rules, contracts, or agreements
  2. Minor non-compliance with laws, regulations, rules, contracts, or agreements
  3. Significant non-compliance with laws, regulations, rules, contracts, or agreements without causing damage
  4. Significant non-compliance with laws, regulations, rules, contracts, or agreements causing damage, but compensation can be negotiated
  5. Significant non-compliance with laws, regulations, rules, contracts, or agreements causing damage and potentially leading to legal action

Financial
  1. No expenses or compensation required
  2. Expenses or compensation incurred, but financial performance remains in line with targets
  3. Expenses or compensation incurred, resulting in profits below target
  4. Expenses or compensation incurred, resulting in profits lower than the previous year
  5. Expenses or compensation incurred, resulting in financial losses and critically low liquidity leading to business interruption

Reputation
  1. No impact on reputation or corporate image
  2. Damage to internal reputation or corporate image
  3. Damage to reputation or corporate image with negative publicity through social media and other channels spreading to limited domestic public media
  4. Damage to reputation or corporate image with negative publicity through social media and other channels escalating into a social issue in public media
  5. Damage to reputation or corporate image with widespread negative publicity through social media and other channels across both domestic and international public media

Risk issues assessed as having a high or very high level of severity will be subject to a review of the adequacy of control measures. The criteria for evaluating the effectiveness of control measures will be considered from three perspectives: (1) performance results compared with targets, (2) control measures, and (3) monitoring. If the evaluation result in any one of these perspectives scores below Level 3, the effectiveness of the control measures will be considered “inadequate.”

Where the severity level of a risk issue exceeds the organization’s acceptable risk threshold, the risk issue will be further assessed for its organizational impact, regardless of whether the existing control measures are adequate, across four dimensions: (1) impact on strategic objectives or enterprise-level goals, (2) scope of impact propagation, (3) level of decision-making or governance required, and (4) impact on reputation and relationships with key stakeholders.

If the overall average assessment score is greater than or equal to 4, the risk issue will be selected as an enterprise risk factor. However, if the overall average score is below 4, the issue will be further considered as a Risk Universe issue at the division, department, office, or airport level.
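The selection procedure described above (likelihood and impact scoring, the three-perspective control adequacy check, and the four-dimension organizational impact average) as an added Python example; this is illustrative code, not AOT's own tooling. The numeric boundaries of the severity bands are an assumption, since the page names the bands (High, Very High) but gives no cut-offs, and the sample issues are constructed.

```python
"""Risk issue selection following the procedure described on the page (illustrative, not AOT code)."""
from dataclasses import dataclass

# Severity bands for the likelihood x impact product (1..25).
# ASSUMPTION: the page names the bands (High = orange, Very High = red)
# but gives no numeric cut-offs; these boundaries are illustrative only.
SEVERITY_BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Very High"))
ABOVE_THRESHOLD = ("High", "Very High")  # bands that trigger the control review


def severity_level(likelihood: int, impact: int) -> str:
    """Map likelihood (1-5) and impact (1-5) scores to a severity band."""
    for score in (likelihood, impact):
        if not 1 <= score <= 5:
            raise ValueError(f"score {score} is outside the 1..5 scale")
    product = likelihood * impact
    for upper, label in SEVERITY_BANDS:
        if product <= upper:
            return label
    raise AssertionError("unreachable: product is at most 25")


def controls_adequate(performance: int, controls: int, monitoring: int) -> bool:
    """Three-perspective control review: any perspective below Level 3 means 'inadequate'."""
    return min(performance, controls, monitoring) >= 3


@dataclass(frozen=True)
class RiskIssue:
    name: str
    likelihood: int
    impact: int
    # Control review perspectives (1-5): results vs targets, control measures, monitoring.
    control_scores: tuple
    # Organizational impact dimensions (1-5): strategic objectives, propagation scope,
    # governance level required, reputation and key-stakeholder relationships.
    org_impact_scores: tuple


def classify(issue: RiskIssue) -> dict:
    """Apply the selection procedure and record each intermediate decision."""
    severity = severity_level(issue.likelihood, issue.impact)
    result = {"severity": severity, "controls_adequate": None,
              "org_impact_avg": None, "outcome": None}
    if severity not in ABOVE_THRESHOLD:
        result["outcome"] = "monitor"  # within the acceptable threshold: no control review
        return result
    result["controls_adequate"] = controls_adequate(*issue.control_scores)
    # Above the threshold, the four-dimension assessment runs regardless of adequacy.
    avg = sum(issue.org_impact_scores) / len(issue.org_impact_scores)
    result["org_impact_avg"] = avg
    result["outcome"] = ("enterprise risk factor" if avg >= 4
                         else "unit-level risk universe")
    return result


# Constructed sample issues (not AOT data) exercising each branch of the procedure.
SAMPLE_ISSUES = (
    RiskIssue("Constructed: disabled-aircraft towing coordination", 5, 4, (4, 2, 4), (4, 5, 4, 3)),
    RiskIssue("Constructed: apron equipment readiness", 3, 4, (3, 3, 3), (3, 4, 3, 3)),
    RiskIssue("Constructed: minor reporting delay", 2, 2, (5, 5, 5), (2, 2, 1, 2)),
)

if __name__ == "__main__":
    for issue in SAMPLE_ISSUES:
        print(issue.name, classify(issue))
```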

To ensure effective enterprise risk management, Airports of Thailand Public Company Limited (AOT) has established goals and objectives as the starting point of its risk management process to provide reasonable assurance that risk management activities achieve the intended objectives. AOT defines its risk management objectives through the establishment of Risk Appetite (RA) and Risk Tolerance (RT) levels.

  • Risk Appetite (RA): The level of risk that the organization is willing to accept in order to achieve its objectives. This can be determined based on the organization’s overall objectives, including vision and mission, strategic objectives, and key performance indicators, as well as targets aligned with the agreement between the Government of Thailand and AOT. AOT defines its Risk Appetite (RA) in alignment with its mission and strategic objectives or the performance indicators specified in the State Enterprise Performance Agreement (PA), whichever is higher.
  • Risk Tolerance (RT): The acceptable level of deviation from the established objectives or Risk Appetite (RA), aligned with the organization’s acceptable risk level. Historical data and future projections may be used in determining the Risk Tolerance (RT). AOT defines its RT in alignment with the “Level 3” threshold of the performance indicators specified in the Performance Agreement (PA) or values approved by the AOT Board of Directors, whichever is lower.

Furthermore, AOT has established Risk Appetite (RA) and Risk Tolerance (RT) separately for four categories of risk: Strategic Risk, Operational Risk, Financial Risk, and Compliance Risk.

In addition to establishing risk management goals and objectives, AOT has also conducted root cause analysis by considering factors or causes that may give rise to risks, including both internal organizational factors and limitations or uncertainties arising from external factors. In this regard, Risk Owners are assigned to identify and analyze the causes of relevant risk factors in order to determine appropriate and effective risk management approaches.

Following the completion of the root cause analysis, the Risk Management Department, together with the Risk Owners, identified the existing controls, which refer to plans or activities already implemented to help reduce the severity level of each risk cause. The severity level of each individual risk cause was then assessed to determine which risk causes still remained above the organization’s acceptable risk level despite the implementation of existing controls.

For risk causes that continue to exceed the acceptable risk level, additional risk mitigation plans must be developed. These mitigation plans consist of new plans or activities that have not previously been implemented and are intended to serve as supplementary measures to further reduce risk levels. This process is designed to ensure that the overall risk severity, after implementing both existing controls and additional mitigation plans, is reduced to a level acceptable to the organization.

AOT risk profile

AOT conducts risk analysis and prioritization by considering the likelihood and impact levels of risks through the use of a Risk Profile to assess the severity level of risks. This assessment is based on historical statistical data, operational performance data, as well as trend analysis and future forecasting to ensure that the assessment criteria are appropriate, aligned with the operational context, and reflective of the organization’s actual risk exposure.

In addition, the risk assessment criteria are established in alignment with organizational objectives, laws and regulations, Key Performance Indicators (KPIs), operational performance results, and other critical factors affecting operations, including the organization’s acceptable risk level (Risk Boundary). This ensures that the assessment results can be effectively utilized in preparing appropriate risk management actions or control measures for potential risks and in reducing impacts to an acceptable level.

Mitigation Plan

In assessing risk severity levels, AOT has established three levels of risk assessment to support risk analysis, monitoring, and management in alignment with the organization’s acceptable risk level, as follows:

  • Inherent Risk Assessment
    This refers to the assessment of the level of risk inherently associated with business operations or activities, both current and future, prior to the implementation of any control measures. (In the illustration, this is represented by the blue bar.)
  • Residual Risk Assessment
    This refers to the assessment of the remaining level of risk after existing control measures have been implemented to reduce the likelihood or impact of risks. Examples include the preparation of action plans or operational plans to support the achievement of organizational objectives, as well as the improvement of operational activities to ensure effective process control. (In the illustration, this is represented by the red bar.)
  • Target Risk Determination
    This refers to the establishment of the desired level of risk after implementing existing control measures and additional risk mitigation plans (if any), taking into consideration the acceptable risk level. (In the illustration, this is represented by the green bar.)

AOT has established four risk response approaches: (1) Risk Acceptance (Take/Acceptance), (2) Risk Reduction (Treat/Reduction), (3) Risk Transfer (Transfer/Sharing), and (4) Risk Avoidance (Terminate/Avoidance). These approaches serve as guidelines for managing risks appropriately in accordance with the context and severity level of each risk.

In cases where the Residual Risk level exceeds the organization’s acceptable risk level, particularly for risks classified as High (orange) and Very High (red), the Risk Owner is required to consider and select the most appropriate risk response approach by taking into account the cost-effectiveness and efficiency of the measures to be implemented for managing such risks.

The selection of risk response approaches is based on a Cost and Benefit Analysis (CBA), considering at least two alternative options in both monetary and non-monetary terms, in order to support decision-making and identify the most appropriate and cost-effective measures. The organization may choose to apply a single risk response approach or a combination of approaches to effectively reduce the likelihood and/or impact of risks to a level acceptable to the organization.

In addition, AOT requires the preparation of additional risk mitigation plans for cases where further measures beyond existing controls are necessary to reduce risk levels to within the organization’s acceptable range. Such plans must clearly demonstrate that, upon full implementation, they will effectively reduce the likelihood of occurrence and/or mitigate the impacts of the identified risk factors in a concrete and measurable manner, with outcomes that can be clearly monitored and evaluated.

AOT requires the monitoring and reporting of enterprise-level risks as well as risks at the division, department, office, and airport levels on a quarterly basis, or immediately upon the occurrence of any significant event that may materially affect AOT.

To support this process, AOT prepares an annual risk management reporting plan through the operational plan of the Risk Management Division under the Risk Management Department. The plan is communicated to Risk Owners and personnel responsible for risk management, internal control, and business continuity management functions (Risk Agents) during meetings of the AOT Risk Management Working Committee (AOT-RMC).

This reporting framework serves as the timeline and guideline for Risk Owners and Risk Agents to report risk management results to the AOT Risk Management Working Committee (AOT-RMC) and the Risk Management Committee (RMC), respectively.

AOT’s risk management system is aligned with the framework of The Committee of Sponsoring Organizations of the Treadway Commission – Enterprise Risk Management Integrating with Strategy and Performance (COSO-ERM 2017), as well as the Business Continuity Management System (BCMS) framework in accordance with the international standard ISO 22301:2019 – Security and Resilience – Business Continuity Management Systems Requirements.

Risk management processes are integrated into the preparation of AOT’s Enterprise Plan and the management of significant projects to ensure that risks and potential disasters that may affect AOT’s business operations can be managed in a timely and continuous manner. This also supports AOT in achieving its established objectives and targets.

AOT has established BCMS processes and operational procedures that are linked and aligned with the strategies set out in the AOT Enterprise Plan. These processes are developed with reference to the nature of the business, organizational context, vision, strategies, SWOT analysis results, and critical business processes in order to define the scope of the BCMS to comprehensively cover AOT Headquarters and all six AOT airports.

AOT conducts Business Impact Analysis (BIA), risk assessments, prepares Business Continuity Plans (BCP), and carries out annual plan exercises in collaboration with relevant external agencies. In addition, AOT places importance on promoting knowledge, understanding, and awareness of BCMS among executives and employees through regular training programs and communication campaigns. These efforts help reinforce stakeholder confidence that AOT is well prepared to respond to emergency situations and capable of restoring critical services to normal operations in a timely manner.

AOT has continuously improved and enhanced the Business Continuity Management System (BCMS) of AOT Headquarters and all six AOT airports. The organization has successfully undergone recertification audits for BCMS: ISO 22301:2019 conducted by an accredited Certification Body (CB), with the certification valid for a three-year period from fiscal years 2025 to 2028.

This certification provides assurance that AOT Headquarters and all six AOT airports have fully implemented the BCMS in compliance with all requirements specified under ISO 22301:2019.

Implementation

In 2024, AOT carried out enterprise risk management by assessing and prioritizing risk issues identified by risk owners in order to develop appropriate plans and control measures. The following is an example of the risk assessment and prioritization process:

Risk Management Implementation
Risk Factor: Regulatory Compliance (RF1)
  AOT may be unable to integrate collaboration in managing emergency situations and towing disabled aircraft.
  Risk level: Very High before mitigation; target Medium; Low after mitigation
  Mitigation actions:
  • Conduct simulation exercises for towing disabled aircraft
  • Assess and report operational performance to the AOT Board of Directors
  • Sign memorandums of understanding with airlines regarding cooperation in towing disabled aircraft

Risk Factor: Strategic Risk (RF2)
  Risk associated with AOT’s capacity expansion projects
  Risk level: Very High before mitigation; target Medium; Medium after mitigation
  Mitigation actions:
  • Develop risk management plans and additional control measures through the workshop on "Guidelines for Enterprise Risk Management and Action Plan Development for Fiscal Year 2025"

Risk Factor: Strategic Risk (RF3)
  AOT may not be adequately prepared to restore the operational capacity of apron services and ground support equipment at Suvarnabhumi Airport (BKK)
  Risk level: High before mitigation; target Medium; Medium after mitigation
  Mitigation actions:
  • Review and revise the procurement plan for apron services and ground support equipment operators
  • Manage contracts and supervise operators to ensure alignment with evolving operating environments

Risk Factor: Financial Risk (RF4)
  Risk arising from the inability to manage investment plans in alignment with established targets
  Risk level: High before mitigation; target Medium; Low after mitigation
  Mitigation actions:
  • Develop risk management plans and additional control measures through the workshop on "Guidelines for Enterprise Risk Management and Action Plan Development for Fiscal Year 2025"

Risk Factor: Strategic Risk (RF5)
  AOT’s performance indicators for fiscal year 2024 may not meet the established targets
  Risk level: High before mitigation; target Medium; Medium after mitigation
  Mitigation actions:
  • Revise performance indicators to enhance their appropriateness for fiscal year 2025

Emerging Risks

         Emerging risks present new challenges stemming from various changes and are considered significant threats to airport business operations. These risks may have a material impact on both the airport business and society, depending on each specific issue. Such risks encompass factors related to environmental, social, and governance (ESG) dimensions, including climate change, resource scarcity, regulatory shifts, and technological disruptions. 

           The management of emerging risks requires a proactive strategy to ensure organizational resilience, minimize potential negative impacts, and capitalize on opportunities for sustainable growth. Identifying and addressing these risks will enable the organization to better align with global sustainability goals and preserve long-term business value. 

Misinformation and Disinformation; Cyber Espionage and Warfare
Description
Misinformation and disinformation, driven by the transformative shift in digital technology, pose a significant long-term risk to airport operations, which are a major public service. Potential consequences include widespread passenger confusion and travel disruption, reputational damage, erosion of public trust, safety and security breaches, and operational challenges. At the same time, the rapid advancement of digital tools and the proliferation of the Internet of Things (IoT) introduce new cyber threats. Because information can now be accessed and shared easily, often without specialized skills, these technologies enable both the unintentional spread of misinformation and disinformation and the deliberate manipulation of data. AOT seeks to establish preventive measures through its business continuity plan so that airports can continue to operate normally and the impacts of these risks are addressed.

As the operator of Thailand’s major airports, AOT handles large volumes of passenger and aviation data through its digital systems and is highly dependent on digital infrastructure for operations and service delivery. Cyberattacks are evolving beyond traditional methods: attackers now leverage artificial intelligence (AI), cloud-based infrastructure, and digital platforms to increase the scale and sophistication of attacks. This represents a new and emerging external risk beyond AOT’s direct control. While the immediate effects may not always be significant, the long-term and uncertain impacts could disrupt critical operations such as flight control and flight information systems. The potential impact is significant: these threats could affect core business functions, cause service suspension or flight delays, and erode passenger and investor confidence. Such risks may require AOT to adapt its strategy and business model to ensure resilience.
Business Impact
  • Passenger confusion and misinformation can cause delays, bottlenecks, and reduced efficiency, disrupting daily airport operations and flight schedules.
  • Information-related risks may undermine stakeholder confidence – from passengers to investors – potentially decreasing revenue and harming long-term business performance.
  • The spread of disinformation and cyber threats can tarnish AOT’s public image, weakening relationships with airlines, customers, and partners.
  • Addressing misinformation and mitigating cyber incidents often requires significant investments in new technologies, processes, and expertise.
  • Cyber-attacks or manipulated data could impact critical systems, jeopardizing the safety of passengers, staff, and airport assets.
  • Ongoing service disruptions and declining service quality may make AOT less competitive, risking a loss of customers and business to other airports.
  • The impacts of cyberattacks may range from minor damage to severe disruptions that affect the organization’s overall business operations, depending on the sensitivity of the compromised data. If critical information—such as strategic plans, partner lists, or sensitive organizational data—is stolen or disclosed to the public, the organization may face competitive disadvantages as well as a loss of confidence from investors and shareholders. Moreover, if the attack is intended to disrupt organizational systems, critical technologies could be targeted, such as flight control systems, automated check-in systems, baggage handling systems, and flight information display systems. When such essential passenger service systems are compromised, operations may come to an immediate halt, leading to consequences such as flight delays, stranded passengers, and, in the case of a severe attack, temporary suspension of airport services until systems can be restored.
Mitigation Actions
    • Implement a Cybersecurity Incident Response Plan: Develop a robust plan with clear detection and response protocols to identify, contain, and mitigate cyber threats and data manipulation attempts before they impact airport operations.
    • Increase employee and public awareness: Conduct regular training sessions for airport staff and launch communication campaigns for passengers and the public to raise awareness of misinformation and disinformation risks, promoting responsible information-sharing behaviors.
    • Monitor and counter misinformation in real time: Continuously track misinformation trends across digital and social channels, using data analytics tools to detect emerging threats and rapidly deploy countermeasures to prevent widespread misinformation.
    • Strengthen policies and regulatory frameworks: Enforce and advocate for strong policies, codes of conduct, and legal requirements that hold platforms, media channels, and individuals accountable for spreading false or misleading information.
    • Assess potential risks and impacts on AOT’s airport operations in order to develop plans and measures to enhance preparedness for emerging risks.
    • Implement data backup procedures and establish a Disaster Recovery Plan (DRP).
    • Provide cybersecurity training for employees to enhance awareness and the ability to appropriately respond to cyberattacks.
    • Install firewalls across the computer network.
    • Enforce the use of secure passwords.
    • Adopt Two-Factor Authentication (2FA) to strengthen cybersecurity and protect AOT’s computer systems and networks, particularly for accessing Microsoft Services.
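The last item above states the control but not how it is enforced. The following is an added example, not AOT’s own configuration: it assumes the Microsoft services in question are protected by Microsoft Entra ID and uses the Microsoft Graph PowerShell SDK to create a Conditional Access policy that requires multi-factor authentication for every user on every cloud application. The break-glass account ID is a placeholder, and the policy is created in report-only mode first so that sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not AOT's own code): Entra ID Conditional Access policy requiring
# MFA for all users on all Microsoft cloud apps, created in report-only mode.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed, the signed-in
# administrator holds Policy.ReadWrite.ConditionalAccess, and the break-glass
# account object ID below is a placeholder to be replaced before use.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object ID of an emergency-access ("break-glass") account (assumption).
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all users on all cloud apps"
    # Report-only first; change to "enabled" once sign-in logs show no unexpected blocks.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Keep one emergency-access account out of scope to avoid a tenant-wide lockout.
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")   # grant access only after MFA is satisfied
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Two practitioner caveats: always exclude at least one monitored emergency-access account so a misconfigured policy cannot lock administrators out, and pair this policy with one that blocks legacy authentication protocols, since clients that use them cannot complete an MFA challenge and would otherwise remain a bypass.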

    Promotion of Risk Culture

AOT promotes a positive risk culture by fostering an environment that supports effective risk management, extending to all non-executive directors. The AOT Risk Management Working Group and the Enterprise Risk Management Committee meet monthly. These meetings serve as platforms for regularly reviewing the Company’s risk exposure, discussing emerging risk situations, building a shared understanding of risk interdependencies and impacts before decisions are made, and raising organizational risk awareness. Examples of AOT’s risk culture promotion initiatives include:
  • The AOT e-Learning Platform for risk management knowledge and awareness
  • Cross-departmental meetings involving Airport Standards and Aviation units
  • Risk awareness surveys to assess and strengthen employee understanding of risk-related issues

    1. Risk Management Education

           AOT conducts an annual survey to assess employees’ awareness of risk management. The objective is to evaluate the effectiveness of risk communication through both internal and external media channels, and to utilize the survey findings to enhance the efficiency of communication methods for promoting risk awareness across the organization. 

            In addition, AOT integrates risk criteria into service development initiatives (Incorporation of Risk Criteria in AOT Services) and establishes risk management metrics for relevant departments. These metrics are directly linked to financial incentives and performance evaluations.

AOT has implemented the “Triple A” Risk Management Program, a collaborative initiative between the Risk Management Department and the Human Resources Department. The program aims to promote desired risk management behaviors among executives and employees, thereby strengthening the organization’s risk culture. The Triple A Program is an outcome of the Risk Awareness Survey and the Risk Management Performance Evaluation, reflecting AOT’s commitment to fostering a resilient and proactive risk management environment.

    2. Risk-Focused Training

Based on the AOT Risk Management Handbook, AOT organizes training programs and activities designed to enhance participants’ skills and expertise in risk management and in implementing the prescribed practices. These initiatives aim to strengthen the preparedness of all six airports for international standard assessments, while also promoting a deeper understanding and heightened risk awareness among personnel at all organizational levels.

    Risk Management Training Courses and Participants

    Course: Risk Culture Development Seminar for Practitioners in Risk Management, Internal Control, and Business Continuity at Airports (Risk Agent Program)
    Participants, Course 1:
      • Members of the Board of Directors
      • Senior Executives and personnel responsible for Airport Risk Management, Internal Control and Business Continuity (Risk Agents), as well as staff from the Risk Management Department
      • Junior, Intermediate and Senior Airport Management
    Participants, Course 2:
      • AOT employees

    Course: Internal Auditor Team Leader Development Workshop on the Business Continuity Management System (BCMS) According to ISO 22301:2019 Standard – Fiscal Year 2024. AOT organized this workshop under the course “Development of Internal Auditor Team Leaders on Business Continuity Management System (BCMS) According to ISO 22301:2019 Standard” for fiscal year 2024. The objective was to develop qualified internal auditor team leaders who meet the ISO 22301:2019 requirements and are eligible for international certification from institutions such as the Chartered Quality Institute (CQI) and the International Register of Certificated Auditors (IRCA).
    Participants: Risk Agents from AOT headquarters and all six airports

    Course: Business Continuity Management System (BCMS) training in accordance with the international ISO 22301:2019 standard for fiscal year 2024, comprising the following key workshops:
      • Evaluation and enhancement of Business Impact Analysis (BIA) and Risk Assessment results
      • Development of internal audit personnel for the Business Continuity Management System
    Participants: Internal auditors and BCMS employees of AOT headquarters and all six airports

    Course: Workshop training program on “Internal Audit of the Business Continuity Management System (BCMS) in accordance with the international ISO 22301:2019 standard,” focusing on personnel readiness and systematic process management, and preparing internal BCMS auditors to operate effectively according to the standard. The program includes two sub-courses:
      • Development of Internal Auditors for the Business Continuity Management System (BCMS) based on ISO 22301:2019
      • Internal Audit of the Business Continuity Management System (BCMS) based on ISO 22301:2019
    Participants: Internal auditors and BCMS employees of AOT headquarters and all six airports

    3. Risk Management Performance Evaluation

    AOT undergoes performance evaluation in risk management in accordance with the State Enterprise Assessment Model (SE-AM). This assessment supports the ongoing development and enhancement of AOT’s risk management operations. The results serve as key indicators for identifying both strengths and areas for improvement across five key dimensions: 

      1. Governance and Organizational Culture
      2. Information, Communication, and Reporting
      3. Risk Management Review
      4. Risk Management Processes
      5. Strategic Planning and Objective Setting

Last reviewed: 27/02/2026