Overview of Risk Management

The Company aims to strengthen risk management as part of the corporate culture through the formulation of the Risk Management Policy and risk appetite statement as well as the implementation of the risk management guidelines as a tool for formulating the Company’s strategies and conducting business affairs. The purposes were to achieve business growth and generate a sustainable return to stakeholders in the long term. The Company believes that efficient risk management is an extremely important factor for achieving sustainable growth and maintaining the Company’s profitability.

The Company’s Board of Directors and senior executives attach great importance to risk management practices which respond to changes in a timely manner. In this connection, they continuously oversee, monitor, and develop risk management systems, ensuring that the various measures remain appropriate and keep pace with changing risk factors, both internal and external. The Company puts in place the organizational structure to support risk management, ensuring that it is in line with the established framework, through the various committees’ supervision. The related details are as follows:

The Company’s Risk Management Structure


The Company’s Board of Directors has a role in policy determination and establishes guidelines for an efficient enterprise-wide risk management including risk management and business continuity management of Thanachart Group, ensuring that it is efficient and in line with the Company’s operations by taking into consideration the impact of risks on the Company’s operational goal and financial position.

Executive Committee has a role in considering and approving all activities to be in line with the Company’s Risk Management Policies, as well as assessing the business continuity management of Thanachart Group to present to the Company’s Board of Directors for approval.

Risk Oversight Committee has a role in proposing the Company’s Risk Management Policy and the Group’s Risk Management Policy to the Company’s Board of Directors for approval. The Committee also establishes risk management strategic plans to be in line with the Risk Management Policy and revises the sufficiency of the Company’s Risk Management Policy including the efficiency of the system and practice of the specified policy. Furthermore, it has a role to control, monitor, and supervise the Company and the companies under the Group to comply with the Risk Management Policy as well as regularly report the result of the compliance to the Board of Directors including the adjustments to conform to specified policies and strategies.

Audit Committee has a role in determining the supervisory guidelines for the operation, ensuring that the Company and the Group are operating in compliance with measures of related authorities. The Committee also has a role in assessing the effectiveness and competency of the overall Group’s risk management process and sufficiency of overall internal control system.

The Company’s Risk Management Structure Chart


As at 31 December 2023

  • The conduct of business affairs is under a system of checks and balances with Middle Office comprising the Risk Control Unit and Back Office, being separated from the Front Office.
  • The Company puts in writing all the established policies and guidelines regarding risk management, which specify the responsibilities of related units as operational guidelines for the employees. Moreover, the Company has established a four-step guideline for risk management. The guideline includes
    1) the identification of the characteristics of risk as well as risk factors,
    2) the development of appropriate tools and models for risk measurement,
    3) the control of risks within acceptable limits, and
    4) the close monitoring of risk status in order to properly manage any possible risks in a timely manner.
  • The differences in size and risk ratios determined for each exposure measured by tools and models allowed the Company to be able to perceive the degree of severity from the possible risks. These risk variables could also be used as a ceiling or the acceptable risk level as well as to provide warning signals before severe losses occur.
  • The risk management report is presented to the board of directors of each subsidiary company and the overview report is presented to the Company’s Board of Directors in a periodic and timely manner.

The aforementioned risk management systems are developed based on prudent principles and will be reviewed regularly to suit prevailing situations. The systems are designed to be transparent, explicit, and examinable, and to take into consideration the interests of shareholders, customers, and staff.

1. Credit Risk

Credit risk arises from a situation in which the debtors or counterparties fail to repay or fulfill their agreed obligations. This might be contributed by the fact that the debtor’s financial position is under distress due to volatilities of economic conditions that pose adverse impact on businesses or the debtors’ mismanagement, which as a result, may adversely affect the Company and its subsidiaries’ earnings and capital. The credit risk may arise from ordinary financial transactions such as credit lending, financial obligations in the form of avals or guarantees, other transactions related to credit lending, as well as investment in debt instruments issued by state agencies or state enterprises with neither guarantee from government nor the BOT and private debt instruments such as debentures.

Under their credit risk management policies and guidelines, the Company and its subsidiaries have successfully established a credit culture. To start with, the credit risk of the borrowers or counterparties or issuers of debt instruments will be independently assessed by the Credit Analysis Unit, using the model developed specifically for each type of borrower or counterparty. At this juncture, the authorized Credit Committee would then consider and determine the level of credit risk of borrowers or counterparties, appropriate credit lines and investment budget, as well as terms and conditions on loans or other obligations. The Committee also controls the overall risk status by appropriately diversifying credit risk into various business sectors and groups of customers within the established risk ceilings. In addition, the Committee closely monitors the quality of loans to ensure proper and vigilant management by emphasizing business capability and repayment ability under the supervision of an independent risk control unit, ensuring that credit transactions are in line with the policies and guidelines of credit risk management.

Key Credit Risk Factors


1.1 Credit Concentration Risk

The Company and its subsidiaries aim to appropriately diversify their loans to various groups of customers, focusing on high potential customers and attempting to prevent concentration of loans to a particular group of customers. Group limits and single limits are set in accordance with the risk level of the borrowers. Analysis and monitoring are carried out, and results are regularly reported to relevant committees to minimize risks from uncontrollable factors. Furthermore, the Company and its subsidiaries have loan portfolio management in place, analyze the loan portfolios in general, and manage the portion of the portfolios in correlation with circumstantial changes for maximum return under acceptable risk levels. As of 31 December 2023, the Company and its subsidiaries had granted loans totaling 67,191 million baht to debtors, marking a 3.57 percent increase from the previous year’s 64,876 million baht. The majority of these loans, accounting for 79.37 percent in 2023 and 82.39 percent in 2022, were hire purchases and financial leases. These loans were allocated across various industries including commerce, agriculture, transportation and logistics, construction contracting, and services. The remaining portion of loans, comprising 20.63 percent in 2023 and 17.61 percent in 2022, primarily consisted of secured business loans, which were allocated appropriately.

1.2 Risk of Non-performing Loans

Non-performing loans are debtors with impaired credit and debtors with purchased or originated impaired credit. They have been a major concern of each financial institution. They have an adverse effect on the earnings and capital of the Company. At this juncture, the Company and its subsidiaries have focused efforts on controlling credit quality through appropriate policies and procedures to regularly monitor the quality of the loans. At the end of 2023, the ratio of non-performing loans to total loans was 3.94 percent, compared to 3.59 percent at the end of 2022. The majority of these non-performing loans were from subsidiaries engaged in hire purchases and asset management. Overall, the level of non-performing loans within the group was deemed acceptable.

1.3 Risk from Collaterals

For collateralized loans, the Company and its subsidiaries carefully assess and classify the quality of each type of collateral by taking into account the liquidity and overall risk from that collateral. The assessment result is one of the important factors applied in the classification of each credit exposure. In this regard, the collateral, both in the form of immovable and movable whose value could be appraised, is subject to appraisal or valuation complying. The Company and its subsidiaries’ significant types of collateral are marketable equity securities, commercial immovable property, immovable property from housing, vehicles, machinery, etc. The Company and its subsidiaries have determined guidelines, standards, and frequency of appraisal and valuation of each type of collateral. Furthermore, a report of the appraisal and valuation is made which includes clear and sufficient data and analysis to determine the price. In case it cannot be specified whether the collateral price has decreased or depreciated over time, the impairment of the asset must be considered by a concerned official.

1.4 Risk from Impairment of Property Foreclosed

The Company and its subsidiaries consider setting aside allowance for impairment of property foreclosed, by using the guidelines on setting aside allowance for impairment of property foreclosed and also by exercising discretion in estimating impairment loss when it is found that the value expected to be received from the property would be lower than the book value, taking into account the most recent appraisal value of the property, as well as type and characteristics of the property.

2. Market Risk

The market risk arises from movements in interest rates, exchange rates, and prices of instruments in money market and capital market, which may adversely affect earnings and capital of the Company and its subsidiaries. It could be divided into two main risks including price risk and interest rate risk. In this connection, the Company and its subsidiaries had adopted a risk oversight and management policy aiming at keeping the risk at an appropriate level and in compliance with the Risk Management Policy of the Company and its subsidiaries.

2.1 Price Risk


Price risk is the risk arising from the decrease in revenue or from negative impacts on the value of financial assets or liabilities. When the prices of debt instruments or equity instruments change, the available-for-sale investments and trading investments of the Company and its subsidiaries may be reduced in value.

The Company and its subsidiaries have developed risk measurement tools based on the Value-at-Risk model (VaR Model) to estimate the maximum loss amount at a certain confidence level and over a given asset holding period. The Company and its subsidiaries had imposed various ceilings in relation to transactions in order to keep risk at an acceptable level, for example, Position Limit and Loss Limit. The Risk Control Unit, separated from the front office and back office, has the duty of risk control and reporting on the status of the ceilings imposed on various risks to the Board of Directors and the departments and executives associated with risk management in order to respond to the risk in a timely manner. The Company and its subsidiaries had designated the Executive Committee to be responsible for overseeing and monitoring this type of risk.

2.2 Interest Rate Risk


Interest rate risk is the risk that earnings or capital are adversely affected by changes in interest rates that pose impact on its rate-sensitive items including assets, liabilities, and off-balance sheet items. These changes may have a negative impact on net interest income and capital fund of the Company and its subsidiaries.

It is a goal of the Company and its subsidiaries to run their business operations under a long-term effective interest rate risk management system, in other words, to maintain an appropriate structure of assets and liabilities which are rate-sensitive at different time intervals. To ensure maximum benefits of the Company and its shareholders, the Company and its subsidiaries have developed the Repricing Gap Analysis Model as a tool for measuring interest rate risk by assessing the impact that may arise from the mismatch of the repricing periods of assets, liabilities, and obligations at different time intervals, which is used for risk measurement every month. In order to ensure that the risk of the Company and its subsidiaries’ business operations is within an acceptable limit, they have also established an acceptable risk ceiling and an early warning risk level, taking into consideration the structure of assets, liabilities, and obligations as well as interest rate repricing which are expected to take place in each period of the Company and its subsidiaries’ business plan. The Executive Committee is responsible for monitoring and controlling such risk very closely. To effectively design appropriate measures to accommodate the risks, the committee has to monitor economic conditions, developments in the money market and capital market, and the interest rate trend which could become important interest rate risk factors.

3. Liquidity Risk

Liquidity risk arises from the inability of the Company and its subsidiaries to repay their debts or obligations upon the delivery date due to the lack of ability to convert assets into cash or to mobilize adequate funds or to mobilize funds at an acceptable cost. This could adversely affect the current and future earnings and capital of the Company and its subsidiaries. The liquidity risk management mechanism starts with the assessment of the cash flows and liquidity position of the Company and its subsidiaries over particular time horizons when different levels of funds may be required to accommodate borrowings upon maturity, to reduce other types of liabilities, or to acquire assets. It uses Liquidity Gap Analysis, various liquidity ratios, and “What If” scenarios to evaluate the sufficiency of the cash flow liquidity depending on customer behavior in extending contracts upon maturity and to estimate the need for liquidity in various “What If” scenarios.

Meanwhile, the Company and its subsidiaries develop an emergency plan in the case of a liquidity problem and there will be a revision of the significant occurrences that affect working operations. In this regard, the Company and its subsidiaries have assigned the Executive Committee in controlling and managing the liquidity risk to monitor and manage risk on a regular basis.

4. Operational Risk

The operational risk is the risk that arises from the damage that occurs from lack of good corporate governance within the organization. Risk may arise from the inadequate efficiency of the internal audit and internal control systems, which could relate to internal operation processes, personnel, systems or external events, and adversely affect the Company and its subsidiaries’ operating income and capital. This also includes legal risks such as litigations, exploitation by the government, and also damage from settlements outside the courtroom. Such risk can pose an adverse impact on other risks, especially strategic risk and reputation risk.

The Company and its subsidiaries are well aware that efficient operational risk management is crucial to the business to achieve goals sustainably. Under current uncertainties, the Company and its subsidiaries, thus, place importance on efficient and effective operational risk management that is sufficiently comprehensive across the Company and its subsidiaries, so that timely preparations can be made in unexpected situations and increasingly stringent regulations are followed. The Company and its subsidiaries set Operational Risk Policies and management that gear toward risk protection and monitoring. In addition, as internal control is a key mechanism in controlling and mitigating possible damage, the Company and its subsidiaries ensure that there is a strong internal control system: an organization structure that has counterbalance, transaction-supporting units with a specialized skill set and independence to reduce possible errors, practice regulations applicable to all types of transactions, information technology system management and data security system, including the business continuity plan.

The Company and its subsidiaries determine a principle, form or condition of the process used in the measurement and assessment of internal risks of the Company and its subsidiaries. In the determination of this process, the Company and its subsidiaries consider the circumstantial factors such as supervising guidelines of the government units associated with the Company, state and complexity of the business, the capability of the Company in accepting risks. The Company has also put in place the tools for important operational risk management e.g. Risk and Control Self-Assessment, Key Risk Indicators (KRIs), in case of disaster and loss storage (Loss Data), the use of external service providers for Thanachart Group (Outsourcing Policy), incident management, and business continuity plans (BCP).

In addition, to monitor operational risk, the Company and its subsidiaries determine a policy for executives of each department to be responsible for monitoring the risk by considering this as a part of their regular duties. This will help identify all risks and problems that occur in order to respond to the changes in an appropriate and timely manner and not damaging to the Company and its subsidiaries. Nevertheless, to be informed of the result of business operations and problems that occur, as well as trends and changes in information of risk factors, the Company and its subsidiaries organize a filing and reporting of the information associated with operational risk management to be continually and regularly reported to the Board of Directors, the Risk Oversight Committee, and high-level executives to use in the determination of policies, to develop a sufficient risk management system, and to be a tool in aiding the Company and its subsidiaries to evaluate the capability and efficiency of the internal control system.

5. Information Technology Risk

Today, information technology plays a very important role in the business operations of the Company and its subsidiaries, particularly in increasing efficiency in providing customers with financial services which are accurate, efficient, safe and meet customer needs at a lower cost. The Company and its subsidiaries recognize that the use of information technology which is changing rapidly all the time, may pose risks to service-related security, customer information, service continuity and impacts on the business operations of the Company and its subsidiaries. As a result, the Company and its subsidiaries pay great attention to the management of information technology risks, ensuring that they are managed in line with international standards. Emphasis is placed on protecting information and interests of customers, taking into consideration three key principles including 1) Confidentiality - security of systems and information, 2) Information integrity - trustworthiness and dependability of systems and information, and 3) Availability - ability to make systems and information accessible as needed.

To enable the Company and its subsidiaries to manage information technology risks in an efficient and continuous manner and also in line with the nature of their business operations, volume of transactions, information technology complexity, and related risks such as operational risk, strategic risk, reputational risk and legal risk, the Company and its subsidiaries have established a risk governance framework based on the fundamental principle of the three lines of defense - a guide to how responsibilities should be clearly divided and segregated. These include the following: 1) operations of information technology, 2) management of information technology risks, and 3) audit of information technology. Moreover, the Company and its subsidiaries have established the policy and standards for ensuring information technology security, the policy on information technology management, regulations as well as procedures and processes related to risk management. Importantly, they provide Directors, executives and staff with knowledge and awareness of information technology risks on a continuous basis.

The Company and its subsidiaries have put in place the following processes for managing the information technology risks in line with international standards.

  • The risk assessment consists of 1) risk identification, 2) risk analysis, and 3) risk evaluation. The objectives are to estimate the likelihood that the risks may arise and to assess the extent of effects on business operations.
  • As regards risk treatment, the Company continues to manage, control and prevent the risks in an appropriate manner, in line with the risk assessment results. The objective is to keep the remaining IT risks at an acceptable level. In this connection, the Company has established a number of IT key risk indicators.
  • The Company has put in place a process for monitoring, reviewing and reporting the risk, ensuring that the IT risk is at an acceptable level. In this connection, reports are presented regularly to the committee concerned.

6. Strategic Risk

This type of risk arises from the inappropriate formulation of strategies, business planning, and implementation which are not compatible with internal setups and external environment, resulting in an adverse impact on earnings, capital or the existence of the Company and its subsidiaries. In managing the strategic risk, the formulation of strategies of the Company and its subsidiaries will be considered over the three years ahead, with the review required annually or in the case of an external event that may impact the achievement of the Company’s business goals. The Executive Committee is responsible for regular monitoring and evaluating the performance of the work units upon the established targets stated in the annual operation plan.

7. Reputation Risk

The reputational risk means a risk that occurs when the public, i.e. customers, strategic or alliance partners, investors, and regulators, have a negative perception of or lose confidence in the Company and its subsidiaries. This risk may impact the Company and its subsidiaries’ revenue and/or capital at present and in the future. Reputational risk may arise from noncompliance with corporate governance and business ethics, or nonconformity to the laws, regulations, as well as the Company and its subsidiaries’ practice rules.

The Company and its subsidiaries have continuously taken into account the importance of the reputational risk. The policy consists of reputational risk framework and reputational risk management processes which entail reputational risk assessment and measurement divided into 5 levels of impact and likelihood, reputational risk prevention by raising awareness and devising measures to prevent reputational risk events, regular monitoring and reporting to relevant committees, including risk management in case of high and very high risk levels. The Company and its subsidiaries set up a main working unit to be directly responsible for risk management processes.

8. Regulatory Risk

The regulatory risk arises from non-compliance with laws, regulations, requirements, standards, and guidelines in the Company and its subsidiaries’ transactions which can lead to financial loss, reputation damage, and interference by state entities. Also, there are risks from the amendments or changes in regulations, laws or requirements of the authorities especially the SEC, the SET, the OIC, the AMLO, the BOT, etc. Such changes may affect the strategies and business operations of the Company and its subsidiaries.

The Compliance Unit of each member company of Thanachart Group is the department responsible for ensuring that the companies are in compliance with regulations and requirements from various related state agencies and the Code of Business Ethics. The department also provides advice and disseminates knowledge to executives and employees. Furthermore, it helps high-level executives to effectively manage the risk of regulatory violation. The role and responsibilities do not overlap with the Internal Audit Department. As well, its specific responsibilities Among others, these included work related to participation in Thailand’s Private Sector Collective Action Coalition Against Corruption (CAC) and collaboration with the regulators or state agencies concerned. In this connection, related reports would be sent to the top management as well as the Audit Committee of each company in parallel.

In evaluating regulatory risk, the Compliance Department assesses non-compliance risks in various transactions by considering all related internal and external factors for the Company. These include regulatory climate and outlook of the authorities, auditing assessment by the officials, business policies, debates and complaints, internal audit, and internal work procedures. The consideration is placed on the magnitudes of possible impact and likelihood of occurrence in each aspect of non-compliance risks. Random review is executed to comply with Control and Monitor standard, and a recommendation is proposed to correct errors and improve performance.

New Potential Risk Factors

Emerging risks are the risks that may have both short-term and long-term impacts, resulting from changes in various dimensions including the economy, society, demographics, environment, and technology. The Company and its subsidiaries remained vigilant and prepared to address these emerging risks, which included significant global mega-trends. This involved continuous monitoring of evolving situations marked by increasing volatility and analysis of various risk factors that could harm or affect business operations. Risk management focused on adapting to prepare and develop responsive measures for potential future risks. The Company had identified significant emerging risks and outlined its risk management strategies as follows:

Emerging Risks: Risks from Climate and Environmental Changes
  • Risk Description: These are risks stemming from newly emerging or recurring infectious diseases with significantly increased rates of transmission, including drug-resistant infections or those trending towards higher future prevalence. Examples include avian influenza, SARS virus, and the spread of COVID-19.
  • Potential Impacts of Risks: Despite the improving trend in the COVID-19 pandemic situation in the year 2023, with the economy showing signs of recovery as life gradually returned to normal under the endemic status of COVID-19, businesses in the tourism and related sectors were beginning to resume operations. However, the continuous spread of COVID-19 mutations remained a persistent challenge.
  • Measures: The Company and its subsidiaries had established measures to manage risks from epidemics and infectious diseases. Additionally, they continued to adhere to the Business Continuity Plan (BCP) to ensure preparedness in the event of COVID-19 infections, both within the office and in customer service scenarios. This was to ensure uninterrupted business operations and service provision to customers, partners, and other stakeholders. These measures included comprehensive plans covering prevention, monitoring, and response. Furthermore, the Company and its subsidiaries had implemented measures to assist customers affected by the aforementioned impacts.

Emerging Risks: Risks from Epidemics and Infectious Diseases
  • Risk Description: These are risks stemming from newly emerging or recurring infectious diseases with significantly increased rates of transmission, including drug-resistant infections or those trending towards higher future prevalence. Examples include avian influenza, SARS virus, and the spread of COVID-19.
  • Potential Impacts of Risks: Despite the improving trend in the COVID-19 pandemic situation in the year 2023, with the economy showing signs of recovery as life gradually returned to normal under the endemic status of COVID-19, businesses in the tourism and related sectors were beginning to resume operations. However, the continuous spread of COVID-19 mutations remained a persistent challenge.
  • Measures: The company and its subsidiaries had established measures to manage risks from epidemics and infectious diseases. Additionally, they continued to adhere to the Business Continuity Plan (BCP) to ensure preparedness in the event of COVID-19 infections, both within the office and in customer service scenarios. This was to ensure uninterrupted business operations and service provision to customers, partners, and other stakeholders. These measures included comprehensive plans covering prevention, monitoring, and response. Furthermore, the company and its subsidiaries had implemented measures to assist customers affected by the aforementioned impacts.

Risks to Shareholders

Investment in the Company’s shares carries investment risk for shareholders, as the return on investment may not meet shareholders’ expectations. The return varies in line with share prices, share liquidity, and investment conditions. In addition, the return in the form of dividends will depend on the Company’s performance in each period. As a result, shareholders may receive more or less return than expected. In this connection, the Company has already specified the key risks and the risk management. However, the Company may be faced with risks other than those already specified.

Nevertheless, shareholders must always be aware of the investment risk as there is no guarantee of the return to be received. As a result, shareholders should study the risk and exercise cautious discretion when making investment decisions by acknowledging that the Company may not be able to prevent all the risks which may arise as well as the surrounding factors such as domestic and international economic conditions, political situations, capital inflows and outflows, changes in the state policies as well as events that cannot be predicted in advance. They may have impacts on the Company’s performance and dividend payments.