Corporate Governance
The elements of organization-level risk management

Organization-level risk management follows the enterprise risk management guidelines of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which contain the following elements of risk management:

  1. Internal Environment
  2. Objective Setting   
  3. Risk Identification
  4. Risk Assessment
  5. Risk Responses
  6. Control Activities
  7. Monitoring
  8. Information and Communication

1. Internal Environment

The environment within the organization and its risk management culture are important factors in making risk management part of the organization's culture.

1) Organizational management and the risk management culture, which is an important factor in making risk management part of the organization's culture.

2) The role of the Board of Directors in overseeing that management carries out risk management with full coverage.

3) Structuring the organization appropriately.

4) Selecting and developing people who have the competence and the commitment to their responsibilities.

5) Encouraging employees to have integrity and ethics.

6) Assigning authority, functions and responsibilities to employees so that the goals of the organization are achieved.

2. Objective Setting

Objective setting means understanding the mission, objectives, goals and strategies of the organization's operations, as well as the operating environment. These are specified in the plan, which includes the performance objectives, together with the memorandum of agreement used to evaluate performance.

Setting the target makes it possible to know the success factors that affect achievement of the target, the success measures, and the acceptable level of deviation from each measure. The goals set for managing risk follow the performance objectives defined in the enterprise plan and any other targets further defined by the Executive Committee.

3. Risk Identification

Risk identification means considering the events that could lead to damage. Before risks are identified, the performance goals must first be determined; the events that could prevent those goals from being achieved are then analyzed.

Risk identification needs to consider factors both inside and outside the organization, since these factors affect the goals and the performance of the organization. External factors are the external environment, which the Company does not control, such as government policy, politics, economic conditions, interest rates, exchange rates, the performance of the relevant authorities, natural disasters, law, contracts, competitors and lifestyle. Internal factors are the environment that can be controlled or changed, such as strategy, policy, management systems, the organization structure, work processes, the culture of the organization and the technology used.

Risk identification should start from the events that are clear or significant, and must also include events that are low-risk or high-risk where they affect important goals. There are several ways to identify risks, including interviews, judgment based on experience, brainstorming, workshops, the establishment of a working group of people with the relevant expertise, and analysis of past data. Risks may also be identified from external sources, such as comparison against criteria or international standards, information from businesses of the same kind, or advice from consultants.

The Company's risk management divides risk into 4 categories, as follows:

  1. Strategic risk (S)

    Refers to risk associated with strategy and strategic decisions, including the fit between policy, strategic objectives and organization structure, and the effect of competition and the environment on the organization. It includes risk associated with state policy, economic and political risk, reputational risk, stakeholder risk, business competition risk, etc.
     
  2. Operational risk (O)

    Refers to risk in operations, in both the management of personnel and the technology used in the work. It includes risk associated with operations, property management risk, corruption risk, people risk, information technology risk, etc.
     
  3. Financial risk (F)

    Refers to risk in the policies and procedures for managing finance and investment, including capital structure risk, financial accounting and reporting risk, financial liquidity risk, and risk from exchange rates, interest rates and inflation rates, etc.
     
  4. Compliance risk (C)

    Refers to the risk of violating or not complying with laws and regulations, or of laws or rules that are inappropriate or an obstacle to operations.

4. Risk Assessment

After the risks that may occur have been identified in Step 4.2.2, the next step is to assess the risk, that is, to forecast the likelihood and the impact of each risk and how severe it would be if it occurred, so that the risks can be prioritized. The risk assessment evaluates the level of risk before risk management (inherent risk) and the level of risk as it changes after control / risk management. If the risk is still higher than the acceptable level, further management is needed to reduce it to an acceptable level.

1) Assessing the level of risk.

A risk assessment considers two elements, the chance that the risk will occur (likelihood) and its impact (impact). The two are considered together to give the level of risk, which is used as a measure of the importance of the risk.

  1. The chance that there will be a risk (likelihood)
    Refers to the chance that the risk or event will occur. The level of likelihood is usually judged from historical data. For an event that has not occurred before, information on events of the same kind that have occurred in the organization, information from research, or the experience of the assessor may be used, following the criteria for assessing likelihood.
  2. The impact (impact). Refers to the impact or damage that the risk would cause, which may be the value of the damage, its effect on significant targets, or its sensitivity to people. The expected impact is considered across five kinds of impact:
    1. Financial impact: impact that causes financial damage, or other damage that can be converted into a monetary value.
    2. Impact on performance: impact that causes delay in the Company's operations, affecting production, projects and services.
    3. Impact on reputation: impact that damages the reputation and the image of the group of companies and the application of Telecom Limited, as a direct or indirect result of operations.
    4. Impact on information technology: impact that causes problems or damage to information systems, work systems and information.
    5. Impact on management within the organization: impact that causes problems or dissatisfaction at work.

Likelihood and impact can be measured using analysis techniques chosen as appropriate for each risk: qualitative analysis (assessment by description, not expressed as a number), semi-qualitative / semi-quantitative analysis (numbers used in place of qualitative descriptions to extend them), and quantitative analysis (numerical metrics, such as the amount of loss, the number of complaints, or the delay against plan). Quantitative analysis techniques need to be based on collected information and statistics and on a model or mathematical method, so that a numerical measure can be defined for the risk.

The Company has set five-level criteria for assessing likelihood and impact. However, there may be risks for which these likelihood and impact criteria are not appropriate. For such risks, the Board of Directors shall determine specific criteria for assessing the level of likelihood and impact.

2) The risk level is the measure used to determine the importance of a risk. It is obtained from the likelihood of the risk and the impact of the risk considered together, as follows:

Risk level (R) = Likelihood level (L) × Impact level (I)

A low value from the formula above means the risk level is low, and a high value means the risk level is higher. The meaning of each risk level is as follows.

The meaning of each risk level

| Level of risk | Meaning   |
|---------------|-----------|
| 1-3           | Low       |
| 4-9           | Medium    |
| 10-16         | High      |
| More than 16  | Very high |

 

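The chart shows the level of risk and profile.

| Impact \ Chance | Very low (1) | Low (2) | Medium (3) | High (4) | Very high (5) |
|-----------------|--------------|---------|------------|----------|---------------|
| Very high (5)   | 5            | 10      | 15         | 20       | 25            |
| High (4)        | 4            | 8       | 12         | 16       | 20            |
| Medium (3)      | 3            | 6       | 9          | 12       | 15            |
| Low (2)         | 2            | 4       | 6          | 8        | 10            |
| Very low (1)    | 1            | 2       | 3          | 4        | 5             |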

 

5. Risk Responses

After the risks have been assessed and prioritized in step 4, the risk is managed using one or more strategies to reduce the level of risk to an acceptable level. The strategies for managing risk include:

1) Avoiding the risk (terminate). Getting rid of or avoiding the risk because both its likelihood and its impact are high, for example by changing the target, cancelling the program, or changing the format of a project.

2) Transferring the risk (transfer). Reducing the likelihood of the risk and/or the impact it would cause by transferring it, or sharing part of the burden, to another accountable party, for example through insurance, transfer to a contractor, transferring the work to a concession, or contract hire (outsourcing).

3) Controlling the risk (treat). Reducing the likelihood of the risk and/or the impact it would cause by changing the way of working or preparing supporting plans, for example changes to work methods, follow-up and checking measures, adjustment of the structure, or development of employees' competence.

4) Accepting the risk (take). Agreeing to the risk that will occur. Under this strategy no action is taken to reduce the likelihood or the impact, because the remaining level of risk is at an acceptable level, or because the cost of managing the risk is higher than the result to be gained.

The decision on which strategy to use must take into account the risk factors that cause the risk and the cost or resources each option requires, compared with the results to be obtained, to judge whether the strategy is worthwhile. When an appropriate risk management strategy has been selected, the units related to the risk must create a risk management plan so that risk management can be tracked and assessed. One or several ways of managing the risk may be chosen so that the risk stays within the acceptable range of deviation (tolerance). The risk management plan has the following components:

1) The strategy and how to carry it out.

2) The person responsible for the risk management plan.

3) The completion deadline.

6. Control Activities

Control activities are the policies and procedures set up to help management ensure that risk management is carried out correctly. The activities cover control, detection and correction, and include:

  • Setting policies and procedures, such as the manual
  • Approval / certification / approval of the job
  • The result of the operation
  • Security of, and access to, data and information technology systems
  • Segregation of duties and responsibilities / assignments

The Company has defined its control activities through the risk management policies and procedures in the Risk Management manual, which defines who is responsible for the risk management action plan. For risk management at the operations level, the manager determines the persons responsible. For risk management at the organization level, the Board of Directors determines which unit should have primary responsibility, the completion period, and the periodic reporting of the results of the risk management plan to the auditor.

7. Monitoring
  1. Tracking performance

    When the environment changes, the way the risk is managed may no longer be suitable, control activities may become less effective, or the performance objectives may change. Monitoring is therefore needed to confirm whether each step of risk management is still effective.

    Monitoring can be done in two ways: tracking during operation (ongoing monitoring) and assessment at periodic intervals (separate evaluation).

    Monitoring during operation tracks every step of risk management continuously, while periodic assessment is carried out at specified intervals, so tracking during operation is more efficient. In addition, the more checking is done during operation, the less checking is needed in the periodic assessment.

    Either or both of the above may be used for monitoring. However, if periodic evaluation is used, risk management must be assessed at least every 6 months.

    Tracking relies on self-assessment: the unit with primary responsibility for managing the risk is responsible for assessing its own risk management performance. Follow-up checks are then carried out as part of routine work, or on the order of the Committee or the Board of Directors.
     
  2. Reporting

    The unit with primary responsibility for managing the risk is responsible for reporting the results of organization-level risk management to the Executive Committee at least every 6 months. However, if a significant risk arises or the management of a risk is not effective, it must be reported to the Executive Committee in a timely manner.

    The Executive Committee is responsible for reporting organization-level risk management to the Company at least every 6 months, or whenever a significant risk arises.
     
  3. Assessment of the risk management framework (framework appraisal)

    The steps and components of risk management above, as well as the risk management guide, must be assessed periodically to confirm that they remain appropriate and effective for risk management. The assessment may be performed as a self-assessment (self-appraisal) or by an external person (independent appraisal).

8. Information and Communication

Information and communication means the communication and information systems for risk that ensure all management and employees understand the risk management process and their role in it:

  1. The Board of Directors and senior executives communicate the risk management policy and the status of the risk so that all employees understand it and perform risk management according to their role.
  2. There is a channel for two-way communication about performance between employees and management.
  3. There is a coordinator between the work units and the risk management function, to check that information is being exchanged between them.
  4. Information related to risk management, from both inside and outside the organization, is communicated through the organization's information and communication systems, so that employees can find information about risk management and the relevant details regularly and in a timely manner.