Risk and Crisis Management

Management Approach


Corporate Risk Management Structure

The Company established a Risk Management Committee to determine risk management policies, plans, and acceptable risk appetite in conjunction with the risk management department and regulatory agencies. This approach enables effective risk operations and alignment with good corporate governance principles. The Risk Management Committee is also tasked with reporting operational performance to the Audit Committee and the Board of Directors twice a year for risk management review, follow-ups, and resolution of identified organizational risk issues. The mentioned practices support an internal control mechanism, enable efficient risk monitoring, and ensure conformity to international standards.

In addition, the Risk Management Committee has conducted self-assessments and group assessments using an assessment form adapted from the Thai Institute of Directors Association in conjunction with the charter. In 2024, the Risk Management Committee received an excellent performance score for 94% of operations and a good performance score for 6% of operations.

1. Board level risk oversight

The board of directors oversees the risk management system, providing independent recommendations for critical risks. It also establishes a risk management policy, considering significant risk factors, including risk management guidelines and monitoring the performance of risk mitigation plans.

2. Operational risk management functions

  • Operational risk Ownership (first line): The organizational risk assessment committee is the risk owner and manager in daily operations. The risk manager and unit risk champions are responsible for executing the controls set by the risk management committee
  • Risk management and compliance oversight (second line): The Risk Management Committee is responsible for developing the organization’s risk management plan, setting the risk appetite, and overseeing and advising on risk management and regulatory compliance. It ensures that departments adhere to established policies and procedures, and reports to the Audit Committee and the Board twice a year. The committee reviews the effectiveness of the risk management process, monitors results, and identifies ways to improve performance and mitigate risks more effectively. The Risk Management Unit serves as the secretariat
  • Independent Audit Unit (third line): The Internal Audit function, comprising the Internal Audit Team and the Audit Office, is responsible for assessing whether the organization’s operations align with the company’s risk strategy and policies. The Internal Audit function reports directly to the Audit Committee and the Board twice a year

Roles and responsibilities in risk management

Level: Third Line
Responsible: Internal Audit Division / Internal Auditor
Roles and responsibilities:
1. Monitor, review, and audit against risk-based standards
2. Ensuring the organization has appropriate risk management practices

Level: Second Line
Responsible: Risk Management Committee (RMC)
Roles and responsibilities:
1. Identify and assess significant business risks, including strategic, financial, operational, regulatory, and reputational risks. Propose risk mitigation strategies and develop policies and procedures to manage these risks effectively. Provide recommendations to the board and management on risk management practices
2. Develop a comprehensive risk management plan and processes to achieve the organization’s objectives and goals.
3. Oversee and support the risk management program. Monitor and evaluate the effectiveness of the risk management framework throughout the organization. Review and update risk management policies, systems, and plans on an ongoing basis to ensure they remain appropriate to the changing business environment.
4. Communicate with the audit committee regarding significant risks to assess the adequacy of the company’s internal control system.
5. Report the results of risk assessments and risk mitigation efforts to the board of directors at least twice a year. In case of any significant events that could materially impact the company’s financial position or operating results, the board of directors shall be informed immediately.
6. Perform such other duties as may be assigned by the chairman of the board.

Level: First Line
Responsible: Risk Filter Team (Risk Manager, Risk Champion, Risk Owner)
Roles and responsibilities:

- Risk Manager
1. Define a risk management strategy to maintain risks at an acceptable level, known as Risk Acceptance, to achieve departmental objectives and align with the organization’s goals
2. Review significant departmental risks, monitor them, and assign Risk Owners to take necessary actions.
3. Effectively communicate departmental risks to management and employees to promote a culture of identifying new or emerging risks
4. Appoint a departmental Risk Champion to coordinate with the enterprise risk management function and ensure compliance with established policies.
5. Propose improvements to enhance the risk management process, aligning it with the department’s mission

- Risk Champion
1. Manage the identification, review, analysis, and reporting of risk profiles for relevant departments or units. Present these findings to the department’s senior management (Risk Manager) for consideration and subsequent presentation to the Risk Management Committee
2. Support the development of departmental/unit Business Continuity Management (BCM) plans, ensuring alignment with the organization’s and business group’s BCM plans
3. Coordinate with the Risk Management Committee to ensure compliance with established risk management policies
4. Execute risk management activities as assigned by the department’s Risk Manager

- Risk Owner
1. Manage and control departmental risks, as assigned by the Risk Manager, to maintain them at an acceptable level
2. Review, assess, and document departmental risks in relevant risk registers in collaboration with the Risk Champion
3. Identify, monitor, and report significant risk indicators to the Risk Manager on a regular basis
4. Report on the progress of assigned risk mitigation plans and maintain emergency response plans
5. Participate in various activities as assigned by the Risk Manager and Risk Champion

Risk Analysis and Assessment

The Company prioritizes risks by assigning the respective Risk Owner to analyze each risk using the Probability Rating Scale and Impact Rating Scale in a Risk Matrix, following the principles and guidelines described in the following text.

Risk Matrix

The Company creates a risk control plan according to risk prioritization based on risk matrix analysis, which assesses both the likelihood and impact of each risk, including risks related to fraud and corruption. This plan requires continuous monitoring of the Key Risk Indicator (KRI) for risk management effectiveness in addition to mitigation contingencies and preparedness to manage impending situations with the aim of supporting organizational business operations in achieving sustainable goals.

In addition, the Company determines guidelines and frameworks for risk and crisis management consisting of enterprise-wide level risk management to focus on planning and managing risks which may affect general operations and operational risks associated with processes in each department. Risk information is communicated to employees at all levels for complete understanding.

The Company has prepared a Business Continuity Plan (BCP) in anticipation of rapidly changing situations, with the goal of ensuring Company operations remain continuous and uninterrupted. In addition, a progress report for operations is prepared by the Risk Management Committee every 6 months and presented to the Audit Committee and the Board of Directors.

The Internal Audit Office is responsible for inspecting and evaluating operations according to risk reduction measures as a means to ensure operations are aligned with good corporate governance principles, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) internal control framework and the international standard for business continuity management ISO 22301: Business Continuity Management (BCM). The key objective is to manage the Company’s risks at an acceptable and manageable level. In 2024, the Company received business continuity management certification (ISO 22301: BCM) for 2 additional locations, including the Khon Kaen Distribution Center and Hat Yai distribution center.

Risk and Incident Management Framework for Sustainable Business Operations

The Company conducts risk assessments and reviews risk management continuously through considering organizational strategic plans and business goals combined with results from the Materiality Analysis of important sustainability issues to develop risk management guidelines which cover all 4 important types of risks: Business Risk, Sustainability Risk, Black Swan, and Emerging Risk. Effective risk management processes not only determine measures to prevent and reduce potential impact from various risk issues but also bolsters organizational drive to achieve goals and create value for all stakeholder groups.

The Company conducts risk assessments on a quarterly basis to ensure effective risk management according to determined goals. Risks which may impact business operations are identified and categorized into 4 groups as follows:

  • Business Risk
  • Sustainability Risk
  • Emerging Risk
  • Black Swan or unexpected risks

To encourage employee participation in risk management, mitigate changes within the business environment promptly, as well as support organizational strategy implementation, the Company organizes training to provide knowledge about relevant risk reduction measures to various departments, with a risk coordinator (Risk Champion) responsible for providing knowledge every quarter. Specified mechanisms for controlling and monitoring risks are as follows:

Internal control and risk monitoring mechanisms

Assessing high-risk activities

  • Operated by Risk Champion
  • Evaluating risks, which are
    – Compliance with the Personal Data Protection Act (PDPA)
    – Adherence to process standards, laws, regulations, and Company policies related to business continuity planning (BCP) activities
    – Stakeholders’ grievance

Selecting high-risk processes

  • In 2024, there were 44 high-risk processes identified out of a total of 228 processes assessed. These covered processes across Operations Division, Product Management Division, Human Resources Division, Information Technology Division, CAF-M Division, Accounting Division, Sustainability Development Division, and Strategy Division

Establishing risk control measures

  • In 2024, high-risk processes were addressed through the implementation of 3 control measures: a comprehensive risk review by developing the ARI application to enable real-time monitoring and reporting of key risks, crisis communication to enhance response strategies during critical situations, and BCM (Business Continuity Management) drills to ensure training and simulations are aligned with current risks. Additionally, risk control measures were directly communicated to relevant stakeholders to ensure awareness and compliance.

Randomized assessment of control measures by auditors

  • The auditors comprise the Risk Management Unit, Corporate Process Simplification Unit, and Audit Unit

Ongoing Project: Risk Management and Business Continuity Management Training Program for Risk Champion

The Risk Management unit, in collaboration with Panyatara Co., Ltd. and All Training Co., Ltd., organizes the online training course “Risk Management and Business Continuity for Risk Champion 2024”. The training objective includes skills development, new learning experiences applicable as guidelines for risk management within the CP ALL business group, and increased capability to evaluate organizational risk management according to the Risk Score criteria. Project participants will undergo post-training assessments to verify comprehension and enhance awareness of processes to determine risks and subsequent prevention methods to ensure continuous and uninterrupted operations. Over 317 Risk Champions from the CP ALL business group participated this year.

Ongoing Project: Black Swan Search continuation

The Company has continued the Black Swan project for the 11th consecutive year to raise awareness of risks for the Company’s personnel. Management and employees are encouraged to take part in identifying enterprise risks that could potentially impact the Company’s operations and goals through the submission of risk topics in a contest available at various channels. The risk topics relate to the following 6 issues:

  • Continuous Business Operations
  • Work Process
  • Products and Services
  • Outsources Hiring
  • Corporate Sustainability
  • Activities Related to the Company’s Subsidiaries

The awarded risk issues will be considered for further development of appropriate support measures and management strategies to effectively implement them. In 2024, there were a total of 1,460 risk issues submitted by employees for competition. The top five risk issues with the highest number of submissions are: 1) Health and Safety Risks, 2) Cybersecurity Risks, 3) Environmental Risks, 4) Customer Service Risks, and 5) Regulatory Compliance Risks.

Furthermore, the Company conducts Risk Score evaluations to measure the overall risk management effectiveness of each department. The Company welcomes suggestions for further development and improvement of risk management systems in all areas to enhance efficiency. This covers over 80 departments on a quarterly basis, along with providing guidance and knowledge exchange through online systems. Additionally, exemplary risk management practices are showcased to elevate capabilities through the Risk Score Clinic project weekly. Departments demonstrating consistent excellent performance will be publicly acknowledged by the Chief Risk Officer and the CEO as role models for the organization, fostering pride among the department’s risk management personnel.

Emerging Risks

The Company considers risks toward business operations important, thus, measures and guidelines for management and administration have been established to promptly respond to risks. This includes regular annual reviews of issues and various trends to analyze new risks which may affect business operations. Moreover, the Company can identify 3 new risks and analyze the impact of these risks on business operations, along with outlining preliminary management measures and guidelines as follows:

Risks from rapid changes in Generative AI technology in the e-Commerce business

Online sales trends in 2024 include increased utilization of Generative AI technology in e-commerce businesses, specifically through Live Commerce and Cross-border e-Commerce. Chinese products increasingly penetrate the Thai market, with predictions of new e-Commerce players contending with established players. The anticipated new player, an overseas online shopping platform which focuses on cheap products, could fuel growth potential in the Thai e-Commerce market where growth is expected at 19% according to Google’s Southeast Asia Digital Economy Report summary last year. The robust growth resulted in CP ALL’s e-commerce business growth reaching 11% of total sales.

However, the integration of Generative AI technology will most likely impact new investment projects, investments in subsidiaries and distribution centers, and lead to more business operations within group companies in a manner which preserves and creates a good service experience at 7-Eleven stores in a sustainable way.

The rapid introduction of Generative AI technology in the e-Commerce business has impacted new investment projects, investment in subsidiaries and distribution centers in CP ALL’s group business operations. It helps maintain and create sustainable customer experiences at 7-Eleven stores. In 2024, investments will account for approximately 31% of the total 13,000 million Baht budget. In the scenario where Generative AI technology is introduced and fully adopted as an aid in analyzing products and services for consumers within the next 3-5 years, a significant increase in investments can be observed in new projects, subsidiaries, and distribution centers. Examples of potential investments include developing work processes throughout the value chain at branch stores, at warehouse systems, and at support units within the head office to enhance the purchasing experience throughout all channels, and AI Ordering to replenish inventory appropriately according to various situations and environmental factors. The developments mentioned increase the average revenue per store per day and sustainably maintain good customer experience for 7-Eleven store patrons in the future.

CP ALL aims to invest in Generative AI technology as a tool to assist in analyzing product and service needs of individual customers. This approach, which identifies products or product categories customers are personally interested in (Personalization) to be appropriately selected and ordered (AI Ordering) while taking into account various situations and environmental factors, yielded an increased average revenue per store per day of approximately 6-7%. Other developments include initiating communication channels with the diverse customer base while considering customer communication behavior, especially via online channels through popular social media comprising TikTok, Instagram, X (Twitter), Line, YouTube and Facebook, including live streaming. The in-depth analysis targets and recognizes customer needs quickly and accurately through technological applications to enable product and service presentation which satisfies customer requirements in the future.

CP ALL closely monitors Generative AI technology advances which affect the Company’s business strategy through defining business strategy, focus on growth from current strengths, and responses to new living norms and the digital society. In managing the changing trends and improving formats for good customer experience, the Company has introduced new products, sales promotions in conjunction with the signature service of employees within the store who double as product organizers and product deliverers, etc. The interactions create customer bonds and trust and allow store employees to understand customer needs, thus building capabilities to provide offerings which align with customer requirements. Interactions encompass the various customer contact points, channels to product and service, services through branch stores, vending machines, and online platforms. The online platforms include 7Delivery, an on-demand delivery service, and All Online which represents a department store near home. The mentioned strategy has received consistently good customer response, especially at branch stores which foreign tourists often frequent.

The risk from transitioning into a Completely Aged Society increases the demand for health products

Thailand is transitioning into a Completely Aged Society, according to data from the Department of Provincial Administration, Ministry of Interior, in 2023. It was found that Thailand has a population of people aged 60 and above, or the elderly, accounting for 1 in 5 (13 million people) of the total population (66 million people), with a continuous upward trend projected over the next 5-10 years. It is estimated that Thailand will evolve into a Super Aged Society, with the elderly population increasing to 28% of the total population. This will directly impact the demand for health-related products and services, resulting in greater need for health-focused food products, functional foods, and foods with modified ingredients. This trend may influence CP ALL’s strategies, budget planning, research in product and service development, as well as procurement of health-enhancing products.

CP ALL has been actively managing health and nutrition products through various support programs and promoting research in health products internally and externally. However, with the transition into a Completely Aged Society and the trend towards becoming a Super Aged Society, CP ALL needs to adapt and prepare to deliver products and services which can fulfill future needs. The effect and risk of losing opportunities in selling health products and the elderly group, which accounts for 12.88% of total sales compared to all food and beverage products sold in 7-Eleven stores, may also impact organizational direction-setting and strategy. Additionally, CP ALL is preparing to respond by increasing its budget for research on products and services suitable for the elderly. The budget has been raised to 44 million Baht, an increase of 42% compared to 2023, to support the procurement of health-related products by 25%.

In 2024, the Ministry of Public Health announced policies to reduce chronic non-communicable diseases (NCDs), which include high blood pressure, high blood cholesterol, obesity, cardiovascular disease, etc., among the population. According to the National Statistical Office Health and Welfare Survey in 2023, Thailand found NCDs among people aged 60 years and over, with a 56% incidence of illness when compared to other age groups. To reduce new cases and promote sustainable health for Thai people, the Food and Drug Administration (FDA) collaborates with network partners in both the public and private sectors, including the Ministry of Public Health, Institute of Nutrition Mahidol University, Health Promotion Support Office (Thai Health Promotion Foundation) and private food SMEs to promote and strive for food products with modified formulas which reduce sweetness, oil, and saltiness. The offered alternatives for consumers are identified by the symbol “Healthier Choice” as a means to help consumers notice and make consumption decisions more conveniently. Currently, products certified with the Health Choice Symbol cover 14 groups: main meals, beverages, condiments, dairy products, instant foods, snacks, ice cream, oils and fats, bread, breakfast cereals, baked goods, snack products, fish and seafood products, and meat products. The health alternative products identifiable with the symbol “Healthier Choice” may have an impact on purchasing decisions among elderly people with NCDs.

In addition, campaigns from the government sector have motivated the Company to source healthy products to fulfill the “Healthier Choice” category and meet demands for health-conscious product alternatives, especially among the elderly. Product manufacturers are required to apply for product registration with certification costs of 10,000 Baht per time per product and symbol renewal of 5,000 Baht per renewal per product by January 1, 2025, when the regulation comes into effect. Product manufacturers have to accept increased costs for product registration and certification, thus impacting supply chains and CP ALL. The expected increase in product cost amounts to 10-15 million Baht, accounting for costs forwarded to good health and well-being food, and other food and beverage groups.

CP ALL develops products through researching food innovations and continually increasing nutritional value in collaboration with CP Food Lab Co. Ltd., Product Development and Quality Assurance Office (PDQA) CP ALL Public Company Limited, and external organizations with expertise including the Thailand Institute of Scientific and Technological Research (TISTR) and the Department of Product Development, Faculty of Agro-Industry, Kasetsart University. The Company concurrently determines criteria for health products within the Company’s Private Brands in line with certification standards of external agencies and international standards.

The Company aims to promote and support food and beverage product groups which reduce sugar, fat, sodium, additives inclusive of preservatives, food coloring, sweetener substitutes, antibiotics, etc. and product groups which increase nutritional value, including fortification with vitamin A, zinc, iodine, fiber, iron, etc. The Company has promoted CPRAM’s elderly food project which emphasizes the importance of health under the “Creator” brand. The brand focuses on foods with specific nutritional value and amount, food properties or raw materials conducive for chewing, digestion and absorption, nutrition suitability according to age, and high protein foods not specifically designed for the elderly. Customers can choose to eat “Creator” to gain complete nutrients while experiencing an “easy to chew, easy to digest” product with high nutritional value and good taste to fulfill the needs of the aging society in Thailand and globally.

In addition to the food and beverage product group, the Company carefully selects quality raw materials from responsible sources for its products which contain Genetically Modified Organisms (GMOs) and ensures its certification and traceability. The Company has established a process to continuously monitor and review operating results to ensure continued promotion of health and well-being, and capabilities to fulfill the organization’s short-term and long-term goals. This process entails compiling a database for policy development, operation plans and various research plans in the future to support trends of changing products and services for the elderly group in the future. The service level has been elevated to cater to customer groups with difficulty visiting 7-Eleven stores through ordering products from the application ‘7App’ with delivery service. The elderly who are not comfortable accessing digital systems or customers without a smartphone or mobile internet can opt for CP ALL’s new ordering service via the Call Center by dialing 1371. The Chat & Shop and Line OA services also facilitate ordering of various products in 7-Eleven stores.

The Risk of Failing to Achieve Net Zero Target due to Scope 3 emissions

CP ALL assigned the Sustainability Development Subcommittee to oversee climate change management and specialized operations teams for instance, teams to manage energy efficiency and energy conservation, the solar installation team, environmentally friendly packaging development team, etc. The subcommittee performs administrative duties related to managing climate change under the strategy “7 Go Green”, which focuses on reducing greenhouse gas emissions from business operations to meet stipulated targets. With aims for carbon neutrality (Carbon Neutral) by 2030 and net zero greenhouse gas emissions (Net Zero Emission) by 2050, greenhouse gas management is divided into 3 categories: direct greenhouse gas emissions (Scope 1), indirect greenhouse gas emissions from energy usage (Scope 2), and other indirect greenhouse gas emissions (Scope 3). The Company has considered establishing goals to reduce the organization’s greenhouse gas emissions to net zero through a validation process according to the guidelines of the Science Based Targets initiative (SBTi). In addition, the Company has established a framework for operations and guidelines to conduct business responsibly in terms of climate change throughout the supply chain in alignment with Task Force on Climate-related Financial Disclosure (TCFD) guidelines with climate change information disclosures (IFRS S2 Climate-related Disclosures).

Achieving the stipulated goal is critical as the majority of the Company’s greenhouse gas emissions come from other indirect activities (Scope 3) arising from activities within the supply chain, inclusive of greenhouse gas emissions occurring from production processes of intermediary products used by the Company, internally produced products, transportation, distribution, product utilization and garbage disposal. The mentioned processes account for the highest proportion of greenhouse gas emissions, reaching 88% of all greenhouse gases or equivalent to 13,030,541 tCO2e in 2030.

Achieving the established climate goals affects business practices within CP ALL’s supply chain whereby the Company aims for both small and large suppliers to adapt to a low-carbon society. In adopting low-carbon measures, production processes are modified and the cost of production increases. Smaller suppliers are confronted with limitations in collecting and reporting greenhouse gas emissions data, thus requiring additional financial support and knowledge from the Company. CP ALL’s internal operations require investment in additional projects to reduce greenhouse gas emissions, including employee transportation modifications and waste management, etc., which contribute to overall business operating costs of 8,976 million Baht. Successful adoption of this initiative not only requires Company commitment but also stakeholder cooperation and their varying capabilities. The inability to proceed accordingly may impact the realization of goals and affect corporate image in the form of “greenwashing” accusations and potential societal resistance in the future, etc.

CP ALL is committed to operating under sustainability strategies covering the dimensions of good governance and economics, society and the environment, including: 7 Go Green, 7 Go Together and 7 Go Right strategies. In risk assessments of material impacts toward all stakeholder groups, encompassing positive and negative impacts in reducing greenhouse gas emissions from suppliers, CP ALL has established a policy and manual for sustainable procurement used to select and promote business suppliers. Examples of policies include sourcing from sustainable agriculture and utilizing environmentally friendly products, etc. To reduce greenhouse gas emissions generated by suppliers, the Company established initiatives and prepared capacity assessments and supplier readiness assessments for low-carbon society adoption appropriate for each supplier group. For instance, two events to enhance awareness and basic knowledge on reducing greenhouse gas emissions for small suppliers were organized in 2024. Incentives were provided to suppliers who cooperate with the Company in driving the country’s greenhouse gas emissions reduction goals, etc.

CP ALL has invested in developing the production systems in addition to managing and reducing waste within business operations, a means to reduce indirect greenhouse gas emissions associated with the Company. Executives involved in overseeing the Company’s sustainability policy are tasked with regularly monitoring developments regarding missions of Thailand Carbon Neutral Network (TCNN) and the Global Compact Network of Thailand (GCNT). Awareness of updates keeps the Company informed of trends, including participation in expressing opinions and driving forward the agenda for climate change management at the national level, modifying organizational policies consistent with national policies, as well as allowing the organization’s business activities to proceed continuously while taking into account the positive and negative impacts on all relevant stakeholder groups.

Managing cyber security and data protection

In tandem with standards adoption, the Company has conducted a cyber threat risk assessment in accordance with international guideline NIST (Cyber Security Framework). The guidelines are reviewed in conjunction with business goals and the current environmental situation to determine the most appropriate information technology systems security policies and appropriate application which considers personnel, processes, and technology through various projects as follows:

Ongoing Project: Cyber Security

In the digital era, where businesses increasingly rely on online systems, cybersecurity has become a critical priority. The Company constantly faces cyber threats and must implement proactive measures to mitigate risks. To address this challenge, the Company has planned and implemented comprehensive security measures across all dimensions, including training employees to raise awareness of cyber threats, strengthening cybersecurity protection systems, and ensuring that software is continuously updated to remain effective against emerging threats.

  • Cyber Hygiene Culture: cultivating an organizational culture with cybersecurity wellness
  • Cyber Assurance: controlling cyber security standards
  • Cyber Operation: operations for surveillance and cyber threat prevention

In 2024, the Company underwent cyber security assessments and ratings from BITSIGHT Security Rating Service, a third-party organization which analyzes cyber security levels and corporate cyber. Through utilizing the Security Ratings scoring method and continuous assessment to measure cyber security level for listed companies and securities companies (Cybersecurity Resilience Survey 2024), Cybersecurity Levels which reflect management, data administration, and cyber security are determined. Enhanced security levels promote credibility and corporate image thus the Company proceeds according to the following important guidelines:

  • Promote important policies regarding cyber security, instill awareness regarding imminent cyber threats and provide recommended guidelines for correct and secure use through various channels including the company website, email, CPALL Connect Cyber Security Portal, etc
  • Organize cyber security awareness training on a variety of topics for all employees, both online and onsite, in addition to communicating through various channels and arranging cyber vaccine assessments for 101,160 Company employees and executives
  • Review policies to maintain consistency with international standards for information security management systems (ISO 27001) and personal data management systems (ISO 27701)
  • Assess risks from cyber threats and review security measures once a year, integrate security technology according to the Cyber Security Roadmap to maintain confidentiality, accuracy, integrity and availability of all information.
  • Organize a Data Breach & Cyber Security Incident Response Workshop for operational and management level employees according to live scenarios to simulate appropriate responses to developing situations and determine improvements, twice a year.
  • Organize training and instill cyber security awareness comprising:
    – 1,938 new employees, equivalent to 100% of new employees, signed acknowledgment of policies and guidelines through the On-boarding Program
    – 116,179 current employees, equivalent to 100% of employees, at all levels of CP ALL and its subsidiaries received training
    – 48 suppliers, equivalent to 100% of suppliers, received communication and support on the safe usage of data when connected to the Company’s IT system, and signed acknowledgment to comply with safety procedures prior to working
    – Educate customers on the cyber security topic, “Cyber vaccine, recognize scams, resist online dangers”, which emphasizes key cautionary issues relevant to online services and cyber threat protection through social media channels
  • Organize Cyber Security Drills Test every quarter through simulating a virtual situation as outlined in the Phishing Simulation Test for all employees at all levels to enhance awareness of cyber threats, reduce the risk of becoming a victim, and develop correct and prompt response capabilities
  • Organize training, assessments, and support security practitioners to pass international standard certifications including CISSP, CISA, CDPSE, C|EH (Certified Ethical Hacker), CompTIA Security+, etc
  • The Security Operation Center (SOC) adheres to the Incident Management process according to ISO 20000 standards, with operating teams working 24 hours a day to monitor and manage security systems, thus users can report Security Incidents or other threats through the Call Center by dialing 1500 at any time
  • Conduct a Data Breach & Cyber Security Incident Response Workshop for operational and administrative level employees as planned in a virtual environment in order to develop correct and prompt response capabilities and determine improvements, twice a year

Impacts and Benefits

of the Company’s network information systems comply with the Information Security Management System (ISO 27001) certification through installations

of employees passed the Phishing Simulation Test

of employees working in cyber security systems (33 people) passed training and knowledge testing on cyber security topics

of Company internet network systems and websites have undergone Vulnerability Assessment by a third-party company and the internal system hacking expert unit (Red Team), with results considered in future improvements by the operating team to enhance security

Personal Data Protection Management

The Company is cognizant of the importance of data privacy, a key privacy right upheld by the Constitution of the Kingdom of Thailand and the principles of the Universal Declaration of Human Rights. In an approach to increase confidence among stakeholders throughout the value chain, supervision is provided as follows:

  • Establishing and reviewing personal data protection policies
  • Supervision of personal data protection includes:
    – Managing records of personal data processing activities and determination of legal bases
    – Notification of personal data processing
    – Consent management
    – Rights management and personal data owner complaints
    – Managing personal data processing agreements
    – Assessment of personal data protection impacts
    – Procedures upon occurrence of personal data breach
  • Review and improve activities to maintain consistency with the PDPA law and secondary laws at least 1 time per year
  • Developing and applying information technology systems to business operations while considering maintenance of security and protection of personal data through Security and Privacy by Design, inclusive of the automatic Privacy by Default system
  • PDPA on Tour (site visit) to review relevant operations of activities which contain personal data to ensure compliance with PDPA laws and secondary laws
  • Expanded request for certification to international standards in information security management system ISO 27001 and personal information management standards ISO 27701 for 24Shopping Co., Ltd. warehouses
  • Review processes and simulate incidents of breaches and personal data leaks with senior executives and the data breach incident response team, in addition to performance reviews to determine improvements 1 time per year

Ongoing Project: Raising Awareness of Personal Data Protection

The Company is committed to raising awareness regarding personal data protection among employees at all levels through adhering to guidelines established in the organization’s key strategies and plans as an approach to reducing risks which may occur to the Company.
In 2024, the Company implemented steps to raise the level of personal data protection to international standards. The details are as follows:

  • Communicate and promote awareness of PDPA laws to employees at all levels in addition to disseminating and promoting PDPA Mindsets to employees, consisting of 1) Respect the privacy of others (Respect) 2) Be honest and transparent (Transparency) and 3) Be responsible for your actions (Accountability) through offline and online channels inclusive of posters, Company website, email, PDPA Portal, CPALL Connect, etc.
  • Organize activities to support personal data protection to employees at all levels, inclusive of training with knowledge assessments, seminars, workshops, webinars, etc. to provide knowledge and create awareness regarding PDPA to employees in the Company and its subsidiaries, including suppliers and business allies handling personal data. The training curriculum/seminar content is tailored to respective participants, for instance general employees, employees with access to personal information, executives, administrators/developers of information systems, etc
  • Create a PDPA Champion capable of communicating, educating, and monitoring personal data protection

Impacts and Benefits

of activities managing personal data comply with the Personal Data Protection Act

of employees passed PDPA guidelines training and knowledge assessment

of respondents exercised the rights of personal data owners within the specified time

serious grievances reported

in value of the damage caused by personal information leaks or violations

Other Information


Sensitivity Risk

1. Business Environment Risk

As the business continues to expand, the Company recognizes the need to develop GHG emissions reduction initiatives across its operations, including research, pilot projects, and application to the business, as well as collaboration programs with stakeholders throughout the value chain. Under the principle of continuous development, the Company has conducted a preliminary study on advanced sustainability targets, namely becoming a carbon neutral or net zero carbon organization in 2030 and afterward. The Company has simulated 3 GHG emissions reduction scenarios (shown in Diagram 1), all of which are linked with business growth. An additional scenario was performed by limiting the volume of carbon offsetting to 20% of the projected BAU case in 2030. The offsetting cost of all remaining carbon emissions is used to determine the range.

The results indicate the costs associated with climate change mitigation and their linkage with the business case, reflecting the effort and preparation required to help mitigate this global issue.

Diagram 1 GHG emissions and carbon offsetting

Data Analysis (inputs and factors used for the analysis)

  • Voluntary Emission Reduction: 42.72 Euro / tonne
  • Exchange rate: 38.37 Baht / Euro
  • Carbon emissions forecasting 2030 (CEF2030): 3,042,632.71 tCO2e
  • Target limited GHGs growth at 4%: 2,086,322.77 tCO2e
  • Target GHG reduction at 4.2% each year: 1,764,726.97 tCO2e
  • 1% of revenue 2020: 5,465.90 MTHB

Table 1: Sensitivity analysis for carbon offsetting on target year 2030 scenario

Unit: million THB

| Carbon pricing valuation | -10% | -5% | ±0% | +5% | +10% |
|---|---|---|---|---|---|
| Carbon emission (CEF2030) | 4,488.64 | 4,738.01 | 4,987.38 | 5,236.75 | 5,486.12* |
| Targeting limit GHG emission at 4% growth against BAU | 3,077.85 | 3,248.84 | 3,419.83 | 3,590.82 | 3,761.81 |
| Target GHGs reduction at 4.2% each year | 2,603.41 | 2,748.05 | 2,892.68 | 3,037.32 | 3,181.95 |

* exceeded threshold at 1% of revenue

2. Compliance Risk and Operation Risk

Sensitivity Analysis of Future Salary Growth and Employee Turnover Rate

Consolidated Financial Statements
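| At 31 December (in million Baht) | 1% increases in assumption (2023) | 1% increases in assumption (2024) | 1% increases in assumption (2023) | 1% increases in assumption (2024) | 3% increases in assumption (2023) | 3% increases in assumption (2024) | 3% increases in assumption (2023) | 3% increases in assumption (2024) | 5% increases in assumption (2023) | 5% increases in assumption (2024) | 5% increases in assumption (2023) | 5% increases in assumption (2024) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Future Salary Growth | 488 | 570 | -436 | -509 | 1,464 | 1,710 | -1,308 | -1,527 | 2,440 | 2,850 | -2,180 | -2,545 |
| Employee Turnover Rate | -781 | -928 | 952 | 1,143 | -2,343 | -2,784 | 2,856 | 3,429 | 3,905 | -4,640 | 4,760 | 5,715 |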

Separate Financial Statements
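| At 31 December (in million Baht) | 1% increases in assumption (2023) | 1% increases in assumption (2024) | 1% increases in assumption (2023) | 1% increases in assumption (2024) | 3% increases in assumption (2023) | 3% increases in assumption (2024) | 3% increases in assumption (2023) | 3% increases in assumption (2024) | 5% increases in assumption (2023) | 5% increases in assumption (2024) | 5% increases in assumption (2023) | 5% increases in assumption (2024) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Future Salary Growth | 247 | 300 | -221 | +268 | 741 | 900 | -663 | -804 | 1,235 | 1,500 | -1,105 | 1,340 |
| Employee Turnover Rate | -463 | -565 | 595 | 728 | -1,389 | 1,695 | 1,785 | 2,184 | -2,315 | -2,825 | 2,975 | 3,640 |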

3. Market Risk

Sensitivity Analysis of Discount Rate

Consolidated Financial Statements
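| At 31 December (in million Baht) | 1% increases in assumption (2023) | 1% increases in assumption (2024) | 1% increases in assumption (2023) | 1% increases in assumption (2024) | 3% increases in assumption (2023) | 3% increases in assumption (2024) | 3% increases in assumption (2023) | 3% increases in assumption (2024) | 5% increases in assumption (2023) | 5% increases in assumption (2024) | 5% increases in assumption (2023) | 5% increases in assumption (2024) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Discount Rate | -453 | -527 | 518 | 603 | -1,359 | -1,581 | 1,554 | 1,809 | -2,265 | -2,635 | 2,590 | 3,015 |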

Separate Financial Statements
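| At 31 December (in million Baht) | 1% increases in assumption (2023) | 1% increases in assumption (2024) | 1% decrease in assumption (2023) | 1% decrease in assumption (2024) | 3% increases in assumption (2023) | 3% increases in assumption (2024) | 3% increases in assumption (2023) | 3% increases in assumption (2024) | 5% increases in assumption (2023) | 5% increases in assumption (2024) | 5% increases in assumption (2023) | 5% increases in assumption (2024) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Discount Rate | -223 | -273 | 254 | 311 | -669 | -819 | 762 | 933 | -1,115 | -1,365 | 1,270 | 1,555 |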

Regular risk management education for all non-executive directors

Training Non-Executive Directors on risk management is pivotal to strengthening an organization. A deep understanding of risk management enables the board to effectively oversee operations, monitor and assess potential risks, and make strategic decisions based on risk information. In 2026, the company invited external experts to provide training to Non-Executive Directors on sustainability trends, risk challenges, and their impact on CP All Public Company Limited. All Non-Executive Directors participated in this training.

Financial incentives which incorporate risk management metrics

To enhance an effective risk culture throughout the organization, CPALL links KPIs to senior executives of the risk function, and performance against each KPI is applied during the evaluation process. Part of each senior executive’s incentive is assessed by considering the evaluation result. The KPIs used for performance evaluation of the risk function are as follows:

– Dissemination of departmental risk management policies (Score 10%)
– Arrangement of internal risk reviews and reporting (Score 30%)
– Revision and improvement of BCM plan and BCM Team list (Score 25%)
– Ushering intra-agency participation in discovery for hidden corporate threats (Score 20%)
– Participation in risk management activities established by the Company (Score 15%)

Corporate KPIs related to risk management have been cascaded down from senior executives to line managers. Similar to senior executives, performances under these KPIs are linked to annual merit increase.

Incorporation of risk criteria in the development of products and services

CPALL values the integrity and safety of its products and services for consumers and customers. Integrating risk management practice company-wide has become part of the corporate culture. Therefore, risk criteria have been incorporated into the product development and approval process. In addition, regulatory risks, product quality and safety, and product quality assurance risks are integrated into the product selection process via the “Pre-Audit Supplier” tool. The QA department uses the tool to assess the facilities, production potential, and product development of new private brand suppliers.

Related Policy and Guideline

Risk Management Policy
Risk Management Manual
External Audit on Risk Management Processes
