Bangkok Life Assurance Public Company Limited (“the Company”) has integrated systematic information technology risk governance and management into its corporate risk management, in alignment with international standards, covering all risk activities related to information technology.
1.1 Purpose
This policy is intended to ensure that information technology risk management achieves its objectives and goals and that risks remain within acceptable appetites. The risk governance and management structure is established in accordance with the three lines of defense principle and the principle of checks and balances. This structure ensures that operations, risk management, legal and regulatory compliance, and audit activities related to information technology align with the established information technology risk management framework and process. Related activities include the identification of risk factors and causes, as well as the assessment, analysis, and prioritization of risks based on defined risk assessment criteria. Additionally, risks are managed and monitored through appropriate tools and measures, and outcomes of risk management efforts are evaluated.
1.2 Scope
Personnel of Bangkok Life Assurance Public Company Limited and its subsidiaries must study, understand, and strictly adhere to this Information Technology Risk Management Policy.
1.3 Effective Date
This policy shall be effective from the date of approval by the Board of Directors.
1.4 Review Frequency and Revision
This policy must be reviewed annually, or when a significant change arises.
Any significant revision, review, or renewal of this policy is subject to approval by the Board of Directors. Minor revisions are subject to approval by the Management Committee (MC) and/or the relevant subcommittees before being submitted to the Board of Directors for acknowledgement.
1.5 Responsible Function
The Information Technology Division is the function responsible for this policy.
2.1 Definition
2.1.1 “The Company” means Bangkok Life Assurance Public Company Limited.
2.1.2 “Subsidiary” means a company in which the Company holds, directly or indirectly, more than 50% of the shares.
2.1.3 “Risk Management” means the process of reducing the likelihood or impact of damage caused by risk incidents and establishing methods to manage and control risks within acceptable appetites.
2.1.4 “Information Technology Risk” means any risk arising from the use of information technology, including risks related to cyber threats.
2.1.5 “Risk Appetite” means the type and level of risk or uncertainty that the Company is willing to accept in the pursuit of its business objectives.
2.1.6 “Three Lines of Defense Principle” means the segregation of duties and responsibilities related to information technology management into (1) information technology operations, (2) information technology management, and (3) information technology audit.
2.1.7 “Information Technology Key Risk Indicator” means a risk metric, based on information technology-related statistics and/or risk measurements, used as a monitoring tool and early warning sign that enables the Company to anticipate potential future risk incidents and implement preventive measures before damage occurs.
2.2 Requirement
The Company has defined the duties and responsibilities related to information technology risk governance and management. This Information Technology Risk Management Policy is communicated to executives and employees at all levels so that they are informed about information technology risk management, recognize its importance, give it priority, actively participate in related activities at both the functional and corporate levels, and strictly adhere to the policy. The goal is to ensure that information technology risk management is carried out consistently and effectively.
Additionally, the head of the responsible function is required to submit a monthly report to their supervisor assessing risk factors and risk levels against the established information technology key risk indicators (KRIs), covering risks that may affect the Company’s plans or strategies. This ensures that potential information technology security and cyber risks are managed promptly and supports the Company’s business efficiency and competitiveness.