Good Corporate Governance


Corporate Risk Management Policy

1. General Requirement

1.1 Purpose

     The Company performs systematic risk management across the organization in accordance with international standards, covering all core activities and risks in all aspects. The risk management encompasses the identification of risk factors and causes, followed by the evaluation, analysis, and prioritization of those risks, as well as the management, monitoring, and assessment of risk management outcomes. This is to ensure that the Company's operations meet their objectives and goals while remaining within their respective risk appetites.

1.2 Scope

     The policy must be communicated across all functions. Executives and employees must acknowledge its importance and contribute to risk management in strict compliance with the policy.

1.3 Effective Date

     This policy shall be effective from the date of approval by the Board of Directors.

1.4 Review Frequency and Revision

     This policy must be reviewed annually, or when a significant change arises.

     Any significant revisions, review, or renewal of this policy are subject to approval by the Board of Directors. Meanwhile, any insignificant revisions are subject to approval by the Management Committee (MC) and/or relevant subcommittees before being submitted to the Board of Directors for acknowledgement.

1.5 Responsible Function

     The Risk Management Department is the responsible function of this policy.

2. Main Requirement

2.1 Definition

  • 2.1.1 The Company means Bangkok Life Assurance Public Company Limited.
  • 2.1.2 Subsidiary means a company in which the Company holds shares directly or indirectly of more than 50%.
  • 2.1.3 Business Continuity Plan (BCP) means a document that compiles procedures and information to ensure their availability in the event of an incident so that core activities or processes can be carried out at the specified level.
  • 2.1.4 Key Risk Indicators (KRIs) mean indicators that show the status or trend of risks. They can serve as early warning signals if there are increasing risks in various areas of the Company. Some of them may be presented in the form of important ratios for the management to use as indicators to monitor the related risks as well as the possibility of future risks.

2.2 General Principle

     This policy is designed to ensure that the Company's operations comply with the established objectives, laws, and regulations.

2.3 Role, Duty, and Responsibility

  • 2.3.1 The Board of Directors is responsible for approving the Corporate Risk Management Policy and supporting its implementation so that the Company achieves the specified objectives, as well as monitoring to ensure that the policy is regularly reviewed.
  • 2.3.2 The Advisory Board is responsible for giving the emergency management committee and working group advice, guidance, supervision, and decisions to solve problems during the implementation.
  • 2.3.3 The emergency management committee and working group are responsible for:
    1. Establishing risk management guidelines to prevent, control, and/or reduce damage resulting from disruptions to operations and customer services caused by internal or external risk events. These events may include disasters, as well as climate and environmental changes, that affect the head office, branch offices nationwide, and all alternate operation centers. The guidelines aim to ensure that all offices are adequately prepared to respond according to the severity of the situation and can resume normal operations properly and promptly.
    2. Planning and allocating budgets for the management of physical infrastructure, environment, and workplace safety in alignment with occupational health standards at the head office, branch offices nationwide, and all alternate operation centers.
    3. Preparing and reviewing manuals for the business continuity plans devised for the event of disasters and using them as procedures, as well as disseminating knowledge to directors, executives, employees, agents, and service recipients at the head office and branch offices nationwide.
    4. Monitoring situations and assessing risks from events that may cause damage and/or significant changes, and reporting them to the Advisory Board regularly.
    5. Considering, monitoring, and communicating new applicable laws, orders, and notifications, and analyzing and assessing their impact and likelihood, in order to ensure proper preparation and business continuity management.
  • 2.3.4 The Risk Management Department has the following roles and responsibilities:
    1. Reviewing the Corporate Risk Management Policy regularly, or when a significant change arises, to ensure alignment with changing environments and circumstances, and making relevant presentations to the Management Committee for consideration and approval.
    2. Coordinating with business functions across the Company to ensure they develop business continuity management manuals, and compiling those manuals.
    3. Conducting Business Continuity Plan exercises at least once a year, ensuring that relevant persons strictly follow the manuals, and reporting the results to the Management Committee for acknowledgement.

     In addition, the policy owner is responsible for ensuring that relevant departments and/or divisions establish procedures to comply with the policy, and the procedure owners are also responsible for developing manuals that are consistent with the respective procedures.

2.4 Requirement

  • 2.4.1 Risk Management Governance Structure

         The Company has established a risk management governance structure that meets internationally accepted standards for financial institutions. This structure ensures that appropriate risk management and internal controls are in place, along with governance and support to promote efficient and effective risk management and independent auditing and evaluation. The governance structure consists of the following components:

    • 2.4.1.1 Persons with direct responsibility for managing and controlling risks (Risk Owner / Business Line), including the Board of Directors, the Investment Committee, the President and CEO, division heads, executives from all functions, and working groups appointed by the Company.
    • 2.4.1.2 Persons responsible for administering and overseeing the efficiency of risk management (Risk Oversight / Risk Function), including the Risk Management Committee, the Risk Management Department, and the Compliance Office.
    • 2.4.1.3 Persons responsible for providing assurance and reviewing the effectiveness of risk management (Risk Assurance / Audit), including the Audit Committee and the Internal Audit Department.
  • 2.4.2 Risk Management Guidelines

         The Company has communicated the policy across all functions and assigned executives and employees at all levels to acknowledge its importance and contribute to risk management in strict compliance with the policy. Corporate and operational key performance indicators (KPIs) are established as tools to measure and evaluate performance in key aspects, including the management of climate and environmental risks, to reflect the efficiency and effectiveness at the corporate and functional levels. The heads of responsible functions are required to report their performance results to senior executives on a monthly basis. Risk factors and risks according to the Key Risk Indicators (KRIs) that may affect the performance and KPIs are managed in alignment with the Company's business plans and strategies to ensure competitiveness, profitability, and appropriate capital adequacy. The policy, guidelines, operational measures, internal controls and/or plans related to risk management are appropriately established, covering all core activities, to ensure financial stability and provide assurance to policyholders that policy benefits will be paid in full and on time. This will result not only in a positive image for the Company, but also a favorable reputation and image for the insurance business as a whole.

  • 2.4.3 Internal Control under Risk Management Guidelines

         In addition to the risk management governance structure, which defines the roles and responsibilities of stakeholders at all levels within the organization, the Company also recognizes the importance of having an effective internal control system. Therefore, internal control has been established as an integral part of work processes, embedded in the operations of executives and personnel at all levels. The Company also has various measures to ensure that internal control is efficient and effective in accordance with the Company's risk management framework and risk appetites.

2.5 Penalty

     Employees who violate this policy will be subject to disciplinary penalties in accordance with the Company's regulations and may be subject to other penalties imposed by applicable laws, rules, regulations, or requirements.