Risk and Crisis Management

Challenges and Opportunities

Risk and crisis management play a crucial role in business operations, as risk factors such as cost volatility, changes in consumer behavior, exchange rate fluctuations, and environmental issues can impact liquidity, competitiveness, and customer confidence. Additionally, human rights risks, including unfair employment practices and unsafe working conditions, may affect employees' well-being and the company’s reputation.

Effective risk management helps minimize financial losses, control costs, and enhance operational resilience. Environmental measures, such as reducing greenhouse gas emissions and implementing efficient waste management, further strengthen corporate sustainability. From a human capital perspective, policies that prioritize labor rights and a safe working environment contribute to higher employee satisfaction and engagement.

With a diverse business portfolio spanning domestic and international markets, Central Retail has established comprehensive risk management and business continuity practices across the organization. Central Retail continuously enhances risk management awareness across all business units and instills a risk-conscious culture among employees at all levels, ensuring long-term stability and sustainable growth.

Management Approach

Risk Governance

Central Retail has established its structure, roles, and responsibilities in the risk management process as follows:

The Risk Policy Committee (RPC) comprises independent directors, with the Chief Executive Officer (CEO) playing a role in aligning risk management policies with the Company's objectives and strategies. The RPC is tasked with supervising, advocating, and encouraging Central Retail to effectively manage risks in accordance with established policies and international standards. This includes continuous monitoring and assessment of the efficacy of risk management policies, along with providing ongoing advisory support on risk-related matters. The RPC is mandated to regularly report to the Board of Directors and the Audit Committee (AC), convening at least biannually. Additionally, it delegates the Risk Management Unit to liaison with AC to assess the adequacy of Central Retail's internal control systems and extending oversight to its subsidiaries.
The Risk Management Committee (CRC RMC) is appointed by the RPC, with the Chief Executive Officer (CEO) serving as Chairman and the Chief Financial Officer (CFO) as Vice Chairman. The committee comprises the Chief Digital Officer (CDO), Chief Business Unit Officer, and the Assistant Managing Director of Investor Relations and Risk Management as directors. Operating as the second line of defense in alignment with the principles of the three lines of defense, the CRC RMC is tasked with deliberating on strategies, risk items, frameworks, and risk assessment criteria. Moreover, it oversees the reporting of risk management outcomes at both organizational and departmental levels by convening with RPC at least semi-annually to report progress on risk management outcomes.
The Risk Management Unit comprises proficient individuals with specialized knowledge and experience in risk management, operating as the second line of defense in alignment with the principles of the three lines of defense, its primary responsibility is to conduct risk assessment and analysis. Additionally, it plays a role in compiling a list of key organizational risks (Corporate/CRC Risk), its degree, and Key Risk Indicators (KRI), as well as developing Risk Management Plans (Risk Mitigation Plans/Risk Management Plans). These plans are then reported to the Risk Management Committee (CRC RMC) for approval and ongoing monitoring. The outcomes and the performance of risk management activities are reported to both CRC RMC and RPC respectively, according to predefined intervals or, at minimum, semi-annually.
The Risk Owner, appointed by CRC RMC, comprises executives from each business unit, support unit, division, or department, serving as the first line of defense in adherence to the three lines of defense principles. Their primary responsibility is to identify, analyze, and evaluate risks within their respective areas of operation. Additionally, they are tasked with developing guidelines for responding to risks and overseeing the monitoring, the controls execution, and reporting of risk management outcomes to the Risk Management Working Team.
The Internal Audit Department comprises specialized expertise in internal auditing field, performing its duty independently from other business units to maintain the principle of the three lines of defense. Functioning as the third line of defense, which responsible to assess internal controls, ensuring that Central Retail achieves its objectives and goals efficiently and effectively within the risk management framework. Additionally, it also provides insights regarding inspection, risk management, internal control, and essential operational processes. The department evaluates the sufficiency and efficacy of risk management within its designated mandate and scope of work, presenting periodic progress reports and synthesizing key issues for review by the Chief Executive Officer and the Audit Committee on a quarterly and annual basis.

Click to enlarge

Central Retail recognizes and acknowledges that risk management is an essential tool that enables the organization to identify and manage various uncertainties that may present opportunities and/or obstacles affecting the achievement of the Company's goals or objectives. Effective risk management under the principles of Good Corporate Governance and appropriate Checks and Balances will ensure that the company remains vigilant, flexible, and prepared to operate in changing situations and to cope with uncertainties effectively. This will continuously increase confidence among all stakeholders and help create sustainable added value for the organization.

Therefore, the Company's Board of Directors and Management have thus decided to implement risk management in the Company's operations and establish a risk management policy that the Company's personnel must adhere to, as follows:

Risk management is defined as the responsibility of the Company's personnel, who must be aware of risks in projects, departments, business units, subsidiaries, or the Company and prioritize adequate and appropriate responses to various risks according to defined strategies, guidelines, measures, or methods. The Company's personnel are also required to monitor performance and report results regularly.
Establish an appropriate structure, define risk management roles and responsibilities, and governance, as well as build and promote a risk culture.
Establish risk management that aligns with the Company's vision, mission, goals, objectives, and strategies.
Conduct regular reviews, updates, monitoring, development of efficiency, effectiveness, and evaluation of risk management.
Establish an information system, communicate risk management information to personnel and stakeholders as appropriate, and report risks to management, the Board of Directors, and various stakeholders as approved by management and/or the Board of Directors continuously and appropriately.

Enterprise Risk Management (ERM) Process

Central Retail manages risks according to COSO ERM 2017 standards that adopts an integrated approach to enterprise risk management process, encompassing the concepts as follow:

Governance & Culture

Establishing a structure, roles and responsibilities of risk management
Fostering an organizational culture of risk awareness

Strategy & Objective-Setting

Formulation an integrated strategy on risk management
Developing strategies in accordance with an acceptable risk level and risk appetite

Performance

Setting and assessing risk level, risk appetite, and sensitivity analysis
Prioritization of risks based on magnitude and likelihood of potential risks

Review & Revision

Regularly monitoring of operating results and review of risk exposure
Review risk mitigation measures for continuous improvement

Information, Communication, and Reporting

Promoting use of information technology system in risk management
Raising awareness through proper communication and reporting

Central Retail identifies and assesses risks, including ESG risks, that are deemed as detrimental to the achievement of corporate strategies and business objectives. The risks are then prioritized into low, medium and high based on impact criteria and likelihood criteria. Central Retail’s risk matrix for 2024 is shown below.

Risk Assessment Criteria and Matrix

Risk Level	Impact Criteria	Likelihood Criteria
High Risk (Unacceptable) Need to manage immediately and report the results to Top Managements	High impact on the business operation	High chance of occurrence
Medium Risk (Acceptable) But need to be controlled and monitored regularly by Risk Owners or set additional mitigating actions	Moderate impact on the business operation	Moderate chance of occurrence
Low Risk (Acceptable) The risk is controlled by the existing process as usual, risk owners are required to regularly monitor the effectiveness of their controls and Key Risk Indicators (KRIs).	Low impact on the business operation	Low chance of occurrence

Risk Level

Impact Criteria

Likelihood Criteria

High Risk (Unacceptable)

Need to manage immediately and report the results to Top Managements

High impact on the business operation

High chance of occurrence

Medium Risk (Acceptable)

But need to be controlled and monitored regularly by Risk Owners or set additional mitigating actions

Moderate impact on the business operation

Moderate chance of occurrence

Low Risk (Acceptable)

The risk is controlled by the existing process as usual, risk owners are required to regularly monitor the effectiveness of their controls and Key Risk Indicators (KRIs).

Low impact on the business operation

Low chance of occurrence

2024 Risk management performance

In 2024, Central Retail convened quarterly meetings of the Risk Policy Committee and Risk Management Committee to oversee the risk management practices of the organization and review the effectiveness of the risk management process. The report will be regularly presented to the Board of Directors and published on the company’s website. Additionally, in 2024, the Internal Audit Department of Central Retail conducted a comprehensive review of the risk management process. These encompassed the methodologies, tools, and procedures employed for risk identification, risk analysis, risk control, risk tracking, and risk reporting. The audit concluded that no significant issues were identified.

Leading up to the end of 2023, the risk management team conducted a thorough analysis of significant risk profiles, utilizing Central Retail's vision, mission, values, and objectives as central pillars in their risk assessment process. In addition, they considered various internal and external factors, business context, economic trends, political climate, societal influences, technological advancements, environmental considerations, legal regulations, as well as insights from reputable international organizations such as the World Economic Forum, CRO Forum, and Internal Audit Foundation. Furthermore, risk data from business units was utilized to create a preliminary framework for risk appetite, risk tolerance, risk indicators, and risk assessment criteria. This framework considered statistical data on events and operational outcomes that have had a direct impact on Central Retail and similar businesses. Following this, a summary of the data was updated to senior management through surveys to identify key risks, levels of risk severity, risk appetite, risk tolerance, Key Risk Indicators (KRI), and risk assessment criteria for approval by CRC RMC and RPC. Subsequently, Risk Owners were assigned to oversee and manage risks within their respective departments. Risk exposures are then assessed based on the impact and likelihood criteria as shown in the risk matrix. Risk exposures is regularly reviewed and updated at least twice a year to ensure risks are well managed throughout the organization. The risks are categorized into seven groups: Strategic Risk, Operational Risk, Financial Risk, Compliance Risk, IT Risk, ESG Risk, and Black Swan Risk.

Risk	Description	Risk tolerance	KRI	Mitigation action	Responsible person
Operational Risk: O1 Risk from existing business operations	Risk of potential possibility that the existing business units under Central Retail Corporation may perform below an acceptable level.	The Company accepts the impact from the operations of its existing business units under the Central Retail Group could be no less than 5% of its financial targets.	Sales EBIT	Enhance the shopping experience for targeted customer segments. Improve the accuracy of demand forecasting. Continuously improve operational processes. Enhance communication efficiency at branch level. Optimize space management for product displays. Increase the effectiveness of promotions and campaigns. Improve cost management and expense control.	Corporate strategy & Special project Unit Financial and Accounting BUs
Operational Risk: O3 Risk from supply chain management	Risk of the tendency for supply chain management performance to fall below an acceptable level, which may affect the company’s financial position and its ability to sell and deliver products, potentially leading to negative impacts on stakeholder confidence and the organization’s image.	The Company accepts impact from efficiency and effectiveness of inventory management not exceeding 5% of target.	Inventory day Obsolescence Supplier dependency Supplier deliverable CRC deliverable	Utilize data analytics to optimize order amounts, minimize excess inventory, and avoid obsolescence. Provide sales Promotion to release stock. Consistently examine and revise the Planogram.	Supply Chain management and related functions of all BUs
Compliance Risk: C1 Fraud & corruption risk ^*	Risk from any misconduct from regulatory compliance and good corporate governance. This risk could impact on legal, financial, reputational, and operational aspects of the Company.	According to good corporate governance, Central Retail will not tolerate any risks from fraud, corruption, and any regulatory non-compliance.	No. of Fraud or Corruption case Control effectiveness	Enforce stringent internal controls by establishing clear policies, monitoring effectiveness of controls, and maintaining a clearly defined reporting hierarchy. Establishing a culture centered on ethics and compliance by informing the Anti-Corruption Policy to employees. Establish whistleblowing channels formally.	Internal Audit Department Compliance Loss Prevention

Risk

Description

Risk tolerance

KRI

Mitigation action

Responsible person

Operational Risk:

O1 Risk from existing business operations

Risk of potential possibility that the existing business units under Central Retail Corporation may perform below an acceptable level.

The Company accepts the impact from the operations of its existing business units under the Central Retail Group could be no less than 5% of its financial targets.

Sales
EBIT

Enhance the shopping experience for targeted customer segments.
Improve the accuracy of demand forecasting.
Continuously improve operational processes.
Enhance communication efficiency at branch level.
Optimize space management for product displays.
Increase the effectiveness of promotions and campaigns.
Improve cost management and expense control.

Corporate strategy & Special project Unit
Financial and Accounting
BUs

Operational Risk:

O3 Risk from supply chain management

Risk of the tendency for supply chain management performance to fall below an acceptable level, which may affect the company’s financial position and its ability to sell and deliver products, potentially leading to negative impacts on stakeholder confidence and the organization’s image.

The Company accepts impact from efficiency and effectiveness of inventory management not exceeding 5% of target.

Inventory day
Obsolescence
Supplier dependency
Supplier deliverable
CRC deliverable

Utilize data analytics to optimize order amounts, minimize excess inventory, and avoid obsolescence.
Provide sales Promotion to release stock.
Consistently examine and revise the Planogram.

Supply Chain management and related functions of all BUs

Compliance Risk:

C1 Fraud & corruption risk ^*

Risk from any misconduct from regulatory compliance and good corporate governance. This risk could impact on legal, financial, reputational, and operational aspects of the Company.

According to good corporate governance, Central Retail will not tolerate any risks from fraud, corruption, and any regulatory non-compliance.

No. of Fraud or Corruption case
Control effectiveness

Enforce stringent internal controls by establishing clear policies, monitoring effectiveness of controls, and maintaining a clearly defined reporting hierarchy.
Establishing a culture centered on ethics and compliance by informing the Anti-Corruption Policy to employees.
Establish whistleblowing channels formally.

Internal Audit Department
Compliance
Loss Prevention

Remark: ^* Central Retail has established specific criteria for assessing fraud and corruption risks. These criteria designate the likelihood of occurrence and the acceptable level of impact as very low. Consequently, this risk is considered more sensitive than other risks, frequently resulting in a risk level classified as medium (yellow) or high (red). These measures are implemented to ensure the prevention, monitoring, and close oversight of such risks.

Risk Culture

Central Retail is dedicated to fostering a culture of risk awareness across the entirety of the organization, encompassing key personnel within Central Retail as outlined below:

Central Retail is committed to cultivating an environment where risk consciousness is integral throughout the organization, particularly among the essential personnel of Central Retail as delineated herein.

Board of Directors and Executive level: Inviting experts from various institutions specializing in risk management. These lectures will provide valuable insights into important risk data and trends, ultimately enhancing the skills and knowledge of senior management and the board of directors. This initiative aims to improve our ability to effectively manage risks within the organization.
Employee level: Central Retail provides the CRC-Risk Management and GRC E-Learning Course in an online format, making it accessible for employees at all levels to study and learn at their convenience. This comprehensive course covers a wide range of topics, starting from the fundamentals of risk management, good governance, and compliance to the principles of integrated GRC (Governance, Risk, and Compliance) management. The program is designed to enhance awareness, deepen knowledge in risk management, and instill the principles of integrated GRC management among all employees.

In addition, Central Retail has established risk management performance as a Key Performance Indicator (KPI) for employees and executives engaged in risk management. For instance, the management of Health & Safety risks has been implemented as a KPI for the Occupational Safety, Health and Work Environment Committee in some business units.

Furthermore, Central Retail places significance on diverse risk factors stemming from the implementation of business models and services, as well as the integration of tools, equipment, or technologies into its operational framework. Such risks include security concerns related to branch renovations or upgrades, challenges associated with the unsuccessful expansion of branches as projected, and the uncertainties accompanying the development of innovative business models. To effectively address these risks, Central Retail has devised comprehensive frameworks and risk management protocols for its projects, alongside establishing a New Business Checklist specifically tailored for ventures like Tops Care, Tops vita, Pet & Me. These resources serve as guidelines for enhancing risk management practices within the organization.

Emerging Risk

Central Retail has been consistently identifying and assessing emerging risks, or those that appear low level of impact in the short term but gradually become significant in the long term. Central Retail has identified risk from AI (Artificial Intelligence) and biodiversity risk as significant emerging risks specific to the Company’s context, which are also considered as a risk item of the Global Risk Report of the World Economic Forum 2024. To mitigate the impact of these emerging risks, the Company places importance in strengthening its resilience.

Risks Arising from Artificial Intelligence (AI) Technology

Category	Technology
Description	Artificial intelligence (AI) constitutes a transformative technology with the potential to reshape economic and social paradigms. While AI offers numerous advantages across diverse sectors, including workplace efficiency, enhanced convenience, healthcare advancements, military applications, agricultural optimization, and industrial automation, it is imperative for organizations to recognize that a failure to integrate AI technologies expeditiously may result in diminished business opportunities. However, alongside its benefits, AI also brings unintended consequences. These include misuse leading to terrorism or new forms of cyberattacks, AI's capability to produce or access weapons, and increased access to suicide methods. Furthermore, AI-driven automation may result in the displacement of human labor, thereby altering existing social structures and potentially contributing to the dissemination of misinformation. Reference: https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2024.pdf
Impact	Central Retail may lose business opportunities if it fails to integrate AI into its operations promptly. However, misuse of AI implementation may lead to unintended consequences. Employees may become dissatisfied if AI replaces their roles, potentially leading to severe conflicts or protests. Apart from that, customers might also receive incorrect AI-generated recommendations, posing risks to their safety. Furthermore, AI could facilitate copyright-infringing content creation, decrease operational efficiency due to reliance on inaccurate AI-generated analytics (e.g., overstocking inventory), and pose data leakage risks if AI security is not adequately managed.
Timeframe	2024 - 2026
Mitigation Action	Workforce Training & AI Integration: Central Retail develops AI knowledge and skills among employees and ensures Human-in-the-loop alongside AI development. AI-Driven Customer Experience: Enhancing shopping and service experiences beyond basic transactions through AI-driven insights. AI-Powered Operations: Implementing AI to enhance operational efficiency, such as forecasting product demand during various periods or developing engaging product catalogs to attract customers. AI-Enhanced Employee Capabilities: Utilizing AI to enhance the capabilities of employees across the organization, such as summarizing large volumes of customer data or feedback to help employees analyze customer demand trends for various promotions. Central Retail stores its data within the company's own ecosystem, rather than dispersing it among contracted vendors, to prevent data leaks that may occur if vendor systems experience disruptions due to hacking or system failures. Central Retail engages multiple vendors to diversify risk in the event that any single vendor experiences a system disruption. Vendors are required to sign a joint business agreement committing to refrain from using company data for personal gain, which could lead to third-party risks.

Risks of Biodiversity Loss

Category	Environment
Description	Human activities and economic development have led to the destruction of natural resources and habitats, causing displacement and even extinction of various species. This risk ranks among the top concerns in the World Economic Forum Global Risks Perception Survey 2023-2024. Reference: https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2024.pdf
Impact	Habitat displacement and the extinction of various species may cause changes in natural ecosystems, potentially leading to a shortage of natural resources vital for cultivation and livestock farming. This would impact the quality and quantity of agricultural products, which are core commodities for Central Retail. Additionally, climate instability and increased natural disasters could result in financial and operational losses for the company.
Timeframe	2024 - 2034
Mitigation Action	Setting goals to reduce biodiversity loss (No Net Loss: NNL), create a net positive impact on ecosystems (Net Positive Impact), and achieve zero net deforestation (No Net Deforestation). Establishing risk assessment, monitoring, and biodiversity management processes throughout the value chain, covering areas of significant biodiversity importance. Conserving and restoring biodiversity through collaboration with external partners such as WWF Thailand, Thai Organic Agriculture Foundation, and Thaicom Public Company Limited. Responsibly sourcing raw materials and products, and increasing the number of eco-friendly stores to promote sustainable consumption choices. Providing transparent disclosure of product sourcing information to customers, including producer and nutritional information, in accordance with international best practices. Selecting products that have received sustainability standard certifications to enhance the quality of the company's sourcing. Establishing environmental and social criteria in the Supplier Code of Conduct to screen suppliers who may pose high sustainability risks. Engaging with local communities and providing education on environmental solutions to support efficient resource utilization.

Project Highlights

Risk Trend Related to the Retail Business

On June 19, 2024, the CRC Risk Management Unit (RMU) invited Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd., a leading accounting consulting firm, to conduct an online knowledge-sharing session. The objective was to enhance the organization's risk management culture and processes. The session was attended by the company's board of directors and senior executives.

RM Workshop Training 2024

On June 28, 2024, the Risk Management Unit invited a special expert from Chulalongkorn University to conduct a training session and workshop. The workshop aimed to enhance knowledge and skills in risk management for Risk Champions and selected executives.

RM Newsletter

In 2024, the Risk Management Unit developed 12 monthly infographic-based learning materials to communicate and disseminate risk management knowledge to employees at all levels via email.

CRC-Risk Management and GRC E-Learning

In 2024, the Risk Management Unit developed an e-learning platform to raise awareness, enhance risk management knowledge, and instill an integrated Governance, Risk, and Compliance (GRC) mindset among employees at all levels. The course consists of two key sections which include fundamentals of risk management and integrated GRC concepts.