Page 203 - BAM ONE REPORT 2564 (ENGLISH VERSION)
Form 56-1 One Report 2021
Bangkok Commercial Asset Management Public Co., Ltd. 201
1.16 Formulation and adoption of the personal data protection policy and the cyber security policy for supervising and ensuring that the operations are correct, complete and efficient and conform to the authorities’ regulations.

1.17 The Company’s preparation for operations in compliance with the Personal Data Protection Act B.E. 2562 by establishing Data Protection Office (DPO) and restructuring the structure and scope of duties and responsibilities of divisions in the departments under Corporate Governance and Risk Management Group with an additional formation of Data Protection Support Division to be directly in charge of personal data protection.

2. Risk Assessment

The Company recognizes the importance of risk management under changes that affect its business operation, whether from internal or external factors. The Company deems that risk management is an important part of all of its business processes and must be inter-connected at all levels. Therefore, the Board of Directors establishes the risk management policy, which all employees must adhere to and where risk assessment must be conducted at all levels. The overview of the Company’s performance in this regard is as follows:

2.1 Implementation of systemic risk assessment at all levels of the organization and communication with all employees in order for them to realize the related risks and risk control of the organization and departments.

2.2 Appointment of the Risk Oversight Committee with duty to consider and provide opinion on the Company’s risk management.

2.3 Creation of tools for monitoring the enterprise risk management plan, formulation of the risk management plan, and determination of the key risk indicators (“KRIs”) for regular risk monitoring.

2.4 Integration of risk management with the formulation of strategic plan of the Company in order for the strategic plan to cover risk assessment under the COSO ERM 2017 framework and conform to the integration of GRC operations.

2.5 The Board of Directors’ approval of the risk management policy, thereby classifying risks into six categories which are strategic risk, operational risk, financial risk, compliance risk, reputation risk, and information technology risk.

3. Control Activities

The Company establishes the operational control policy, operational procedures, and operational handbook in writing, all of which are reviewed and updated regularly or when there are significant changes. The overview of the Company’s performance in this regard is as follows:

3.1 Determination of the internal control process, both at the organizational level and the important sub-process level, in accordance with the Company’s business operation and control environment.

3.2 Creation of documented workflows of all business transactions.

3.3 Segregation of duties and responsibilities, including approval duty, account and information recording duty, etc.

3.4 Determination of the enterprise-level KRIs and the Risk Alert Indicators for tracking and containing the Company’s key risks at the acceptable level by defining the risk appetite

