The company places importance on having in place an internal control system, a risk management system, and good corporate governance system in order for the Company's operations to achieve the goals. The internal control system covers all aspects including financial and accounting, information technology, and compliance with the laws and regulations. Also, the Company has formulated explicit corporate governance policy and anti-corruption policy and measures.

Furthermore, the Company also prioritizes personal data protection with an integrated data management process from obtaining consent, collecting, accessing, using and disclosing data to ensure that it is properly handled in compliance with directions according to the law.

The Board of Directors allows the Audit Committee to supervise the internal control system, the risk management system, the Corporate Governance system, and follow the Company’s policy and anti-corruption measures so that they are appropriate and efficient, including the compliance of related laws, orders and regulations, preventing conflicts of interest, related transactions to control and utilizing assets. To prevent corruption or misconduct and to supervise the Company's and subsidiaries' operations to ensure that their assets are not misappropriated or unauthorizedly used, and to adequately prevent transactions with persons who may have conflicts of interest and related persons, the Company sets up an auditing mechanism for checks and balances by establishing the internal audit division which is independent and reports directly to the Audit Committee. It performs audit, evaluates the efficiency and sufficiency of the internal control system, the risk management system and the Corporate Governance system in the performances of all units in the Company and its subsidiaries. The division also audits compliance with the anti-corruption policy and measures, the laws and regulations so that the Company’s efficiency and effectiveness are maximized. The internal control assessment framework can be categorized according to the COSO international standards as follows:

The Environment of Control

The Company provides a good atmosphere in the internal control. The roles and responsibilities of various committees and management functions are clearly specified. The duties compliance is supervised. The organization structure and definite line of command to balanced. In addition, the policy and procedure on Good Corporate Governance and the policy on anti-corruption are established, and the Board of Directors, executives, and employees must comply with them accordingly in order that a system of the internal control is appropriate.

From a policy on Good Corporate Governance, business ethics and a code of conduct for the Company’s directors, executives, and employees, a policy and its anti-corruption measures, a policy on notification of clues or complaints, the imposition of penalties for discipline violations and serious mistakes. The Company has monitored that aforementioned policies which are implemented. Its performance is efficient, transparent, and equitable. There is ongoing communication so that all employees acknowledge these policies and seriously implement them. It has also launched a campaign to promote every employee to have awareness and continuously act on this practice by providing the employees with knowledge training, reviewing and improving a manual of authority and a manual of operation systems which are used as guidelines on performance and help with flexible and systematic business operations. The scope of duties and responsibilities, and the internal control system are taken into consideration in order that a system of the internal control is appropriate.

Moreover, the Company underscores the importance of continuous people development by arranging training and development of the skills and capabilities to match the assigned tasks, and succession planning for key positions so that the Company’s business can continue.

The Risk Assessment

The Company puts great emphasis on risk management under changes that affect the business from both internal and external factors. The Board of Directors has assigned the Risk Management Committee (RMC) to be responsible for defining the organization-wide risk management policy and supervising the implementation of corporate risk management in line with business strategies and goals. The RMC assesses and manages risks covering various aspects such as strategic, operational, financial, regulatory compliance, etc., Its duty is to set policies and risk management guidelines of the MBK GROUP so that the group companies achieve their objectives and targets, and risks that may affect business operations are reduced. It is considered that risk management and control are the responsibility of every department.

The Operational Control

The Company has established a policy framework, regulations, and operational procedures to lead to practice guidelines. The authorities, duties and responsibilities and the scope of approval authority of each level of employees are clearly defined in writing, and they are reviewed and communicated regularly to employees. The internal audit team regularly reviews the control system adequacy by requiring the audit plan to cover important operational processes. Audit results are regularly reported to the Audit Committee so that the Committee can consider important audit findings and monitor the results of the suggested corrective actions in the audit reports and measures to prevent possible errors.

The Information Technology System and the Communication

The Company realizes the importance of IT system and communication, which is an important part to support the efficiency of the internal audit, and always encourages the improvement of the system continuously in order to ensure that all information is accurate, sufficient, up-to-date, and catching up with expanding and changing circumstances of business operations. The efficient and modern IT system, as well as information security from the process of collecting, processing, and storing, to following-up to bring such data, is adopted for work performance and important information are used for management by directors, executives, employees, shareholders, customers, or stakeholders. The information is complete, accurate, sufficient, and within an appropriate time so that it can be used in the business decision making. The policy regarding the security in the information technology is also specified the level of information secrecy and guideline to store important documents and controlled documents in order to ensure that the Company has appropriate safety measures of information that are in line with the Cybersecurity Act B.E. 2562 and the Personal Data Protection Act B.E. 2562. Various channels of communication are opened from both inside and outside the organization in order to have access easily and rapidly. Due to COVID-19, the Company has digital management to support the business to be able to adapt and respond to changes on time and be able to continually operate the business with efficiency and safety of the employees who work from home, such as providing a notebook computer to employees and providing software to support working at home or teleconference via electronic media. There are guidelines for properly conducting meetings via electronic means (online meetings) of MBK Group to prevent data leakage. In the part of reporting corruption clues, the Company provides a channel for whistleblowing. Employees and stakeholders can be directly notified through various channels to the Audit Committee, CEO and President, and the Internal Audit Division, including providing protection for whistle blowers or informants.

The System of Monitoring Activities

The Company prepares performance reports compared against the targets and reports them to the Executive Committee and the Board of Directors on a monthly basis. The Audit Committee is assigned to check the internal control system through the Internal Audit Division which is an independent division with responsibility for checking and verifying the performance, evaluating the sufficiency of the internal control system for risk management, regulating the operation of various functions and consulting on the Good Corporate Governance procedures, monitoring divisions and following up the results of corrections made by checked divisions in every issue until they are already corrected; in order to ensure that the internal control system appropriately and fully operates as specified and can manage the changing risks in each period in time. Any issue impacting on the internal control will be reported to the persons in charge. Significant issues will be reported to top executives, the Executive Committee, the Audit Committee, and the Board of Directors within proper period.

For internal audit for accounting and finance is carried out by certified accountants and presented to the Audit Committee for consideration on a quarterly and yearly basis. As a result of reviews conducted by certified accountants, no significant fault is found.

The Audit Committee and the Board of Directors have assessed the sufficiency of the Internal Control System in accordance with guidelines stipulated by Securities and Exchange Commission (SEC). Has not found drawbacks which are significant to the Company’s Internal Control System. It is concluded that the Company has the sufficient and appropriate internal control and risk management for business operations which is consistent with the auditors’ opinions.

Internal Audit provides assurance and consulting services by assessing the efficiency and effectiveness of the internal control system, risk management system and corporate governance to enable the Company to achieve its business objectives and goals. The division reports to the Audit Committee and monitors the implementation of the suggestions found from the audit, especially in important or high-risk issues. Internal Audit acknowledges reports of abnormal events to ensure that the Company's operations have an adequate internal control system that is appropriate and efficient in conjunction with managing the risks at an acceptable level and corporate governance. The Charter of the Audit Committee, the Internal Audit Charter, and the code of conduct for internal auditors serve as a clear operational guideline are reviewed annually.

Internal Audit encourages internal auditors to improve themselves continuously so that they are equipped with knowledge and skillsets necessary and relevant to the operations. Individual self-development plans are formulated according to the Company’s people development framework so that the auditors can perform audits more efficiently by means of encouraging them to receive training such as knowledge, professional expertise in internal audits, businesses of the Company Group, knowledge of other professionalism, and self-development by taking examinations to get professional certificates of auditing or other auditing-related professions, for instance.

Head of the Internal Audit

The Audit Committee has approved Ms.Yupapun Paritranun to take the position of Chief Internal Audit Officer to control the operation of the internal audit function. The Audit Committee views that she understands MBK GROUP's business with knowledge, skills, and experiences in internal auditing. She is responsible for internal auditing and overseeing the internal control system of the Company and its subsidiaries under the professional practice of internal auditing, the charter of the internal audit function, and the code of Conduct for internal auditors. Board of Directors and high-level executives of the Company and its subsidiaries will be reported continuously. The approval for the appointment, removal, transfer, and evaluation of the internal audit supervisor's performance must be approved by the Audit Committee.

In 2022, the Company did not find any wrongdoing or action in violation of the Public Company Limited Act and regulations of regulatory agencies such as the Securities and Exchange Commission (“SEC”) and the Stock Exchange of Thailand.

The Company Group of MBK Public Company Limited realizes the importance of enterprise risk management which is part of a business operation based on good corporate governance according to the international standard called “COSO” (the Committee of Sponsoring Organizations of the Treadway Commission), as well as conforming to the organization’s anti-corruption policy and measures. The MBK GROUP then makes the enterprise risk management policy in order that all employees are acknowledged and practice in the same guidelines as follows:

1. To focus on the development of a risk management system following the good corporate governance by providing the integrated risk management throughout the organization systematically and continuously and focusing on employees in order that they follow the organization’s anti-corruption policy and its measures seriously.
2. To use the risk management as part of decision making, strategic planning, project plan and the organization’s performance so that the organization achieves its objectives, goals, vision, missions, and set strategies, under an acceptable risk level or the risk appetite, in order to create the excellence of the performance and to build confidence of stakeholders.
3. To support supervision and assessment of the risk management, review and improve it regularly, and submit a report to the Board of Directors for acknowledgement.
4. To cultivate employees’ awareness of the importance of the risk management and to cultivate the risk management as part of the organizational culture.
5. To promote the risk management in order to add organizational values.

The Risk Management

The Risk Management Committee of MBK GROUP

Duties and Responsibilities of the Risk Management Committee

• To formulate the policy and risk management approaches of the MBK GROUP in order that the MBK GROUP’s operating results are achieved as set by objectives and goals.
• To continuously and annually analyze and assess risks which occur or possibly in group company.
• To consider the approval and review of the risk management of the MBK GROUP annually.
• To review and follow up the MBK GROUP’s performance of risk management regularly.
• To submit a report to the Board of Directors and communicate the risks and important risk management to the Audit Committee.
• To support, follow up, and develop the risk management operations of the MBK GROUP continuously.

The MBK GROUP places significance on the risk management which is a key mechanism and tool for management which will help the organization achieve objectives and goals by formulating the risk management policy, focusing on the development of the risk management system according to guidelines on good corporate governance and anti-corruption measures, by risks are integratedly managed throughout the organization in order to be align with the quality management system called “ISO 9001:2015”. They are operated systematically and continuously.

The MBK GROUP manages the risks to align with its strategies and performance by covering all levels— the MBK GROUP level, the Business Unit (BU) level, the key line of work level, the Sub Business Unit level (SBU), the risk level of MBK Center as well as the Operation level— in order that the organization achieve its objectives and goals set at each level.

For the type of risks at all levels of the organization, the risks which probably have an effect on business operations directly can be divided into 4 risks as follows:

• The Strategic Risk It is a risk relevant to strategies and important policies of the Company. It is probably caused by the formulation and the implementation of strategic plans inappropriately, as well as inconsistency between policies, strategic goals, the organizational structure, competitive situations, resources, plan-based performance, and the environment. The Company follows up strategies and policies which probably have an effect on the organization’s performance regularly in order that the organization achieves the strategic goals. One of risks that the Company determines management guidelines is readiness and potential for the appointment of a successor by preparing a plan to select and develop a successor and for an executive who is critical position for the secure business management and continuous development.
• The Operational Risk It is a risk caused by operations in every step— covering factors relevant to procedures, tools, information technology, and personnel in charge— which probably have an effect on the organization’s performance. The Company determines a clear process of operations, including measures to supervise the performance or units which probably cause damage to the organization continuously, for accurate and appropriate operation by referring to the operational risk and guidelines on the risk management of each business, including the safety risk which probably has an effect on lives and properties of customers and employees is included in terms of practice and prevention according to the safety policy and its measures in the systematic working.
• The Financial Risk It is a risk caused by unreadiness for the budget, financial problems, and a risk affecting the performance and financial position of the organization. The Company always takes sufficient and timely funds raising in order to reduce risks which probably have an effect on investments of the Company. Thus, the Company specifies the risks and guidelines on the liquidity management of the MBK GROUP in order that the MBK GROUP has liquidity and can operate business continuously.
• The Compliance Risk It is a risk caused by inability to comply with rules or relevant law; or unsuitable existing rules or law; or obstacles to performance. The Company takes compliance with rules inside and outside the organization, including important law, into consideration by supervision and verification for the sake of compliance with guidelines on relevant rules and law seriously. Compliance with the Personal Data Protection Act B.E. 2565 (2022) is considered the most important issue by the Company, therefore, the risks of the MBK GROUP is specified and guidelines on concrete management for the whole system is set by establishing the Personal Data Management Committee for the personal data protection and appointing Data Protection Officers (DPOs) having a duty to give counsel and recommendations for personal data protection, verification the operation related to personal data analyzed in order to control, supervise all personal data of the Company and clearly determining a working process in terms of operations of personal data management in order to consistent with the Personal Data Protection Act and not to have any effect on business operations and reputation of the Company.

Moreover, in terms of investments the projects, the Risk Management Committee (RMC) at each level (the MBK GROUP/ BU/ SBU) specifies to request for approval investment budgets in any project with agreement, the risks have to both of analysis and request for approval from the involved committee and reported to the involved Risk management Committee (RMC) every time in order to prevent risks of investment of the MBK GROUP.

As well as, the Company Group holds the ideology of virtuous business operations, persisting in responsibilities for all involved stakeholders in terms of anti-corruption in order to comply with the organization’s anti-corruption policy and its measures. Currently, several subsidiaries of the MBK GROUP are certified as members of Thai Private Sector Collective Action Against Corruption (CAC), signifying purpose and determination of anti-corruption in every form through transparent management based on corporate governance and building confidence for all stakeholders.

The MBK GROUP follows up the risk management operations continuously at all levels and submits a risk management report regularly in order to supervise the risk level to be reduced to the risk appetite. Also, determine the review of risks is annually specified in order to consistent with situations.