Good Corporate Governance


Business Continuity Management Policy

1. General Requirement

1.1 Purpose

     This policy is intended to provide guidelines for preparing appropriate and adequate emergency response plans (ERPs) and business continuity plans (BCPs) to ensure that the Company can return to normal business operations and minimize the duration of disruptions.

1.2 Scope

     The policy applies organization-wide, covering senior executives, service-providing functions, customer-facing functions, support functions, and all individuals involved in related processes.

1.3 Effective Date

     This policy shall be effective from the date of approval by the Board of Directors.

1.4 Review Frequency and Revision

     This policy must be reviewed annually, or when a significant change arises.

     Any significant revisions, review, or renewal of this policy are subject to approval by the Board of Directors. Meanwhile, insignificant revisions are subject to approval by the Management Committee (MC) and/or relevant subcommittees before being submitted to the Board of Directors for acknowledgement.

1.5 Responsible Function

     The Risk Management Department is the responsible function of this policy.

2. Main Requirement

2.1 Definition

  • 2.1.1 Business Continuity Management encompasses guidelines for establishing policies, standards, and work processes for an organization to ensure that in the event of incidents or disasters that result in operational disruptions, critical activities can continue.
  • 2.1.2 Business Impact Analysis (BIA) is a process of analyzing and measuring the impact or business loss resulting from the disruption to operations, both qualitatively and quantitatively.
  • 2.1.3 Emergency Response Plan (ERP) is a written plan for use in the event of an incident or disaster, specifying details about the personnel involved, resources, services, and required actions to manage the incident.
  • 2.1.4 Business Continuity Plan (BCP) is a document that compiles procedures and information to ensure their availability in the event of an incident so that core activities or processes can be carried out at the specified level.

2.2 General Principle

This policy is designed to ensure that the Company's operations comply with the established objectives, laws, and regulations.

2.3 Role, Duty, and Responsibility

  • 2.3.1 The Board of Directors is responsible for approving the Business Continuity Management Policy and supporting its implementation so that the Company achieves the specified objectives, as well as monitoring to ensure that the policy is regularly reviewed.
  • 2.3.2 The Advisory Board is responsible for giving advice, guidance, and supervision to the emergency management committee and working group, and for making decisions to solve problems during implementation.
  • 2.3.3 The emergency management committee and working group are responsible for
    1. Establishing risk management guidelines to prevent, control, and/or reduce damage resulting from disruptions to operations and customer services caused by internal or external risk events. These events may include disasters, as well as climate and environmental changes, that affect the head office, branch offices nationwide, and all alternate operation centers. The guidelines aim to ensure that all offices are adequately prepared to respond according to the severity of the situation and can resume normal operations properly and promptly.
    2. Planning and allocating budgets for the management of physical infrastructure, environment, and workplace safety in alignment with occupational health standards at the head office, branch offices nationwide, and all alternate operation centers.
    3. Preparing and reviewing manuals for the business continuity plans devised for the event of disasters and using them as procedures, as well as disseminating knowledge to directors, executives, employees, agents, and service recipients at the head office and branch offices nationwide.
    4. Monitoring situations and assessing risks from events that may cause damage and/or significant changes, and reporting them to the Advisory Board regularly.
    5. Considering, monitoring, and communicating new applicable laws, orders, and notifications, and analyzing and assessing their impact and likelihood, in order to ensure proper preparation and business continuity management.
  • 2.3.4 The Risk Management Department has the following roles and responsibilities:
    1. Reviewing the Business Continuity Management Policy regularly, or when a significant change arises, to ensure alignment with changing environments and circumstances, and making relevant presentations to the Management Committee for consideration and approval.
    2. Coordinating with business functions across the Company to ensure they develop business continuity management manuals, and compiling those manuals.
    3. Conducting Business Continuity Plan exercises at least once a year, ensuring that relevant persons strictly follow the manuals, and reporting the results to the Management Committee for acknowledgement.

     In addition, the policy owner is responsible for ensuring that relevant departments and/or divisions establish procedures to comply with the policy, and the procedure owners are also responsible for developing manuals that are consistent with the respective procedures.

2.4 Requirement

  • 2.4.1 Business Impact Analysis (BIA)

         The business impact analysis is conducted to evaluate the potential business impact of operational disruptions, determine the maximum acceptable downtime, and establish recovery time objectives for each process or activity. It also involves setting acceptable risk levels for business continuity management to ensure that at least the minimum required objectives for business continuity are achieved. The scope of business impact analysis aligns with the Company's risk management framework and policy, covers the Company's core activities, and groups critical activities with appropriate consideration for operational recovery and restoration timelines.

  • 2.4.2 Preparation of Business Continuity Management Guidance

         Business continuity management depends on the nature and severity of emergencies, control and containment measures, and recovery times of affected activities. The emergency response and timeline are divided into two stages as follows.

    1. Emergency response plans (ERPs) provide guidelines for management, implementation, coordination, and operations in response to emergencies in order to effectively contain incidents, minimize loss of life and property, and enable the Company to activate business continuity plans for core activities.
    2. Business continuity plans (BCPs) provide guidelines to ensure the Company’s readiness to address emergencies that prevent all or some employees from working as usual, enabling the Company to continue its core activities or processes as planned.

         The Company has established business continuity management manuals at both the corporate and unit levels. These manuals contain details of emergency response plans and business continuity management plans, including their scope, core structures, responsible functions, hierarchical emergency alert procedures and systems, and activation of the alternate operation centers. Additionally, it is required that business continuity plan exercises be conducted at least once a year, ensuring that relevant persons strictly follow the manuals.