Risk Management and Business Continuity
Risk management and business continuity are critical components of EGAT’s organizational governance. They serve to ensure that the organization can achieve its assigned mission effectively, respond promptly to emergencies or crises and maintain uninterrupted electricity operations for the benefit of all stakeholders.
| Targets for 2024 | Performance |
|---|---|
| ● Conducting an annual review and development of the risk management plan | ● Reviewed and developed EGAT’s 2025 risk management plan |
| ● Quarterly monitoring and reporting of risk management performance, including issue analysis and corrective actions | ● Monitored and reported risk management performance quarterly, including analysis of issues, challenges and corrective actions, and adjusted the risk management plan in line with changes to the annual operational plan |
Risk Management
To ensure effective organizational risk management, EGAT has established a risk management and internal control policy, along with implementation guidelines on good governance, risk management, and compliance (GRC). The risk management structure includes the EGAT Board of Directors, the Risk Management and Internal Control Committee, the EGAT Executive Committee, risk management committees at operational line level, the Audit Committee under the Office of Internal Audit, and all EGAT personnel. The Risk Management and Internal Control Department, under the Strategic Planning Division, supports enterprise-wide risk management by formulating policies, setting acceptable risk levels, developing risk management guidelines, and preparing an annual risk management manual and review.
As organizations transition into the digital era, EGAT has adopted digital technologies to enhance operational efficiency. This shift also introduces cybersecurity risks, such as attacks on servers, network intrusions and other cyber threats. To address them, EGAT conducts an annual assessment of cybersecurity and information risk.
In 2024, EGAT continued the enterprise-level cybersecurity risk management work begun in 2023, applying both existing controls and mitigation plans to bring risk severity within the organization’s risk appetite. Key measures included strengthening access control for critical systems, regularly reviewing and updating access rights to sensitive systems and data, and running phishing email simulations to raise cybersecurity awareness among employees. The simulations used varied email content and were accompanied by targeted communications before and after each test to reinforce learning.
Under the access control measures, EGAT reviewed system access rights and instructed system administrators to restrict access in line with the ISO/IEC 27001 standard. The more varied phishing content reduced the number of employees who fell for simulated attacks, meeting the organization’s target. EGAT’s cybersecurity risk management therefore achieved its 2024 objectives, with no severe cyber incident affecting the organization.
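The access-rights review described above, as an added illustration that is not EGAT’s own tooling or data: a reconciliation of an entitlement export against an approved role matrix that flags rights beyond the role, dormant accounts and leavers who still hold access, grouped by the system administrator who has to restrict them. The systems, accounts, roles, administrator addresses and the 90-day dormancy threshold are all constructed for the example; the page gives no such figures.

```python
"""Periodic access-rights review (added example, not EGAT's own tooling).

Reconciles an entitlement export against an approved role matrix and lists
the accounts whose access should be restricted, grouped by the administrator
responsible for each system. All data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed role matrix: the entitlements each role is approved to hold, per system.
APPROVED = {
    "scada-hist": {"operator": {"read"}, "engineer": {"read", "write"}, "admin": {"read", "write", "admin"}},
    "hr-db":      {"hr-staff": {"read", "write"}, "admin": {"read", "write", "admin"}},
}

# Constructed owner of each system: who receives the restriction notice.
SYSTEM_ADMINS = {"scada-hist": "ot-admin@example", "hr-db": "hr-admin@example"}

DORMANT_DAYS = 90  # assumed review threshold; the page states no figure

# Constructed entitlement export: one row per (account, system).
EXPORT = [
    {"user": "anan", "system": "scada-hist", "role": "operator", "rights": {"read"},                   "status": "active", "last_login": date(2024, 11, 2)},
    {"user": "beam", "system": "scada-hist", "role": "operator", "rights": {"read", "write"},          "status": "active", "last_login": date(2024, 10, 20)},
    {"user": "chai", "system": "hr-db",      "role": "hr-staff", "rights": {"read", "write", "admin"}, "status": "active", "last_login": date(2024, 3, 1)},
    {"user": "dao",  "system": "scada-hist", "role": "engineer", "rights": {"read", "write"},          "status": "left",   "last_login": date(2024, 6, 15)},
]


def review(export, approved, as_of, dormant_days=DORMANT_DAYS):
    """Return findings as (user, system, kind, detail) tuples.

    kind is one of: leaver, unknown-role, excess, dormant.
    """
    findings = []
    for row in export:
        user, system, role, rights = row["user"], row["system"], row["role"], row["rights"]
        # Leavers: any remaining entitlement is a finding, regardless of role.
        if row["status"] != "active":
            findings.append((user, system, "leaver",
                             "account is not active but still holds " + ", ".join(sorted(rights))))
            continue
        allowed = approved.get(system, {}).get(role)
        # A role missing from the matrix cannot be reconciled; escalate rather than assume.
        if allowed is None:
            findings.append((user, system, "unknown-role",
                             f"role {role!r} has no approved entitlements on {system}"))
            continue
        # Least privilege: anything beyond the role's approved set must be removed.
        excess = rights - allowed
        if excess:
            findings.append((user, system, "excess",
                             "holds " + ", ".join(sorted(excess)) + f" beyond role {role!r}"))
        # Dormancy: an account nobody uses is attack surface with no business value.
        idle = (as_of - row["last_login"]).days
        if idle > dormant_days:
            findings.append((user, system, "dormant", f"no login for {idle} days"))
    return findings


def notices(findings, admins):
    """Group findings by the administrator responsible for each system."""
    by_admin = defaultdict(list)
    for finding in findings:
        by_admin[admins.get(finding[1], "unassigned")].append(finding)
    return dict(by_admin)


if __name__ == "__main__":
    for admin, items in notices(review(EXPORT, APPROVED, date(2024, 12, 1)), SYSTEM_ADMINS).items():
        print(admin)
        for user, system, kind, detail in items:
            print(f"  {system}/{user}: {kind}: {detail}")
```

The review deliberately stops at the first finding for a leaver or an unknown role: once the whole account is in question, itemising individual rights only dilutes the notice. Each run should be dated with the `as_of` value actually used, so the dormancy figures in the notices can be reproduced at the next quarterly review.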
Business Continuity Management
EGAT’s business continuity management aligns with the international standard ISO 22301:2019. The organization has established a policy, manual, and business continuity plan (BCP) as operational frameworks to support its mission of delivering uninterrupted electricity.
EGAT has formed a Business Continuity Management Committee, comprising division-level directors from all operational lines, responsible for conducting Business Impact Analysis (BIA) and developing continuity plans to address potential incidents. These plans ensure that EGAT can continue its core operations during crises within the Maximum Tolerable Period of Disruption (MTPD) and recover within the targeted Recovery Time Objective (RTO). The organization also monitors and analyzes preparedness for disasters and emergencies to maintain operational resilience.
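To make the MTPD/RTO relationship concrete, an added example that is not EGAT’s BIA, plan or figures: a check over a constructed BIA register that enforces RTO below MTPD for every process and carries RTO through dependency chains, since a process cannot be restored before the resources it relies on, then derives a recovery order with dependencies first and the tightest MTPD next. The process names, hours and dependencies are assumed for illustration.

```python
"""BIA consistency check (added example, not EGAT's BIA or continuity plan).

Each process has a Maximum Tolerable Period of Disruption (MTPD) and a
Recovery Time Objective (RTO). Two rules are enforced: RTO must be shorter
than MTPD, and a process's effective RTO is the longest RTO along its
dependency chain, because it cannot be back before what it depends on.
Figures below are constructed for illustration.
"""

# Constructed BIA register: hours, with upstream dependencies by name.
BIA = {
    "grid-dispatch": {"mtpd": 4,  "rto": 2,  "deps": ["scada", "comms"]},
    "scada":         {"mtpd": 2,  "rto": 1,  "deps": ["comms"]},
    "comms":         {"mtpd": 2,  "rto": 3,  "deps": []},
    "billing":       {"mtpd": 72, "rto": 24, "deps": []},
}


def effective_rto(bia, name, _path=()):
    """Longest RTO along the dependency chain rooted at `name`.

    Raises ValueError on a dependency cycle, which a BIA must never contain.
    """
    if name in _path:
        raise ValueError(f"dependency cycle through {name!r}")
    entry = bia[name]
    return max([entry["rto"]] + [effective_rto(bia, d, _path + (name,)) for d in entry["deps"]])


def check(bia):
    """Return findings as (process, kind, detail) tuples."""
    findings = []
    for name, e in bia.items():
        # Rule 1: the stated RTO must leave headroom before the tolerable window closes.
        if e["rto"] >= e["mtpd"]:
            findings.append((name, "rto-exceeds-mtpd", f"RTO {e['rto']}h >= MTPD {e['mtpd']}h"))
        # Rule 2: a slow dependency can breach this process's MTPD even if its own RTO is fine.
        eff = effective_rto(bia, name)
        if eff != e["rto"] and eff >= e["mtpd"]:
            findings.append((name, "inherited-rto-exceeds-mtpd",
                             f"effective RTO {eff}h via dependencies >= MTPD {e['mtpd']}h"))
    return findings


def recovery_order(bia):
    """Order to restore processes: dependencies first, then the tightest MTPD first."""
    order, done = [], set()

    def visit(n):
        if n in done:
            return
        for d in sorted(bia[n]["deps"], key=lambda d: bia[d]["mtpd"]):
            visit(d)
        done.add(n)
        order.append(n)

    for n in sorted(bia, key=lambda n: bia[n]["mtpd"]):
        visit(n)
    return order


if __name__ == "__main__":
    for process, kind, detail in check(BIA):
        print(f"{process}: {kind}: {detail}")
    print("recovery order:", " -> ".join(recovery_order(BIA)))
```

In the constructed register `comms` fails on its own RTO, and `scada` fails only through its dependency on `comms`: its own 1-hour RTO looks fine until the chain is followed. That second kind of finding is the one a BIA review most often misses, and the reason the effective RTO, not the stated one, is what should be compared against MTPD.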
EGAT communicates its business continuity management processes to both internal and external stakeholders through various channels, such as training sessions for relevant employees, information disclosure on the EGAT website, and annual presentations to the Provincial Electricity Authority (PEA), the Metropolitan Electricity Authority (MEA), and direct customers. Awareness assessments are conducted to gather feedback for improving future operational plans.
Additionally, EGAT conducts regular emergency response and BCP drills based on simulated risk scenarios, such as power plant fires, lightning strikes on transmission systems, and disruptions to natural gas supply pipelines. These drills are carried out at the unit, operational line, and organizational levels, and include joint exercises with external agencies and surrounding communities. Their objective is to confirm organizational readiness and EGAT’s capability to respond swiftly and effectively to potential incidents.
