Risk and Business Continuity Management
Uncertainty and volatility caused by external factors, whether economic, social, or environmental, together with climate change, are intensifying and constantly changing. As a result, the Company prioritizes risk and business continuity management to support operations and enable the achievement of its objectives, strategy, and goals. This has also increased its flexibility, allowing the Company to quickly adapt and respond to changes without affecting its main operations or goals, both under normal conditions and in the event of unexpected occurrences in the short and long term. The Company is able to respond appropriately to stakeholders' needs while mitigating the impact of the Company’s operations on the environment and stakeholders in the value chain. Furthermore, it enhances the organization’s capability and resilience in projecting and managing, in a timely manner, future events or changes from both internal and external factors that may impact the Company’s business operations.
Risk Management Plan and Policy
The Company has also established a risk management policy, along with an aligned business continuity management policy, to ensure that appropriate risk management and effective control systems are implemented throughout the organization, enabling the Company to achieve its strategic objectives and various key goals. The risk management policy and risk appetite are reviewed and approved annually by the Board of Directors.
To ensure that enterprise risk management remains effective, efficient, and aligned with international standards, the Company has adopted risk management principles based on COSO-ERM 2017 (The Committee of Sponsoring Organizations of the Treadway Commission: Enterprise Risk Management), integrating strategy and performance for sustainable risk management. The Company conducted a study on COSO-ERM 2017: Guidelines for Applying Enterprise Risk Management (ERM) to Environmental, Social, and Governance (ESG) – Related Risks, to gain a comprehensive understanding and effectively identify ESG risks, integrating them with strategies and business management.
Enterprise Risk Management Structure
- The Board of Directors has assigned the Executive Committee to establish and review the risk management policy, oversee enterprise risk management in alignment with the Company’s strategy and objectives, and provide guidance to the Management Team in maintaining risk appetite to ensure effective enterprise risk management. In addition, the Audit Committee is responsible for monitoring and ensuring that risk management is aligned with the risk management policy and plan.
- The Board of Directors has scheduled regular joint meetings of the two committees at least twice a year to discuss material risks and ensure alignment between risk management and internal control systems, provide perspectives on enterprise risk management, review the Company's risk management policy and risk appetite before presenting to the Board of Directors for consideration and approval, and provide comments and suggestions on risk management prior to submission to the Board of Directors for approval. This includes submitting enterprise risk management reports to the Board of Directors regularly, twice a year.
- The Executive Committee established comprehensive risk management, enabling the Company to effectively conduct business and achieve its objectives, strategies, and goals. The Company’s enterprise risks are categorized into six areas: strategic risk, operational risk, financial risk, compliance risk, ESG risk, and emerging risk. The Chief Executive Officer and Managing Director are responsible for leading enterprise risk management at the management level.
- The Chief Executive Officer and Managing Director established the Sustainability and Risk Management Working Team, comprising senior executives from all departments and employee representatives, to oversee the management of both business and sustainability risks in an integrated manner. This structure supports efficient risk management through both top-down and bottom-up approaches. Furthermore, the Working Team is responsible for identifying emerging risk factors, assessing risk impacts, reviewing risk appetite and key risk indicators, as well as monitoring the effectiveness of risk mitigation plans to maintain risk tolerance. It also promotes the continuous development of a risk management culture among executives and employees across the organization. Moreover, the Chief Corporate Sustainability Officer is responsible for driving and overseeing the organization’s risk management and sustainability initiatives.
- The enterprise risk management process is reviewed by the Internal Audit Department and further reviewed by the Audit Committee to ensure that risk management is adequate and effective.
- The Company maintains Business Continuity Management (BCM) and conducts annual emergency response drills based on key risk factors. In 2025, new drills were incorporated and conducted, such as earthquake drills, food defense drills, etc.
- The Company has also established a risk control system by using the Three Lines of Defense Model to ensure effective risk management and internal control. Under the first line of defense, all employees are responsible for managing their risks. The second line requires executives to report to their supervisors, the Sustainability and Risk Management Working Team, and the CEO. The third line requires an Internal Audit Department, which is an independent department, to conduct audits to ensure that the Company’s regulations, policies, and internal control systems are appropriately implemented to manage risks effectively.
Risk Management Processes and Tools
The Company has prepared an Enterprise Risk Management (ERM) Manual to provide guidance on risk management in accordance with the COSO Enterprise Risk Management Framework (2017), an internationally recognized standard. The manual defines risk management processes covering both operational and sustainability risks. This aligns with sustainability strategies and objectives as well as international standards. Enterprise risk appetite and Key Risk Indicators (KRIs) were determined for each identified risk. Bow-tie analysis is applied for risk assessment and evaluation of risk likelihood. Risk mitigation plans are developed and continuously monitored to ensure that enterprise risks are effectively mitigated and controlled within the risk appetite of operational risk factors.
Enterprise risk management process

- Set objectives and goals: Set objectives and goals for business operations, and review risk appetite annually to ensure it aligns with operational goals.
- Identify risks: Identify the impact of actual and potential risks on the achievement of its goals and strategies, taking into account both internal and external factors. Enterprise risks are classified into six groups: strategic risk, financial risk, operational risk, compliance risk, ESG risk, and emerging risk.
- Assess risks: Assess and analyze risks by evaluating their impact and likelihood in the risk assessment process. In the event of any changes to policies or goals, the Company reviews risk factors to ensure alignment, considering risks both before and after the implementation of risk control measures.
- Prioritize risks: Prioritize risks based on their significance and impact, identifying key risk factors to gain a comprehensive understanding of enterprise risks and the urgency of risk management.
- Respond to risk: Respond to risks by managing their causes or potential impacts so that they remain within risk appetite or have the least impact, taking into account the cost-benefit analysis of risk management.
- Monitor and report: Monitor the performance after implementing the risk management plan and report the results to the Audit Committee and the Executive Committee for review and recommendations before presenting them to the Board of Directors for consideration. This ensures that the risk management plan is effective and capable of managing risk appetite in a timely manner.
Business Continuity Management
Impact and Significance
Disruptions to business operations from unforeseen events, such as natural disasters, fires, floods, raw material shortages, international transportation disruptions, cyber threats, or disease outbreaks, can significantly affect production and delivery capabilities, food safety, and customer confidence, as well as the Company’s reputation and business value. Without appropriate support systems, this may lead to financial losses, strained business relationships with suppliers, and a loss of stakeholder confidence in the Company. Effective Business Continuity Management (BCM) enables the Company to respond to crises in a systematic manner, minimize the duration of business disruptions, control potential damage, and ensure the continuity and timely delivery of products to customers.
Operational Guidelines and Measures
To mitigate risks, the Company has established a Crisis Management and Response for Business Continuity and Contingency Plan to serve as a guideline for assessing potential risks and the severity of events that may impact operations. The framework includes preventive, response, and recovery measures designed to ensure business continuity, minimize supply chain risks, and control potential losses not only in operations but also in food safety, consumer protection, customer relationships, assets, and the Company’s image and branding. This ensures that all departments operate in a consistent and effective manner. The Company has established a clear crisis management structure, appointing the Chief Executive Officer (CEO) as the Crisis Director and designating executives from relevant departments to be in a working team responsible for managing emergencies in accordance with clearly defined roles and responsibilities.
Furthermore, the Company established post-incident recovery guidelines and conducts emergency response drills annually. In some cases, these drills are conducted in collaboration with customers and suppliers to test the readiness of communication processes, raw material procurement, production, and product delivery during a crisis.
The Company's business continuity plan covers material risks, including natural disasters, fire, floods, supply chain risks, transportation disruptions or shortages of raw materials, cyber threats, climate change risks, and labor shortage risks due to epidemics or infectious diseases. This structure ensures that the Company is well prepared and able to respond promptly to emergency situations. In 2025, the Company conducted emergency response drills based on identified enterprise risks and in compliance with applicable law and requirements as follows:
- Fire and earthquake evacuation drill
- Chemical spill drill
- Gas and boiler leak emergency drill
- Ammonia spill drill
- Flood evacuation drill
- Scenario-based drills regarding food safety and consumer rights, such as product recalls due to quality issues or food crime, etc.
- IT Disaster Recovery Plan (IT DRP) drill
The implementation of this framework enabled the Company to mitigate supply chain disruptions, control financial and operational losses, maintain food safety standards, and protect consumers, while reinforcing the confidence of customers, suppliers, and stakeholders. Therefore, there were no significant disruptions impacting the Company's business operations.
Enterprise Risk Management and Controls Awareness
The Company is committed to fostering a risk culture throughout the organization, ensuring that every employee understands risks in all aspects related to their responsibilities and transactions. Employees must actively contribute and commit to prioritizing enterprise risk management before making investments or conducting transactions. To raise awareness, the Company communicates with employees as follows:
- The Sustainability and Risk Management Working Team held 4 meetings in 2025 to discuss risk management, report on newly identified annual risks, review progress on risk management plans, monitor risk management performance, and assess risks in response to events.
- The Executive Committee and the Audit Committee held 2 meetings and submitted enterprise risk management reports to the Board of Directors twice.
- Set risk indicators (KRIs) that are consistent with organizational goals and strategies to connect risk management with the performance evaluation of executives and employees.
- Integrate department KPIs into corporate KPIs to serve as a risk monitoring tool.
- Incorporate some significant risk indicators and sustainability indicators into the KPIs of the organization or risk owners, including risk appetite, to ensure that risk and sustainability management are consistent with the goals of the organization or risk owner. These indicators are then used in the annual performance evaluation of directors. For example, the environmental dimension includes key indicators such as reducing energy consumption, waste management, and greenhouse gas emissions. The social dimension includes indicators such as customer satisfaction, safety & security, and personnel development, etc.
- Include an agenda item for information in meetings of directors or executives to share or update on relevant laws, regulations, requirements, and current situations related to risk management, corporate governance, and sustainability.
- Organize a meeting of the Risk Management Team to report the progress on the risk management plan. Follow up on risk management results and assess risks based on the situation at least twice a year. In 2024, the Risk Management Team held four meetings.
- Ensure all employees have access to policies, the enterprise risk management manual, and Crisis Management and Response for Business Continuity and Contingency Plan through internal communication channels, such as the intranet, shared drive, and email.
- Organize training programs on “Enterprise Risk Management, Internal Control, and Anti-Corruption” for executives and employees at all levels to enhance their understanding and capability in managing enterprise risks. The Company plans to expand these training programs to cover employees at other levels.
- Organize an “Anti-Corruption” training program.
- Communicate risk management and anti-corruption policies internally and externally.
Key Risk Factors
To identify key risk factors, the Company analyzes the business environment, considering both internal and external factors, including the sustainability impact on stakeholders and emerging risks. This process includes establishing a mitigation plan and continuously monitoring the performance. While monitoring enterprise risk management, some risks are related to material topics. Therefore, the Company is able to manage both operational risks and ESG risks that may impact business operations, the environment, and society, as well as be flexible in handling and mitigating potential impacts to achieve the goals set in the strategic plan and effectively oversee stakeholders, society, and the environment.
Enterprise risks are divided into 6 groups as follows:

KCG Sustainability Performance Data 2025 - Governance and Economic Performance