Legal compliance is a fundamental principle to which BPP has adhered in operating its businesses. It is also a major challenge for the company, since it operates in many countries where regulations differ and are changing rapidly. This includes laws and policies relating to climate change and air quality improvement in large cities, which is an important driving force in the rapid change of environmental laws in the power industry. Accordingly, if BPP cannot adapt promptly, its business operations would be affected.
BPP’s business operations involve various laws and regulations with which the company must fully comply, such as environmental and safety laws, labor laws, trade and investment laws, securities and exchange regulations, as well as various permits. This also includes running businesses in adherence to business ethics, for example, anti-corruption, fair competition, human rights principles, and non-discrimination. Thus, a failure to comply with these laws will affect the company’s sustainable business operations.
To prevent risks that could have a severe impact on business operations, and to create confidence among all groups of stakeholders that BPP has been operating its businesses in accordance with laws and regulations, the company has established the Internal Audit and Corporate Compliance as a major force to coordinate and monitor legal compliance, with two main duties:
- The Corporate Compliance is responsible for promoting, monitoring and auditing operational performance in accordance with laws and external regulations.
- The Internal Audit is responsible for assessing internal control systems, including compliance with policies, regulations and operational practice guidelines within the organization.
Auditing of Internal Control System and Compliance with Policies and Regulations Within the Organization
To ensure that all departments operate in compliance with policies, laws, regulations and operational practice guidelines, BPP has frequently examined the operational performance and internal control systems within the organization and its subsidiary companies, covering major legal and regulatory compliance. The company’s internal audit has been conducted based on the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), consisting of five areas. These include internal control, risk assessment, operational control, information and communication technology system, as well as monitoring system.
Additionally, BPP has established the Internal Audit Department as an independent body, with a duty to evaluate the adequacy and efficiency of the internal control system as well as corporate compliance. It reports directly to the Audit Committee and the Board of Directors.
Monitoring of Environmental Quality, Safety and Labor Required by Law
BPP has set up a system to monitor environmental quality as required by legislation and has monitored possible changes to laws in order to adjust promptly, through follow-up by the central corporate compliance and internal departments among its business units. This is one of the requirements of the quality, safety, and environmental management system. In addition, operating performance in these areas has been regularly audited via the following methods:
- Internal audits conducted through the company’s measurement systems, such as the continuous emission monitoring (CEM) and the water quality monitoring system.
- Inspections by external agencies, such as examination of water and air quality, audits of the implementation of environmental impact mitigation measures in accordance with the environmental impact assessment (EIA) report, and audits of environment and workplace safety.
Quality Assurance Review (QAR)
BPP, in collaboration with Banpu Group, has assigned all supporting units under the supervision of the Corporate Services Department, namely the Health, Safety, Environment and Community Engagement (HSEC) Department, Information Technology Department, Legal Department, Procurement and General Administration Department, as well as Business Process Management Department, to assess operational quality and legal compliance. The QAR working group from the Bangkok Office has been set up to inspect the operational performance of subsidiaries in each country. Meanwhile, the QAR working group of each subsidiary conducts a regular review of all business units located in that country at least once a year. In 2021, the review benchmarks were revised to be in line with international standards. In addition, remote audits in the form of self-examination and interviews, as well as remote evidence verification, were used during the COVID-19 epidemic.
BPP has deployed standardized criteria for reviewing the quality of legal compliance to suit its business operations, covering five dimensions.
Operational Audits by the International Certified Body
BPP has continuously applied international standards to its operational management in order to improve operational standards and create confidence among all groups of stakeholders. Thus, the company has implemented internationally recognized operating standard systems in its business units’ operations in order to create internal control and continual development, namely the ISO 9001 Quality Management System Standard, the ISO 14001 Environmental Management System Standard, the ISO 45001 Occupational Health and Safety Management System, the ISO 22301 Business Continuity Management Standard, and the ISO 27001 Information Security Management System. Legal compliance is part of the requirements for operating in accordance with these systems.
Legal Compliance Audits at Joint Venture Companies
Because it has no direct management control in the joint venture companies, BPP has cooperated with the business partners who have invested in each business to inspect legal operation and internal management at least once a year. Moreover, monitoring is required through risk reports covering legal compliance at least once a month.
Compliance Audits in Key Suppliers
BPP has audited the legal compliance of suppliers who sell key products and services to the company, such as maintenance and operation contractors and engineering and construction contractors, by stipulating this in the selection and hiring conditions. Suppliers have been inspected while operating; if any defects are found, the company will work with suppliers to lay out corrective actions in accordance with the laws and best practices. This is considered part of the company’s management system standards.
- Operating in accordance with the internal audit and compliance systems covering all business units where the company has management control.
- Conducting internal audits and compliance assessments among the joint venture companies, as well as following up on deficiency resolutions in accordance with the common standards with partners.
- No significant incidents of legal non-compliance in the businesses where the company has direct management control, in joint venture companies, or among suppliers operating in the areas.
Key Activities and Projects
Currently, Thailand has announced the Personal Data Protection Act 2019 (PDPA), legislation that protects personal data according to international standards and determines appropriate remedial measures for data subjects whose rights to the protection of personal data are violated.
During 2020 – 2022, Banpu Group took steps to protect personal data in accordance with the law and with respect for human rights according to international principles, for example:
- Appointing a Data Protection Officer (DPO).
- Appointing a personal data protection working group, responsible for preparing personal data protection standards in accordance with Thai and international laws and for communicating to create proper awareness and understanding of personal data protection laws in order to prevent risks arising in the organization. BPP is planning to escalate the results by setting up working groups in countries where personal data protection laws have been announced.
- Issuing a privacy notice, recording processing activities, stating the purpose of collection/use/disclosure of information, and determining the period for using and destroying data so that personal data is not collected beyond necessity.
- Developing a personal data protection standard practice manual.
- Establishing a data breach management procedure.
- Preparing procedures regarding the rights of the data subject (Data Subject Rights Management Procedure).
- Practicing a crisis communication plan in the event of a breach of personal data under the established internal standards and procedures.