Risk and Crisis Management
Supporting the SDGs
Stakeholders Directly Impacted
Employees
Suppliers and Business Partners
Shareholders


Commitment, Challenges, and Opportunities
MR. D.I.Y. operates in a rapidly changing environment across economic, social, and environmental dimensions. These include volatility in product and transport costs, changing consumer behaviour, and workforce- and reputation-related risks. Without appropriate management, these factors may affect the Company’s competitiveness and stakeholder confidence, as well as its operations and long-term growth.
At the same time, the Company sees systematic risk and crisis management as an important opportunity to strengthen business resilience. Comprehensive preparedness helps reduce potential impacts, control costs, and maintain business continuity, while reinforcing confidence among customers, employees, business partners, and all stakeholder groups. It also creates opportunities for the Company to develop innovation and expand into new markets, thereby diversifying business risks and enhancing long-term competitiveness.
Management Approach and Value Creation
The Company has established a clear risk management policy covering all dimensions of its business operations. Its approach is aligned with the Corporate Governance Code 2017, ISO 31000:2018 Risk Management, and the internationally recognised framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Company adopts a systematic and effective approach to identifying, assessing, and managing risks, while promoting a risk-aware culture at all levels of the organisation to strengthen stakeholder confidence and support stable and sustainable growth.
Risk Management Structure and Responsibilities
Role and Responsibility
Responsibility
- Sets the organisation’s vision, objectives, and strategic direction for risk management
- Promotes an organisational culture and transparent governance in line with good corporate governance principles
- Oversees business operations, internal control systems, finance, and risk management
- Defines the organisation’s Risk Appetite
- Delegates authority and responsibilities for risk management across the organisation
- Regularly reviews and approves the enterprise risk management framework (COSO ERM Framework)
Responsibility
- Oversees the risk management policy and framework to ensure alignment with the Company’s Risk Appetite
- Assesses and monitors risks associated with the Company’s operations
- Supports appropriate resource allocation for risk management
- Assesses risks under stressed scenarios through stress testing
Responsibility
- Establish operating standards, organisational structure, and clear responsibilities
- Drive implementation of the Company’s enterprise risk management framework
- Review and improve operational processes in line with risk management requirements
- Allocate appropriate resources to support risk management
Responsibility
- Prepares and reports risk status to the Audit and Risk Management Committee (ARMC) on a quarterly basis
- Supports the ARMC in carrying out its risk management responsibilities
Responsibility
- Identify, assess, and monitor risks within their respective areas of responsibility
- Report and update risk information to the risk management function on an ongoing basis
- Carry out operations in line with the Company’s risk management policies and practices
Responsibility
- Coordinate risk-related information among various departments within the organisation
- Collect and manage risk information from each department to ensure it is complete, accurate, and up to date
- Support the preparation of summary reports on the organisation’s overall risk profile
Responsibility
- Provides independent assurance to the Board of Directors and the ARMC on the effectiveness of risk management
- Reviews the adequacy of the internal control system
- Recommends improvements to strengthen control effectiveness
Risk Management Process
The Company promotes awareness, understanding, and recognition of risks that may arise or are likely to arise across the organisation, together with appropriate measures to reduce risks to an acceptable level in line with the Company’s Risk Appetite. This is carried out under a systematic risk management process based on the COSO framework, with the following key steps:
Risk Identification and Analysis
The Company identifies and analyses existing and potential risks by considering both internal and external factors relevant to its business. This covers strategic, operational, financial, regulatory, and compliance risks, as well as emerging risks and ESG-related risks.

Risk Assessment
The Company assesses and prioritises risks by considering Risk Exposure based on the likelihood of occurrence and the potential impact on the business. This enables the Company to define appropriate responses, mitigation measures, and management strategies for risks at each level, and to bring them within acceptable limits in line with the Company’s Risk Appetite.

Risk Response and Control
The Company applies a range of risk response measures, including risk avoidance, risk reduction/mitigation, risk transfer/sharing, and risk acceptance, to ensure that risks remain within acceptable levels. The Company assigns responsible persons for each risk and prepares a clear Risk Management Plan.

Risk Monitoring and Review
The Company continuously monitors, reviews, and evaluates the effectiveness of its risk management measures. This helps ensure that its risk management approach remains relevant to changing circumstances and can be improved or updated in a timely manner. Risk management reports are prepared and presented regularly to management and the Board of Directors on an annual basis.
In 2025, the Company identified a number of emerging risks and ESG-related risks that may affect its business operations. Examples of key risks are set out below.

Emerging Risks
Business Impact
Geopolitical uncertainty may affect the Company’s operations in terms of operational safety and volatility in global supply chains. In particular, unrest in certain areas of Thailand may affect the safety of employees, customers, and Company assets. In addition, trade tensions and changes in international regulations may affect product sourcing, transport, and business costs.
Risk Management Measures
The Company has implemented risk management measures to enhance safety and supply chain resilience, such as security measures for branches in higher-risk areas, crisis management planning, and relevant insurance coverage. The Company also diversifies sourcing across multiple countries to reduce dependence on a single source, while continuously monitoring changes in trade regulations and overseeing compliance with relevant requirements.
Business Impact
The retail industry is facing changes in workforce expectations and labour availability. Attracting and retaining capable employees amid labour market competition may be challenging. If the Company is unable to manage its workforce effectively, this may affect operational efficiency, business continuity, and the organisation’s long-term growth potential.
Risk Management Measures
The Company places importance on attracting, developing, and retaining employees through career path planning, skills and leadership development, and the promotion of internal career growth. Compensation and benefits are also reviewed regularly to remain competitive in the labour market. In addition, the Company promotes an organisational culture based on equality, non-discrimination, and a fair working environment.
ESG Risks
Business Impact
Severe weather events, such as flooding, may affect the Company’s branches and warehouses, causing damage to assets, loss of inventory, operational disruption, and risks to the safety of employees and customers.
Risk Management Measures
The Company maintains insurance coverage for damage caused by natural disasters and has developed an Emergency and Crisis Management Plan to respond to severe weather events. It also establishes employee safety measures, such as evacuation procedures and emergency communication systems.
Business Impact
Sourcing products from suppliers around the world may expose the Company to risks related to labour rights or human rights violations within the supply chain, which may in turn affect its reputation and the confidence of customers and investors.
Risk Management Measures
The Company has established a Supplier and Business Partner Code of Conduct to require suppliers and business partners to comply with ethical and labour standards. Supplier performance is also monitored and assessed regularly.
Business Impact
Retail operations involving a large branch network, cash handling, and relationships with multiple business partners may increase the risk of fraud or misconduct. This may affect stakeholder confidence, the organisation’s reputation, and overall business operations.
Risk Management Measures
The Company applies a zero-tolerance approach to corruption and enforces its Code of Business Ethics for all employees. It also maintains internal controls, segregation of duties in financial processes, and independent review by the internal audit function. In addition, the Company provides a whistleblowing channel and a whistleblower protection policy to support transparency in business conduct.
Business Continuity Management
The Company has developed a Business Continuity Plan (BCP) to respond to unexpected events that may affect business operations. The plan aims to enable the business to continue operating, reduce the risk of disruption, and minimise impacts on stakeholders. It covers emergency response, crisis communication, and operational recovery, and is supported by regular emergency drills and employee training to strengthen preparedness for potential incidents.
In 2025, the Company implemented initiatives to strengthen business continuity, with a focus on regularly reviewing and testing its BCP in order to improve readiness for emergency events that may affect business operations.

Examples of plans covering key risks include:
These measures enhance the organisation’s preparedness for unexpected events and support continuous and sustainable business operations. The Company reviews and updates its Business Continuity Plan at least once a year.
Strengthening a Risk Management Culture
The Company is committed to embedding risk management into its organisational culture and promoting awareness of its importance among employees at all levels in line with COSO international standards. This is supported by communication from senior management through a Tone from the Top approach. The Company promotes a risk management culture through the following actions:
Establishing a clear risk management policy and framework, and reviewing them annually to ensure alignment with the changing business environment.

Defining risk management roles and responsibilities across functions in line with the Three Lines of Defence model to strengthen checks and balances, reduce risks and operational errors, and support the achievement of organisational objectives and stakeholder confidence.
The three lines of defence are as follows:
- First Line of Defence: The Chief Executive Officer, management committees, risk owners, and operating units are responsible for overseeing their own activities to ensure compliance with established requirements and the implementation of appropriate internal controls and risk management measures.
- Second Line of Defence: The risk management function supports the work of operating units.
- Third Line of Defence: The internal audit function assesses the effectiveness of the Company’s risk management framework.

Preparing and continuously reviewing the Company’s Risk Profile, while allowing each function to raise new risk issues in a timely manner so that material organisational risks can be identified and managed appropriately.

Providing guidance and knowledge-sharing support to risk owners in order to strengthen understanding and awareness of risk management on an ongoing basis.

Organising training and communicating information on risk management and business continuity planning to help employees at all levels understand the risk management framework and risk assessment process, and to prepare for organisational risks.




