Sea Oil Public Company Limited ("the Company") remains committed to its energy, procurement, and service businesses, with a focus on driving continuous organizational growth. It emphasizes management in accordance with sustainable development principles, striving to create balance across its value chain while integrating economic, social, and environmental considerations into its operations. Through this approach, the Company aims to create long-term value for the organization and all stakeholders, while ensuring sustainable growth and resilience in an evolving business environment.
The Company has reviewed and refined its strategic and business plans to enhance its readiness in responding to a rapidly changing business environment and to better meet the evolving expectations of customers, business partners, and all stakeholder groups. This includes addressing emerging risks and opportunities arising from the digital era, such as cybersecurity threats, technological innovation and disruption, as well as environmental challenges associated with global climate change. Through proactive planning and adaptive management, the Company aims to strengthen its resilience, maintain competitiveness, and ensure sustainable business growth in an increasingly dynamic operating environment.
Accordingly, the Company places significant emphasis on workforce development, operational transformation, strategic investment, and the adoption of appropriate technologies to enhance organizational capabilities and strengthen its readiness to respond to rapidly changing business conditions. The Company has also strengthened its proactive risk management approach to effectively address emerging and unforeseen challenges. This includes the regular assessment of key risks and the implementation of preventive measures and risk management plans that are aligned with the Company's strategic objectives and business goals. Through these efforts, the Company aims to ensure business continuity, operational efficiency, and organizational resilience, while minimizing potential impacts on stakeholders throughout the value chain and supply chain.
The Company recognizes the importance of enterprise risk management as an integral part of good corporate governance and a key mechanism for supporting effective management. Risk management enables the Company to achieve its strategic objectives, enhance operational efficiency, and strengthen its ability to respond to uncertainties and emerging challenges. By integrating risk management into its business processes and decision-making, the Company seeks to support sustainable growth, safeguard stakeholder interests, and create long-term value for the organization.
The Board of Directors promotes a risk-aware organizational culture by encouraging executives and employees at all levels to recognize the importance of risk management in their daily operations and decision-making processes. To support this commitment, the Board has established an Enterprise Risk Management (ERM) Policy, framework, and processes to ensure that risks are systematically identified, assessed, monitored, and managed throughout the organization. The ERM framework is integrated into the Company's business planning and operational activities to enhance resilience, support strategic objectives, and contribute to sustainable business growth.
The ERM framework is designed to establish the organizational context; identify, analyze, and assess risks; and define appropriate risk mitigation measures. It also supports the continuous monitoring and review of risks that may affect the Company's business operations, considering both internal and external factors. The framework covers risks at both the enterprise and operational levels. The Company assesses risk levels based on the likelihood of occurrence and the potential impact of each risk, enabling the development of a Risk Map to prioritize risk management efforts. In addition, the Company defines its Risk Appetite and Risk Tolerance levels to provide clear guidelines for decision-making and risk management practices throughout the organization. These measures serve as a framework for risk management and the implementation of appropriate controls to maintain risks at an acceptable level. The Company has also established Key Risk Indicators (KRIs) to monitor risk trends and provide regular reporting to management, the Audit and Risk Management Committee, and the Board of Directors.
To ensure a consistent and systematic approach to risk management, the Company has established the following Risk Management Policy:
- The Company shall establish a risk management system, risk management framework, and risk management processes that are aligned with internationally recognized standards and integrated across both the enterprise and functional levels. These processes shall be aligned with the Company's business strategies, objectives, and evolving business environment. The Company shall also ensure the continuous assessment, monitoring, and enhancement of risk management effectiveness to support proactive decision-making, strengthen organizational resilience, and enable the achievement of its strategic and operational goals.
- The Company requires risk management to be the responsibility of all business units. Each unit is expected to recognize and understand the risks associated with its operations and those affecting the organization, while strictly adhering to the Company's risk management policy and framework. Under an adequate and appropriate system of internal controls, all units are responsible for effectively managing risks within acceptable levels. This approach supports the achievement of the Company's objectives and strategic goals, enhances operational efficiency, and contributes to sustainable business success.
- The Company shall allocate appropriate resources and provide the necessary support to ensure that risk management activities are implemented effectively and efficiently. This includes providing adequate personnel, systems, tools, training, and other resources required to support risk management.
- The Company continuously encourages and supports the development of knowledge and understanding of risk management processes and practices among executives and employees at all levels. This initiative aims to cultivate awareness of the importance of risk management and encourage active participation and shared responsibility in managing organizational risks. By embedding risk management principles into day-to-day operations and decision-making, the Company seeks to foster a risk-aware culture and establish risk management as an integral part of its organizational culture. This approach contributes to enhanced organizational resilience, sustainable growth, and long-term value creation for the Company and its stakeholders.

The Board of Directors has delegated responsibility to the Audit and Risk Management Committee to review and monitor the effectiveness and adequacy of the Company's risk management practices. The Committee is also responsible for reporting significant risks that may affect the Company's business plans and strategic objectives to the Board of Directors for acknowledgment and consideration. The Audit and Risk Management Committee performs its duties in accordance with the Company's Risk Management Policy and is responsible for the following:
- Review and approve the risk management framework, including policies and procedures for risk identification, assessment, monitoring, and management.
- Risk management activities, monitor compliance with the Risk Management Policy, and review reports on significant business risks to ensure that appropriate mitigation measures are implemented and that key risks are communicated to the relevant governing bodies in a timely manner.
- Review significant risk reports and risk mitigation measures submitted by the Risk Management Committee to ensure that key risks are appropriately identified, assessed, managed, and monitored in alignment with the Company's risk management objectives.
- Evaluate the overall effectiveness and efficiency of the Company's risk management system to ensure that risk management processes remain appropriate.
- Assess the adequacy of the Company's overall internal control system.
The Audit and Risk Management Committee has appointed a Risk Management Committee to support the implementation of the Company's risk management processes across the organization, comprising:
- One director appointed by the Audit and Risk Management Committee serves as the Advisory Chairman of the Risk Management Committee
- The Executive Committee, appointed by the Chairman of the Executive Committee, serves as the Chairman of the Risk Management Committee
- Risk management representatives from each business unit and functional department
- Directors and/or appointed advisors assigned to specific investment projects
Risk Management Committee responsibilities:
- Establish and review the risk management framework, risk appetite, risk assessment criteria, and risk management processes to ensure alignment with internationally recognized standards, the Company's strategic objectives, and evolving business conditions, and submit such matters to the Audit and Risk Management Committee for consideration.
- Identify risk factors that may affect the Company's performance, evaluate the potential impact of risks, and consider appropriate and effective risk mitigation and management plans to ensure that risks are managed within acceptable levels.
- Monitor the progress of risk management activities reported by risk owners and jointly review such reports to ensure that risks are being managed appropriately, effectively, and in accordance with the Risk Management Policy. The Committee shall report on its performance and key risk management developments to the Audit and Risk Management Committee on a quarterly basis.
The Internal Audit Department is responsible for reviewing the effectiveness of the Company's internal control system through internal audit activities. This includes auditing key business processes based on risk factors, evaluating the adequacy and effectiveness of internal controls, and monitoring the implementation of corrective actions for identified deficiencies in accordance with its recommendations. The results of internal audits and follow-up activities are reported to the Audit and Risk Management Committee on a quarterly basis.
The Company has established a risk management process to support the achievement of its business objectives and organizational goals. The process encompasses the systematic identification, analysis, assessment, and management of risks under the oversight of the Board of Directors and the Audit and Risk Management Committee. All functions and departments across the organization share responsibility for managing risks in accordance with their designated roles and responsibilities. The risk management process is implemented through a structured approach designed to ensure that risks are effectively monitored and managed throughout the organization.

Context Establishment: Consider internal and external factors relevant to the Company and define the scope and criteria for risk management.
Risk Identification: Identify events that may occur and have an impact on the Company's objectives.
Risk Analysis: Determine the potential impact and likelihood of identified risk events, including the effectiveness of existing internal controls.
Risk Evaluation: Assess risk levels and prioritize risks (Very High, High, Medium, Low), with each department responsible for managing risks within its area.
Risk Treatment: Select and agree on appropriate options to reduce the likelihood and impact of risks (Avoid, Accept, Transfer, Reduce) and determine how to implement the selected options.
- Define measures to manage risks
- Evaluate and select risk management measures
- Report on risk management outcomes and risk mitigation measures
- The risk owner implements the defined risk management measures
The Company has assessed various risk factors that may affect its business operations, including the level of risk exposure, potential impacts, and corresponding risk management measures. The assessment covers key risk areas that are considered material to the Company's operations and long-term sustainability, as follows:
- Strategic Risk
- Organizational Capability
- Financial Risk
- Operational Risk
- SSHE Risk
- Social & Community Risk
- Compliance Risk
- Corruption Risk
- Emerging Risk
- Climate Change Risk
- Geopolitical Risk
- Financial & Cybercrime Risk
For additional information, please refer to Form 56-1 One Report 2025, in the "Risk Management" section.
Business Continuity Management Policy
Sea Oil Public Company Limited and its subsidiaries ("the Company" or "the Group") recognize the importance of preparedness for potential crises and disruptive events that may affect their operations. This policy aims to ensure that the Group can effectively respond to emergencies and crisis situations, recover critical operations within an appropriate timeframe, and return to normal business conditions as quickly as possible, thereby ensuring the continuity of business operations, minimizing disruptions, and safeguarding the interests of stakeholders. It also supports the protection of the Company's reputation, credibility, critical business activities, and operational resilience in the face of unforeseen events. Accordingly, the Company has established the following Business Continuity Management Policy:
- Establish and maintain crisis prevention, preparedness, and response plans through a Business Continuity Management (BCM) system that is aligned with internationally recognized standards and tailored to the operational requirements of the Group.
- Establish a Business Continuity Management Committee (BCM Committee) with the responsibility for developing and maintaining the Business Continuity Plan (BCP), as well as ensuring organizational preparedness to effectively respond to potential disruptions, emergencies, and crisis situations such as pandemics, fires, natural disasters, terrorism, and other disruptions by assessing their potential impacts and associated risks. The Committee is responsible for ensuring preparedness across key areas, including equipment, facilities, personnel, communications, and budget resources. In addition, the Committee shall monitor, review, and communicate the Business Continuity Plan (BCP) to relevant stakeholders, while overseeing the regular review, enhancement, and updating of the overall business continuity management framework to ensure its continued effectiveness, relevance, and alignment with changing business conditions.
- Conduct testing and exercises of the Business Continuity Plan (BCP) at least once a year, or whenever significant changes occur, to ensure that relevant personnel understand their roles and responsibilities and are adequately prepared to respond effectively to business disruptions and crisis situations.
- Executives of each business function are responsible for overseeing the effectiveness of business continuity management processes within their respective areas. They are also responsible for promoting awareness, knowledge, and understanding of business continuity management among employees, as well as ensuring that appropriate business continuity measures are established and maintained. These measures should be practical, effective, and capable of supporting the continued operation of critical business activities during disruptions, thereby enabling an effective and timely response to potential crisis situations.
- All executives and employees are required to recognize their role in supporting and complying with the Business Continuity Management Policy. They are expected to actively participate in business continuity initiatives and fulfill their responsibilities to help ensure that the Company achieves its business continuity objectives and maintains resilience in the face of potential disruptions.
The Company places importance on developing knowledge, understanding, and awareness of risk management among directors, executives, and employees at all levels. This is intended to enhance their ability to effectively identify, assess, monitor, and manage risks that may impact business operations. In addition, the Company promotes the integration of risk management into daily operations and business decision-making processes to ensure that risk considerations are systematically embedded in organizational activities. This approach supports effective risk management practices and contributes to the Company's operational resilience and sustainable business growth.
In 2025, the Company organized a training program entitled "Risk Management for ESG-Driven Organizations" to enhance understanding of the relationship between Environmental, Social, and Governance (ESG) factors and enterprise risk management. A total of 26 directors, executives, and employees participated in the training. Participants gained knowledge on identifying and assessing ESG-related risks, analyzing their potential business impacts, and establishing appropriate risk management and mitigation measures. This initiative supports the Company's commitment to strengthening risk management capabilities and integrating ESG considerations into its overall risk management framework.
The post-training evaluation revealed that participants had an average satisfaction level of 88.64%, reflecting the effectiveness of the organization's human capital development initiatives. It also supports the cultivation of a Risk-Aware Culture, which serves as a fundamental foundation for sustainable growth and the creation of long-term value for all stakeholder groups.

