The increasing uncertainty, volatility, and complexity across economic, technological, social, and environmental dimensions are compelling organizations to enhance their Corporate Governance, Risk Management, and Compliance (GRC) frameworks in order to remain aligned with a rapidly changing context. Ineffective GRC systems that lack transparency and auditability may adversely affect strategic decision-making, business stability and continuity, as well as stakeholder confidence. Furthermore, inadequate governance may create or exacerbate risks to the rights, safety, and well-being of employees and other relevant stakeholders.

An effective GRC system enables organizations to anticipate and manage risks prudently, supports informed and data-driven decision-making, and promotes ethical business conduct.

Integrating GRC into organizational management, together with encouraging and engaging business partners and suppliers in such practices, serves as a critical tool and mechanism for sustaining and enhancing competitive capabilities while creating long-term, sustainable value for all stakeholders.

Management Approach

CPF is committed to achieving sustainable growth while maintaining a balance across economic, social, and environmental dimensions. This commitment is realized through the establishment of a robust and effective Governance, Risk, and Compliance (GRC) structure and management system, encompassing governance oversight, the promotion of compliance practices, monitoring, and performance assessment. Such an approach supports transparent and responsible business operations and fosters confidence among all stakeholders.

Corporate Governance

Good corporate governance is a fundamental foundation for stable and sustainable growth. CPF therefore promotes ethical organizational management that respects rights and upholds accountability to shareholders and stakeholders by integrating operations at all levels—from the Board of Directors and management to operational functions. This is carried out under corporate governance policies and structures that take into account competitiveness, adaptability to change, stakeholder responsibility, and the creation of shared and sustainable long-term value.

Corporate Governance and Sustainable Development Policies and Practices

The Company applies the principles of good corporate governance as established by the Stock Exchange of Thailand, the Securities and Exchange Commission, the Organisation for Economic Co-operation and Development (OECD), as well as corporate governance assessment frameworks of international sustainability indices, in formulating its corporate governance and sustainable development policies. The implementation of these policies is regarded as a shared commitment of the Board of Directors, management, and employees of the Company and its subsidiaries.

  1. Shareholder Rights
  2. Equal Treatment of Shareholders
  3. Roles toward Stakeholders
  4. Disclosure of Information and Transparency
  5. Responsibilities of the Board of Directors

Related Documents

Anti-Corruption Policy
Code of Conduct
Conflict of Interest Policy
Corporate Governance and Sustainable Development Policy
Human Rights Policy
Information Security Policy
Personal Data Protection Policy
Safety, Health, Environment, and Energy Vision, Mission and Policy
Sustainability Policy
Sustainable Sourcing Policy and Supplier Guiding Principle
Tax Policy
Use of Inside Information and Securities Trading Policy
Whistleblowing Policy

The Company promotes strict adherence by all directors, executives, and employees to the Code of Business Conduct, which serves as a key corporate governance mechanism to reinforce ethical operating standards across the organization. The Code also functions as an oversight tool for the Board of Directors and is integrated with risk management and regulatory compliance, enabling Governance, Risk, and Compliance (GRC) to operate in a coordinated and systematic manner.

To ensure the effectiveness of governance mechanisms and compliance practices, the Company conducts evaluations of compliance with relevant policies and regulations and reports the results to the Board of Directors at least once a year. In addition, the Company promotes organization-wide learning on corporate governance and sustainable development across all levels of employees through regular training programs, including fundamental corporate governance courses, Code of Business Conduct training, anti-fraud and anti-corruption courses, and ESG training on an annual basis.

Corporate Governance Structure

The Company has established a corporate governance structure in which the Board of Directors operates independently from management. The Board of Directors, acting as representatives of the shareholders, has the duties and responsibilities to oversee and monitor management’s performance to ensure that operations are carried out in accordance with the objectives, strategies, and plans approved by the Board, on the basis of compliance with applicable laws, rules, and regulations, in order to achieve the greatest benefit for the Company and all stakeholders.

In addition, the Board of Directors has appointed five specialized subcommittees to review and scrutinize specific areas of operations as delegated, prior to submission to the Board of Directors for consideration and approval, thereby enhancing the effectiveness and efficiency of the Board’s oversight functions.

  1. The Audit and Risk Management Committee
  2. The Corporate Governance and Sustainable Development Committee
  3. The Remuneration and Nominating Committee
  4. The Technology and Cyber Security Committee
  5. The Executive Committee

The Company regularly reviews its Board structure, including the number of directors, the proportion of independent directors, as well as the directors’ qualifications in terms of knowledge, competencies, and experience, to ensure alignment with the Company’s business operations on an annual basis. At present, the Board of Directors comprises a total of 15 members.

Board of Directors

[Infographic: composition of the Board of Directors in 2025 (total members, % Non-Executive Directors, % Independent Directors, male members, female members)]

Remark: Further details on corporate governance can be found in the Annual Report 2025 (Form 56-1 One Report), Part 2: Corporate Governance.

Risk Management

The Company has developed its risk management system in alignment with the internationally recognized COSO Enterprise Risk Management (COSO-ERM) 2017 framework (The Committee of Sponsoring Organizations of the Treadway Commission). The system is implemented in an integrated manner across the entire organization and encompasses all types of risks and all business activities. This approach provides assurance that the Company’s risk management is sufficiently effective and efficient, enables risks to be managed within the acceptable level of risk appetite, and supports sustainable business operations. The Company has also established a risk management and oversight structure that is interconnected at all levels, including the Board level, management level, and operational level.

Board Level
  • The Audit and Risk Management Committee is entrusted by the Board of Directors with reviewing the adequacy and effectiveness of the risk management framework, as well as overseeing compliance with the Company’s risk management policies, strategies, and risk appetite.
  • The Executive Committee is responsible for overseeing and monitoring the status of key risks and risk management practices, as well as promoting a risk management culture throughout the organization.
Management Level
  • The Risk Management Working Team, which is independently established and separate from business units, is chaired by the Chief Financial Officer. This subcommittee plays a key role in driving the Company’s risk management by reviewing the Company’s key risks, monitoring the implementation of risk mitigation measures and key risk indicators, and working collaboratively with all relevant functions in their capacity as risk owners. The Risk Management Subcommittee convenes on a quarterly basis.
  • Business unit executives and heads of functions are directly responsible for assessing and managing risks within their respective areas of responsibility and for reporting the results of risk management to the Risk Management Subcommittee.
Operational Level
  • Risk Champions serve as intermediaries facilitating coordination between business units and the Risk Management Office.
  • All Employees Across the Organization are expected to actively participate in risk management as an integral part of their responsibilities, act in accordance with the Company’s risk management culture, and promptly report identified risks through the established reporting channels.
Central Function for Driving and Coordinating Collaboration
  • The Risk Management Office is responsible for promoting and disseminating knowledge, as well as providing guidance to relevant functions on risk management, and for monitoring the progress of risk mitigation activities.
  • The Internal Audit Office reviews risk assessment processes to ensure alignment with the risk management policy, monitors the implementation of risk mitigation measures by relevant functions in their capacity as risk owners, and provides recommendations to enhance the effectiveness of the risk management system.

The Company requires risk assessments to be conducted on a quarterly basis or whenever there are significant changes in the operating environment. The Risk Management Subcommittee reports the results of such assessments to the Executive Committee and the Audit and Risk Management Committee, respectively. In addition, the assessment outcomes are communicated to the Management Committee for acknowledgement and implementation of the prescribed risk mitigation measures.

Risk Management Process

The Company has developed a Risk Management Manual to consolidate the framework, procedures, and tools used in risk management. The key components are as follows:

  1. Assessment of the Business Environment: Consideration of the business environment at the macroeconomic, industry, and company levels in order to understand the current situation as well as future trends.
  2. Risk and Opportunity Identification: Identification of risks and opportunities that may affect the achievement of the Company’s objectives, including existing risks, emerging risks, and business opportunities. This process covers both internal and external factors and utilizes various tools and techniques, such as the identification of potential internal and external issues and cause-and-effect analysis under hypothetical scenarios.
  3. Risk Assessment, Risk Prioritization, and Determination of Risk Responses and Key Risk Indicators (KRIs)
    • Establishment of risk assessment criteria based on the Company’s acceptable level of risk (Risk Appetite) across the following dimensions:
      • Investment returns must exceed financial costs.
      • Business operations must be conducted fairly toward stakeholders and in compliance with laws, ethics, and the corporate culture.
      • No deficiencies in safety matters, with due consideration for environmental protection and social responsibility.
      • Production of goods in accordance with defined quality standards.
      • Preservation of corporate image and reputation.
      • Accurate and reliable disclosure of information.
    • Risk assessment through data collection via risk assessment questionnaires and workshops, applying the defined assessment criteria, with results presented in a Risk Heat Map.
    • Risk prioritization based on the relationship between impact and likelihood. Risks exceeding the acceptable level are classified as key risks, for which the root causes must be clearly identified.
    • Determination of appropriate risk responses and key risk indicators, taking into consideration efficiency and effectiveness prior to implementation.
  4. Reporting and Monitoring: Reporting and monitoring of progress in implementing risk response measures and the status of key risk indicators in accordance with the prescribed reporting cycle.

Risk Management Culture

The Company communicates roles and responsibilities and promotes awareness to ensure that directors, executives, and employees act responsibly in considering potential risks and opportunities through the following initiatives:

Enterprise-wide Risk Culture

The Company is committed to fostering a risk management culture across the entire organization through the following approaches:

Environmental (Governance and Framework) Dimension
  • Integrating risk management into the formulation of the Company’s strategies, action plans, and budgeting processes.
  • Communicating the risk management policy, including the roles and responsibilities of personnel.
  • Systematically embedding risk management principles into the Company’s policies, rules, and operational procedures.
Awareness and Capability Building
  • Communicating risk events, together with prevention and mitigation measures and risk management principles, through various media such as posters, short videos, and knowledge-based games designed to enhance understanding and practical application.
  • Enhancing risk management capabilities of directors, executives, and employees through appropriate training programs.
Operational Practices
  • Assessing business risks and opportunities, defining risk response measures, establishing key risk indicators (KRIs), and regularly monitoring progress.
  • Conducting risk assessments for specific activities and issues, including climate change, flooding, drought, human rights, mergers and acquisitions, large-scale investments, workplace safety, and new product development.
  • Utilizing risk assessment results to continuously improve work processes.
  • Reporting risk incidents through designated reporting channels.
  • Promoting the inclusion of risk-related agenda items in business unit meetings and encouraging the sharing of risk management experiences among business units.
Financial Incentives
Consideration of executive and employee remuneration based on defined performance indicators, such as occupational health and safety, environmental and energy risk management, and compliance with applicable regulations.

Remark: Further details on risk management can be found in the Annual Report 2025 (Form 56-1 One Report), Part 1: Business Operations and Performance, Section 2: Risk Management.

Compliance

CPF places a strong focus on following all laws and regulations that apply to its business, as well as complying with the Code of Business Conduct. To support this, the Company has implemented a Compliance Policy that all directors, executives, and employees at every level must follow. This policy helps promote sustainable growth and strengthens the trust and confidence of shareholders and other stakeholders.

The Corporate Compliance Office serves as the central function responsible for coordinating compliance-related matters with relevant units. In addition, Compliance Champions have been appointed for each business and key function, both domestically and internationally [1], to facilitate coordination and support effective governance. The Company’s compliance management process can be summarized as follows:

  1. Identification and Monitoring of Regulatory Requirements: Compilation of key laws, regulations, and requirements relevant to business operations, corporate-level key policies, and significant business license conditions, as well as monitoring newly issued or amended regulatory requirements in Thailand and overseas that may impact the business, and communicating such information to the management of each business unit.
  2. Compliance Risk Assessment: Assessment of compliance risks to prioritize regulatory requirements with which the Company must comply.
  3. Communication and Awareness: Communication to enhance knowledge, understanding, and awareness of the importance of regulatory compliance in business operations.
  4. Compliance Review: Review of compliance with applicable regulations through self-assessment questionnaires and other appropriate methods.
  5. Reporting: Regular reporting of compliance performance summaries to the Executive Committee, the Audit and Risk Management Committee, and/or relevant executives.
  6. Monitoring and Continuous Improvement: Follow-up on identified issues to ensure improvements are implemented in accordance with established action plans, together with providing additional recommendations to enhance work processes in compliance with applicable regulations.
  7. Management of Non-Compliance Cases: Management of identified non-compliance cases to mitigate impacts and prevent recurrence.

[1] Covers operations in Thailand, Vietnam, India, Cambodia, the Philippines, Malaysia, Laos, Sri Lanka, the United Kingdom, Russia, Türkiye, Belgium, the United States, and Canada (excluding the business of Hylife Group Holding Ltd. in Canada).

Compliance Management Process

To ensure employees follow the Company’s policies and meet legal and regulatory requirements, CPF requires all employees to take the CPF Fundamental Courses. Current employees must complete five required courses every year. New employees must complete eleven required courses within 60 days before their probation evaluation.

Five Fundamental Courses for Existing Employees
1. CPF Code of Conduct
2. Personal Data Protection Act
3. CPF Compliance
4. Fairtrade Competition
5. Cybersecurity

Eleven Courses for New Employees

1. CPF Code of Conduct
2. Personal Data Protection Act
3. CPF Compliance
4. ESG Fundamental
5. CPF Integrated Value Chain
6. Net-Zero SBT 101
7. CPF SHE&EN Standard
8. Basic Digital Literacy
9. Basic Risk Management
10. Be Aware of Cyber Threats
11. AI Basic by Microsoft

Remark: Further details on regulatory compliance can be found in the Annual Report 2025 (Form 56-1 One Report), Part 2: Corporate Governance, under the section “Regulatory Compliance.”

CPF Code of Conduct

The Code of Business Conduct serves as a key corporate governance mechanism that reinforces ethical operating standards across the organization. It also functions as an oversight tool for the Board of Directors and is integrated with risk management and regulatory compliance, enabling Governance, Risk, and Compliance (GRC) to operate in a coordinated and systematic manner.

The Company communicates and provides training on its Code of Business Conduct to all executives and employees through multiple communication channels, including business unit meetings and online platforms such as HR-eXp, CPF Connect, and CPF Family, as well as through new employee orientation programs and e-learning systems.

CPF’s Code of Business Conduct is structured into four categories comprising 17 key topics.

  1. Integrity
    • Avoidance of Conflict of Interest
    • Prevention of Fraud, Bribery and Corruption
    • Handling Gifts and Hospitality
    • Fairtrade Competition
    • Maintaining Transparency
  2. Quality
    • Delivery of Quality Products and Services
    • Sustainable Resource Management
    • Ethical Procurement
    • Responsible Sales and Marketing
  3. People
    • Promoting Mutual Respect and Fair Treatment
    • Promoting Equal Opportunity, Diversity and Inclusion
    • Personal Information Protection
    • Occupational Health and Safety Management in the Workplace
    • Human Resource Development
  4. Assets
    • Corporate Information Management
    • Insider Trading
    • Anti-Money Laundering Practices

In 2025, 100% of current employees have completed training in business ethics under the Fundamental Corporate Governance Program.

Anti-Corruption and Anti-Bribery

The Company has established an Anti-Corruption and Anti-Bribery Policy to serve as a strict framework for personnel to adhere to, with the aim of fostering an organizational culture and core values free from corruption and bribery, thereby supporting sustainable business operations. Compliance with the policy is regularly reviewed to ensure alignment with evolving business conditions and applicable laws and regulations at both national and international levels. The Company also communicates its Anti-Corruption and Anti-Bribery Policy to employees at all levels through a variety of channels, including orientation programs for directors and new employees, electronic newsletters (e-newsletters), the CPF Connect mobile application, internal communication media, and e-learning platforms. In addition, both online and offline learning materials are made available to personnel in all countries where the Company operates to ensure proper understanding and effective implementation of the policy. All personnel are required to review and refresh their knowledge and understanding of the policy at least once a year.

As of 2025, 100% of employees—from operational-level staff to the highest level of executives—in both Thailand and overseas operations had completed anti-corruption training.

In addition, the Company has established channels for whistleblowing and the submission of complaints in cases where inappropriate conduct or violations of the Code of Business Conduct are identified, as well as for receiving feedback from employees. The Company ensures fairness and protection for employees who refuse to engage in acts involving corruption or bribery, or who report corruption-related matters associated with the Company.

In 2025, the Company received two complaints related to corruption. Appropriate disciplinary actions were taken against the offenders in accordance with the Company’s regulations, and internal control measures were reviewed and strengthened as deemed appropriate. Furthermore, no cases of fraud or corruption involving an amount exceeding 5% of shareholders’ equity as of 31 December 2025 were identified in relation to any significant subsidiary that would have a material adverse impact on the Company’s reputation or financial position.

As a member of the Thai Private Sector Collective Action Against Corruption (CAC), the Company’s operations in Thailand have been certified under the CAC program since 18 August 2017. The Company renewed this certification for the second time on 31 March 2024. Each certification lasts three years from the date it is approved by the CAC Steering Committee. In addition, the Company received the CAC Change Agent Award 2025 in recognition of its support for and capacity-building of business partners, particularly small and medium-sized enterprises (SMEs), to participate in the CAC SME Program, thereby strengthening collective efforts to combat corruption.

CPF places strong emphasis on anti-corruption and anti-bribery practices and therefore encourages its business partners to operate based on good corporate governance, ethical conduct, and compliance with applicable laws and international standards. These efforts contribute to the development of a transparent food supply chain, which is essential to enhancing the Company’s credibility and trust among all stakeholder groups, both internal and external. Furthermore, such initiatives help expand opportunities and strengthen the competitiveness of SMEs, enabling them to achieve stable and sustainable growth.

Anti-Corruption Participation

Employees joined forces in demonstrating their commitment to anti-corruption efforts at the International Anti-Corruption Day 2025 event, held on Saturday, 6 September 2025, under the theme “No Corruption, No Progress… Is It Really True?”. The event aimed to raise awareness and encourage society to recognize the challenges posed by corruption in Thailand, as well as to foster collaboration in various forms to help eradicate corruption in a sustainable manner.

Remark: Further details can be found in the Annual Report 2025 (Form 56-1 One Report), Part 2: Corporate Governance, under the section “Anti-Corruption and Anti-Bribery.”

Cybersecurity and Information Protection

The Company places strong importance on cybersecurity and information protection to reduce risks that could disrupt business operations. To support this, the Company has established a Technology and Cybersecurity Committee to review and regularly update its cybersecurity risk management policy. This helps ensure the policy remains aligned with the Company’s business goals and operating environment, addresses emerging threats, and complies with applicable laws and international standards.

The cybersecurity risk management policy provides a framework for the Company to manage cybersecurity and technology risks for its IT, operational systems, and AI systems. It is based on the NIST CSF 2.0, which focuses on five main areas: governance, understanding risks, preventing attacks, detecting threats, and responding and recovering when incidents happen.

The Company has obtained certifications for information security management systems under ISO/IEC 27001 and ISO/IEC 27701. In addition, the Company actively promotes cybersecurity awareness among employees through regular cybersecurity awareness training programs, with content tailored to the nature of work and responsibilities of different employee groups (role-based training). The Company also conducts simulated phishing attacks (including phishing, smishing, and quishing) and organizes virtual cybersecurity incident response exercises, such as cyber drills and incident response tabletop exercises, to enhance employee preparedness in preventing and responding effectively to cybersecurity threats.

In addition, the Company is committed to safeguarding the personal data of customers, business partners, employees, and other stakeholders. The Company has established a Personal Data Protection Policy to clearly define the roles and responsibilities of personnel at all levels in protecting personal data.

Furthermore, the Company has appointed a Data Protection Officer (DPO) to monitor, audit, and oversee compliance with applicable personal data protection laws, as well as to promote awareness and understanding of personal data protection across the organization.

Remark: Further details can be found in the Annual Report 2025 (Form 56-1 One Report), Part 2: Corporate Governance, under the section “Cyber Security and Information Protection.”

Whistleblowing and Complaint Mechanisms

The Company has established a Whistleblowing and Grievance Policy, together with clearly defined procedures for the submission and management of whistleblowing reports and complaints. These procedures are designed to ensure integrity, transparency, and alignment with international standards. The Company has also implemented measures to protect whistleblowers, complainants, and reporting parties, thereby providing employees, stakeholders, and external parties with appropriate channels to report concerns or complaints regarding legal violations, breaches of the Code of Business Conduct, corruption or bribery, or violations of rights through channels designated by the Company.

Internal Party

Reporting Non-Compliance Cases
Complaint Handling Process
  • The Corporate Compliance Office, in collaboration with relevant functions related to the reported case, reviews the information and evidence as reported.
  • For issues not involving employee disciplinary matters, the Corporate Compliance Office works with relevant functions to manage each case in order to mitigate impacts, provide remediation to affected parties (if any), and improve work processes to prevent recurrence.
  • For cases involving employee disciplinary matters, the case is referred to the Internal Audit Office for further action in accordance with the Whistleblowing and Grievance Policy.
  • A summary report is submitted to the Board of Directors and/or relevant executives for acknowledgement and further consideration.

Internal and External Parties, and Stakeholders

Whistleblowing and Complaint Reporting Channels
Complaint Handling Process
  • The Internal Audit Office, or an assigned function, collects facts and reviews information and evidence related to whistleblowing reports or complaints.
  • Where the allegations are found to have reasonable grounds, the matter is referred to the Company’s fact-finding investigation and disciplinary process.
  • A summary report is submitted to the Audit and Risk Management Committee and/or relevant executives for acknowledgment and further action.

In 2025, the Company received a total of 150 complaints through various channels. The breakdown of complaints is as follows:

  • Corruption-related issues: 2 cases
  • Non-compliance with regulations or inappropriate behavior: 18 cases
  • Product issues: 7 cases
  • Community/environmental impact issues: 16 cases

The Company has taken disciplinary action, in line with its internal rules, against the individuals involved in the violations. The Company has also reviewed and strengthened its internal controls to ensure employees follow operating procedures and to prevent misconduct, including corruption, bribery, discrimination, harassment, conflicts of interest, money laundering, and misuse of insider information. The details and actions taken are outlined below:

| Category | Number of Cases | Management Measures | | | |
| | | Verbal Warning (Employee) | Written Warning (Employee) | Suspension (Employee) | Dismissal (Employee) |
|---|---|---|---|---|---|
| 1. Fraud | 2 | - | - | - | 2 |
| 2. Non-compliance with work regulations | 18 | 21 | 7 | 1 | 3 |
| 3. Corruption and Bribery | - | - | - | - | - |
| 4. Discrimination and Harassment | - | - | - | - | - |
| 5. Conflict of Interest | - | - | - | - | - |
| 6. Money laundering and insider trading | - | - | - | - | - |