ESG report
Governance toward sustainable development
Applying international standard governance processes
Well-established governance processes serve as an important tool for the Corporation to ensure compliance and efficiency in achieving sustainable development objectives, enhancing competitiveness and corporate standing, and creating value for stakeholders.
In 2025, FPT continued to accelerate the implementation of the Objectives and Key Results (OKRs) management approach across the Corporation. This approach ensures alignment between the objectives of each individual and those of departments, subsidiaries, and the Corporation thereby supporting the consistent execution of the overall strategy and direction while improving operational efficiency and labor productivity. The Corporation’s online OKRs management platform regularly updates, monitors, and evaluates objectives and results at all levels, which enables accurate performance measurement against the plan. The proportion of employees completing the establishment and reporting of their objectives remained consistently high, ranging from 95% to 97% across evaluation periods.
Additionally, the Group’s operations and each core business segment have adopted and obtained internationally recognized certifications and standards, including ISO 9001:2015, ISO/IEC 27001, ISO 22301, ISO/IEC 27017, CMMI-DEV Level 5, Uptime Institute Tier III Design, and ISO 21001:2018.
Toward sustainable procurement
To contribute to the achievement of the Corporation’s sustainability goals on a global scale, FPT aims to build a sustainable supply chain by establishing and strictly complying with internal guidelines on green procurement. The Corporation commits not to cooperate with suppliers whose operations adversely affect occupational health and safety or the environment.
The Corporation has issued a key supplier evaluation process to ensure that suppliers not only meet requirements in terms of quality and cost but also comply with standards related to ethics, labor, environmental protection, and governance.
In parallel, to ensure the effective implementation of sustainable procurement, FPT continues to maintain:
- A sustainable procurement policy with fundamental principles aimed at creating the most positive effects on the environment, economy, and society, while ensuring fairness, transparency, and compliance with applicable laws and the Corporation’s internal regulations throughout the procurement process;
- Sustainability criteria applied in the search, evaluation, and selection of suppliers, in which criteria related to energy efficiency and environmental friendliness account for up to 5% of the total evaluation score for procurement options involving electricity-consuming equipment;
- A “Non-Bribery Commitment” clause and compliance with human rights, labor, and environmental standards included in all standard contract templates;
- Training courses on sustainable procurement objectives and policies have been provided to 100% of dedicated procurement staff.
In 2025, the Corporation promoted sustainable procurement practices across its supply chain, achieving the following notable results:
- 42% of key suppliers participated in CSR assessments on the FPT Procurement System Portal, a significant increase from 18% in 2024;
- 97% of suppliers met the evaluation criteria, with an average score of above 4 out of 5;
- 18% of key suppliers signed framework agreements incorporating clauses related to environmental protection, labor, and human rights.
ESG assessments of suppliers are one of the key measures to advance sustainable procurement across FPT’s supply chain. Through periodic and transparent evaluations, FPT supports suppliers in comprehensively reviewing their governance and operational processes using a systematic approach, thereby progressively enhancing their ESG practices. This activity enables FPT to build a centralized database to support ESG management, monitoring, and reporting in a comprehensive, consistent, and efficient manner.
Leveraging its technological strengths, the Corporation continues to accelerate the digitalization of procurement processes and the application of AI in procurement activities, including: enhancing and upgrading the centralized procurement system and online bidding platform; enabling suppliers to submit quotations online; automating internal procedures; and applying AI to support procurement transactions, provide instant procurement-related Q&A, recommend suppliers, and monitor price variances, thereby improving transparency and ensuring fairness for suppliers.
Data governance and information security
Governance approach and general principles
The Corporation uniformly regulates the collection, processing, storage, and use of stakeholders’ data within the data governance framework to ensure key attributes, including confidentiality, integrity, availability, accessibility, and data quality.
The Corporation’s collection, processing, storage, and use of data comply with the following principles:
- Legality principle: All activities carried out within the data governance system must comply with applicable laws and regulations;
- Purpose limitation principle: Competent authorities may only approve the use of data for legitimate purposes;
- Data quality principle: Data must ensure availability, integrity, and suitability for its intended purposes throughout its lifecycle;
- Security principle: Information security must be ensured throughout the processes of data collection, processing, storage, and use. Confidential information must not be disclosed to any external parties, except where required for work purposes and appropriate safeguards are implemented, such as signing confidentiality agreements with relevant parties prior to disclosure;
- Governance principle: Customer-related data of subsidiaries are collected, utilized, managed, and centrally stored by the Corporation to support the adjustment, updating, protection, and improvement of products, services, solutions, applications, and devices that FPT currently provides or will provide to customers.
The data governance operating system performs functions including data collection and storage from various sources; analysis and extraction of critical and valuable data; and data processing aligned with intended purposes and applications.
The Corporation also continues to strengthen the application of technology in data governance and implement data governance consistently across subsidiaries, ensuring that data is provided for the right purposes and in the most flexible manner.
FPT’s data governance model is established to ensure the following elements simultaneously:
- Strong leadership accountability for the collection, processing, storage, and use of data;
- Clear designation of authorities responsible for decision-making related to the Corporation’s data;
- Defined standards, procedures, and processes to guide data management and utilization;
- Unified technologies and infrastructure across the Corporation to ensure security and confidentiality in data usage;
- Strict implementation of issued policies across the Corporation;
- Monitoring compliance and identifying risks in the event of data leakage.
Customer data privacy and security
The Corporation and its subsidiaries consistently apply appropriate technical measures to ensure that customers’ personal information is properly collected, processed, and protected. In addition, the Corporation implements necessary information security measures to prevent any unauthorized access, collection, use, disclosure, copying, or processing of customers’ personal data.
FPT has issued a Personal Data Protection Policy governing the processing of customer information, ensuring transparency regarding the purposes and scope of data collection and use, the measures applied to protect personal information, and customers’ rights. FPT’s regulations on information security management and its procedures for incident response, handling, and remediation allow them to detect and address risks promptly. This maintains the stability and security of information systems.
In 2025, the Corporation continued to strengthen its information security governance capabilities across the entire system, with the objective of proactively preventing, early detecting, and promptly addressing risks that could affect the Corporation’s operations and reputation. Key results include:
- 100% of identified information security vulnerabilities were detected, risk-assessed, and promptly remediated, ensuring that no serious incidents occurred that could affect the Corporation’s systems or brand;
- A comprehensive set of policies, standards, and regulations on information security strengthened the information security policy and standards framework, thereby providing a unified foundation for implementation, monitoring, and compliance across subsidiaries;
- 100% of employees participated in and completed phishing simulation exercises to enhance awareness and skills in preventing information security risks;
- 100% of dedicated information security personnel received advanced training through periodic training programs, specialized workshops, and incident response drills;
- 100% of new employees were trained in fundamental information security knowledge;
- Three rounds of internal information security audits were conducted for all critical information systems;
- 100% of information and risk indicators related to the FPT brand on the Internet were monitored, detected, and alerted to enable proactive handling and communication risk control.
Thanks to the synchronized implementation of governance measures, technical solutions, and awareness-raising activities, in 2025 the Corporation recorded no information security incidents that affected its reputation and brand. This result continues to affirm FPT’s strong commitment to protecting digital assets and maintaining the trust of customers, partners, and society.
Scope of the policy and incident response plan
Plans for responding to incidents related to data security are strictly implemented by FPT at two levels:
- Remediation: Any breach of confidentiality is immediately contained, and specialized teams promptly addressed security vulnerabilities. Impact assessments are also conducted to examine affected data areas and ensure that the incident does not spread further.
- Prevention: Based on root cause analysis, preventive measures are developed and strictly implemented.
The core of these data security assurance plans lies in a system of policies and measures that are designed and implemented in a synchronized and systematic manner across the entire Corporation. In this system, the roles, duties, and responsibilities of each unit are clearly defined, while implementation is supervised, monitored, and reported by dedicated departments.
Risk Management
Based on the specific characteristics of each business sector, the Corporation’s risk management framework is directed, approved, and periodically improved on an annual basis by the Chief Executive Officer. In relation to sustainable development, the Corporation identifies five main groups of risks, including: strategic risks, operational risks, financial and legal risks, and environmental – natural disaster – pandemic risks.
In 2025, the Corporation and its subsidiaries continued to strengthen risk control through enhancing the internal control system and risk management policies; monitoring legal compliance in business operations; conducting periodic and ad hoc inspections; ensuring transparency in relationships with partners and suppliers; and proactively proposing solutions to prevent potential risks in the future.
Strategic risks
Strategic risks
| Type of risk | Content | Risk management measures |
|---|---|---|
| Strategy and vision risks | - Misidentification of development directions, leading to inappropriate investment and resource allocation, failure to develop potential new business segments, or inability to introduce new high-technology products and services that meet market demand; - The rapid development of AI leading to changes in the IT industry. | - Participating in major economic and technology events in Vietnam and around the world to capture emerging technology trends and identify development opportunities for the Corporation; - Organizing annual strategy conferences to update the latest trends in business and technology; - Proactively making significant investments in AI and providing AI training for all employees to become an “AI-First Company”; - Quickly adapting and remaining ready to respond to the rapid development of AI, turning potential risks into opportunities for strong and sustainable growth. |
| Risk of declining competitiveness | Competitive pressure from foreign companies or emerging and dynamic domestic companies, as the Corporation’s business sectors generally have relatively low barriers to market entry. | - Continuously improving and strengthening competitiveness by delivering comprehensive services, mastering technologies, and gradually enhancing the Corporation’s position in the IT services value chain; - Enhancing training and development of employees, particularly technology professionals, to strengthen capabilities in new technologies and meet competitive demands; - Continuously improving the business model, as well as information systems and internal processes, to optimize management and operations; - Accelerating internal digital transformation to ensure the Corporation’s operations are coordinated, seamless, and transparent, moving toward a real-time enterprise operating model. |
Operational Risks
Operational Risks
| Type of risk | Content | Risk management measures |
|---|---|---|
| Information disclosure risk | Disclosed information may not be timely, complete, or accurate. | - Fully updating relevant regulations on information disclosure applicable to listed companies; - Establishing internal procedures for information provision and disclosure to ensure that disclosed information is reported accurately, promptly, and within the required timelines; - Maintaining regular communication with the officials responsible for information disclosure at the State Securities Commission of Vietnam and the Ho Chi Minh Stock Exchange to verify the completeness and accuracy of disclosed information. |
| Human resource risks | Competition for talent; workforce quantity and quality may not keep pace with growth demands. | - Building FPT as a learning organization, developing a highly qualified workforce and planning the management talent pipeline with a long-term orientation; - Establishing a remuneration policy based on the principles of “higher contribution – higher reward,” ensuring income is commensurate with job performance and value contributed to FPT; maintaining fairness and transparency; ensuring market competitiveness; and implementing housing and vehicle support policies for employees; - Developing a positive working environment to strengthen competitiveness in attracting talent; - Expanding and enhancing the FPT education system in both scale and depth, while strengthening cooperation with partners and universities to train and research new technologies (AI, semiconductor chips), thereby developing a high-quality talent pipeline for the long term. |
| Reputation and brand risks | Negative reputation may significantly affect the Corporation’s brand and business operations. | - Establishing systems to collect and analyze customer feedback in order to promptly adjust and improve services to meet customer needs, while conducting periodic surveys to measure the satisfaction of stakeholders; - Developing communication crisis management procedures; - Establishing regulations on spokespersons and the sharing and provision of information through media channels; - Monitoring and tracking information about the Corporation and its subsidiaries across media channels and social media platforms in order to take timely actions when inaccurate information or content that may adversely affect the Corporation’s reputation and brand appears. |
| Information security and cybersecurity risks | Leakage, alteration, or loss of information may affect the Corporation’s operations, reputation, and strategy. | - Implementing comprehensive data loss prevention measures and system security controls to ensure the Corporation’s information security; - Strengthening investment in information security systems and solutions, while updating processes in line with the latest security standards. In addition to third-party systems, FPT has also invested in developing several cybersecurity products such as CyRadar and FPT.EagleEye and others; - Conducting periodic inspections and assessments across the entire system. |
Financial risks
Financial risks
| Type of risk | Content | Risk management measures |
|---|---|---|
| Foreign exchange risk | Exchange rate fluctuations in key markets. | - Closely monitoring fluctuations in key factors affecting exchange rates, while diversifying sources of foreign currency revenue; - Applying foreign exchange hedging policies, particularly for the Japanese yen; - Using currency swap contracts to hedge exchange rate risks for foreign currency–denominated loans; - Implementing flexible sales policies based on exchange rate movements. |
| Normal business risks | Uncontrolled bad debts and rising inventory levels. | - Standardizing business processes and contracts, while strictly controlling receivables and inventory to limit potential risks; - Applying technology and AI in demand forecasting, payment management, procurement optimization, and detection of unusual transactions; - Automating processes and proactively managing customer care, thereby improving governance efficiency and minimizing operational risks. |
Legal and regulatory risks
Legal and regulatory risks
WordPress database error: [MySQL server has gone away]INSERT INTO `skwp_options` (`option_name`, `option_value`, `autoload`) VALUES ('_transient_tablepress_ff0dd424a18362f9fc00e8cf88eb87e3', '\n<table id=\"tablepress-60\" class=\"tablepress tablepress-id-60 table_16\">\n<thead>\n<tr class=\"row-1\">\n <th class=\"column-1\">Type of risk</th><th class=\"column-2\">Content</th><th class=\"column-3\">Risk management measures</th>\n</tr>\n</thead>\n<tbody class=\"row-striping row-hover\">\n<tr class=\"row-2\">\n <td class=\"column-1\">Policy-related risks</td><td class=\"column-2\">- Ensuring compliance with laws and regulations, particularly those related to immigrant labor in the countries where FPT operates.<br />\n- Differences in culture and labor practices among a multinational workforce and partners.<br />\n</td><td class=\"column-3\">- Closely monitoring policies, directions, resolutions and decisions issued by the Government and relevant ministries and organizations, while proactively conducting research and making recommendations to competent authorities to promote the role of information technology in driving economic growth;<br />\n- Studying, updating and complying with legal regulations, as well as the cultural and business environments of relevant foreign markets;<br />\n- Providing employees with training on the culture and laws of host countries.</td>\n</tr>\n</tbody>\n</table>\n', 'off') ON DUPLICATE KEY UPDATE `option_name` = VALUES(`option_name`), `option_value` = VALUES(`option_value`), `autoload` = VALUES(`autoload`)
| Type of risk | Content | Risk management measures |
|---|---|---|
| Policy-related risks | - Ensuring compliance with laws and regulations, particularly those related to immigrant labor in the countries where FPT operates. - Differences in culture and labor practices among a multinational workforce and partners. | - Closely monitoring policies, directions, resolutions and decisions issued by the Government and relevant ministries and organizations, while proactively conducting research and making recommendations to competent authorities to promote the role of information technology in driving economic growth; - Studying, updating and complying with legal regulations, as well as the cultural and business environments of relevant foreign markets; - Providing employees with training on the culture and laws of host countries. |
Environmental – Natural disaster – Pandemic risks
Environmental – Natural disaster – Pandemic risks
| Type of risk | Content | Risk management measures |
|---|---|---|
| Environmental – Natural disaster – Pandemic risks | - Climate change leading to abnormal weather conditions, affecting infrastructure, employee health, etc; - Business disruptions caused by natural disasters; - Declining employee health and labor productivity due to epidemics or pandemics. | - Identifying potential risks arising from environmental factors, natural disasters and pandemics, and assessing their impacts on infrastructure, human resources and supply chains; - Applying IoT, AI and Big Data to monitor and provide early warnings of abnormal weather events, natural disasters and disease outbreaks; - Investing in the development of solutions and tools that support secure remote working, ensuring the Corporation’s operations remain continuous under all circumstances. |
Preventing conflicts of interest, fraud and corruption
Rules for avoiding conflicts of interest
To prevent conflicts of interest, the Corporation adopts preventive measures and requires employees to proactively follow the following codes of conduct:
- Avoiding conflicts of interest in external investment and business activities that may affect decision-making or negatively impact on the interests of the Corporation;
- Avoiding conflicts of interest related to investments of employees’ relatives, requiring employees to declare and report to their direct managers if their relatives contribute capital to or hold executive positions in companies that are customers, suppliers, or competitors of the Corporation;
- Avoiding conflicts of interest in giving and receiving gifts within the Corporation;
- Avoiding conflicts of interest in recruitment and the use of human resources, ensuring transparency and fairness in recruitment and employment decisions based on clear criteria regarding qualifications, experience and relevant skills in line with the Corporation’s actual needs.
Anti-corruption and anti-fraud policy
As a large corporation operating in multiple countries, FPT has issued a Code of Conduct applicable to employees, management and related parties, serving as a foundation for ensuring legal compliance and preventing conflicts of interest, fraud and corruption, thereby promoting transparency, integrity and fair competition across all operations of the Corporation.
All acts of bribery, abuse of position, use of the Corporation’s name or personal relationships for personal gain are strictly prohibited, including the giving or receiving of gifts in any form that is inconsistent with regulations. Gift-giving activities may only be conducted by authorized Corporation representatives and for official purposes.
For suppliers and partners, FPT consistently applies a zero-tolerance policy toward corruption and bribery. We carry out procurement and supplier selection activities based on actual needs, quality, price, and transparent criteria. Suppliers are required to comply with applicable laws, refrain from offering or receiving improper benefits, maintain complete records and supporting documents, and cooperate in inspection and supervision activities. FPT reserves the right to terminate or restrict cooperation in cases of violations.
Compliance with tax regulations
FPT strictly complies with tax regulations in Vietnam and in the countries and territories where the Corporation operates by establishing a transparent and efficient governance system and accelerating the digital transformation of its internal finance and accounting systems. The Global Corporate Income Tax (CIT) Management System, completed and implemented by the Corporation since 2022, allows its units to accurately identify, manage, and monitor tax obligations. This includes temporary differences that result in deferred corporate income tax assets and/or liabilities. This helps minimize the risk of tax penalties and the loss of tax assets. In addition, FPT regularly conducts internal inspections and audits to ensure compliance with tax regulations in Vietnam and globally.
Internal control
To strengthen its organizational structure, enhance the governance capacity of the Corporation and its subsidiaries, and ensure transparency and the protection of the rights of shareholders and other stakeholders, FPT has designed an internal control system that complies with relevant legal regulations and aligns with international standards.
To ensure the effective implementation of the internal control system, FPT focuses on strengthening its organizational structure, developing supporting tools, accelerating the application of technology, and establishing detailed plans for each area of production, business, and service activities. In addition, FPT promotes the supervisory role of employees and its internal channel networks, alongside independent and ad hoc monitoring conducted by the Corporation.
Internal control model
| Subjects | Responsibility |
|---|---|
| Chief Executive Officer | - Approving the compliance control plan; - Directing the resolution of identified issues and the improvement of the system; - Developing, approving, implementing and overseeing the Corporation’s risk management framework. |
| Head of Compliance Supervision | - Planning and organizing the control of compliance with legal requirements, and overseeing high-risk areas and activities within the Corporation’s governance system; - Organizing ad hoc inspection activities at the request of the Executive Board. |
| Chief Quality Officer | - Planning and organizing the control of compliance with the requirements of the Corporation’s governance system; - Organizing inspection activities at the request of the Executive Board. |
| Heads of functional vertical departments | - Reviewing and updating the Corporation’s governance documentation system within their areas of responsibility to ensure compliance with relevant legal requirements, national/international standards, and alignment with operational practices; - Coordinating with the Quality Assurance Department and the Compliance Supervision Department in control activities, as well as in addressing identified issues and improving the system. |
During the year, the Corporation continued to maintain key control activities, including:
- Monitoring compliance with legal regulations and operational policies in the management and administration of the Corporation’s and its subsidiaries’ business operations;
- Conducting thematic assessments through coordination with the Corporation’s specialized departments;
- Supervising and governing interactions between the Corporation/subsidiaries and suppliers and partners to ensure fairness and transparency for partners and suppliers, in the spirit of mutually beneficial cooperation while preventing and minimizing risks in business operations;
- Recommending solutions to manage potential risks that may arise in the future in relation to the operations of the Corporation and its subsidiaries.
