Risk Management Policy

In order to enhance supervision, the Board of Directors has established the Audit and Risk Committee to assist the Board in promoting risk management and corporate governance. The Committee shall report its implementation status to the Board at least once a year to ensure stable business operations and progress toward the goal of sustainable development.

Through the analysis of internal and external environments, the risk management policy defines four major risk management facets: operational, strategic, financial, and hazard pillars. To determine the risk level of each pillar, there are a total of 14 risk factors, and the process of identification, assessment, control, and supervision is clearly documented. Furthermore, to review the status of each aspect, the PDCA cycle (Plan, Do, Check, Act) is utilized for daily measurement.

To achieve the goal of sustainable development, the company analyze the potential impacts and challenges it may face during the transformation process, and continuously formulate strategies to address the challenges of sustainable operations. According to the "Global Risks Report" released by the World Economic Forum on January 14, 2026, shifts in the international political and economic situation pose a severe threat to corporate sustainability among the top ten emerging risks of the past two years, covering issues such as interstate armed conflict, societal polarization, inequality, and involuntary migration. Furthermore, the risk of "misinformation and disinformation" cannot be ignored. It is defined as the widespread circulation of persistent false information (whether intentional or unintentional), which exerts a significant influence on public opinion, leading to a distrust of facts and authority, and involves forgery, impersonation, and manipulation. These risks serve as a reminder for us to navigate various challenges with greater prudence amidst an unpredictable global environment.

According to the Risk Management Policy, the implementation results in 2025 were reported to the Board of Directors and the Audit and Risk Committee on March 12, 2026, and to the Sustainability Executive Committee on April 16, 2026.

Risk Management Responsibilities

1. Board of Directors: Accountable for approving risk management policies, procedures, and frameworks, as well as supervising the alignment of goals between operational strategies and risk management.
2. Audit and Risk Committee:
● Review risk management policies, procedures, and frameworks according to risk management strategy by the Board of Directors.
● Review the implementation of risk management, provide necessary recommendations for improvement, regularly assess the applicability and execution of the process, supervise the risk management mechanism to effectively address the risks faced by the company, and report to the board of directors at least once a year.
3. Business Units and Functional Departments:
● Responsible for identifying, analyzing, assessing, and responding to risks within each business unit and functional department, and establishing relevant crisis management mechanisms when necessary.
● Ensure that the risk management and associated control procedures of the department are effectively implemented in accordance with the risk management policy.
● Regularly provide risk management information to the Risk Management Executive Task Force.
4. Risk Management Executive Task Force:
● Establish risk appetite (tolerance levels) and develop qualitative and quantitative measurement criteria.
● Analyzing and identifying sources and categories of company risks, and reviewing their applicability regularly.
● Compile and submit reports on the company's risk management implementation.
● Assist and supervise the implementation of risk management activities in departments.
● Coordinated risk management operations involve interdepartmental communication and interaction.
● Implementing risk management decisions made by the Risk Management Committee.
● Plan risk management training courses to enhance overall risk awareness and culture.

Risk Management Procedure

To improve the risk management function, the Group's risk management is carried out through (1) risk identification, (2) risk assessment, (3) risk control, and (4) risk monitoring and communication to clearly grasp the scope of each risk. Through CAPDCA (Plan, Do, Check, Act) management measures, we will continue to improve and manage the risk factors to reduce the chance and degree of risk loss, and take appropriate measures to efficiently implement risk management. To comply with the principle of sustainable development and fulfill global citizenship responsibilities, we refer to the changes in the international situation and the emerging risks raised by the World Economic Forum, review the risk issues that the Group may face in long term, identify them early and take appropriate regulatory measures, and control risks at any time to respond to:

III. Risk Control

● Risks related to daily operations of each business unit shall be managed by the risk controls of each business unit through rolling CAPDCA.
● For important crisis events that cross-departmental or cross-plant, cross-departmental or cross-plant risk assessment should be carried out. The Chief of Risk Management Executive Committee or a designated representative is responsible for coordinating and negotiating, in order to identify feasible strategies for preventing crisis incidents.
● The supervisor shall formulate crisis handling procedures, recovery plans according to the crisis incident and provide the risks and countermeasures to Risk Management Executive Task Force for review and tracking.

IV. Risk Monitoring

To effectively address the aforementioned areas, it is essential to conduct regular reviews and maintain comprehensive documentation of the outcomes of risk management implementation. This practice will help assess the effectiveness of risk management strategies and associated control operations. The Risk Management Executive Task Force is mandated to submit an annual plan and progress report to the Risk Management Executive Division. Additionally, the Task Force must hold at least two meetings each year to present reports and provide explanations regarding the implementation results to the Audit and Risk Committee. Internal audit personnel should periodically review the risk management procedures and the status of control implementation across various risk levels, subsequently reporting their findings to the Board of Directors annually. Furthermore, the Group invites third parties for external audits of risk management annually and maintains its certification of ISO 31000:2018 Risk Management.

2025 Risk Management Conclusion

In 2025, the company conducted risk identification and assessment in accordance with the ISO 31000:2018 Risk Management guidelines, with an overall self-assessment result of "Low Risk." By measuring risk probability and severity (Low, Medium, High, Very High), a Risk Matrix was developed. Based on the matrix results, four major response measures were defined: (1) Immediate Improvement Projects, (2) Submission of Improvement Plans, (3) Key Indicator Monitoring, and (4) Ongoing Rolling Supervision. The 2025 control matrix analysis shows that most identified risks remain under "Rolling Supervision." For certain "Medium Risk" items, respective business units have set up monitoring to mitigate impact. Risk items requiring indicator-based monitoring will continue to be tracked and reported in 2026. To further understand the financial impact of each risk, the company quantified potential financial losses based on the previous year's revenue. The consolidated results indicate that the potential financial loss across the four major risk dimensions has been controlled within 3% of revenue. 2025 General risk implementation full results