Risk Management Policy

In order to enhance risk governance and strengthen the operation of risk management within the company, the board of directors established the "Risk Management Committee" on December 18, 2023. The committee is the highest-level risk management unit that is part of the board of directors. This committee is responsible for supervising and executing risk control, assisting the board of directors in promoting risk management, and enhancing corporate governance. The committee will report to the board of directors at least once a year, providing an update on the results of risk management. This ensures the company's sustainable business operations and progress towards the goal of sustainable development.

Through the analysis of internal and external environments, the risk management policy defines four major risk management facets: operational, strategic, financial, and hazard pillars. To determine the risk level of each pillar, there are a total of 14 risk factors, and the process of identification, assessment, control, and supervision is clearly documented. Furthermore, to review the status of each aspect, the PDCA cycle (Plan, Do, Check, Act) is utilized for daily measurement.

To uphold the principle of sustainable development, the company evaluates emerging risks in accordance with the Global Risk Report and other international standards. Three long-term risks highlighted this year are "Structural changes in the labor market," "Global armed conflict and economic downturn," and "Misinformation and disinformation."

According to the Risk Management Policy, the implementation results in 2023 were reported to the Board of Directors and Risk Management Committee on March 13, 2024, respectively. The improvement plan was disclosed to the Sustainability Development Committee on May 30, 2024, and updated for the Sustainability Executive Committee on July 25, 2024, indicating that the company's risk exposure was reviewed more than twice a year. View the full regulation

Risk Management Responsibilities

1. Board of Directors: Accountable for approving risk management policies, procedures, and frameworks, and ensuring alignment between operational strategies and risk management.
2. Risk Management Committee: Assisting the board of directors in promoting risk management and enhancing corporate governance to achieve the objectives of risk management. Duties include the following:
● Review risk management policies, procedures, and frameworks.
● Review the implementation of risk management, provide necessary improvement recommendations, and report to the board of directors at least once a year.
● Implementing risk management decisions made by the board of directors.
3. Business Units and Functional Departments:
● Responsible for identifying, analyzing, assessing, and responding to risks within each business unit and functional department, and establishing relevant crisis management mechanisms when necessary.
● Regularly submit risk management information to the Risk Management Executive Task Force.
● Ensure that the risk management and related control procedures of the department are effectively implemented to comply with the risk management policy.
4. Risk Management Executive Task Force:
● Establish risk appetite (tolerance levels) and develop qualitative and quantitative measurement criteria.
● Analyzing and identifying sources and categories of company risks, and reviewing their applicability regularly.
● Compile and submit reports on the company's risk management implementation.
● Assist and supervise the implementation of risk management activities in departments.
● Coordinated risk management operations involve interdepartmental communication and interaction.
● Implementing risk management decisions made by the Risk Management Committee.
● Plan risk management training courses to enhance overall risk awareness and culture.

Risk Management Procedure

To improve the risk management function, the Group's risk management is carried out through (1) risk identification, (2) risk assessment, (3) risk control, and (4) risk monitoring and communication to clearly grasp the scope of each risk. Through PDCA (Plan, Do, Check, Act) management measures, we will continue to improve and manage the risk factors to reduce the chance and degree of risk loss, and take appropriate measures to efficiently implement risk management.

III. Risk Control

Risks related to the daily operations of each business unit shall be managed by the risk controls of each business unit. For important crisis incidents that are cross-departmental or cross-plant, cross-departmental or cross-plant risk assessment should be carried out. The Chief of Risk Management Executive Committee or a designated representative is responsible for coordinating and negotiating, in order to identify feasible strategies for preventing crisis incidents. The supervisor shall formulate crisis handling procedures and recovery plans according to the crisis incident.

IV. Risk Monitoring

For the 14 major risk management areas, regular rolling reviews and complete records of risk management executive results are kept to understand the effectiveness of risk management projects and related control operations. The Risk Management Committee reports and explains the implementation results to the Board of Directors every year. Furthermore, internal auditors review the risk management procedures and control implementation status on a regular and irregular basis and report to the Board of Directors depending on the level of risk at all levels as well. 2023 General risk implementation full results

2023 Risk Management Conclusion

The firm's overall risk self-assessment in 2023 is low. Some of the medium to low-level inspection items mainly involve risks associated with natural disasters and international situations. This year, privacy and business stress tests were added to the relevant business units. The number of inspection items increased from 61 in the previous year to 78. Projects were identified and evaluated in accordance with the management system of each operating unit. The inspection results were plotted in the risk assessment matrix, which further derived four key actions: 1) Emergent Improvement project 2) Improvement Plan 3) Incorporate risk reducing measures 4) Manage for continued improvement. After analyzing the control results in 2023, most of the risk detection items continue to be under ongoing supervision. In order to gain a deeper understanding of the financial implications of each risk factor, a quantitative assessment was conducted to estimate the potential financial losses associated with each risk item, using the previous year's revenue as a benchmark. The results revealed that the firm faced four major risks this year after the review. The risk of potential financial losses is kept below 3%.

2023 Implementation of Emerging Risk

To comply with the principle of sustainable development and to fulfill our responsibility as a global citizen, we review the risk issues of the Group's operational impacts and challenges in accordance with the emerging risk profiles proposed by the World Economic Forum's "Global Risks Report", and continue to focus on three key risks in the medium and long term: "Structural changes in the labor market," "Global armed conflict and economic downturn," and "Misinformation and disinformation." 2023 Emerging risk implementation full result