Risk Management

Risk Management Policy

In order to enhance oversight, the Board of Directors resolved at its meeting on December 26, 2024, to merge the Audit Committee and the Risk Management Committee into a single entity known as the “Audit and Risk Committee”, which will assist the Board in promoting effective risk management and corporate governance. Additionally, it will report the implementation status to the Board at least once annually to ensure that the company's operations remain stable and aligned with the goal of sustainable development.

Through the analysis of both internal and external environments, the risk management policy delineates four primary facets of risk management: operational, strategic, financial, and hazard pillars. To assess the risk level associated with each pillar, a total of 14 risk factors have been identified, and the processes of identification, assessment, control, and supervision are thoroughly documented. Additionally, the PDCA cycle (Plan, Do, Check, Act) is employed for daily measurement to evaluate the status of each aspect.

With the goal of achieving corporate sustainable development, we examine the potential emerging risk issues that may impact and challenge the Group's operations. We continue to focus on the risks associated with the “Changes in the international political and economic downturn”and“Misinformation and disinformation”. According to the Global Risks Report released by the World Economic Forum on January 15, 2025, the threat posed by conflicts in the international political and economic landscape to corporate sustainable development constitutes the majority of the top 10 emerging risks identified over the past two years. These risks include international armed conflicts, social polarization, inequality, and involuntary migration. Additionally, misinformation and disinformation have emerged as significant risks during this period. This phenomenon is defined as the persistent presence of false information—whether intentional or unintentional—widely disseminated through media networks. Such misinformation significantly alters public opinion and fosters distrust in facts and authority, encompassing issues such as falsification, impersonation, and manipulation (WEF, 2025, pp. 98).

According to the Risk Management Policy, the implementation results for 2024 were reported to the Board of Directors and the Audit and Risk Committee on March 11, 2025. The improvement plan was disclosed and updated for the Sustainability Executive Committee on April 17, 2025. Risk Management Policy

Organization Structure of Risk Management

1. Audit and Risk Committee (Supervised by the Board of Directors): Composed of all independent directors, risk experts oversee the risk management mechanisms to effectively address the risks faced by the company.

2. Risk Management Executive Division (supervised by the Audit and Risk Committee): The division comprises top executives from each business unit, with the Director of the Chairman's Office serving as the convener to support and oversee the implementation of risk management activities across various departments. This role also promotes the Board of Directors' risk management policy to enhance the risk governance culture.

3. Risk Management Executive Task Force (supervised by the Risk Management Executive Division): Responsible for establishing the company's risk management policies and related standards, assisting various business units in implementing risk management-related operations, and summarizing and reporting the situation to the Risk Management Executive Division. Audit and Risk Committee Charter

Risk Management Responsibilities

1. Board of Directors: Accountable for approving risk management policies, procedures, and frameworks, as well as supervising the alignment of goals between operational strategies and risk management.
2. Audit and Risk Committee:
● Review risk management policies, procedures, and frameworks according to risk management strategy by the Board of Directors.
● Review the implementation of risk management, provide necessary recommendations for improvement, regularly assess the applicability and execution of the process, supervise the risk management mechanism to effectively address the risks faced by the company, and report to the board of directors at least once a year.
3. Business Units and Functional Departments:
● Responsible for identifying, analyzing, assessing, and responding to risks within each business unit and functional department, and establishing relevant crisis management mechanisms when necessary.
● Ensure that the risk management and associated control procedures of the department are effectively implemented in accordance with the risk management policy.
● Regularly provide risk management information to the Risk Management Executive Task Force.
4. Risk Management Executive Task Force:
● Establish risk appetite (tolerance levels) and develop qualitative and quantitative measurement criteria.
● Analyzing and identifying sources and categories of company risks, and reviewing their applicability regularly.
● Compile and submit reports on the company's risk management implementation.
● Assist and supervise the implementation of risk management activities in departments.
● Coordinated risk management operations involve interdepartmental communication and interaction.
● Implementing risk management decisions made by the Risk Management Committee.
● Plan risk management training courses to enhance overall risk awareness and culture.

2024 Risk Management Training

I. 2024 Awards and Highlights:
● The Group was awarded the ISO 31000:2018 Risk Management System Certificate, as well as the COSO ERM Compliance Report.
● In 2024, Shenzhen Park received the Shenzhen Manufacturing Enterprise Quality Control Capability Award for Excellence in Risk Management.
● On June 14, 2024, the Board of Directors approved the “Risk Whistleblower Reporting and Protection Regulation” to establish a Risk Reporting Center, providing stakeholders with a channel to identify potential risks. Until the end of December 2024, no risk reports were received.
● The risk management instructors' system was launched for the first time in 2024, and a total of 226 risk management instructors have been trained.

II. Risk Management Education in 2024:
In order to strengthen the risk management culture, we conduct annual education and training related to risk management, which requires the participation of all members, including the board of directors. Regular and ad-hoc internal and external risk management courses are offered each year and are integrated into the annual performance evaluation criteria for both employees and managers. The goal is to enhance risk awareness in daily operations, thereby effectively promoting and implementing risk management practices within the business. In 2024, there are 242 key executives, including members of the board of directors, the Risk Management Executive Division, the Risk Management Executive Task Force, and risk management instructors, who collectively completed a total of 5,423 hours of education. The breakdown is as follows:

Risk Management Procedure

To enhance the risk management function, the Group's approach encompasses (1) risk identification, (2) risk assessment, (3) risk control, and (4) risk monitoring and communication, ensuring a comprehensive understanding of each risk's scope. Utilizing the CAPDCA (Plan, Do, Check, Act) management framework, we will continuously improve and manage risk factors to minimize both the likelihood and impact of potential losses. We will also implement appropriate measures to efficiently execute risk management strategies. In alignment with the principles of sustainable development and our commitment to global citizenship, we will consider changes in the international landscape and the emerging risks identified by the World Economic Forum. We will review the long-term risk issues that the Group may encounter, identify them proactively, and implement suitable regulatory measures to manage risks effectively at all times in response to:

I. Risk Identification

The company performs risk identification based on the environmental, social, and corporate governance aspects of its operations, where 14 risk factors have been formulated based on the four major aspects defined in the risk management policy, and the management scope includes various risk items at different levels as follows:

II. Risk Assessment

All subsidiaries under the Group comply with the “Strategic Risk Control Procedures”. Each functional unit identifies the risk factors it may face, and may adopt Failure Mode and Effects Analysis (FMEA), SWOT or may develop its own identification and evaluation criteria to identify and evaluate the risk levels of different risk items and implement corresponding controls. According to the risk evaluation, the three characteristic exponent of “severity, frequency, and difficulty of detection” are summarized to express the possibility of risk occurrence and its impact, which serve as a reference for the subsequent formulation of risk control priorities and response measures.

III. Risk Control

● Risks related to daily operations of each business unit shall be managed by the risk controls of each business unit through rolling CAPDCA.
● For important crisis events that cross-departmental or cross-plant, cross-departmental or cross-plant risk assessment should be carried out. The Chief of Risk Management Executive Committee or a designated representative is responsible for coordinating and negotiating, in order to identify feasible strategies for preventing crisis incidents.
● The supervisor shall formulate crisis handling procedures, recovery plans according to the crisis incident and provide the risks and countermeasures to Risk Management Executive Task Force for review and tracking.

IV. Risk Monitoring

To effectively address the aforementioned areas, it is essential to conduct regular reviews and maintain comprehensive documentation of the outcomes of risk management implementation. This practice will help assess the effectiveness of risk management strategies and associated control operations. The Risk Management Executive Task Force is mandated to submit an annual plan and progress report to the Risk Management Executive Division. Additionally, the Task Force must hold at least two meetings each year to present reports and provide explanations regarding the implementation results to the Audit and Risk Committee. Internal audit personnel should periodically review the risk management procedures and the status of control implementation across various risk levels, subsequently reporting their findings to the Board of Directors annually. Furthermore, the Group invites third parties for external audits of risk management annually and maintains its certification of ISO 31000:2018 Risk Management.

2024 Risk Management Conclusion

In 2024, the group obtained the ISO 31000:2018 Risk Management Certificate and the COSO ERM Compliance Report. Following this, risk identification and assessment were performed, and the overall self-assessment of risk was determined to be low. The frequency and severity of risks (categorized as low, medium, high, or extreme) were measured and plotted on a risk matrix. Based on the results of the matrix, four major initiatives were established: 1) Emergent Improvement Project, 2) Improvement Plan, 3) Incorporation of Risk-Reducing Measures, and 4) Management for Continued Improvement. The 2024 Risk Matrix indicates that most risks are under management for continued improvement, while some medium-risk levels are being monitored by various business units to manage and mitigate their impacts. Risks that require risk-reducing measures will be tracked and reported continuously in 2025. To further understand the financial impact of each risk project, we estimated the potential financial losses associated with each risk factor based on the previous year's revenue. The summarized results indicate that the group's potential financial loss risk, after reviewing the four major risk aspects this year, is controlled within 3%. With mote details, please read the attachment on 2024 Implementation Result of Risk Management. 2024 General risk implementation full results

2024 Implementation of Emerging Risk

We continue to focus on the risks associated with the “Changes in the international political and economic downturn” and “Misinformation and disinformation”. According to the Global Risks Report released by the World Economic Forum on January 15, 2025, the threat posed by conflicts in the international political and economic landscape to corporate sustainable development constitutes the majority of the top 10 emerging risks identified over the past two years. These risks include international armed conflicts, social polarization, inequality, and involuntary migration. Additionally, misinformation and disinformation have emerged as significant risks during this period. This phenomenon is defined as the persistent presence of false information—whether intentional or unintentional—widely disseminated through media networks. Such misinformation significantly alters public opinion and fosters distrust in facts and authority, encompassing issues such as falsification, impersonation, and manipulation (WEF, 2025, pp. 98). With mote details, please read the attachment on 2024 Implementation Result of Emerging Risks. 2024 Emerging risk implementation full result