Enhancing Risk Culture Awareness
Internal Control and Risk Management
Nan Pao is committed to establishing a robust risk management framework. The Audit Committee and the Sustainability Development Committee serve as the highest-level bodies for risk management, assisting the Board of Directors in fulfilling its risk management responsibilities. These committees oversee different categories of risk through clear professional division of responsibilities to ensure effective risk control across various dimensions. Overall risk analysis is coordinated, consolidated, and managed by the Risk Management Task Force, which reports directly to the CEO. In addition, the Audit Team, which reports directly to the Board of Directors, is responsible for monitoring and auditing the entire risk management mechanism. Through internal audit activities, it ensures the effectiveness of risk controls and the proper management of potential risks. Senior management is required to report the evaluation results of risk management indicators at the relevant risk management meetings and is subject to sustainability KPI assessments, which directly impact their variable compensation.
The Board of Directors has established the "Risk Management Policy and Procedures" to define and regulate operational risks. To integrate sustainability risks into the overall risk management system, Nan Pao identifies ESG issues based on internationally recognized topics and the United Nations Sustainable Development Goals (SDGs). Stakeholder surveys are used to incorporate diverse perspectives, and a double materiality analysis approach is applied to identify operational risks. The Sustainability Office confirms the impact drivers, affected areas, assessment methods, and corresponding risks and management measures for nine material topics. At the same time, the Company references the overall Risk Assessment Analysis Report provided by the Risk Management Task Force to identify risk factors related to material topics and key sustainability management priorities. The execution effectiveness of risk mitigation measures by responsible units is subsequently tracked and disclosed in the Sustainability Report. The processes for materiality identification and sustainability goal setting are conducted annually.
Figure – Risk Management Organizational Structure

A. Board of Directors: The highest authority responsible for the Company’s risk management. The Board approves risk management policies and related regulations, oversees the overall implementation of risk management, and ensures that risks are effectively controlled.
B. Audit Committee: Composed of independent directors of the Board, the Committee is responsible for overseeing and managing financial and internal control risks.
C. Sustainability Development Committee: Composed of three or more directors, with more than half being independent directors. The Committee is responsible for managing sustainability, compliance, and information security risks.
D. Audit Team: Each year, based on the five components of the COSO internal control framework, past audit experience, the proposed budget for the following year, and the existing organizational structure, the Audit Team formulates an audit plan. The audits assess management’s control over internal and external environmental risks, the management of operational risks across business divisions, and the effectiveness of the design and implementation of internal control systems. Upon completion of audits, audit reports are issued and regularly submitted to the Audit Committee and the Board of Directors.
E. Risk Management Task Force: Composed of the heads of each functional unit, members of the Task Force handle assignments from the Task Force Convener and assist in the establishment, implementation, maintenance, and review of the risk management framework. They also designate personnel within their units as risk management executors and work with relevant personnel from operating units to ensure the effective execution of risk management procedures.
F. Sustainability Office: The Chief Sustainability Officer (CSO) serves as the highest-level management authority responsible for sustainability. A dedicated Sustainability Planning Team is established to carry out full-time implementation, supported by cross-functional teams comprising representatives from business units/plants and staff functions including R&D and Innovation, Financial Management, Strategic Procurement, Information Management, Human Resources, and Legal Affairs. The Sustainability Office reports work progress to the CSO on a monthly basis. Climate-related and sustainability risks and opportunities are consolidated by the Sustainability Office based on inputs from all members and reported, along with recommendations, to management and the Board of Directors.
Risk Identification and Management
Nan Pao’s risk management process encompasses key steps including risk identification, risk analysis, risk assessment, risk response, and risk monitoring and review. Each year, the Risk Management Task Force conducts regular assessments and discussions of the Company’s potential and emerging risks across the three ESG dimensions—Environmental protection (including climate and natural resources), Social inclusion, and Corporate governance. These assessments take into account the likelihood of occurrence, severity of impact, and effectiveness of controls, and are periodically reported to the Audit Committee and the Board of Directors. In addition to consolidating the overall potential impacts of various risks on the Company, the Company also links the level of impact of each risk to its short-, medium-, and long-term operational objectives.
Figure – Risk Management Process

The Nan Pao Risk Management Task Force includes representatives from the Business Divisions, Operations Management, R&D and Innovation, Financial Management, Strategic Procurement, Information Management, Human Resources, and Legal Affairs. In 2025, through the use of risk assessment forms—considering the likelihood of occurrence, impact severity, and effectiveness of controls—the Task Force identified a total of 28 potential risk items. For the 14 medium-to-high-level risks, corresponding risk response strategies and risk mitigation plans were developed. Risk management personnel then periodically tracked the implementation of these measures with each operating unit and maintained proper records.
Figure – Risk Matrix

Figure – Risk Mitigation Measures
| Risk Event | Response Measures |
| --- | --- |
| Israel-Palestine Conflict | • Strengthen customer credit management in conflict-affected areas by implementing advance payment before shipment. • Redirect certain orders to be shipped from China to avoid significant fluctuations in freight costs. |
| Improper Waste Management | • Actively promote waste recycling and reuse. • Select compliant disposal facilities, supervise waste management outcomes, and conduct annual on-site inspections. |
| Dumping of Products from China | • Strengthen brand differentiation to increase product added value. • Enhance technology capabilities and after-sales service. |
| Carbon Fees / Carbon Tariffs | • Transition to low-carbon processes and optimize energy efficiency. • Select low-carbon suppliers for green procurement. • Expand renewable energy capacity and replace outdated equipment with energy-efficient devices. |
| Labor Shortage | • Promote production line automation to reduce manual labor dependency. • Implement training programs to strengthen internal knowledge transfer and mitigate talent attrition. |
| Supply Chain Disruption | • Continuously monitor and manage the footwear supply chain status. • Establish subsidiary factories to diversify production bases. |
| Overreliance on a Single Supplier | • Identify alternative suppliers for critical raw materials. • Conduct supply chain disruption simulation drills. |
| Excessive VOC Treatment Concentration | • Use condensation methods to collect VOCs. • Plan and install RCO (Regenerative Catalytic Oxidizer) or RTO (Regenerative Thermal Oxidizer) control equipment. |
| Declining Competitiveness of Traditional Customers | • Analyze industry changes and implement corresponding response measures, establishing clear performance indicators. • Develop strategies to capture emerging brands. |
| Slow Pace of New Product Development | • Establish a clear R&D roadmap and allocate resources to key development priorities. • Introduce external technologies to overcome product development bottlenecks. |
| Geopolitical Risks | • Diversify production locations. • Establish a pricing system to control and protect profit margins. |
| Raw Material Supply Disruption | • Enter into long-term supply agreements with key suppliers to ensure supply stability. • Conduct annual sourcing/origin investigations. |
| Product Quality Issues | • Implement the CIT (Continuous Improvement Team) project to enhance production quality stability. • Strengthen technical support to prevent incorrect product usage by customers. |
| Employee Violations of the Code of Ethics | • Establish and regularly update the Code of Ethics and Employee Conduct Guidelines. • Implement a clear reporting mechanism and ensure whistleblower protection. |

Emerging Risks and Response Strategies
To align with sustainability principles, Nan Pao conducts annual reviews of emerging risks by referencing the World Economic Forum's Global Risks Report and MSCI's Annual ESG and Climate Trends to Watch. Core management units discuss and confirm industry context and risk assessments, followed by the implementation of risk responses and monitoring. Through this process, the Company identifies and manages emerging risks, evaluates potential operational impacts and challenges, and develops mitigation measures.

Operational Situation
Nan Pao has implemented a comprehensive risk management process, which includes assessing the Company’s risk appetite and its capability to control risks, enabling systematic identification and management of potential risks. Through this process, the Company evaluates the major risks it faces and incorporates them into the overall risk management framework. Reports on the operation of this process are submitted to the Board of Directors annually, with the most recent report presented on March 14, 2025. The report covers the assessment of risk scope, risk environment, implemented risk control measures, and the supervision of risk management.