NANPAO Risk Management Policies and Procedures

Risk Management Policies and Procedures

Risk Management Organizational Structure

To fulfill the principles of corporate sustainability, our company adheres to organizational management systems and internal control frameworks at all levels to manage risks inherent in operational processes. We are committed to implementing systematic management through Board-level involvement and in alignment with the spirit of ISO 31000. This approach evaluates the potential impacts of various risks on the company's operations, ensuring sound corporate governance, achieving sustainable operation goals, and safeguarding the rights of stakeholders.

In accordance with the Financial Supervisory Commission's "Regulations Governing the Establishment of Internal Control Systems by Public Companies" and the Taiwan Stock Exchange's "Practical Guidelines for Risk Management by Listed Companies," the "Risk Management Policy and Procedures" were established with Board approval in 2020 and revised in 2023. These policies serve as the highest guiding principles for the company's risk management.

Each year, the Risk Management Task Force identifies risk factors to pinpoint potential risks that may affect corporate sustainability. Risk response strategies are then formulated for each identified risk, encompassing management objectives, organizational structure, roles and responsibilities, and risk management procedures. These mechanisms are rigorously implemented to effectively identify, assess, and control risks, ensuring that significant risks remain within acceptable thresholds.

The Company has established and implemented a comprehensive risk management policy with the primary objectives of identifying, assessing, monitoring, and controlling risks that could impact the company's operations, finances, and reputation. The risk management process involves several key steps, including cross-departmental communication and data collection to consolidate the overall impact of risks on the company. Furthermore, the degree of risk impact is linked to the company’s short-, medium-, and long-term operational goals to ensure a clear understanding of the company’s risk tolerance.

• Risk Identification: Identify potential risks through regular risk assessments and internal reviews.

• Risk Analysis: Analyze the likelihood and impact of identified risk events.

• Risk Assessment: Quantify and prioritize risks based on their probability and impact.

• Risk Response: Develop specific response measures for each type of risk.

• Risk Monitoring and Review: Continuously monitor risk conditions and regularly update the risk management plan.

 

Risk Management Scope

The Company identifies risk items with a focus on three key areas: environmental, social, and corporate governance. Risk management encompasses four major dimensions related to company operations: "environmental safety," "information security," "legal compliance," and "corporate governance." The main categories of risks include strategic risk, operational risk, financial risk, information risk, legal compliance risk, integrity risk, and other emerging risks (such as climate change, biodiversity, forest, water, or infectious disease-related risks).

To implement a balanced risk management mechanism, the Company integrates and manages various potential risks that may impact operations and profitability, including strategic, operational, financial, and hazardous risks. By establishing corporate risk management procedures, the goal is to provide appropriate risk management for all stakeholders. A risk matrix is employed to assess the frequency of risk events and the severity of their impact on company operations. This process helps define the priority and level of risk and enables the implementation of corresponding risk management strategies based on the identified risk levels.

 

Risk Management Organizational Structure

The Company has established a multi-layered risk management organizational structure, approved by the board of directors. The "Risk Management Team" is composed of the highest executives from various functional units and is subordinate to the Audit Committee, which consists of three independent directors. The team regularly reports on the Company's risk environment, risk management priorities, risk assessment, and mitigation measures during risk management meetings. The Risk Management Team reports the Company's risk management execution to the Audit Committee and the Board of Directors at least once a year.

1. Board of Directors: The highest authority for the company's risk management, responsible for approving risk management policies and related regulations. It oversees the overall implementation of risk management to ensure effective risk control.

2. Audit Committee: Assists the Board of Directors in fulfilling its risk management responsibilities. A Risk Management Task Force is established under the Audit Committee, chaired by the CEO. This task force conducts comprehensive evaluations of operational and emerging risks and reports the status of risk management operations to the Audit Committee and the Board of Directors annually.

3. Risk Management Task Force: Comprising the highest-ranking officers of each functional unit as members, the task force handles matters assigned by the convener. It also assists in establishing, promoting, maintaining, and reviewing the risk management mechanism. Unit personnel are designated as risk management officers and, together with relevant personnel from operational units, are responsible for implementing risk management procedures.

4. Internal Audit Office: As an independent unit under the Board of Directors, the Internal Audit Office develops an annual audit plan in accordance with the company's "Risk Management Policies and Procedures." It conducts independent audits of the effectiveness of risk management activities and provides recommendations for improvement. Audit results are reported to the Board of Directors periodically to ensure that critical business risks are properly managed and the internal control system operates effectively.

  

Operational situation

The Company is actively implementing a robust risk management mechanism, supervised by the Audit Committee, which reports annually to the Board of Directors. The most recent report to the Board was presented on December 18, 2024. The key activities for 2024 are summarized as follows:

1. Enhancing Sustainability Performance and Climate Risk Governance. In 2023, the company began addressing climate risk identification and management. Based on the TCFD framework, we developed a comprehensive list of climate-related risks and opportunities. This includes assessing the potential operational impacts of climate change across short-, medium-, and long-term timeframes. A complete environmental management and climate governance structure has been established to address these challenges effectively.

2. Each operational unit, in alignment with the materiality principle, identifies the following year's risk factors in the fourth quarter of each year. This process considers environmental, social, and governance (ESG) risk issues alongside stakeholders' primary concerns. Subsequent evaluations are conducted to develop appropriate risk management strategies and plans. The 2024 risk matrix is illustrated below.

3. To address the growing ESG risks, the company established a Sustainability Development Office in 2024, which has been integrated into the risk management organizational structure. This office is responsible for overseeing the assessment and management of risks related to environmental, social responsibility, and governance. Additionally, a timeline for sustainability information and risk management has been developed, encompassing the setting of annual strategic goals, risk assessments, identification of material issues, preparation of the sustainability report, and assurance activities. This ensures the effective integration of risk management strategies with sustainability development goals.

4. In May 2024, the company engaged Ernst & Young to conduct a TCFD project course. The program covered topics such as climate risk and sustainability disclosure standards, identification of significant climate risks and opportunities, and climate-related risk and scenario analysis. A total of 75 participants attended, completing 112.5 hours of training collectively. In 2024, the company organized 21 risk-related educational training sessions for employees across the group, with 342 participants completing a total of 927 training hours.

 

 
