Risk Management Policies and Procedures
Risk Management Organizational Structure
The Company has established a multi-layered risk management organizational structure, approved by the board of directors. The "Risk Management Team" is composed of the highest executives from various functional units and is subordinate to the Audit Committee, consisting of three independent directors. The team regularly reports on the Company's risk environment, risk management priorities, risk assessment, and mitigation measures during risk management meetings. The Risk Management Team reports the Company's risk management execution to the Audit Committee and the Board of Directors at least once a year.
Risk Management Policy
The Company has formulated the "Risk Management Policy" based on the framework of ISO 31000, which was approved by the board of directors in 2023. This policy serves as the overarching guiding principle for the Company's risk management. The Risk Management Committee conducts regular risk factor identification each year to identify potential risks that may affect the sustainable development of the business. Specific risk management policies are developed for various risks, covering mechanisms such as management objectives, organizational structure, authority allocation, and risk management procedures. These mechanisms are implemented to effectively identify, assess, and control various risks within acceptable limits.
Risk Management Scope
The Company identifies risk items with a focus on three key areas: environment, social, and corporate governance. The risk management encompasses four major dimensions related to company operations: "environmental safety," "information security," "legal compliance," and "corporate governance." The main categories of risks include strategic risk, operational risk, financial risk, information risk, legal compliance risk, integrity risk, and other emerging risks (such as climate change, biodiversity, forest, water, or infectious disease-related risks).
To implement a balanced risk management mechanism, the Company integrates and manages various potential risks that may impact operations and profitability, including strategic, operational, financial, and hazardous risks. By establishing corporate risk management procedures, the goal is to provide appropriate risk management for all stakeholders. A risk matrix is employed to assess the frequency of risk events and the severity of their impact on company operations. This process helps define the priority and level of risk and enables the implementation of corresponding risk management strategies based on the identified risk levels.
Operational situation
The Company's risk management process includes risk identification, risk analysis, risk assessment, risk response, and risk monitoring and review. In addition to cross-departmental communication and data collection to consolidate the overall impact of various risks on the Company, the severity of each risk is linked to the Company's short, medium, and long-term operational goals to determine the Company's tolerance for risk impact.
The Company holds regular risk management team meetings each year and reports its operations to the board of directors annually. To actively promote the implementation of the risk management mechanism, the Audit Committee oversees risk management starting in 2023. The main operational details are as follows:
Ø Each operating unit identifies potential risks for the upcoming year in the fourth quarter based on significance principles, considering environmental, social, and corporate governance issues, and aligning with stakeholder concerns. Subsequently, a risk assessment is conducted, and risk management strategies and plans are developed.
Ø For risks of moderate severity, in addition to regular reporting on risk status and reinforcing control plans at risk management team meetings, reports are submitted to the Audit Committee for supervision and review.
Ø The Audit Committee reports to the board of directors at least once a year. On December 20, 2023, the committee reported on the activities of the risk management team, including assessing the scope of risks, the risk environment, implemented risk control measures, and the supervision of risk management.