Risk Management

To ensure sustainable operations, the Company has established a Group-wide risk management system through the implementation of the Risk Management Best Practice Principles. Risk management processes are conducted annually, focusing on external environmental changes (e.g., the Horizon Scanning Report and Global Risks Report) to identify priority issues and formulate responses. Each plant conducts risk reviews and adopts preventive measures in line with various management systems, such as ISO 9001, IATF 16949, ISO 14001, ISO 45001, ISO 22301, ISO 27001, ISO 50001, TIPS, and GMP, to enhance organizational resilience.

In response to the Taiwan Stock Exchange’s issuance of the Practical Guidelines for Risk Management of TWSE/TPEx Listed Companies on Aug 8, 2022, the Company, on Aug 8, 2024, resolved by the Board of Directors to elevate the “Risk Management Committee” to a functional committee under the Board. The committee consists of five directors, three of whom are independent directors.

Risk Management Organizational Structure & Responsibilities

Board of Directors

The Board of Directors is the highest governing body for risk management within the Company. In accordance with the Company’s Risk Management Best Practice Principles, the responsibilities of the Board are as follows:

(1) Approve risk management policies, procedures, and frameworks.
(2) Ensure alignment between business strategy and risk management policy.
(3) Ensure the establishment of appropriate risk management mechanisms and foster a risk management culture.
(4) Supervise and ensure the overall effectiveness of the risk management framework.
(5) Ensure the allocation and assignment of sufficient and appropriate resources to enable effective risk management operations.

Operations Units

The operations units, including the Operations Headquarters, business unit management teams, and heads of functional departments, serve as the executing bodies for risk management. Their responsibilities include:

(1) Identifying, analyzing, assessing, and responding to risks within their respective units, and establishing necessary crisis management mechanisms.
(2) Regularly reporting risk management information to the Risk Management Office.
(3) Ensuring the effective implementation of risk management and related control procedures within their units to comply with the risk management policy.

Internal Audit

The Company’s Audit Office is an independent unit under the Board of Directors. In accordance with the internal control system and related procedures, it formulates an annual audit plan and conducts unscheduled audits based on changes in internal and external environments. The Audit Office independently reviews the effectiveness of risk management activities, provides concrete improvement recommendations, and regularly reports audit results to the Board of Directors to help ensure that key operational risks are properly managed and that the internal control system remains effective.

Three Lines of Defense Framework for Risk Management

Risk Management Committee and Decision-Making Management Levels

The Company has set up a Risk Management Committee under the Board of Directors to supervise the operating mechanisms related to risk management. The committee shall have no fewer than three members, more than half of whom shall be independent directors, and the independent directors shall elect one of their number to serve as chairman. The Risk Management Committee is accountable to the Board of Directors and submits its proposals to the Board for resolution. The responsibilities of the Risk Management Committee are as follows:

  1. Review risk management policies, procedures, and frameworks, and regularly assess their suitability and effectiveness of implementation.
  2. Approve risk appetite (risk tolerance) and guide resource allocation.
  3. Ensure that the risk management mechanisms are capable of adequately addressing the risks faced by the Company and integrate them into daily operating processes.
  4. Approve the priorities and levels of risk control.
  5. Review the execution of risk management, make necessary suggestions for improvement, and report to the board of directors regularly (at least annually).
  6. Implement the risk management decisions of the board of directors.

Risk Management Office

The Company has set up a Risk Management Office. The General Manager convenes the heads of production, finance and other departments to take part in its operations. The Office is responsible for planning, executing and supervising risk management matters and for reporting to the Risk Management Committee. The responsibilities of the Risk Management Office are as follows:

  1. Develop risk management policies, procedures and structures.
  2. Formulate risk appetite and establish qualitative and quantitative measurement standards.
  3. Analyze and identify the sources and categories of company risks, and regularly review their applicability.
  4. Compile and submit company risk management execution reports regularly (at least once a year).
  5. Assist and supervise the execution of risk management activities of various departments.
  6. Coordinate cross-departmental interaction and communication for risk management operations.
  7. Implement the risk management decisions of the Risk Management Committee.
  8. Plan risk management-related training to enhance overall risk awareness and culture.

Risk Management Policy

The Company recognizes the rapidly changing global environment and, in order to mitigate operational risks and safeguard shareholder interests, has implemented a Risk Management Policy. This policy is designed to anticipate trends in the business environment, enhance company-wide risk awareness, and ensure sustainable business operations.

Risk Management Objectives

Through a comprehensive risk management framework, the Company manages various risks that may affect the achievement of corporate objectives. By integrating risk management into operational activities and daily management processes, the Company aims to achieve the following goals: (1) Achieve corporate objectives, (2) Enhance management effectiveness, (3) Provide reliable information, (4) Effectively allocate resources.

Scope of Risk Management

The Company adopts the COSO “Enterprise Risk Management – Applying Enterprise Risk Management to Environmental, Social, and Governance-Related Risks” framework. Risk management encompasses major categories such as strategic, compliance, financial, operational, and other risks. In compliance with relevant laws, regulations, and ISO standards, the risk management process follows a cyclical approach of identification, analysis, assessment, response, monitoring, and review for continuous improvement.

Risk Management Process

The Company has established its “Risk Management Best Practice Principles” with reference to ISO 31000:2018, the Corporate Governance Best Practice Principles for TWSE/TPEx Listed Companies, and Applying Enterprise Risk Management to Environmental, Social, and Governance-Related Risks. Each business unit is responsible for regularly (at least once a year) and upon significant changes in internal or external operational environments, assessing risks within their scope of business and short-, medium-, and long-term objectives according to the risk management procedures outlined in the Principles. The process includes risk identification, analysis, evaluation, reporting, response planning, documentation, and ongoing monitoring to minimize potential impacts.

  1. Risk Identification
  2. Risk Analysis
  3. Risk Evaluation
  4. Risk Response
  5. Risk Monitoring and Review
  6. Risk Reporting and Disclosure

Risk Management Operations

Each year, the business units and the “Risk Management Office” conduct comprehensive assessments of internal and external operational environments, identifying and analyzing potential risks based on risk categories using both quantitative and qualitative criteria. These risks are compared against the Company’s risk appetite, and prioritized material risks are reported to the “Risk Management Committee” for review and approval. In 2024, 50 material risks were approved by the committee.

For each approved material risk, operating units select appropriate response strategies (e.g., Avoid & Stop, Share/Transfer, Reduce/Minimize, Retain/Accept) based on the Company’s objectives, stakeholder perspectives, and available resources. Specific measures are proposed for implementation. For more details, please refer to the Sustainability Report.

The Executive Secretary of the “Risk Management Committee” reported to the Board on May 9 and Dec 12, 2024. The first report addressed the 2024 key plans and climate-related risks, while the second focused on risks scoring ≥12 points, the related mitigation measures, and BCM risks for 2024–2025.