Corporate Governance
Risk Management Policies and Procedures & Operational Situation
Home Corporate Governance Risk Management Policies and Procedures & Operational Situation
The Company has formulated the "Risk Management Best-Practice Principles" and "Risk Management Policies and Procedures", which were approved by the Board of Directors as the highest guiding principle for the Company's risk management; The Company regularly evaluates risks every year, and formulates risk management policies for various risks, covering management objectives, organizational structure, ownership of rights and responsibilities, and risk management procedures and other mechanisms and implement them to effectively identify, measure and control the Company's various risks, control the risk to an acceptable range.
 
Risk Management Scope

The Company integrates and manages all potential risks of various hazards, operations, finance, strategies, information security, legal compliance, integrity and others that may affect operations and profits, and evaluates the frequency of risk events and the severity of the impact on the Company's operations, and defines the priority of risks, and risk level, and adopt corresponding risk management strategies according to the risk level.
1.Hazard risk: Refers to the risk of loss to the Company caused by the occurrence of major natural or man-made disasters (such as earthquakes, fires, chemical spills, and epidemics).
2.Operational risk: Refers to the risk that uncertain factors in the Company's operation process affect the normal operation of the Company, such as operation risk (material shortage, improper scheduling, etc.), quality risk, contract performance risk and safety risk.
3.Financial risk: The Company's financial and business impacts, such as interest rate, exchange rate, liquidity and credit risks, are caused by factors such as domestic and foreign economic and industrial changes.
4.Strategic risk/political risk: Risk of loss due to business strategy considerations, such as the risk of excessive customer concentration, the risk of not obtaining contracts, and the risk of cooperating with policy investment capacity to prepare for development and other risks, and regularly arrange activities to enhance risk awareness.
5.Information security risk: Refers to the risk of harm to the network, system, application program, data encryption security, etc.
6.Legal compliance risk: Refers to the risks that may arise from failure to comply with relevant regulations and various legal norms, or various legal risks that may infringe upon the Company's rights and interests.
7.Integrity risk: Refers to the risk of dishonest behavior, such as conflicts of interest, insider trading, etc.
8.Other risks: Refers to the risks that are not included in the above, but the risks will cause the Company to have significant losses, such as long-term emerging risks, major external, uncontrollable or non-human harmful events. In addition, if there are other risks, appropriate risk control and processing procedures should be established according to the risk characteristics and the degree of impact.
 
Risk Management Committee Organization

The Company's risk management organizational structure includes the Board of Director, the Risk Management Committee, the risk management team (including the President, Vice Presidents, SRB meetings and Audit Office) and the Company's various Divisions. The relevant authority and responsibility are as follows:

Hierarchy Scope of responsibility
Board of Director → Risk Oversight The highest decision-making unit of the Company's risk management, with the following responsibilities:
1.Approve risk management policies, procedures and structures.
2.Ensure that the operational strategic direction is aligned with the risk management policy.
3.Ensure that appropriate risk management mechanisms and risk management culture are in place.
4.Supervise and ensure the effective operation of the overall risk management mechanism.
5.Allocate and assign adequate and appropriate resources to enable effective risk management.
Risk Management Committee → Risk Review 1.Review risk management policies, procedures and structures, and regularly review their applicability and performance.
2.Assess risk appetite (risk tolerance) and guide resource allocation.
3.Ensure that the risk management mechanism can adequately handle the risks faced by the Company and integrate it into the daily operation process.
4.Approve risk control priorities and risk levels.
5.Review the implementation of risk management, make necessary improvement suggestions, and report to the Board of Directors on a regular basis (at least once a year).
6.Execute the risk management decisions of the Board of Directors.
Risk management team (including the President, Vice Presidents, SRB meetings and Audit Office) → Risk management The risk management team is the authority responsible for the implementation of risk management, and is mainly responsible for the monitoring, measurement and evaluation of corporate risks and other executive-level affairs. The risk management team conducts risk management through various meetings, including:
1.Assist in the formulation of the Company's risk management policies, procedures and structures.
2.Formulate risk appetite (risk tolerance), and establish qualitative and quantitative measurement standards.
3.Analyze and identify sources and categories of company risks, and review their applicability regularly.
4.Regularly (at least once a year) compile and submit a report on the implementation of the Company's risk management.
5.Assist and supervise the implementation of risk management activities of various Divisions.
6.Coordinate cross-departmental interaction and communication of risk management operations.
7.Implement the risk management decisions of the Risk Management Committee.
8.Plan risk management related training to enhance overall risk awareness and culture.
9.The Audit Office supervises the execution units to follow the approval authority and related management methods and procedures, and should carry out risk control and management operations every year, and require each unit to issue a self-assessment report. In addition, according to the risk assessment of the appointed managers, the annual audit plan is formulated accordingly, and audits are conducted regularly and an audit report is issued, which is reported to the Board of Director.
Divisions of the Company → Risk control 1.Responsible for identifying, analyzing and monitoring the relevant risks within the affiliated unit, and when necessary, establish relevant crisis management mechanisms to ensure the effective implementation of risk management and control mechanisms and procedures.
2.Conduct self-assessment and response to risk control activities, and regularly report risk management information to risk management promotion and execution units.
 
Operational situation

In 2024, various risks of the Company and the risk control measures adopted have been reported to the Board of Directors on Feb. 29, May 9, Aug. 6 and Nov. 5 respectively, and reported to the Risk Management Committee every half year. The reporting date is Feb. 26 and Aug. 5.
In 2024, with SMS training, a total of 270 people have completed the SMS General Introduction training (540 hours), a total of 640 people have completed the SMS General Introduction Recurrent training (640 hours), a total of 1,112 people have completed the Information Security General Education Training (3,336 hours), Professional Courses related to Information Security: 4 information security professionals (159 hours), and Information Security-related Courses: 7 non-information security personnel (176 hours).
In 2025, various risks of the Company and the risk control measures adopted have been reported to the Board of Directors on Feb. 26, May 6, Aug. 7 and Nov. 10 respectively, and reported to the Risk Management Committee every half year. The reporting date is Feb. 24 and Aug. 6.
In 2025, with SMS training, a total of 102 people have completed the SMS General Introduction training (204 hours), a total of 126 people have completed the SMS General Introduction Recurrent training (126 hours), a total of 1,172 people have completed the Information Security General Education Training (3,156 hours), Professional Courses related to Information Security: 4 information security professionals (160 hours), and Information Security-related Courses: 6 non-information security personnel (192 hours).

The Risk Management Committee has held a total of 2 meetings in 2025. The attendance of the members is as follows:
 
The 2nd Session Members Name Actual
attendance
to meeting		 Attendance
by proxy		 Actual attendance
(sit in) meeting (%)		 Remark
Independent Director (Chairperson) Lin, Chang-Ching 2 0 100% Shall attend 2 times.
Independent Director Wang, Hui-Ching 2 0 100% Shall attend 2 times.
Independent Director Wang, Shih-Kun 2 0 100% Shall attend 2 times.
Independent Director Chang, Ke-Hao 2 0 100% Shall attend 2 times.