Article 1: (Basis of Establishment)
These Regulations are established for the purpose of sound risk management and the sustainable operation of the Company.
Article 2: (Definition of risk factors)
The Company's risks are classified as follows:
- Market risk: the potential impact on the market in which the Company is involved due to changes in domestic and foreign political and economic factors, economic cycles, changes in technology, environment, changes in consumption patterns, customers, competitors and other external factors.
- Financial risk: financial risks derived from financing and investment activities, including but not limited to capital turnover, changes in the financial market (such as interest rates, exchange rates), fluctuations in the market value of short-term investments, operating management of the investees under long-term investments, making endorsements/guarantees for others and lending funds to others.
- Credit risk: refers to the risk that arises when a counterparty fails to fulfill its contract or obligation, resulting in a loss, for example from centralized purchasing or sales.
- Computer information risk: caused by external attacks and improper establishment or management of internal information systems.
- Operational risk: refers to risks caused by factors such as negligence in internal control, poor process planning, inappropriate human management, or errors.
- Legal risk: refers to risks caused by legal factors, including but not limited to changes in laws and regulations, legal compliance and inadequate contract specifications.
- Hazard risk: various man-made or natural disasters, such as misappropriation, plagiarism, vandalism, fire, earthquake, typhoon, infectious disease, which may cause heavy losses to the Company.
- Other risks: risks that are not part of the above, but will result in significant losses to the Company.
Level 1 risks:
Risks at this level are beyond the control of the state but have a significant impact. For example, risks such as war, the Sino-US technology/trade war and regional economic alliances are managed at the board level.
Level 2 risks:
Risks at this level are long-term risks, i.e., no exposure now, but there will be risks in the future. For example, in response to issues such as climate change and carbon neutrality, the CEO will establish a dedicated unit or response team based on the Company's long-term development needs to handle such risks.
Level 3 risks:
Risks at this level are the Company's management and execution risks. Risks that can be prevented in advance are handled through the organization's division of labor.
Article 3: (Risk management organization)
The Company's risk management organization is as follows:
- Board of Directors: the Board of Directors is the highest risk management unit of the Company. It ensures that the management understands where operational risks lie and how effective risk management is. When a Level 1 risk arises, the Board members are allowed to propose measures for risks of that level.
- CEO office: for Level 2 and Level 3 risks, the CEO is responsible for coordinating the detection and response of all business units and administrative departments to ensure that the Company's operations are not affected by various types of risks.
- All departments and all administrative departments of the business department: the head of each unit is responsible for Level 3 and first-line risk management, including analyzing and monitoring relevant risks within their subordinate units. If cross-departmental coordination is required, the matter is reported to the higher levels in accordance with the authorization system.
- Auditing Office: an independent department under the board of directors. It explores potential risks through internal control and internal audit systems.
- Working group: the CEO shall set up an inter-department working group to deal with possible risk factors based on the needs of Level 2 and Level 3 risks.
Article 4: (Risk management mechanism)
The Company's risk management mechanism is mainly conducted through various types of regular and non-scheduled meetings.
- Board of Directors: the Board of Directors meets at least once a year, at which the CEO reports to the Board on the risks raised by each unit and the implementation and effectiveness of the relevant response plans.
- Management meeting: once a month, the general managers of each business unit may explain or discuss market risks in the meeting and develop or resolve relevant response plans.
- Administrative department meeting: once a week, the heads of all administrative management units may discuss potential risks inside or outside of their departments and develop or resolve relevant countermeasures.
- Regular or non-scheduled internal meetings of all units (including business divisions): if front-line personnel identify any risk factors in the operating procedures, they may report them to the unit head via this meeting. The unit head will judge the severity of the matter and report it according to the level of authority.
- The Auditing Office complies with the regulations of internal audit and internal control and implements the operations of each unit to ensure compliance with the Company's internal management regulations and procedures.
Article 5: (Disclosure of risk management information)
In addition to disclosing relevant information as required by the competent authority, the Company may also disclose risk management-related information on the Company's website.
Article 6: (Amendment of Risk Management Policy)
The Board of Directors and the CEO may review the content of this Policy and the needs of risk management and amend this Policy in a timely manner in view of changes in the internal and external environment.
Article 7: (Approval and implementation of Risk Management Policies)
This Policy shall be implemented upon the approval of the Board of Directors, and the same applies to its amendments.