The company, recognizing its long-term sustainable responsibility to the industry and society, established a risk management organization and system in 2010. Through cost-effective methods, it integrates and manages various potential risks, including strategic, operational, financial, environmental, and hazardous risks, that could impact operations and profitability. The goal is to provide comprehensive risk management to the company’s stakeholders, shareholders, and other relevant parties.
Risk Management Mission
Construct and implement an effective risk management mechanism, continuously improving it to create a high-quality corporate structure and assist in achieving operational goals.
Risk Management Commitment
Include the entire company within the scope of risk management.
All Fortune employees are risk managers.
Implement risk management in the company's operations.
Risk Management Policy
On August 19, 2010, the company’s Board of Directors approved the Risk Management Commitment, which includes the establishment of a risk management system and the issuance of a risk management manual. The company’s risk management policy is as follows:
The goal is to maximize the interests of customers and investors while aligning with the company's operational strategy and preventing potential risks. At the same time, we aim to create profits and benefits by achieving a balance between risk and reward.
Establish and implement a risk management system to effectively identify, analyze, assess, and address the risks associated with the company’s various business activities. Additionally, monitor and review the effectiveness of its operations to ensure that risks are within the acceptable risk tolerance of relevant stakeholders, ultimately achieving the company’s mission of sustainable operations.
From top to bottom, strengthen employees' risk awareness through the company’s commitment and the establishment of risk management mechanisms; from bottom to top, cultivate employees' risk management capabilities through education and training, shaping the company’s risk management culture. This ensures that risk management is practically implemented within the company's systems and integrated into the daily work and life of every employee.
Organizational Structure
Risk Management Department
The company's risk management operations are governed by policies set by the management office, and are executed by the Risk Management Department. This department assists each division in formulating risk management objectives, promotes risk management activities across all departments, and regularly monitors the risks of each department, providing evaluation reports.
Risk Management Review Committee
To implement the risk management policy with full participation, expand the benefits of the risk management system, and reduce the risk of information asymmetry, the company has established a Risk Management Review Committee composed of experts from various departments (as shown in the diagram below). The committee holds regular risk review meetings. In parallel, a risk information collection system has been developed to enable the company to promptly monitor relevant internal and external risk information, achieving the effectiveness of risk prevention.

Risk Management Tasks
The company follows the principles and framework of the international risk management system ISO 31000, ensuring that all company products, processes, and activities comply with these requirements. The PDCA management cycle is used to assist the company in risk management, as shown in the diagram below:

Regulatory Compliance Policy
1. Purpose:
The relevant regulations that each department within the company must follow in order to promote the company's business or comply with the requirements of administrative agencies, and the related compliance procedures required for execution, are all within the applicable scope.
2. Purpose:
In order to implement the company’s consistent business philosophy of "Quality, Participation, Well-being, and Sustainability," comply with the requirements of regulatory authorities, and ensure adherence to relevant laws and regulations, the company has established a series of processes including the collection and tracking of laws, evaluation, related policies and procedures, education and training, and legal awareness promotion. These efforts aim to strengthen employees' awareness of legal compliance, protect the company's image, and reduce legal risks in business operations.
3. Actual Practices:
1. Each business department collects important and frequently applicable laws, updates them in a timely manner, and regularly conducts educational training and advocacy to ensure the implementation of regulatory operations.
2. The important laws to be collected include: laws, regulations, general principles, orders, rules, detailed regulations, procedures, guidelines, standards, or norms issued by various authorities, which have been passed through three readings by the Legislative Yuan and promulgated by the President of the Republic of China.
3. The annual performance of regulatory compliance operations will be monitored, initially through self-assessments conducted by each business department, followed by a re-examination conducted by the Risk Management and Legal Department.
Recent achievements
- Each year, the company regularly reviews its risk appetite and ensures that all business activities are within this standard. Additionally, risk maps for each business unit are provided to help the company monitor risk dynamics.
- Each year, the company regularly conducts risk identification and assessment in four key areas: strategy, operations, finance, and information. It also addresses and monitors urgent risk events as needed.
- Each year, the company regularly conducts research on the relationships between risk events, providing data on key risk units, key risk workflows, and key risk event categories, helping the company understand the risk relationship context.
- Each year, the company regularly conducts risk cause-and-effect analysis to identify key risk factors and the relationships between causes and effects, thereby understanding potential risk causes and strengthening the overall risk management.
- The company passed the 2017 ISO 9001 revision certification (with risk management incorporated as a key item), and the first external audit after the 2018 ISO 9001 revision showed no deficiencies.
- On March 8, 2023, a report was presented to the Board of Directors on the execution of the risk management work for the year 2022:
- 1. The risk management work was carried out on schedule: In 2022, a total of 105 high-level risk events were identified, including those related to operations and environmental climate. For those with significant impact or requiring immediate improvement, action plans were developed. Additionally, high-level risk events without action plans will continue to be monitored and managed. Other medium- and low-level risk events were managed by the respective departments and reported to the Risk and Legal Management Department.
- 2. Related training execution: As of the end of 2022, a total of 109 people received training in the "Risk Awareness and Control" course, with a cumulative total of 189 hours of training, including the year's new employee training.
- 3. In 2022, a total of 154 risk treatment measures were completed. After evaluation, 89% of the risk events were successfully reduced and effectively controlled.
- On March 8, 2024, a report will be presented to the Board of Directors regarding the execution of risk management work for the year 2023.
- 1. The risk management work was carried out as scheduled: A total of 129 high-level risk events, including operational and environmental risks, were identified. Among these, handling and improvement plans were proposed for those with significant impacts or that required timely intervention. Additionally, high-level risk events that have not yet received treatment plans will continue to be tracked and managed. Other medium and low-level risk events will be managed by the respective departments and reported to the Risk and Legal Management Department.
- 2. Related training execution: As of the end of 2023, a total of 182 people participated in the new employee training and the "Risk Awareness and Control" course, accumulating 302 hours of training.
- 3. In 2023, a total of 84 risk mitigation measures were completed, and it was assessed that 88% of the identified risk events were reduced and effectively controlled.