Risk Management

Risk Management Policies and Procedures

The ability to discover internal and external operational risks in advance, and to properly assess and process these risks, is important to effectively prevent and reduceloss exposures as well as maintain control over operational risks. In December 2019, a risk management committee was established by the ASEH board of directors,followed by the approval of the ‘Risk Management Policies and Procedures’ in 2020 as the ultimate guiding risk management principle. Awareness in risk managementforms an integral part of ASEH management, and risk management has been duly incorporated into the company’s business strategies and organizational culture. ASEHconducts risk assessments on an annual basis. For major risks, the company formulates specific management plans covering goals, organizational structure andresponsibilities, and risk management procedures. The implementation of the risk management plans help to effectively identify, measure, monitor and control variousrisk exposures. Risks that arise from the company’s business activities can then be controlled within an acceptable range.

Scope of Risk Management

ASEH conducts a comprehensive evaluation on the probability and impact of various risks faced during the ordinary course of business, and takes appropriate measures to continuously make improvements and reduce corporate risks.

ASEH’s business operation risks can be categorized into operational risks, strategic risks, market risks, compliance risks, information security risks, environmental risks,climate risks, financial risks, and other risks associated with business operation. To ensure that all risks are kept within an acceptable range, ASEH shall aggregate andestablish benchmarks for each risk category to be regularly monitored by respective business units.

Risk Tolerance

The top level management of ASEH conducts risk identification on an annual basis. The company integrates the risks identified into its ERM framework to conduct riskevaluations according to the impacts on financial, reputational and operational management. After which, a thorough review on the existing controls andcountermeasures are conducted based on the degree of risk impact and frequency of occurrence. We will continue to maintain and control low level risks. For medium orhigh level risks, we will adopt control mechanisms or countermeasures for improvement. In 2022, information technology (cybersecurity), sustainable development(renewable energy use), key talent and strategy risks (customer/market) were identified as high level risks. Moreover, regulatory compliance, corporate governance andgeopolitics risks were identified as medium level risks. After estimating and formulating remedial mechanisms, the mitigating actions shall be taken for two items withlower risk tolerance for improvement as follows:

• Through the use of the ERM tool, we have evaluated and classified information technology (cybersecurity) risks as a high priority risk. Of great concern, are the frequency and complexity of cyberattacks and the sophisticated tactics used to evade detection. While we have adopted strict countermeasures to protect our trade secrets and customer information, cyberattacks could still put the company, our customers, and our supply chain at risk. As such we have actively stepped up our cyber defenses and created a system of coordinated measures. The Information Security Teams of each subsidiary has created a platform for classifying cyber incidents and risk reporting. In addition, a security health check is performed annually by a professional third party security expert on each subsidiary’s cybersecurity posture. In 2022, we added cybersecurity insurance as an additional tool to protect the company. The cyber insurance covers ASEH and all 3 major subsidiaries, and is designed to reduce the financial burden to the company, our customers and suppliers, and allow faster recovery in the event of a cybersecurity attack.
  

• Sustainable development (renewable energy use) risks has also been evaluated through the use of our ERM tool and classified as a high priority risk . Globally, many countries are setting climate targets and revising regulations to achieve Net Zero. For example, Taiwan introduced the Major Electricity User clause, and many customers are requiring ASEH to increase the proportion of renewable energy in the company’s energy portfolio. However, there is a shortage of renewable energy in Taiwan and its cost is relatively higher than conventional electricity. Besides requiring a number of our subsidiaries to install solar power, we are also actively procuring renewable energy in Taiwan and acquiring renewable energy certificates from overseas regions. We are actively exploring the procurement of offshore wind power and other types of renewable energy in Taiwan to further increase the proportion of renewable energy in our energy portfolio, so as to comply with the Major Electricity User clause, meet specific customer demands, and fulfill our Net Zero commitments.
  

We conducted a sensitivity analysis on the Carbon Boundary Adjustment Mechanism(CBAM) to be implemented in October 2023, and the impact of the mechanism onthe company's overall operations is currently under control.

Implementation

ASEH adopts a rigorous risk management mechanism, the Risk Management Committee convenes regular meetings at least twice a year and reports the progress to theBoard of Directors on a yearly basis. Our activities in 2023 include the following:

• On May 29, 2023, the amendment of Company's " Risk Management Committee Charter " were resolved by the Board of Directors.
  

• On July 11, 2023, the Company’s risk management system passed BSI verification according to ISO 31000 and received the Risk Management Framework Compliance statement of conformity.
  

• On July 13, 2023, the second Risk Management Committee convened its fourth meeting. The committee secretariat and representatives of the Company’s subsidiaries presented 2022 risk management reports and 2023 work plans.
  

• On August 10, 2023, submitted a report on the operation of risk management in 2023 to the Board of Directors.
  

• On December 19, 2023, the second Risk Management Committee convened its fifth meeting to present the 2023 report on major risks management of the Company and its major subsidiaries.
  

Statement of ISO31000 Conformity

ISO 31000 risk management system principles and guidelines are international standards for risk management. It provides a comprehensive principle to help companies conduct risk analysis and risk assessment. ASEH appoints BSI to verify the company's risk management system in accordance with ISO 31000. The risk management complies with the international standard risk framework, and a statement of conformity is issued.