Risk Management Policies and Procedures
The ability to discover internal and external operational risks in advance, and to properly assess and process these risks, is important to effectively prevent and reduce loss exposures as well as maintain control over operational risks. In December 2019, a risk management committee was established by the ASEH board of directors, followed by the approval of the ‘Risk Management Policies and Procedures’ in 2020 as the ultimate guiding risk management principle. Awareness of risk management forms an integral part of ASEH management, and risk management has been duly incorporated into the company’s business strategies and organizational culture. ASEH conducts risk assessments on an annual basis. For major risks, the company formulates specific management plans covering goals, organizational structure and responsibilities, and risk management procedures. The implementation of the risk management plans helps to effectively identify, measure, monitor and control various risk exposures. Risks that arise from the company’s business activities can then be controlled within an acceptable range.
Scope of Risk Management
ASEH conducts a comprehensive evaluation of the probability and impact of various risks faced during the ordinary course of business, and takes appropriate measures to continuously make improvements and reduce corporate risks.
ASEH’s business operation risks can be categorized into operational risks, strategic risks, market risks, compliance risks, information security risks, environmental risks, climate risks, financial risks, and other risks associated with business operation. To ensure that all risks are kept within an acceptable range, ASEH shall aggregate and establish benchmarks for each risk category to be regularly monitored by respective business units.
The top-level management of ASEH conducts risk identification on an annual basis. The company integrates the risks identified into its ERM framework to conduct risk evaluations according to the impacts on financial, reputational and operational management. After that, a thorough review of the existing controls and countermeasures is conducted based on the degree of risk impact and frequency of occurrence. We will continue to maintain and control low-level risks. For medium- or high-level risks, we will adopt control mechanisms or countermeasures for improvement. In 2022, information technology (cybersecurity), sustainable development (renewable energy use), key talent and strategy risks (customer/market) were identified as high-level risks. Moreover, regulatory compliance, corporate governance and geopolitics risks were identified as medium-level risks. After estimating and formulating remedial mechanisms, mitigating actions shall be taken to improve the two items with lower risk tolerance, as follows:
- Through the use of the ERM tool, we have evaluated and classified information technology (cybersecurity) risks as a high priority risk. Of great concern are the frequency and complexity of cyberattacks and the sophisticated tactics used to evade detection. While we have adopted strict countermeasures to protect our trade secrets and customer information, cyberattacks could still put the company, our customers, and our supply chain at risk. As such, we have actively stepped up our cyber defenses and created a system of coordinated measures. The Information Security Team of each subsidiary has created a platform for classifying cyber incidents and risk reporting. In addition, a security health check is performed annually by a professional third-party security expert on each subsidiary’s cybersecurity posture. In 2022, we added cybersecurity insurance as an additional tool to protect the company. The cyber insurance covers ASEH and all 3 major subsidiaries, and is designed to reduce the financial burden to the company, our customers and suppliers, and allow faster recovery in the event of a cybersecurity attack.
- Sustainable development (renewable energy use) risks have also been evaluated through the use of our ERM tool and classified as a high priority risk. Globally, many countries are setting climate targets and revising regulations to achieve Net Zero. For example, Taiwan introduced the Major Electricity User clause, and many customers are requiring ASEH to increase the proportion of renewable energy in the company’s energy portfolio. However, there is a shortage of renewable energy in Taiwan and its cost is relatively higher than conventional electricity. Besides requiring a number of our subsidiaries to install solar power, we are also actively procuring renewable energy in Taiwan and acquiring renewable energy certificates from overseas regions. We are actively exploring the procurement of offshore wind power and other types of renewable energy in Taiwan to further increase the proportion of renewable energy in our energy portfolio, so as to comply with the Major Electricity User clause, meet specific customer demands, and fulfill our Net Zero commitments.
We conducted a sensitivity analysis on the Carbon Boundary Adjustment Mechanism (CBAM) to be implemented in October 2023, and the impact of the mechanism on the company's overall operations is currently under control.
ASEH adopts a rigorous risk management mechanism and reports the progress to the Board of Directors on a yearly basis. Our activities in 2022 include the following:
- On July 14, 2022, the second Risk Management Committee convened its second meeting. The committee secretariat and representatives of the company’s subsidiaries presented 2021 risk reports and 2022 work plans.
- On September 29, 2022, a report on the operation of risk management in 2022 was submitted to the Board of Directors.
- On December 15, 2022, in accordance with the "Risk Management Best Practice Principles for TWSE/GTSM Listed Companies" issued by the Taiwan Stock Exchange, the company's "Risk Management Policies and Procedures" were partially revised accordingly before being submitted to the Board of Directors for approval.
- On December 20, 2022, the second Risk Management Committee convened its third meeting to present the 2022 report on major risks including the management of geopolitics and COVID-19. The committee also discussed emerging risks for 2022 including renewable energy resources, cybersecurity, geopolitics and talent retention.
Statement of ISO 31000 Conformity
The ISO 31000 risk management system principles and guidelines are international standards for risk management. They provide comprehensive principles to help companies conduct risk analysis and risk assessment. ASEH appoints BSI to verify the company's risk management system in accordance with ISO 31000. The company's risk management complies with the international standard risk framework, and a statement of conformity is issued.