In order to implement sustainable development, Wistron not only follows the existing organizational management system and internal control system to manage risks at all operational levels and to oversee and control the risks that should be considered at the strategic level, but also promises to assess the potential impact of each risk on the Company's operations through the participation of the Board of Directors and the implementation of systematic management in accordance with the spirit of ISO 31000. As a result, corporate governance is implemented, the goal of sustainable management is achieved, and the rights of stakeholders are protected. The Company established the systematic "Risk Management Policy and Procedures" in accordance with the relevant provisions of "Regulations Governing Establishment of Internal Control Systems by Public Companies" promulgated by the Financial Supervisory Commission and the "Best Practice Principles on Risk Management for TWSE/TPEx Listed Companies" of the Stock Exchange in 2022. To better tackle relevant risks, we adopted proactive and effective methods for assessing company governance, social inclusion, environmental protection (including climate and natural resources), and innovation value risks across the world and their potential threat to the Company's sustainable development.
Risk Management and Business Continuity Policy
The Company adheres to the principle of sustainability. By establishing, implementing, and maintaining an active risk management mechanism, Wistron continues to keep abreast of internal and external issues and environmental changes, conduct impact analysis and risk assessment, and improve its capability to effectively and flexibly respond to relevant challenges. Through performing regular self-inspection, the Company continuously improves its resilience in order to fulfill the commitment to ensure business continuity and protect the best interests of customers and interested parties. In order to effectively control the risks related to operations, the Company should establish a risk management culture within the organization through the optimization of mechanisms such as education and training, performance management, early warning notification, and public disclosure.
Risk Management Framework
- The Board of Directors possesses the highest responsibility for the Company’s risk management, approves risk management policies and related regulations, oversees the overall implementation of risk management, and ensures effective risk control.
- Audit Committee: The Committee is responsible for assisting the Board in its risk management responsibilities. A risk management team is established under the Committee, with the Chief Financial Officer as the convenor. The risk management team conducts a comprehensive assessment of the Company's operational and emerging risks and reports the risk management operation status to the Audit Committee and the Board semi-annually.
- Risk Management Team: Members come from the top manager of each unit to ensure that the business units implement the risk management system. One staff member in each unit is assigned as a risk management executive to implement the risk management procedures with relevant staff from each business unit.
- Risk Management Office: Members are assigned by the convenor of the Risk Management Team. The Office handles tasks assigned by the convenor of the Risk Management Team and assists the Risk Management Team in establishing, promoting, maintaining, and reviewing the risk management mechanism.
- Audit Office: The Audit Office is an independent unit under the Board of Directors. It prepares an annual audit plan following this PP and the various risk management systems, conducts independent audits and provides recommendations on the effectiveness of risk management activities, and reports audit results to the Board of Directors regularly to help ensure that critical operational risks are appropriately managed, and the internal control systems are operating effectively.
Risk Management Procedures
The Company's risk management procedures include risk identification, risk analysis, risk assessment, risk response and monitoring, risk reports and disclosure. The ESG Committee convenes regular meetings each year and requests the Committee Members and Work Group responsible for each aspect to evaluate and discuss the Company's potential risks and emerging risks based on the frequency, level of impact, and level of control on the 4 areas of company governance, environmental protection (including climate and natural resources), social inclusion, and innovation value. Regular reports are made to the Board of Directors. (Starting from May 2023, the reporting responsibility has been shifted from the ESG Committee to the Audit Committee and the Board of Directors.)
Risk Identification and Operations
The members of the Company's risk working group cover customer relationship management, product design and development management, manufacturing management, corporate governance and sustainable management, supply chain management, financial management, human resources and administration, technology, public relations, information management, Wistron Digital Technology Holding Company, Wistron Medical Tech Holding Company, and legal affairs, among others. These units collect the events, sources, and consequences of risks in four dimensions (company governance, environmental protection (including climate and natural resources), social inclusion, and innovation value) to construct the Wistron risk database. After discussion and amendment, the risk management team identified a total of 23 major medium- and high-risk projects. The units with authority and responsibility for each risk draw up corresponding risk response action plans and implement risk mitigation plans for the major medium and high risks. Furthermore, the risk management executives cooperate with the operating units to assist in the production of key risk indicators (KRI), which are reported to the risk management team every month with relevant records.
The senior management and the risk management team jointly held a regular risk calibration meeting to review the results of risk management implementation. After the risk assessment and calibration work was completed, the Company's Top 3 risks for 2022 were selected: geopolitics, disaster/disaster loss, and information security risk. Moreover, the corresponding risk response action plans are proposed by the risk authority. After review and confirmation by the supervisor of the unit, they are included in the regular definition and inspection of the ESG Committee. (Starting from May 2023, the reporting responsibility has been shifted from the ESG Committee to the Audit Committee and the Board of Directors.)
Risk Management Operating Status
The Company actively promotes and implements risk management mechanisms. The operating status is reported to the Board of Directors once every half year. The main operating status for the period from 2022 to the first half of 2023 is as follows:
- It uses the "governance", "strategy", "risk management", and "indicators and goals" frameworks of the Task Force on Climate-related Financial Disclosures (TCFD) to identify climate risks and opportunities and uses them to create measurement indicators and targets for management.
- It convenes risk management meetings to conduct sensitivity analysis and stress testing on financial risks, climate change risks, water resource risks, information security risks, geopolitical risks, new technology risks, and intellectual property rights risks of the Company and important subsidiaries. We aim to strengthen risk awareness within the Company and our subsidiaries and further quantify the tolerability of the risks mentioned above.
- When conducting comprehensive enterprise and operation-level risk identification, the aspects of risk include but are not limited to operational risks, market risks, legal compliance risks, information security risks, environmental risks, climate change and natural resources risks, and other operational-related risks. Through "bottom-up" and "top-down" analysis and discussion, the potential risk events that may cause the Company's goals to fail to be achieved, or cause losses or negative impacts, are fully identified. In addition, risk response strategies or risk mitigation plans are selected based on the strategic objectives, views of internal and external stakeholders, risk appetite, and available resources of the Company. Then, the risk management executives continue to monitor together with the relevant personnel of each operating unit. They also report to the risk management team in a timely manner and make relevant records.
- The President supervises internal units and subsidiaries, which are required to perform two internal control self-assessments each year. The Audit Office reviews the self-assessment reports of all units and subsidiaries and uses the internal control discrepancies and irregularities found as the basis for the annual Internal Control System Statements.
- The risk management team reports the implementation of risk management to the ESG Committee and also submits risk management reports whose content includes the assessment results of each aspect of risk, and the team also explains the control and supervision procedures aimed at the higher risk aspects. Furthermore, the ESG Committee reports the results of risk management implementation to the Board of Directors. (Starting from May 2023, the reporting responsibility has been shifted from the ESG Committee to the Audit Committee and the Board of Directors.)
- We revised the Company's risk management policies and procedures, and established the Risk Management Office under the Risk Management Team.
- In May 2023, a risk management meeting was held to conduct sensitivity analysis and stress testing on financial risks, renewable energy risks, information security risks, geopolitical risks, and compliance risks (privacy infringement) for our company and important subsidiaries. The purpose was to enhance risk awareness for our company and its subsidiaries and further quantify the level of risk tolerance through analysis.
2022 Corporate Risk Map
Emerging Risk Management
Starting in 2020, Wistron has referred to the emerging risk reports released by external institutions every year (such as the Global Risk Report by the World Economic Forum) in order to identify emerging risks through the 4 main processes of "confirm the environment and background of the industry, evaluate the risks (risk identification, risk analysis, and risk assessment), risk handling, and monitoring and review". We compiled the comments of the managers to identify emerging risks and formulate risk reduction measures. The results are reported to the ESG Committee for early deployment and response. (Starting from May 2023, the reporting responsibility has been shifted from the ESG Committee to the Audit Committee and the Board of Directors.) According to the identification results of emerging risks at the end of 2022 and early 2023, the main emerging risk items are transition risks: difficulty in obtaining regional renewable energy, geopolitical risk, and cost of living risk.