Risk Management


Contact Us

If you have any questions, comments or suggestions regarding ESG, please contact us.
Email: ESG@wistron.com



To advance corporate sustainability, Wistron adheres to established organizational and internal control systems for managing operational risks across all levels. We are committed to evaluating the potential impact of these risks on the company's operations through board-level participation and systematic management practices aligned with ISO 31000 principles. This approach ensures robust corporate governance, attainment of sustainable business goals, and protection of stakeholder rights. In 2022, Wistron formulated systematic "Risk Management Policy and Procedures" in accordance with guidelines such as the "Regulations Governing the Establishment of Internal Control Systems by Public Companies" issued by the Financial Supervisory Commission and the "Best Practice Principles on Risk Management for TWSE/TPEx Listed Companies" provided by the Stock Exchange. Leveraging a three-line defense risk management framework, we proactively and effectively assess risks across four key dimensions: corporate governance, environmental protection (including climate and natural resources), social inclusion, and innovation value. This comprehensive approach enables us to address potential threats to the company's sustainable development effectively.



Risk Management and Business Continuity Policy


Wistron adheres to a philosophy of sustainable operations. Through the establishment, implementation, and maintenance of proactive risk management mechanisms, the company continuously monitors internal and external issues and environmental changes. It conducts operational impact analyses and develops effective and flexible responses to address challenges. Regular self-assessment and ongoing improvements enhance the company's resilience, fulfilling its commitment to uninterrupted operations and safeguarding the best interests of customers and stakeholders. Additionally, Wistron effectively manages operational risks and fosters a risk-aware culture through continuous optimization of education and training, performance management, risk assessment, early warning notifications, and public disclosures.

 








Risk Management Framework

 
  1. Board of Directors: Holds the highest responsibility for the Company’s risk management, approving risk management policies and related regulations, overseeing the overall implementation of risk management, and ensuring effective risk control.
  2. Audit Committee: This committee assists the Board in its risk management responsibilities. A risk management team is established under the committee, with the Chief Financial Officer serving as the convener. The team conducts comprehensive assessments of the Company's operational and emerging risks and reports the status of risk management operations to the Audit Committee and the Board semi-annually.
  3. Risk Management Team: Consisting of top executives from each department, the Risk Management Team ensures the effective implementation of the risk management system within the company. They designate risk management executives responsible for executing risk management procedures and collaborate with relevant personnel from operational units to ensure compliance.
  4. Risk Management Office: Assigned by the convener of the Risk Management Team, the Risk Management Office handles tasks delegated by the convener and supports the Risk Management Team in establishing, promoting, maintaining, and reviewing the risk management mechanism.
  5. Audit Office: As an independent unit under the Board of Directors, the Audit Office formulates an annual audit plan in accordance with the risk management policies, procedures, and systems. It conducts independent audits to assess the effectiveness of risk management activities and provides improvement recommendations. The Audit Office regularly reports audit findings to the Board of Directors to ensure the proper management of critical operational risks and effective operation of internal control systems.



Risk Management Procedures


The Company's risk management procedures include risk identification, analysis, evaluation, response and monitoring, as well as reporting and disclosure. Each year, the risk management team engages various working groups responsible for different risk dimensions: corporate governance, environmental protection (including climate and natural resources), social inclusivity, and innovative value. Together, they assess and discuss potential and emerging risks, considering factors such as frequency, impact, and control level. Regular reports on these assessments are presented to the Audit Committee and the Board of Directors.



Risk Identification and Operations

 

The Company's risk management team includes members from various units such as client relations, product design and development, global manufacturing, corporate governance and sustainability management, supply chain management, finance, global human resources and administration, technology, public relations, M.I.S, legal, Wistron Digital Technology Holding Company, and Wistron Medical Tech Holding Company. They collect data on risk events, sources, and consequences across four key dimensions: corporate governance, environmental protection (including climate and natural resources), social inclusivity, and innovative value. This information is used to establish the Wistron risk database, which is then discussed and revised by the risk management team. In 2023, the Risk Management Team identified a total of 16 major medium to high-risk items. The responsible risk units have formulated corresponding risk response action plans and implemented risk mitigation plans for the major medium and high risks. Furthermore, the risk management executives cooperate with the operating units to assist in the production of key risk indicators (KRI), and report them to the risk management team monthly, maintaining relevant records.

Senior executives regularly hold risk calibration meetings with the risk management team to review the results of risk management implementation. After completing the risk assessment and calibration process, the top four risks for the Company in 2023 were identified as geopolitical risk, financial market risk, macroeconomic risk, and cybersecurity risk. The responsible units propose corresponding risk response action plans, which are reviewed and confirmed by unit supervisors before being included in the periodic definitions and reviews by the Audit Committee and the Board of Directors.



Risk Management Operating Status


The Company actively promotes and implements risk management mechanisms. The operating status is reported to the Board of Directors once every half year. The main points of the operating status for the period from 2023 to the first half of 2024 are as follows:
 

  1. Utilizing Task Force on Climate-related Financial Disclosures (TCFD) recommendations, the company identifies climate risks and opportunities within the framework of "governance," "strategy," "risk management," and "metrics and targets." This includes discussions and the establishment of measurement indicators and target management.
  2. Holding risk management meetings to conduct sensitivity analysis and stress testing on financial risks, renewable energy risks, information security risks, geopolitical risks, and compliance risks (privacy infringement) for both Wistron and major subsidiaries. These analyses aim to enhance risk awareness and further quantify the company's capacity to withstand these risks.
  3. Conducting comprehensive enterprise and operational level risk identification that involves evaluating various risks including operational, market, compliance, information security, environmental, climate, natural resource, and other operation-related risks. Through both "bottom-up" and "top-down" analyses and discussions, potential risk events that may hinder the company's objectives, cause losses, or have negative impacts are identified. Risk response measures or risk mitigation plans are then selected based on company strategy goals, internal and external stakeholder perspectives, risk appetite, and available resources. Risk management executives, along with relevant personnel from each operational unit, continuously monitor these risks, report to the Risk Management Team in a timely manner, and maintain relevant records.
  4. The Risk Management Team is responsible for executing risk management activities and delivering a comprehensive risk management report to the Audit Committee. This report includes assessments of risks across various aspects and outlines controls and oversight procedures for areas with heightened risk levels. Subsequently, the Audit Committee reports on the results of risk management execution to the Board of Directors.
  5. Implementation of a key risk indicators dashboard allows for the quantification of potential significant risk events that could adversely affect the company. Thresholds for warning and danger levels are established, and risk values are continuously monitored by risk management executives and relevant personnel from each operational unit. The monitoring results are visually presented for simple understanding.
  6. The CEO oversees the biannual self-assessment of internal controls conducted by internal units and subsidiaries. The internal audit unit reviews the self-assessment reports of each unit and subsidiary, along with any identified internal control deficiencies or abnormal issues, and issues an annual internal control system statement.



2023 Corporate Risk Map



Emerging Risk Management


Since 2020, Wistron has annually consulted emerging risk reports published by external organizations, such as the World Economic Forum's Global Risks Report. The identification of emerging risks follows four main processes: confirming the industry's environmental context, risk assessment (including risk identification, analysis, and assessment), risk response, and monitoring and review. These processes involve gathering opinions from management, identifying emerging risks, and devising risk mitigation measures. The results are then reported to the Audit Committee and the Board of Directors for proactive planning and response. Based on the emerging risk identification results from the Risk Management Subcommittee at the end of 2023 and the beginning of 2024, the primary emerging risk areas include generative AI risks, policy risks, economic recession risks, and risks related to new technologies.