Risk Management 返回

Risk Management Policies and Procedures 

In order to strengthen corporate governance and improve risk management procedures to reasonably ensure the Company's sustainable operation and development, the Company's Board of Directors resolved to establish a "Risk Management Policy" on November 4, 2020 and to implement risk management through risk assessment and identification, recognition, proposed measures and regular review. 

Scope of Risk Management
This policy covers all potential strategic, operational, and financial risks that could affect our operations and profitability, including but not limited to the following types of risks, for example, financial risk, product risk, market change risk, customer service risk, information security risk, human resources risk and occupational safety risk.

Risk Management Organizational Structure and Responsibilities
I、Board of Directors 

The Board of Directors holds the ultimate responsibility for risk management of the Company and is responsible for approving, reviewing and supervising the Company's risk management policies in compliance with laws and regulations, ensuring the effectiveness of risk management, and promoting and implementing overall risk management. 

II、Organizational Structure of Risk Management Team

The risk management team is responsible for implementing risk control, with the President as the convener, and an interdepartmental team is established to receive regular reports from the supervisors of each unit. The supervisor in each unit is responsible for risk management, and shall identify the initial risks within the unit, evaluate and control the risk and ensure the effectiveness and implementation of the rules and procedures for risk management and control.

III、Organizational Structure of Risk Management Team

  1. The team is responsible for the overall risk management of the Company, formulating risk management policies, structures, organizations and mechanisms and reviewing and revising these policies in response to changes in domestic and international laws and regulations.
  2. The risk management team will report to the Board of Directors on the implementation of the risk management policy annually and make recommendations for improvement as necessary.
  3. The priority of risk control management is set according to the resolution of the board of directors based on changes in internal and external environment.
  4. Other matters as instructed by the Board of Directors.
  5. Review the risk control management reports from each unit and track the implementation status and improvement progress.
  6. Regularly track the status of each unit's risk management implementation.

Implementation Status:
On January 15, 2025, the board of directors reported on the 2024 Report of Risk Management Implementation. 

Information Security Policy

The “Information Security Policy” is formulated to demonstrate the Company’s emphasis on the importance of information security, such as establishing an information security management mechanism to ensure the security of information equipment and network and protect the confidentiality, availability and integrity of computerized planning and data processing of the Company's operations. This ensures that in the event of information security risks or emergencies, the Company has the principles and capability to respond and handle issues to resume normal operations rapidly.


Management Structure
The Management Department is responsible for formulating the Company's Information Security Policy, planning information security measures and executing related information security operations and is staffed with one information security officer and several IT engineers.
The Company's Audit Office is responsible for conducting annual information security checks in accordance with internal control procedures and computerized information circulation practices. The Audit Office performs regular information security checks every year and if any deficiencies or information security incidents are identified, the Audit Office shall immediately request the inspected unit to propose relevant improvement plans and submit them to the Board of Directors. The Audit Office shall also conduct regular tracking on the effectiveness of improvements so that the information security inspection system is continuously and thoroughly implemented and convene information security meetings from time to time to reduce information security risks.


Control Mechanism

  • System regulation: The "Computerized Information System Management System" is established to regulate the IT operations environment and the information security behavior of the Company’s personnel and to prepare and revise the information security protection mechanism and make plans in accordance with the information security regulations and changes in the operating environment.
  • Software and hardware maintenance: promote various application systems, assist in the automation of computer-related operations, encourage departments to make full and effective use of computer software and hardware and establish various information security measures to enhance the security of the overall information environment.
  • Employee training: the Company provides external training to enhance the professional skills for IT personnel and promotes information security-related awareness precautions within the Company to enhance all employees' awareness of information security risks and response capabilities.
  • External resources: join the TWCERT/CC Information Security Alliance (Taiwan Computer Emergency Response Team / Coordination Center) to share information related to information security with fellow members.

Management Procedures
The specific measures to implement the information security are as follows:

Item  Measures 
Security Management for Computer Systems
  • Firewalls are installed to block external network attacks.
  • All computer systems are installed with anti-virus software, regularly updated virus database and scheduled scanning are also intended to reduce the chances of virus infections.
  • Servers are synchronized with hourly backups and stored off-site regularly.
Network Security Management
  • Configured with online behavior management and filtering devices to control access to the Internet and block access to network addresses and content that are harmful or not allowed by Company policy, strengthening network security and preventing inappropriate use of bandwidth resources.
  • Multi-layer anti-virus and spam filtering system to control and ensure email security.
  • Two-factor authentication for client connections, providing secure login authentication mechanisms.
Physical and Safety Environment Management
  • The Company’s servers and network equipment are installed in a dedicated server room and the access to the server room is by access card only and access records are kept.
  • Fire protection and security integration for data rooms to reduce disaster damage.
  • Conduct regular disaster recovery drills in the third quarter of each year and submit the relevant reports.
Information/System Access Control
  • Data storage is strictly controlled according to account authorization level.
  • Create remote connection and authentication for laptops and mobile devices.
Personal Data Management
  • Add confidentiality clauses to supplier contracts, so the supplier must be responsible for keeping personal data and confidential information secure.
  • The physical contracts will be destroyed by the Management Department after the statutory retention period.