Article 1 Purpose

To fully establish the Company’s corporate governance plan and implement risk management measures in our business operations, we have formulated management policies and procedures designed to tackle any unforeseeable factors that could potentially threaten our business operations.

Article 2 Risk management objective

The objective of the Company’s enterprise risk management is to manage various risks that may affect the achievement of the Company’s objectives through a comprehensive risk management framework, and by integrating risk management into operational activities and daily management processes, the Company will achieve the following objectives:

1. Achieving company goals.
2. Enhancing management efficiency.
3. Providing dependable information.
4. Allocating resources efficiently.

Article 3 Risk Management Policy and Culture

The Company’s risk management policy is to create a business strategy and organizational culture that emphasizes risk management, to establish a comprehensive risk management system, and to involve the Board of Directors of the Company and its subsidiaries, as well as managers and employees at each level, in its joint promotion and implementation. This management process is upheld throughout the Company at all levels. In accordance with the Company’s overall business policy, we define various risks and establish a risk management mechanism for early identification, accurate assessment, effective monitoring, and strict control of potential risks. This is to manage the risks that may arise during operational activities within a controllable range, prevent potential losses, and serve as a reference for the establishment of business strategies with the aim of reasonably ensuring the achievement of the Company’s strategic goals.

Article 4 Risk management organization structure and responsibility

1. Board of Directors:
   As the top supervisory unit for the Company’s risk management, it ensures that the Company complies with the law, approves the Company’s risk management policies and procedures based on the overall business strategies and business environment, and establishes the risk related organization structure to ensure the risk management mechanism is effectively implemented.
2. Sustainable Development Committee:
   The Company has established the Sustainable Development Committee under the Board of Directors as the highest advisory body for the Company’s risk management The Executive Office under the Sustainable Development Committee has the responsibility of managing risks. It is responsible for analyzing and monitoring the relevant risks of each business unit to ensure the successful implementation of risk control mechanisms and procedures.
3. Executive Office:
   The Corporate Social Responsibility and Corporate Governance Committee is accountable for executing, promoting, and coordinating the risk management activities of the Company. This involves organizing risk management meetings, supporting the Sustainable Development Committee in developing risk management policies and procedures, sharing risk information with different business units, and compiling and incorporating risk management reports from designated business units, as directed by the Sustainable Development Committee.
4. All Business Units:
   Each business unit serves as a participant in the Risk Management Meeting and bears the responsibility of executing its own risk prevention plan, including risk identification, risk analysis, risk assessment, risk response and control, as well as self-monitoring. Each business unit shall report the status of the implementation of risk management for each type of risk to the Sustainability Committee on a regular basis or as requested by the Sustainability Committee and consolidated by the Executive Office.
5. Auditing Office:
   Regularly reviews the implementation of internal controls and audit plans in each business unit in accordance with the risks monitored by the subcommittee of the Corporate Governance and Sustainable Development Committee, and submits follow-up improvement reports based on the audit results.

Article 5 Risk management process

To optimize risk management functionality, the Company’s risk management process includes five key elements: risk identification, risk analysis, risk assessment, risk response, and supervision and review mechanisms. This allows the scope of each risk to be clearly understood and appropriate measures to be taken to ensure the proper management of relevant risks, so that limited resources can be efficiently allocated to relevant risk management activities.

1. Risk identification:
   (1) The Company should identify internal and external risk factors and use appropriate and feasible methods to consolidate past experiences and predict potential future risks. This will allow for classification and further evaluation, monitoring and management of risks.
   (2) The c=Company has identified various risk categories, including but not limited to governance risk, operational risk, strategic risk, financial risk, hazard event risk, legal compliance risk, information security risk, and climate risk. Each business unit conducts risk management in line with its functions and responsibilities, while consistently monitoring global and domestic risk management developments to recognize emerging risks.
2. Risk analysis:

   After identifying potential risk factors for each business unit, the Company analyzes the likelihood and negative impact of their occurrences to comprehensively understand their impact on the organization and create the basis for risk management.

3. Risk assessment:

   The Company prioritizes risk events based on comparing the results of risk analysis with risk tolerance. We then use the results as a reference for subsequent response actions.

   Each business unit should compare the results of the risk analysis with the risk appetite approved by the Sustainable Development Committee, and plan and implement subsequent risk response measures according to the level of risk.

   The results of relevant risk analysis and assessment should be accurately recorded and submitted to the Sustainable Development Committee for approval.

4. Risk response:
   The Company shall establish appropriate risk response plans, ensure that they are fully understood and implemented by relevant personnel, and monitor the implementation of such plans on an ongoing basis.

   The Company should consider its strategic goals, the viewpoints of internal and external stakeholders, risk appetite, and available resources to select a risk response approach that balances achievement of objectives and cost-effectiveness.

   Each business unit shall submit risk management statements in a timely and proactive manner to the Executive Office of the Sustainable Development Committee on a regular basis for compilation and reporting to the Sustainable Development Committee. The implementation of risk management operations is reported to the Board of Directors at least once a year by the Convener of the Sustainability Committee or his/her designee.

5. Risk supervision and review:

   The risk review and supervision mechanism should be well-defined within the risk management process to review risk management procedures and assess the effectiveness of related risk measures. Additionally, it should incorporate relevant results into performance measurement and reporting.

   Risk management should be integrated into crucial processes within the organization to ensure effective supervision and to increase the benefits of the implementation of risk management.

(1) Each risk factor is displayed in Annexed Table I. Any further risk factors can be added to the “Other” category of the risk consideration level without the approval of the Board of Directors. Each business unit should monitor its risk exposure and promptly report the risks and strategies to the Executive Office of the Sustainable Development Committee. This will aid in the implementation of risk management measures (risk acceptance/risk avoidance/risk reduction/risk transfer). Additionally, it will enable tracking and evaluating the execution status after the implementation of risk management measures.

Article 6 Risk information disclosure

In addition to disclosing relevant information in accordance with regulatory requirements, the Company should also disclose risk management information on its annual report or website.

Article 7 Amendment to risk management policies

The Executive Office of the Sustainable Development Committee should review this risk management policy annually and keep up-to-date with the progress of international and domestic risk management systems. By reviewing and enhancing this policy, we can boost the efficiency of risk management implementation for the Company and its subsidiaries.

Article 8 The risk management policy and procedures undergo review and approval by the Sustainable Development Committee before being ratified by the Board of Directors. This process also applies to any revisions made.

Article 9 The operation procedure was established on August 3, 2023.