Risk Management
The Company has developed its risk management system in alignment with the internationally recognized COSO Enterprise Risk Management (COSO-ERM) 2017 framework (The Committee of Sponsoring Organizations of the Treadway Commission). The system is implemented in an integrated manner across the entire organization and encompasses all types of risks and all business activities. This approach provides assurance that the Company’s risk management is sufficiently effective and efficient, enables risks to be managed within the acceptable level of risk appetite, and supports sustainable business operations. The Company has also established a risk management and oversight structure that is interconnected at all levels, including the Board level, management level, and operational level.
Board Level
- The Audit and Risk Management Committee is entrusted by the Board of Directors with reviewing the adequacy and effectiveness of the risk management framework, as well as overseeing compliance with the Company’s risk management policies, strategies, and risk appetite.
- The Executive Committee is responsible for overseeing and monitoring the status of key risks and risk management practices, as well as promoting a risk management culture throughout the organization.
Management Level
- The Risk Management Working Team, which is independently established and separate from business units, is chaired by the Chief Financial Officer. This subcommittee plays a key role in driving the Company’s risk management by reviewing the Company’s key risks, monitoring the implementation of risk mitigation measures and key risk indicators, and working collaboratively with all relevant functions in their capacity as risk owners. The Risk Management Subcommittee convenes on a quarterly basis.
- Business unit executives and heads of functions are directly responsible for assessing and managing risks within their respective areas of responsibility and for reporting the results of risk management to the Risk Management Subcommittee.
Operational Level
- Risk Champions serve as intermediaries facilitating coordination between business units and the Risk Management Office.
- All Employees Across the Organization are expected to actively participate in risk management as an integral part of their responsibilities, act in accordance with the Company’s risk management culture, and promptly report identified risks through the established reporting channels.
Central Function for Driving and Coordinating Collaboration
- The Risk Management Office is responsible for promoting and disseminating knowledge, as well as providing guidance to relevant functions on risk management, and for monitoring the progress of risk mitigation activities.
- The Internal Audit Office reviews risk assessment processes to ensure alignment with the risk management policy, monitors the implementation of risk mitigation measures by relevant functions in their capacity as risk owners, and provides recommendations to enhance the effectiveness of the risk management system.
The Company requires risk assessments to be conducted on a quarterly basis or whenever there are significant changes in the operating environment. The Risk Management Subcommittee reports the results of such assessments to the Executive Committee and to the Audit and Risk Management Committee. In addition, the assessment outcomes are communicated to the Management Committee for acknowledgement and implementation of the prescribed risk mitigation measures.
Risk Management Process
The Company has developed a Risk Management Manual to consolidate the framework, procedures, and tools used in risk management. The key components are as follows:
Assessment of the Business Environment
Risk and Opportunity Identification
Risk Assessment, Risk Prioritization, and Determination of Risk Responses and Key Risk Indicators (KRIs)
- Establishment of risk assessment criteria based on the Company’s acceptable level of risk (Risk Appetite) across the following dimensions:
  - Investment returns must exceed financial costs.
  - Business operations must be conducted fairly toward stakeholders and in compliance with laws, ethics, and the corporate culture.
  - No deficiencies in safety matters, with due consideration for environmental protection and social responsibility.
  - Production of goods in accordance with defined quality standards.
  - Preservation of corporate image and reputation.
  - Accurate and reliable disclosure of information.
- Risk assessment through data collection via risk assessment questionnaires and workshops, applying the defined assessment criteria, with results presented in a Risk Heat Map.
- Risk prioritization based on the relationship between impact and likelihood. Risks exceeding the acceptable level are classified as key risks, for which the root causes must be clearly identified.
- Determination of appropriate risk responses and key risk indicators, taking into consideration efficiency and effectiveness prior to implementation.
Reporting and Monitoring
Risk Management Culture
The Company communicates roles and responsibilities and promotes awareness to ensure that directors, executives, and employees act responsibly in considering potential risks and opportunities through the following initiatives:
Enterprise-wide Risk Culture
The Company is committed to fostering a risk management culture across the entire organization through the following approaches:
Environmental (Governance and Framework) Dimension
- Integrating risk management into the formulation of the Company’s strategies, action plans, and budgeting processes.
- Communicating the risk management policy, including the roles and responsibilities of personnel.
- Systematically embedding risk management principles into the Company’s policies, rules, and operational procedures.
Awareness and Capability Building
- Communicating risk events, together with prevention and mitigation measures and risk management principles, through various media such as posters, short videos, and knowledge-based games designed to enhance understanding and practical application.
- Enhancing risk management capabilities of directors, executives, and employees through appropriate training programs.
Operational Practices
- Assessing business risks and opportunities, defining risk response measures, establishing key risk indicators (KRIs), and regularly monitoring progress.
- Conducting risk assessments for specific activities and issues, including climate change, flooding, drought, human rights, mergers and acquisitions, large-scale investments, workplace safety, and new product development.
- Utilizing risk assessment results to continuously improve work processes.
- Reporting risk incidents through designated reporting channels.
- Promoting the inclusion of risk-related agenda items in business unit meetings and encouraging the sharing of risk management experiences among business units.
Financial Incentives
Remark: Further details on risk management can be found in the Annual Report 2025 (Form 56-1 One Report), Part 1: Business Operations and Performance, Section 2: Risk Management.