Chapter 4 Risk Management Procedures
Article 17 (Risk management procedures)
The risk management policy shall include risk management procedures consisting of at least five main elements: risk identification, risk analysis, risk evaluation, risk response, and a mechanism for oversight and examination. Said procedures shall also state expressly the concrete procedures and methods by which each of these elements is carried out.

Article 18 (Analysis and identification of sources and types of company risks)
In general, the sources and types of risk are categorized as follows: strategic risk, operational risk, financial risk, information risk, compliance risk, integrity risk, and other emerging risks such as climate change or epidemics.
It is advisable for the risk management promotion and enforcement unit to devise and carry out a comprehensive, focused risk analysis based on the scale, industry, business features, and operating activities of the company, taking corporate sustainability (including climate change) into account, in order to analyze and identify the sources and types of risk applicable to the company, define the company's risk types, identify in detail the relevant risk scenarios under each type of risk, and review their continued applicability on a regular basis.

Article 19 (Risk identification)
Each operating unit shall perform risk identification with respect to the short-, mid-, and long-term objectives and business functions of the unit to which it belongs, in accordance with the strategic objectives of the company and the risk management policy and procedures approved by the board of directors.
When performing risk identification, it is advisable to employ practicable analytical tools and methods, such as process analysis, scenario analysis, questionnaire surveys, and PESTLE analysis; to draw on previous experience and information while taking into account internal and external risk factors and the primary concerns of stakeholders; to conduct analyses and discussions using both a "bottom-up" and a "top-down" approach; and to integrate strategic and operational risks, so as to identify all potential risk events that may prevent the accomplishment of company objectives, cause losses to the company, or have a negative impact on the company.

Article 20 (Risk analysis)
Risk analysis primarily serves to ascertain the nature and features of an identified risk event and to analyze the probability of occurrence and degree of impact of that event in order to calculate its risk value.
Each operating unit shall analyze the probability of occurrence and degree of impact of each identified risk event, taking into account the comprehensiveness of the relevant control measures currently in place, previous experience, and cases in the industry, in order to calculate the risk value.

Article 21 (Metrics of risk analysis)
It is advisable for the risk management promotion and enforcement unit to develop appropriate quantitative or qualitative metrics, based on the company's risk features, as the basis for risk analysis.
Qualitative metrics express the probability of occurrence and degree of impact of a risk event through textual description; quantitative metrics express these aspects through specific measurable numbers, such as days, percentages, amounts, or numbers of people.

Article 22 (Risk appetite)
It is advisable for the risk management promotion and enforcement unit to set a risk appetite (risk tolerance) and submit it to the risk management committee for approval, in order to determine the level of risk acceptable to the company. It is also advisable that said unit, based on the risk appetite, define how each risk value maps to a risk level and how each level of risk is to be responded to, as the basis for subsequent risk evaluation and risk response.

Article 23 (Risk evaluation)
The purposes of risk evaluation are to provide the enterprise with a basis for decision making, by determining, through comparison of the results of risk analysis against the risk appetite, which risk events shall be addressed on a priority basis, and to serve as a reference for the subsequent formulation of response options.
Each operating unit shall devise and enforce risk response proposals according to the level of risk, based on the results of risk analysis compared against the risk appetite approved by the risk management committee.
The results of risk analysis and risk evaluation shall be documented accurately and reported to the risk management committee for approval.

Article 24 (Risk response)
Risk response plans shall be devised, their full understanding and enforcement by the relevant personnel shall be ensured, and their enforcement shall be overseen on an ongoing basis.
In selecting the risk response(s) to adopt, the enterprise shall take into account its strategic objectives, the perspectives of its internal and external stakeholders, its risk appetite, and the resources available, so that the risk response proposal strikes a balance between accomplishing the objective and cost-effectiveness.

Article 25 (Risk oversight and examination)
A risk oversight and examination mechanism shall be expressly defined in the risk management procedures, to ascertain whether the risk management processes and the relevant risk measures continue to operate effectively, and the results of examination shall be incorporated into performance reviews and reports.
Risk management shall be aligned with the critical processes of the organization, so that the benefits of implementing risk management can be overseen and enhanced effectively.
