Title:Risk Management Best-Practice Principles for Taiwan Stock Exchange and Taipei Exchange listed Companies(2022.08.08)
Categories:
Corporate Governance


Chapter 1 General Provisions

Article 1
    (Purpose of enactment)
    These principles are enacted jointly by the Taiwan Stock Exchange Corporation and the Taipei Exchange to assist Taiwan Stock Exchange (TWSE) and Taipei Exchange (TPEx) listed companies in establishing a sound risk management system and to ensure their sound business operations toward sustainability.
    It is advisable for TWSE and TPEx listed companies to refer to the relevant provisions of these principles in establishing their own risk management policy and procedures in order to strengthen their risk management systems.
Article 2
    (Objective of enterprise risk management)
    The objectives of enterprise risk management are to manage, through a sound risk management structure, the various types of risks which may affect an enterprise's accomplishment of its objectives, and to incorporate risk management in operating activities and the day-to-day management routine for the following purposes:
  1. realization of enterprise objectives;
  2. enhancement of management efficiency;
  3. provision of reliable information;
  4. effective allocation of resources.
Article 3
    (Enterprise risk management principles)
    It is advisable for a TWSE or TPEx listed company to follow the principles below in its establishment of a risk management system:
  1. Integration: to include risk management as a part of all activities.
  2. Structure and comprehensiveness: to promote risk management in a structured and comprehensive manner to obtain consistent and comparable results.
  3. Customization: to devise an appropriate risk management framework and process based on the environment, scale, business features, nature of risk, and operating activities of the enterprise.
  4. Accommodation: taking into account the needs and expectations of stakeholders, to enhance and fulfill their understanding of and expectations for enterprise risk management.
  5. Development: to project, monitor, familiarize itself with, and respond to changes in the internal and external environment of the enterprise appropriately and promptly.
  6. Effective information use: to rely on historical and current information as well as future trends in its risk management development and provide such information to stakeholders promptly and clearly for reference.
  7. Personnel and culture: to increase the level of importance attached by the governance and management units to risk management, increase the overall risk awareness of the enterprise through a sound risk management training mechanism across the board, and treat risk management as part of corporate governance and day-to-day operations.
  8. Constant improvement: improve risk management and related operating procedures constantly through learning and experience.
Article 4
    (Establishment of risk management policy and procedures)
    A TWSE or TPEx listed company shall, taking into consideration the overall scale, business features, risk nature, and operating activities of the company and its subsidiaries, establish applicable risk management policy and procedures covering the following at the minimum:
  1. objectives of risk management;
  2. risk governance and culture;
  3. organization structure and duties of risk management;
  4. risk management procedures;
  5. risk reporting and disclosure.
    The above risk management policy and procedures shall be reviewed at any time in response to changes in the internal and external environments of the company to ensure the design and implementation of the system remain effective.
Article 5
    (Review and enforcement of risk management policy and procedures)
    The risk management policy and procedures established by a company are subject to review by the risk governance unit appointed by the company and approval from the board of directors before implementation.
    The policy and procedures shall be disclosed on the company website or Market Observation Post System.

Chapter 2 Risk Governance and Culture

Article 6
    (Development of a sound risk governance and management structure)
    It is advisable for a TWSE or TPEx listed company to, taking into consideration the scale, business features, risk nature, and operating activities of the company, develop a sound risk governance and management structure whereby risk management is linked to the company's strategy and objectives through the participation of the board of directors, functional committees, and senior management. In this way, the company's material risk items are identified, the results of risk identification become more comprehensive, forward-looking, and complete, and corresponding risk controls and measures are promoted and initiated in a top-down manner, to reasonably ensure accomplishment of the company's strategic objectives.
Article 7
    (Deepening of risk culture)
    It is advisable for a TWSE or TPEx listed company to promote a top-down risk management culture whereby awareness of risk management is integrated in day-to-day decision making and a comprehensive corporate risk management culture is fostered through express risk management representations and undertakings of the governance unit and senior management, the establishment and support of a risk management unit, and the offer of professional training in risk management across the board.
Article 8
    (Offer of sufficient resources and support)
    The risk governance and management units of a TWSE or TPEx listed company shall value and support risk management, offer adequate resources to operate risk management effectively, and be responsible for its effective operation.
Article 9
    (Integration and coordination)
    A TWSE or TPEx listed company promoting risk management shall integrate the duties of all its units to ensure joint promotion and enforcement by such units, in order to implement risk management across the whole business through communication, coordination, and contact among the units.

Chapter 3 Organization Structure and Duties of Risk Management

Article 10
    (Risk management organization structure)
    In addition to the board of directors being the top governance unit of risk management, a TWSE or TPEx listed company may, taking into account the scale, business features, risk nature, and operating activities of the company, also establish a risk management committee under the board of directors and appoint an appropriate risk management promotion and enforcement unit.
Article 11
    (Establishment of a risk management committee)
    To ensure sound and strong risk management, it is advisable for a TWSE or TPEx listed company to take into account its scale, business features, risk nature, and operating activities and establish a risk management committee under the board of directors to oversee the operation of risk management. It is advisable that a majority of the committee members be independent directors and that the committee be chaired by an independent director.
    The risk management committee is accountable to the board of directors and shall submit all proposals to the board of directors for resolution.
    The risk management committee shall enact a committee charter, for which a resolution of the board of directors shall be passed. Said charter shall include the number, tenure, and authorities of members, the rules of procedure of the committee, and the resources to be made available by the company when the committee exercises its authority.
    A TWSE or TPEx listed company may also consider its scale and replace the functions of the risk management committee with other functional committees or task forces.
Article 12
    (Establishment of a risk management promotion and enforcement unit)
    A TWSE or TPEx listed company shall designate or establish an appropriate risk management promotion and enforcement unit to be in charge of planning, enforcing, and overseeing risk management related affairs. Said unit may take the form of a dedicated unit or be composed as a task force, taking into account the scale, business features, risk nature, and operating activities of the company.
Article 13
    (Duties and role of the board of directors)
    The duties and role of the board of directors are as below:
  1. approve the risk management policy, procedures, and structure;
  2. ensure consistency between the direction of operational strategy and the risk management policy;
  3. ensure an appropriate risk management mechanism and risk management culture have been established;
  4. oversee and ensure effective operation of the entire risk management mechanism;
  5. allocate and designate adequate and appropriate resources for effective operations of risk management.
Article 14
    (Duties and role of the risk management committee)
    The duties and role of the risk management committee are as below:
  1. examine the risk management policy, procedures, and structure, and review their applicability and the effectiveness of their enforcement on a regular basis;
  2. approve the risk appetite (risk tolerance) to facilitate allocation of resources;
  3. ensure the risk management mechanism is able to address adequately risks faced by the company and incorporate the mechanism in day-to-day operating procedures;
  4. determine the priority order and risk level of risk control;
  5. examine the enforcement of risk management, propose necessary recommendations for improvement, and report to the board of directors on a regular basis (at least once a year);
  6. enforce the risk management policy of the board of directors.
Article 15
    (Duties and role of the risk management promotion and enforcement unit)
    The duties and role of the risk management promotion and enforcement unit are as below:
  1. devise the risk management policy, procedures, and structure;
  2. determine the risk appetite (risk tolerance) and develop qualitative and quantitative metrics;
  3. analyze and identify sources and types of company risks and review the relevant applicability on a regular basis;
  4. compile and present a company risk management enforcement report on a regular basis (at least once a year);
  5. assist with and oversee the conduct of each department's risk management activities;
  6. coordinate interdepartmental interaction and communication in regard to risk management;
  7. enforce the risk management policy of the risk management committee;
  8. devise risk management related training programs to enhance overall risk awareness and culture.
Article 16
    (Duties and role of operating units)
    The duties and role of an operating unit are as below:
  1. responsible for identification, analysis, and assessment of, and response to, risks of the unit to which it belongs, and create the relevant crisis management mechanism where necessary;
  2. present risk management information to the risk management promotion and enforcement unit on a regular basis;
  3. ensure effective enforcement of risk management and relevant control procedures of the unit to which it belongs, to ensure compliance with the risk management policy.

Chapter 4 Risk Management Procedures

Article 17
    (Risk management procedures)
    The risk management policy shall include risk management procedures, which shall consist of five main elements at the minimum: risk identification, risk analysis, risk evaluation, risk response, and mechanism of oversight and examination. Said procedures shall also state expressly the procedures and methods of actual enforcement of these elements.
Article 18
    (Analysis and identification of sources and types of company risks)
    Generally, sources and types of risks are mainly categorized as below: strategic risk, operating risk, financial risk, information risk, compliance risk, risk of good faith, and other emerging risks such as climate change or epidemics, etc.
    It is advisable for the risk management promotion and enforcement unit to devise and undertake a comprehensive focused risk analysis based on the scale, industry, business features, and operating activities of the company and taking corporate sustainability (including climate change) into account, to analyze and identify the sources and types of risks applicable to the company, define the types of risks of the company, identify in detail the relevant risk scenarios of each type of risk, and review the relevant applicability on a regular basis.
Article 19
    (Risk identification)
    Each operating unit shall perform risk identification in respect of the short-, mid-, and long-term objectives and business functions of the unit to which it belongs, in accordance with the strategic objectives of the company and the risk management policy and procedures approved by the board of directors.
    For the performance of risk identification, it is advisable that practicable analytical tools and methods such as process analysis, scenario analysis, questionnaire surveys, PESTLE analysis, etc. be employed; that the identification be performed based on previous experience and information, taking into account internal and external risk factors and stakeholders' primary concerns; that analyses and discussions be conducted in both a "bottom-up" and a "top-down" approach; and that strategic risks and operational risks be integrated, in order to identify all potential risk events which may prevent the accomplishment of company objectives, occasion losses to the company, or cause a negative impact on the company.
Article 20
    (Risk analysis)
    Risk analysis is mainly to ascertain the nature and features of a risk event which has been identified and to analyze the probability and degree of impact of such event to calculate the risk value.
    Each operating unit shall analyze the probability and degree of impact of any risk event which has been identified, taking into account the comprehensiveness of current relevant control measures, previous experience, and cases in the industry etc., in order to calculate the risk value.
Article 21
    (Metrics of risk analysis)
    It is advisable for the risk management promotion and enforcement unit to develop appropriate quantitative or qualitative metrics based on the company's risk features as the basis for risk analysis.
    Qualitative metrics express the probability of occurrence and degree of impact of a risk event through textual description; quantitative metrics express these aspects through specific measurable numbers such as days, percentages, amounts, people, etc.
Article 22
    (Risk appetite)
    It is advisable for the risk management promotion and enforcement unit to set a risk appetite (risk tolerance) and submit it to the risk management committee for approval in order to determine the risk limit acceptable to the company. It is also advisable that said unit deliberate on the mapping of each risk value to a risk level and the ways to respond to each level of risk based on the risk appetite, as the basis for subsequent risk evaluation and risk response.
Article 23
    (Risk evaluation)
    The purposes of risk evaluation are to provide an enterprise with a basis for decision making, whereby risk events which shall be addressed on a priority basis are determined through a comparison of the results of risk analysis to the risk appetite, and to serve as reference for subsequent formulation of response options.
    An operating unit shall devise and enforce risk response proposals by the level of risk based on the results of risk analysis vis-a-vis the risk appetite approved by the risk management committee.
    Results of risk analyses and assessments shall be documented accurately and reported to the risk management committee for approval.
Article 24
    (Risk response)
    Risk response plans shall be devised, their full understanding and enforcement by relevant personnel ensured, and their enforcement overseen on an ongoing basis.
    An enterprise shall take into account its strategic objectives, the perspectives of its internal and external stakeholders, its risk appetite, and the resources available in selecting the risk response(s) to adopt to make such risk response proposal strike a balance between the accomplishment of the goal and the cost-effectiveness.
Article 25
    (Risk oversight and examination)
    A risk oversight and examination mechanism shall be expressly defined in the risk management procedures to ascertain whether risk management processes and relevant risk measures continue to operate effectively and incorporate the results of examination in performance reviews and reports.
    Risk management shall be aligned with the critical processes of the organization in order to oversee and enhance the benefits of implementing risk management effectively.

Chapter 5 Risk Reporting and Disclosure

Article 26
    (Risk documentation)
    The procedures and results of risk management, including risk identification, risk analysis, risk evaluation, risk response measures, relevant information sources, and results of risk assessment, etc., shall be documented, examined, reported, and properly retained for reference through appropriate mechanisms.
Article 27
    (Risk reporting)
    Risk reporting is an integral part of corporate governance. It is advisable that the different stakeholders and their specific information needs and requirements, the frequency and time sensitivity of reporting, the methods of reporting, and the relevance of the information to the objectives and decision-making of the organization be taken into account in assisting senior management and the governance unit in making relevant risk decisions and performing their risk management duties.
    The risk management promotion and enforcement unit shall consolidate the risk information provided by the various units, issue risk management related reports to the risk management committee and board of directors on a regular basis, and develop a dynamic management and reporting mechanism, to oversee the effective enforcement of risk management.
Article 28
    (Risk disclosure)
    A TWSE or TPEx listed company shall disclose the following risk management related information on the company website or Market Observation Post System for external stakeholders' reference and shall update said information on an ongoing basis.
    Specific items to be disclosed include:
  1. risk management policy and procedures;
  2. organization structure of risk governance and management;
  3. operation and enforcement of risk management, including frequencies and dates of reporting to the board of directors and committee.

Chapter 6 Supplementary Provisions

Article 29
    (Attention paid to domestic and foreign developments)
    A TWSE or TPEx listed company shall pay attention at all times to developments in the risk management mechanisms of domestic and international enterprises, based upon which it shall review and improve the risk management structure developed by the company, in order to enhance the effect of corporate governance.