Risk Management Policies and Procedures

To ensure the robust operating performance and sustainable development of the Company, various risks were defined based on the Company’s operating strategies and objectives. Potential losses shall be restricted within the tolerable range, and an overall risk management organization framework and risk management mechanism shall be established.

The “Guidelines for Risk Management” of the Company were approved by the Board of Directors on December 27, 2013, as the top guiding principles of the Company’s risk management. On December 24, 2018, Guidelines for BCP Risk Control Procedures were promulgated and amended. The Company regularly assesses risks annually, and promulgates risk management policies for each type of risk covering management objectives, organizational structures, accountability, and risk management procedures to effectively identify, measure, and control the Company’s various risks arising from business activities and restrict them within a tolerable range.

I. Important Risk Categories

Overall, the risks the Company may encounter are divided into the following five categories:

[Strategic Risks] The impact on the Company’s financial business due to changes in the overall domestic and foreign economic situation, and/or important policies and laws.

[Operational Risks] Including risks of sales concentration, procurement concentration, legal regulations, talent recruitment and retaining, and impacts of technological and industrial changes, etc.

[Financial Risks] Interest rate changes, exchange rate changes, inflation, deflation, as well as impacts on the Company’s profits and losses due to policies for high-risk/high-leverage investment, capital loans to other parties, endorsements, and derivative commodity transactions.

[Information Security Risks] The risks of information disclosure of the Company’s major operating information, personal data, and/or client data required to be protected under contract provisions due to computer viruses, hacking, and/or various internal and external information security threats.

[Other Risks] Risks that are not specified in Subparagraphs 1 to 4 of the preceding Paragraph, such as climate change or environmental protection agreements, are expected to have a certain level of impact on the Company’s financial and business performance.

II. Organizational Structure

III. Mechanism for Risk Management

Organizations for Risk Management Responsibilities
Board of Directors The top unit of risk management, with the goal of complying with laws and regulations, promoting and implementing the Company’s overall risk management, ensuring the effectiveness of risk management, and assuming the overall responsibility for risk management.
Department of Finance Establish a high-efficiency and high-quality financial platform to provide transparent and credible financial information, operation analysis, and improvement plans. Adopt strict control, and legal tax planning, credit risk control, and financial crisis prediction models to mitigate corporate risks.
Audit Office Review the existing or potential risks of each operation based on the risk-oriented annual audit plans. Assume the responsibility for the revision and promotion of the internal control system to ensure that the Company can implement effective operation risk management.
Department of Information Technology Plan and improve the Company’s information management system, assume the responsibility for network information security control and protection measures, and provide management levels with fast and effective operation management information to mitigate information security risks.
Business Units The head of each business unit is responsible for the front-line risk management, analyzing and monitoring the relevant risks in the respective unit to ensure that the risk control mechanism and procedures are being effectively implemented.


Risk Management Mechanisms Levels Responsibilities for Risk Management and Control
First-tier Mechanism Business Units and
Staff in-charge
Initial detection, assessment, and control of risks
Second-tier Mechanism Operational Meetings or
Executive Meetings
Feasibility assessment and various risk assessment
Third-tier Mechanism Board of Directors
Audit Committee
Audit Office
The Audit Office is responsible for risk inspection, assessment, supervision, and improvement tracking, summarizes the implementation of risk management of various departments within the Company, and timely provide company risk management reports to the Board of Directors and the Audit Committee.
The Board of Directors and the Audit Committee are responsible for the decision-making and final control of risk assessment and control.

IV. Operation Status

The “Guidelines for Risk Management” of the Company were approved and promulgated by the Board of Directors on December 27, 2013. Since then, the Company has actively promoted the implementation of risk management mechanisms and reported to the Board of Directors the tables for risk assessment analysis and operation status on an annual basis. The data from the risk assessment analysis table would be used as the focal points for the audit of the coming annual period year.

Annual key operation status over the years and respective analysis of risks:

In December 2013, the “Guidelines for Risk Management” were promulgated.

In 2014, the “Risk Assessment Analysis Form” and the “Risk Factor Weight Table” were included in the important risk review indicators of the audit plans.

In 2017, the “Self-assessment Report of Internal Control” and “Annual Audit Findings” and other operational risk loss data were collected and included in the important risk review indicators of the audit plans.

In December 2018, the “Guidelines for BCP Risk Control Procedures” were promulgated.

In 2021 (The Annual Operation Status)

The Company at the Audit Committee meeting held on December 29, 2021, reported on the ever-changing risk environment currently faced by the Company, risk management priorities, risk assessment, and relevant measures based on “Key Risk Assessment Analysis Form for 2021” and the “Audit Plans for 2022”. (See the Table below)

Key Risks Potential Risks Risk Level % Risk Management Type Current Management Approaches Enhancement and Improvement Approaches Implementation Status
Operational Risk Risk of poor project progress control 25 (2)Mitigation 1. Enhance professional training.
2. Enhance the capability to control the current market conditions.
3. Enhance the capabilities and resilience of project managers on the comprehensive planning of the work process at each stage.
4. Enhance the capabilities of project managers to control the schedules and risks of projects.
1. Enhance the communication with the business units, confirm that the R&D resources are distributed to the projects required for business, and prioritize the projects based on the priority of clients’ demands.
2. Clearly define the job responsibilities of RDs to ensure that each RD can be utilized upmost in the project to improve efficacy. Supporting works are done by non-RD engineers to improve efficiency.
3. Introduce the Issue tracking system to allow the project progress tracking.
1. Track and support project progress with R&D professional platform and weekly meetings
Operational Risk Risk of the R&D data breach 20 (1)Avoidance Introduce the Data Loss Prevention system, and use the file encryption right after saving to prevent a data breach. In addition to the protection of the DLP system, the Company also has full control of the access of USBs of all computers to prevent the risk of a data breach. Various firewalls and file encryption operations within the Company have been enhanced and the use of USB has been completely prohibited.
Operational Risk Risk of the outflow of talents 12 (2)Mitigation 1. Development programs for key talents
2. Provide a good workplace environment
3. Employees care
4. Succession plans
5. Recommended graduates from VTESC
6. College graduates or undergraduates recommended by faculties of relevant departments
1. TTQS promotion Program for talents
2. Provide a complete and fair promotion system
3. Design creative recruitment ads
4. Contact college professors and VTESC staff closely.
1. Enhance the functions of the education and training platform and improve the education and training courses
2. Brand marketing of MACHVISION SPORTS
3. The areas from the 1st to 6th floors have been renovated and improved to provide a more comfortable work environment
Information Security Risk *Environmental risk (5%)
Floods, fires, earthquakes...
10 (2)Mitigation Off-site backup Off-site backup Regularly review information security content, increase remote backup mechanisms and prevent data loopholes

On Aug 3, 2021, the Company provided education and training to the department heads and Directors to understand the standards of BCP Risk Control Procedures to enhance their awareness of the importance of risk control.

Dates Provided for/Locations Duration Attendees
2021.8.3 All Directors / 6F 30 min 9 persons
(1 person for video)
2021.8.3 All heads of all departments / B1 Restaurant 30 min 25 persons