Governance & Risk Framework

The Board of Directors is the ultimate authority overseeing risk governance, supported by the Audit Committee and a dedicated Risk Management Committee composed of senior leaders from key units. In 2020, the Board formally approved the enterprise-wide risk management policy based on ISO?31000, establishing a structured six-step cycle—identify, analyzing, evaluate, respond, manage, and continuously monitoring and improvement. This framework is fully embedded across all organizational levels and reinforced by robust internal control mechanisms to ensure effective risk oversight and mitigation.

Dedicated Operational Risk Function

The company has a formal Operational Risk Management (ORM) unit under the Risk Management Committee, empowered to identify, assess, monitor, and mitigate risks across ten categories—operational, supply chain, cybersecurity, climate, labor, compliance, etc. High-risk issues are escalated through quarterly ORM meetings and annual reporting to the Board, with internal audits verifying effectiveness.

Implementation Examples & Tools

• ? Operational risk assessments are conducted annually, with the ORM team recommending mitigation strategies to the Board
• ? In 2024 and 2023, internal audit reports were submitted to the Audit Committee, evaluating the risk framework’s effectiveness.
• ? Emerging risks (e.g., climate, geopolitical) are actively identified and managed using TCFD-aligned processes, such as climate scenario planning.

Risk Management Procedures

In response to an increasingly complex and dynamic risk landscape, senior management actively engages in the identification and evaluation of risks related to global economic shifts, regulatory developments, environmental factors, technological innovation, and other critical external influences that could impact the Company’s long-term sustainability.

The risk management process follows a structured cyclical six-step approach:

• 1. Risk Identification
• 2. Risk Analysis
• 3. Risk Evaluation
• 4. Risk Response Planning
• 5. Risk Management Execution
• 6. Continuous Monitoring and Improvement

This comprehensive and integrated process ensures risk management is proactive and forward-looking, enabling the Company to anticipate potential disruptions, safeguard strategic objectives, and maintain the confidence of stakeholders.

Risk assessments incorporate evaluations of both the likelihood and potential impact of identified risks. Each risk is assigned an appropriate risk appetite level based on its assessed severity, along with the department responsible for that risk. Designated managerial supervisors are accountable for proposing, implementing, and continuously monitoring effective risk mitigation measures.

In both 2023 and 2024, following thorough deliberations and comprehensive assessments, the Risk Management Committee concluded that the Company’s overall risk exposure remained within manageable and controlled limits, with no abnormal or unexpected risk events reported during the periods.

Three Lines of Defense in Risk Management

First Line of Defense: Operational Risk Ownership

Each business unit is responsible for identifying and managing risks arising from their day-to-day operations by designing and implementing effective internal controls. Depending on organizational size and industry practices, dedicated risk management units or specialists may be established to oversee risk-related activities and report regularly on risk indicators, compliance status, violations, and corrective actions.

Key attributes include:

• ? Business Accountability: Unit heads serve as risk owners, embedding risk management into daily operations.
• ? Control Execution: Employees execute internal controls and adhere to policies and procedures established by the second line.
• ? Training and Awareness: Ongoing risk awareness initiatives ensure employees understand their risk management responsibilities.
• ? Regular Monitoring: Business units regularly report key risk indicators and incidents to the central risk management function.

Second Line of Defense: Risk Management and Compliance Oversight

Composed of department and section-level managers, the committee convenes at least twice annually. Risk-related unit leaders report to the Committee Chairperson (the Chairman), overseeing risk exposure and appetite, reviewing risk management execution, and shaping enterprise-wide risk control strategies.

Key features include:

• ? Enterprise-wide Framework: Responsible for maintaining and updating the Company’s Enterprise Risk Management (ERM) framework, encompassing strategic, operational, compliance, and reputational risks.
• ? Oversight Functions: Risk Management and Compliance teams develop policies, conduct risk assessments, and monitor overall risk exposure.
• ? Cross-functional Committees: Facilitate alignment of risk practices and review emerging risks, with established escalation protocols to senior leadership and the Board.

Third Line of Defense: Independent Audit Unit

Charged with auditing risk management processes and key operational risks, the Audit Office reports quarterly to the Audit Committee and at least annually to the Board of Directors. This ensures the adequacy of internal controls and the integrity of risk assessment and mitigation processes.

Key characteristics include:

• ? Direct Board Reporting: Audit Office operates independently from management and reports directly to the Audit Committee.
• ? Scope of Assurance: Reviews the design and effectiveness of controls implemented by both the first and second lines, including audits covering financial, operational, compliance, and strategic risks.
• ? Independence and Objectivity: Audit Office maintains independence by not participating in day-to-day risk management or control activities.

Risk Management Committee

The Risk Management Committee serves as the central governance body for enterprise risk oversight. Chaired by Chairman Eddie W.H. Chuo and comprising senior executives and heads of major functions, the Committee meets at least twice per year to oversee risks that may affect the Company’s long-term sustainable development.

The Committee is responsible for identifying, assessing, and monitoring a broad range of strategic and operational risks, formulating risk policies, setting management objectives, defining risk appetite, and ensuring risks remain within acceptable thresholds.

In 2024, Committee meetings were held on May 23 and October 25. During these sessions, managers presented assessments across nine key risk categories, including associated risk appetites and mitigation measures. The Chairman provided strategic guidance on response plans. After comprehensive evaluation, the Committee affirmed that the Company’s overall risk exposure remained well within controllable limits, with no material or abnormal events reported.

Responsibilities of the Risk Management Committee

• 1. Policy Formulation and Review
  Develop and periodically review the Company’s risk management policies and strategies to align with business objectives, regulatory requirements, and industry best practices.
• 2. Risk Assessment and Monitoring
  Evaluate key risks—including financial, operational, compliance, market, credit, ESG, and emerging risks—and monitor internal and external indicators for early warnings.
• 3. Risk Planning and Control Measures
  Promote, review, and supervise implementation of mitigation plans, internal controls, and risk-handling mechanisms such as risk avoidance, transfer, reduction, and retention.
• 4. Risk Reporting and Disclosure
  Regularly report significant risks, changes in risk exposure, and mitigation effectiveness to the Board to ensure transparency and accountability.
• 5. Crisis Management and Emergency Preparedness
  Support development and maintenance of contingency plans and crisis response procedures for rapid action and damage mitigation during emergencies.

Functions of the Risk Management Committee

• ? Strategic Function: Assist the Board in setting and overseeing risk appetite and strategy aligned with long-term goals.
• ? Oversight Function: Monitor and evaluate enterprise risk management processes across departments.
• ? Communication Function: Act as a central platform for timely exchange of risk information among departments, management, and the Board.
• ? Continuous Improvement: Foster ongoing enhancement of the risk management framework to adapt to evolving internal and external conditions.

Risk Management Process Audit

To ensure the effectiveness and continuous improvement of the risk management framework, the Company conducts annual internal audits overseen by the Internal Audit Office, applying a risk-based audit methodology.

Scope and Process:

• ? Identification and assessment of strategic and operational risks
• ? Evaluation of risk response plans and mitigation measures
• ? Verification of control implementation
• ? Monitoring of Key Risk Indicators (KRIs)
• ? Examination of risk reporting and escalation mechanisms
• ? Validation of compliance with internal policies and regulatory requirements

Audits are conducted in accordance with ISO 31000 and relevant regulations. Findings are documented in formal reports submitted to senior management and the Audit Committee. This disciplined approach demonstrates the Company’s commitment to cultivating a robust, transparent, and accountable risk culture.

In 2023 and 2024, audits covered credit and financial risks, information security, industry changes, supply chain, and occupational safety risks, with no irregularities detected.

Risk Culture

The Company integrates intellectual property (IP) risk assessments into its product and service development lifecycle. Through systematic analysis, we ensure legitimacy and protection of innovations, thereby mitigating infringement disputes and operational risks.

Company-Specific Risk Exposure Examples

Key Talent Risk

• ? Risk Description: Challenges stemming from demographic shifts, industrial restructuring, and increasing complexities in cross-border labor employment.
• ? Likelihood: Moderate to High, due to intense industry competition for skilled professionals and evolving workforce expectations over the next 1-3 years.
• ? Impact: Moderate, as talent loss may delay projects, reduce innovation capacity, and hinder operational efficiency, potentially impacting annual revenue growth targets.
• ? Risk Appetite: Maintain turnover below industry benchmarks and sustain a healthy talent pipeline; target recruitment success rate ≥70%.
• ? Mitigation Measures:
  • 。 Enhance industry-academia collaborations
  • 。 Diversify recruitment channels, including government-supported talent programs
  • 。 Prioritize recruitment of female R&D engineers and foster an inclusive environment
  • 。 Utilize immigration policies to attract overseas and international talent
  • 。 Build talent databases and engage candidates through digital platforms

Geopolitical Risk

• ? Risk Description: Exposure to political instability, trade restrictions, and regulatory changes across multiple international markets, potentially disrupting supply chains and limiting market access.
• ? Likelihood: Medium, given current global geopolitical tensions over the next 2-5 years.
• ? Impact: Significant, possibly causing supply delays, increased operational costs from tariffs or sanctions, and revenue loss affecting approximately 10% of international sales.
• ? Risk Appetite: Maintain diversified supply chains and markets to mitigate concentrated risk; tolerate annual revenue contraction no greater than 5%.
• ? Mitigation Measures:
  • 。 Expand overseas sales teams and expatriate talent pools
  • 。 Strengthen subsidiary support and communication
  • 。 Accelerate market development in Europe, Latin America, Southeast Asia, Japan, Korea, India, and Taiwan
  • 。 Enhance distributor collaboration to ensure continuity
  • 。 Localize assembly and shipping in strategic regions, e.g., Singapore