Risk Management
To ensure soundness of management and sustainable development, the Company follows the Enterprise Risk Management framework to continue identification and evaluation of various possible risks, and pays attention to global environmental and industrial changes to enable appropriate risk management strategy development, and decrease the probability of risks and negative impacts of risks to effectively manage and mitigate such impacts.
Risk Management Organization and Duties
Three lines of defense for corporate risk management are implemented together by the Board of Directors, Audit Committee, Auditing Office, President, President's Office, individual units, risk management units, and subsidiaries:
Risk Management Policies and Operations
Walsin Lihwa's Risk Management Policy and Procedures are the prime guiding principle of risk management procedures for itself and its subsidiaries. On January 26, 2024, the Company revised its risk management objectives, organizational structure, relevant units' responsibilities, management procedures, and control mechanisms to incorporate risk management into daily operations, so that employees can follow the principle and jointly participate in and promote risk management. Every year the status of risk management is reviewed and reported to the Audit Committee and the Board of Directors. The 2023 status of risk management was reported to the Audit Committee and Board of Directors respectively on October 27 and November 3, 2023. For further information, please refer to the Company website.
Risk Control Mechanisms
Walsin Lihwa's risk management is intended to mitigate the impacts from internal and external risks based on the degrees of severity and Company's business characteristics to identify, monitor, and manage the risks associated with corporate governance as well as economic, environmental, and social issues. For further information on the risk response plans and mitigation measures, please refer to relevant chapters of this report or the Annual Report. The status of risk management is reported to the board on a regular basis. For further information on relevant risk types and risk control mechanisms, please refer to the Risk Management Policy and Procedures at
https://www.walsin.com/wp-content/uploads/2024/02/rule21_EN20240126.pdf.
▪Risk Management Categories
Emerging Risk
The Company has included emerging risks into risk management supervised by the board to pay attention to the trends and developments of global climate change to enable comprehensive business development and future planning while identifying emerging risks every year.
▪Three Steps of Identification
▪Results of Identification
Intellectual Property Right and Confidential Information Protection
Through effective intellectual property right management, Walsin Lihwa encourages R&D, protects its technologies and R&D achievements, pursues manufacturing process optimization, expedites product innovations and upgrades, and pursues smart manufacturing to achieve value-added transformation of the Company for ongoing growth. In 2020, the Company commenced the Taiwan Intellectual Property Management System (TIPS) implementation, which was certified in the same year. Class A certification by the TIPS was granted to Walsin Lihwa respectively in 2021 and 2023. The certification is valid through December 31, 2025.
An organizational adjustment in 2023 incorporated the Procurement Management Center into the TIPS' scope of implementation while engaging in trade secret management system design in conjunction with confidentiality labelling of electronic documents implemented in 2022 to gradually strengthen confidential information protection in compliance with the TIPS requirements and develop annual intellectual property management policies and their objectives. On November 3, 2023, the status of implementation and annual plan were reported to the board.
Grievance and Suggestion System and Protection of Whistleblowers
Walsin Lihwa encourages employees and outsiders to report corruption, bribery, unethical conduct, and other misconduct. The Company has enacted its Guidelines for Suggestions and Complaints by Stakeholders and set up a designated stakeholder section on the Company's website for stakeholders to send their suggestions and complaints to the Company's management and chief audit executive. There is also an opinion mailbox for employees to provide suggestions, and employees or stakeholders are encouraged to report any suspicious activities or misconduct within the organization or between transacting parties, thereby preventing unlawful conduct or misconduct. The investigation process is always kept confidential to protect whistleblowers. The reports received are processed by responsible units, and the Audit Committee shall be informed of how they are processed. In 2023, 2 complaints were received and both were processed according to relevant regulations. Suspicious activities or misconduct include:
Internal Audit
The comprehensive internal audit system and Audit Committee of Walsin Lihwa help ensure effective internal control and reporting; management also closely monitors the improvement results for internal control deficiencies. The Auditing Office -- an independent unit with a chief audit executive and dedicated auditors -- reports directly to the board of directors. The chief audit executive and the independent directors of the board shall meet at least once quarterly to report the status of internal control and audit implementation to the Audit Committee, in addition to regular reports to the board of directors. In case of major abnormalities, their meetings can be convened at any time. The chief audit executive reports to the chairman of the board, the convener of the Audit Committee, the independent directors, and the president on an as-needed basis. The Auditing Office may also provide management with timely information on existing or potential issues with internal control through auditing activities.
Material Topics
Information Security
As information security threats have been escalating in tandem with the advent of the digital age and increasingly complex business activities, Walsin Lihwa has enacted its Information Security Management Measures to effectively identify the information security risks facing the Company and to control and mitigate such risks in a timely manner. The measures therefore serve as the basis for information security risk identification, assessment, management, monitoring, and review, enabling the development of a systematic risk management structure. Moreover, to build an information system structure for digital sustainability and expedite the Company's goal of digital transformation, Walsin Lihwa focuses its information security strategy on strengthening information security resilience, developing solutions, and implementing a comprehensive information security protection platform, so that its protection technologies and measures can be optimized to strengthen real-time and active defense capability, lay a solid foundation for digital sustainability, and support the government policy of treating information security as national security.
Information Security and System Maintenance Division for Information Security Management Promotion
The Chief Information Security Officer and the Information Security and System Maintenance Division of Walsin Lihwa are responsible for promoting information security management, including information security policy development; planning, coordination, and implementation of information security protection measures; assessment and management of information security risks; comprehensive information security planning; and year-by-year promotion of information security management with relevant solutions provided.
IT Steering Committee
The IT Steering Committee -- the information security management organization and decision maker at the Company and its individual business units -- is responsible for reviewing and deciding on matters related to information security management. The board also has several members with information security-related backgrounds on the Audit Committee to supervise and review information security policy promotion. Members of the IT Steering Committee shall convene at least one management review meeting every year to review the status of information security policy implementation and ensure the effectiveness and appropriateness of information security policy standardization in compliance with relevant laws and regulations as well as competent authorities' requirements. In 2023, 3 information security regulations were amended to comply with domestic and overseas laws and regulations and to respond to external changes.
Information Security Management System Implementation and Compliance
Walsin Lihwa's ISO 27001 Information Security Management System, implemented in 2022 for information authorization, data backup, system development, outsourced vendor management, and intellectual property right management, has obtained third-party certification. In January 2023, the Company received the latest ISO 27001:2013 certification, which is valid through October 2025. The Company's PDCA (Plan-Do-Check-Act) cycle secures the confidentiality, integrity, and availability of all data through a comprehensive information security management system, continually strengthening information security management through effective prevention, monitoring, and response before and throughout any information security event. In 2023, three third-party information security risk assessments were carried out.
Information Security Policy
Objectives of information security: To maintain the confidentiality, integrity, and availability of business information, including sensitive information, at Walsin Lihwa, all employees, internal and external information service users, and third-party service contractors are expected to work steadfastly together to achieve the following objectives:
- Comply with relevant laws and regulations to protect company confidential information; prevent unauthorized access, tampering, damage, and/or improper disclosure (compliance).
- Protect company business information from unauthorized access or disclosure to ensure the correctness of every category of business information (protection of business secrets).
- Set up comprehensive business continuity planning and procedures for effective management of information security events to ensure such events are properly responded to, controlled, and processed, and conduct scenario drills on a regular basis to ensure ongoing operation of IT systems and information services in case of any information security event (business continuity).
- Cautiously handle and protect personal information and intellectual property rights pursuant to relevant domestic and overseas requirements (intellectual property).
- Review the status of compliance with information security requirements to ensure effective information security management (PDCA).
- Enhance employees' awareness of information security and reduce the risks associated with how information is used through management review, risk appraisal, internal auditing, education and training, and information security drills (full participation).
- Require all the employees to strengthen compliance with the Information Security Policy as well as relevant regulations and SOPs (full participation).
Development of Information Security Resilience for Effective Information Security
Develop information security plans for information security policy implementation year by year, bring in information security systems and workflow standards, and continue making information security technologies and relevant protection measures more complete. The specific management program has 5 objectives: separation of the intranet from the extranet; multilayered security defense; identification of security loopholes and other potential risks by log analysis and security inspection; smart security protection; and behavior analysis by log and big data analysis at the security operation center. These are pursued step by step through 4 approaches: IT governance, data and equipment protection, network and system control, and boundary defense.
▪The specific management program includes:
- Information protection mechanism planning and implementation to decrease confidential information leakage risks.
- Continued introduction of advanced information solutions to enable effective system, host, and network behavior management and protection.
- Reinforcement of protection of external information service to effectively block hacker attacks.
- Regular disaster backup drills focused on important systems to rapidly resume operation in case of any disaster.
- Evaluation and improvement of endpoint, server, and network equipment protection, and engagement of third-party professional services such as the information security inspection and diagnosis provided by the Industrial Development Bureau, Ministry of Economic Affairs.
- Implementation of endpoint detection and response (EDR) to strengthen endpoint, server, and network equipment protection.
- Security operation center (SOC) implementation to enable effective and timely responsiveness to security issues.
- Reinforcement of cloud information security management through Zero Trust to help achieve digital and ESG sustainability.
Education and Training on Information Security
Measures include an annual information security month; mandatory information security education and training throughout the Company, with more than 2,500 attendees in 2023; 2 email social engineering drills, with more than 5,000 attendances in 2023; and an online information security course and test required for those who failed the drills.
2023 Implementation Results
There was no major information or communication security issue, no confidential information leakage, and no related damage to the Company or its customers in 2023.
Regulatory Compliance
Regulatory compliance foundation: Corporate culture of "Commitment to Business Integrity"
The corporate culture of "commitment to business integrity" stresses that all business activities must comply with the laws and regulations of Taiwan and of each place of business. We stress to our employees that they must not violate relevant laws and regulations in pursuit of business profits.
Monitoring and Evaluation of Relevant Business Laws and Regulations
We are in the manufacturing industry, and our main compliance risks relate to labor and environmental protection laws, as well as the use of conflict minerals. Sales-related risks include the protection of consumer safety and health rights overseen by the industry's competent authority, and the Fair Trade Act. Accounting-related risks mainly concern the tax laws and tax collection regulations of each country and the Anti-Money Laundering Regulation. As a public company, we are required to comply with the Company Act, the Securities and Exchange Act, and corporate governance and ESG-related regulations.
Violation and Penalty in 2023
There was no bribery, corruption, money laundering, anti-competitive practice, insider trading, conflict of interest, discrimination, harassment, personal information or privacy leakage, or violation of the Company Act in 2023. Material penalties, i.e., those higher than NT$100,000, for non-compliance with the Regional Plan Act, labor laws, and tax filing regulations, together with the status of improvement, are tabulated as follows.