【Expert’s Commentary of the Commercial Times】Based on the Risk Management Best Practices Principles for TWSE/TPEx-listed Companies, What Should Companies Watch for?

November 7, 2022

In August 2022, the TWSE and TPEx announced the promulgation of the Risk Management Best Practices Principles for TWSE/TPEx-listed Companies (hereinafter the “Principles”) in the hope of helping TWSE/TPEx-listed companies build a comprehensive risk-management system to avoid risks which might result in the failure of company goals and damages or negative impact to the company, including strategy risks, operational risks, financial risks, information risks, legal compliance risks, integrity risks, and other emerging risks (such as risks associated with climate change or infectious diseases). With the establishment of a risk-management system, businesses may operate stably and move towards the goal of sustainable development. The following is a brief introduction to the content of the Principles.

Risk management policies and procedures: TWSE/TPEx-listed companies shall formulate risk management policies and procedures, which should cover at least risk management objectives, risk governance and culture, organizational structure and responsibilities of risk management, risk management procedures, and risk reporting and disclosure. Among them, risk management procedures should include at least five elements: risk identification, risk analysis, risk assessment, risk response, and supervision and review mechanism, and specify the procedures and methods for the actual implementation of each element.

TWSE/TPEx-listed companies shall also disclose their risk management policies and procedures, organizational structure of risk governance and management, risk management operations and implementation (including the frequency and date of reporting to the board of directors and committees) on the company’s website or the Market Operation Post System.

Risk management unit: The board of directors of a TWSE/TPEx-listed company shall be regarded as the highest governance body for risk management. A TWSE/TPEx-listed company may, after taking into consideration the company’s size, business characteristics, and nature of risks and operational activities, establish a risk management committee under the board of directors and assign appropriate units to facilitate and implement risk management.

Board of directors: As the highest governance body for risk management, the board of directors is responsible for approving the policies, procedures, and structures of risk management, ensuring that the direction of operational strategies is consistent with risk management policies, ensuring that an appropriate risk management mechanism and risk management culture have been established, supervising and ensuring the effective operation of the risk management mechanism, and allocating and assigning sufficient and appropriate resources to enable the effective operation of risk management.

Risk management committee: The majority of the members of the risk management committee should preferably consist of independent directors, with an independent director serving as the chairman. The risk management committee should report to the board of directors and submit its proposals to the board of directors for resolution. The risk management committee shall formulate its charter and have such charter approved by resolution of the board of directors.

The content of the committee charter shall include the number of committee members, term of office, duties and powers, rules of procedure, and resources to be provided by the company when exercising powers. A TWSE/TPEx-listed company may also, in consideration of its size, replace the functions of the risk management committee with other functional committees or working groups.

The responsibilities of a risk management committee include examining risk management policies, procedures, and structures and regularly reviewing their applicability and the effectiveness of their implementation; approving risk appetite (risk tolerance) and guiding resource allocation; ensuring that the risk management mechanism can adequately address the risks the company faces and be integrated into the daily operational procedures; approving the priority and risk level of risk management; reviewing the implementation of risk management, putting forward necessary improvement suggestions, and reporting to the board of directors on a regular basis (at least once a year); and implementing the risk management decisions of the board of directors.

Risk management promotion and implementation unit: A TWSE/TPEx-listed company may, in consideration of the company’s size, business characteristics, nature of risks, and operational activities, assign a dedicated unit or appoint a task-based group to form a unit to facilitate and implement risk management.

The responsibilities of the unit facilitating and implementing risk management include drafting risk management policies, procedures, and structures; drafting risk appetite (risk tolerance) and establishing qualitative and quantitative measurement standards; analyzing and identifying the sources and categories of corporate risks, and regularly reviewing their applicability; regularly (at least once a year) compiling and submitting company risk management implementation reports; assisting and supervising the implementation of risk management activities of various departments; coordinating cross-departmental interactions and communication of risk management operations; executing the risk management decisions of the risk management committee; and planning risk management-related training to enhance the overall risk awareness and culture.

(This article was published in the Expert’s Commentary Column of the Commercial Times: https://view.ctee.com.tw/tax/46077.html)