Strengthen Sustainable Governance by Enhancing Risk Management and Control

To become a resilient organization that controls and reduces the operational risks in the face of changing external conditions, CTCI Group continues to identify and evaluate the various risks that it may face, so as to formulate appropriate risk management strategies to reduce the chances of such risks materializing and suffering from their negative effects. To ensure steady success, we have made many improvements in risk management and control in the past year. Good risk management and control allows us to make stable progress and enhance sustainable governance on the basis of stability and sustainability.

A Dedicated Unit for Risk Management and Control

Established for over 17 years since 2006, the "Risk Management Executive Committee" has been the main promotion organization responsible for CTCI Corporation's risk management. However, given the need for stable operation and development, as well as the need to be aware of and respond to various internal and external risks, a new Group-level unit called the "Risk Control and Management Office" was set up on November 1, 2022 to coordinate planning and promote the Group's risk control operations, establish a risk control system, systematically respond to and control risks, and enhance the risk management culture. The new office helps all corporate units become more accurately aware of and respond to the increasingly complex risks in the industry, which contributes to CTCI Group's goal of stable growth and sustainable operations.

Enhancing the Group's Risk Control Management Mechanism

To enhance CTCI Group's risk control mechanism, we reviewed the Group's current risk-related SOPs, took stock of the legal requirements, filled in the gaps, integrated current standards, and set up control points based on lessons learned from risk events. We also released a new Group-level risk control standard operating procedure document called “GCP-011 Group Risk Control and Management Regulations” on May 23, 2023. 

The main control management mechanisms that have been enhanced include: adding risk management and control objectives to enhance the importance and effectiveness of risk management and control; establishing risk management baseline; strengthening risk management and control in the project quotation stage (such as risk bottom-line check, high-risk project report); clearly defining emergency risk management and control mechanisms, etc. The following table summarizes the risk categories. Under the risk aspects of "company operation risk" and "project risk," we have identified and listed the relevant key risk items, as well as their "warning criteria" and "action criteria," which serve as the basis for handling and control. When an event reaches the risk warning or action criteria, the responsible personnel shall immediately report to the direct supervisor, before reporting to the competent supervisor and form a response team to treat such emergency risk event.

Strengthen Risk Training to Improve Awareness

To help all units implement risk control mechanism, we have conducted risk-related trainings and lectures to raise the awareness on risk management. The risk training activities held in 2023 include the following:

• Workshops on Group risk management and control 
At workshops, we explained to CTCI Corporation and the affiliate companies the key points of Group-level risk management and control, covering topics such as the risk control units and their duties, risk management planning and promotion, risk execution and control, risk audit, lessons learned and reporting, as well as the plan management and control tools that allows each company to better control and understand its own risk status (one tool example is the risk management and control log at the project quotation stage). This allows the implementation of the risk control mechanism to become more effective.

• Lectures on corporate reputation crisis management
To enhance the awareness of risk management and control, we invited an external professional media service strategy consultant to provide insights on Taiwan's media landscape and the current situation of reputation crisis that companies frequently face. The experts not only helped us review CTCI Group's corporate reputation crisis map, but also used the Group risk control SOPs to explain CTCI Group's corporate reputation crisis management mechanism, thus allowing CTCI’s supervisors and staff to understand what should be done and what should not be done when dealing with corporate reputation management. The lectures were held online and offline simultaneously.

• Risk management lectures on trends in digital technology and artificial intelligence 
We actively collect and timely share the information related to the external risk issues. AI-related emerging risks is one example. We also invited the executive deputy vice president of KPMG Enterprise Management Consultant to give lectures to CTCI directors and managers. During the lecture, the expert provided global CEOs’ post-pandemic strategic insights, shared some thoughts on corporate transformation opportunities, introduced emerging digital technologies, and talked about the hidden worries and risks related to digital technologies.

Discover, Control, and Respond to Potential Risks

Through awareness and training campaigns, all staff understand that they should proactively report to their direct supervisors when an emergency risk event occurs within their work scope. Supervisors at all levels also understand that they should identify, analyze, and evaluate the risks that occur within their jurisdiction to ensure that important risks can be controlled and dealt with.

The Risk Control and Management Office, on the other hand, helps identify (potential) risks and implement risk management through meetings and reports. To help detect (potential) and respond to risks as early as possible, the office also conducts risk audits on the risk discovery that have been previously identified through daily risk management and control, on quotation projects, and on high-risk execution projects. The treatment progress of the risk issues or events are managed and tracked, with the dual aim of minimizing negative impacts and ensuring continuous improvement through lessons learned (LL) to prevent recurrence.

Incorporate Risk Management into ESG to Improve Sustainable Governance

Risk management and control is a part of corporate governance. In addition to the aforementioned mechanism and its implementation, CTCI also attaches great importance to the internal and external issues, existing and emerging alike, as well as their potential risks and opportunities for continuous operations. Responsible units would regularly collect new information, examine whether it is relevant, and determine the impact.

• Sensitivity analysis and stress testing
In terms of important financial and non-financial critical risk issues, we prudently conduct sensitivity analysis and stress testing to evaluate the impact of key attributes and variables on the company's operations as a reference for decision-making and response strategies.

• Emerging risks
Emerging risks are included in the cycle of risk management. With a systematic management system, we can identify emerging risks and look out for changes in the global landscape. This not only helps us actively develop and implement countermeasures for potential emerging risks, but also helps us watch out for opportunities by looking at the potential future trends.

Summary

In line with the international risk management trends, CTCI’s risk management and control implementation status is disclosed on the company's official website, in the annual report, and in the ESG report. We actively demonstrate our efforts in sustainable governance to improve the effectiveness of risk management and control, as well as strengthen the Group's operating physique. Strengthening the Group's operating physique helps us ensure continued stable growth and sustainable operation.