Risk Management | ACER ESG
Acer's corporate philosophy is built on the ultimate goal of "sustainable development." We believe that rigorous and pragmatic risk management not only reflects Acer's persistent commitment to our customers, employees, supply chain partners and investors, but is also a concrete act of ensuring sound business performance and fulfilling our corporate social responsibility. The relationship between sustainable corporate development and risk management is intricate. Only by continuously identifying and analyzing the short-term dynamic changes and long-term trends of risks, implementing the corresponding risk management strategies, and establishing a risk-conscious corporate culture through frank internal communication and training programs can we protect our hard-earned business results and achieve our goal of "sustainability."
To realize the vision of sustainable development and establish a risk-conscious corporate culture, the Company not only follows the risk management measures built into its organizational management system and operational processes at all levels, but also commits to continuously improving its risk management practices through the participation of senior managers, using international standards such as the ISO 31000:2018 risk management system and the Corporate Risk Management Integrated Framework (COSO ERM 2017) issued by the National Council on Fraudulent Financial Reporting (NCFR) as references. On this basis, the Company established a risk management policy based on ISO 31000:2018 and COSO ERM 2017, which was approved by the Board of Directors on March 16, 2022.
Acer takes a proactive and cost-efficient approach to managing risk. The scope of risk management covers strategic, operational, financial, disaster and climate change risk components. The internal and external business environment is assessed regularly as a whole, and the results are used to build a risk radar; the external assessment draws on international risk reports and on the reports and research of the insurance industry and risk management consultants, so that the completeness of our risk perception can be checked.
Through the aforementioned process, the Acer Risk Radar for 2022 identified 19 internal risks and 26 external risks, 45 risks in total. Risk prioritization and risk appetite are then determined in the interest of business growth and effective resource allocation, and corresponding risk management strategies, preventive/mitigation measures, implementation mechanisms and responsible organizations are formulated to ensure that the key risks are effectively controlled and responded to appropriately. To continuously monitor and strengthen risk management practices and response measures, the Audit Committee evaluates the risks and places them on its regular agenda according to the importance and urgency of the risk ranking, and decides on the issues to be reported and the responsible units. The Audit Committee regularly summarizes the risk environment, risk management priorities, risk assessment results and related countermeasures, together with the status of information security risk management, in its report to the Board of Directors (at least once a year).
Scope of Acer Risk Management
Acer Risk Management Organization Structure
Risk Management Procedures
01 | Risk Identification and Risk Assessment
Risk Management Working Group members identify risks and assess potential risk scenarios and operational impacts using relevant risk management assessment tools such as Risk Register and Risk Map.
02 | Risk Control and Risk Mitigation
- Use the Risk Management Working Group as a platform to communicate risk across business units/functional organizations, and promote the strengthening of risk control and mitigation programs for each business unit/functional organization.
- The Risk Management Working Group implements risk management programs and regularly tracks the progress and effectiveness of implementation to ensure continuous improvement of risk management.
- Each unit will include risk control in the annual internal control self-assessment review.
03 | Risk Monitoring and Corporate Risk Management Report
- The Risk Management Working Group summarizes the risk environment, risk management priorities, assessment results and related response measures, and the Risk Management Committee approves/decides.
- The Risk Management Committee shall report to the Audit Committee and the Board of Directors at least once a year.
Three Layers of Defense Structure for Risk Management Organization
Risk Identification and Management Effectiveness in 2022
The Company identifies, evaluates and discusses potential and emerging corporate risks in three major areas: environmental, social and corporate governance. Risk management organizations use the Risk Map to assess the potential threat level of each risk to the company's future operations based on the likelihood of occurrence of each risk and the degree/severity of loss that may be caused once the risk occurs, and to prioritize risk management strategies by classifying the risk level. We also use Sensitivity Analysis and Stress Test to further quantify and analyze the risks and examine whether there is a high correlation between the risk factors. The Risk Map for 2022 includes six risk items with a medium to high level, including geopolitical risk, information security risk, inventory risk, ICT market downside risk, downtime/operational disruption, and ESG-related risk (Refer to the 2022 Risk Map for details).
The Risk Management Working Group compiles the results of the aforementioned analyses and tests, draws up a follow-up implementation plan, and reports them to the Risk Management Committee on a regular (quarterly) basis; in 2022, the Risk Management Working Group coordinated a total of 16 departments/units. To integrate the implementation of ERM with the daily operating procedures and business objectives of each department/unit, each department/unit first compiled 46 Key Performance Indicators (KPIs) and then developed/identified 82 Risk Scenarios that could actually cause operational impacts on those KPIs. Based on the identified and analyzed risk items, the relevant department staff are assigned to prepare the subsequent risk management strategy and related implementation plan (Risk Mitigation), drawing on the risk management responses common in practice (Loss Prevention, Avoidance, Separation & Duplication, Transfer and Retention), and to evaluate the appropriate resource input, implementation priorities, and follow-up progress tracking methods. At the same time, we have developed Incident Response and Crisis Management plans to minimize the negative impact of potential risks on our business objectives and to strengthen the risk resilience of our overall operations. The aforementioned risk management strategy and related implementation plan follow the Plan, Do, Check, Act cycle, and the effectiveness of the risk management plan and the room for improvement are reviewed periodically at the working group meetings for continuous adjustment/refinement. Finally, progress reports on material risk information and corporate risk management operations are made regularly to the Risk Management Committee and the Audit Committee.
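The two paragraphs above describe a likelihood-by-severity Risk Map, a sensitivity analysis and a stress test, followed by assignment of a standard response (Loss Prevention, Avoidance, Separation & Duplication, Transfer, Retention) to each risk. The following Python is an added illustration of that method, not Acer's own tool, register or scoring scale: the 1-5 rating scales, the band thresholds, the sample risks and their ratings are all constructed assumptions chosen so that the ranking, the sensitivity shift and the stress test produce visible results.

```python
"""Worked Risk Map example: score, classify and prioritise a constructed risk register.

Constructed for illustration; not Acer's own register or scales. The 1-5 scales,
the band thresholds and every sample risk below are assumptions.
"""
from dataclasses import dataclass, replace

# Assumed rating scales (not taken from the page): 1 = lowest, 5 = highest.
LIKELIHOOD_MAX = 5
SEVERITY_MAX = 5

# Assumed bands on the product likelihood * severity (range 1..25); checked in order.
BANDS = (("high", 15), ("medium", 8), ("low", 1))

# The five response categories the page lists under Risk Mitigation.
RESPONSES = ("Loss Prevention", "Avoidance", "Separation & Duplication",
             "Transfer", "Retention")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1..LIKELIHOOD_MAX
    severity: int     # 1..SEVERITY_MAX
    response: str     # one of RESPONSES

    def __post_init__(self) -> None:
        # Reject out-of-range ratings early so a typo cannot silently skew the map.
        if not 1 <= self.likelihood <= LIKELIHOOD_MAX:
            raise ValueError(f"{self.name}: likelihood {self.likelihood} out of range")
        if not 1 <= self.severity <= SEVERITY_MAX:
            raise ValueError(f"{self.name}: severity {self.severity} out of range")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.name}: unknown response {self.response!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.severity


def classify(score: int) -> str:
    """Map a score onto the assumed high/medium/low bands."""
    for band, threshold in BANDS:
        if score >= threshold:
            return band
    return "low"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Treatment order: highest score first; ties broken by severity, then by name."""
    return sorted(register, key=lambda r: (-r.score, -r.severity, r.name))


def rank_of(register: list[Risk], name: str) -> int:
    """1-based position of a risk in the prioritised list."""
    for position, risk in enumerate(prioritise(register), start=1):
        if risk.name == name:
            return position
    raise KeyError(name)


def risk_map(register: list[Risk]) -> dict[str, tuple[int, str]]:
    """Name -> (score, band), i.e. the content of a Risk Map cell."""
    return {r.name: (r.score, classify(r.score)) for r in register}


def shift_likelihood(register: list[Risk], name: str, delta: int) -> list[Risk]:
    """Sensitivity analysis: same register with one risk's likelihood moved by delta (clamped)."""
    shifted = []
    for r in register:
        if r.name == name:
            new_value = min(LIKELIHOOD_MAX, max(1, r.likelihood + delta))
            r = replace(r, likelihood=new_value)
        shifted.append(r)
    return shifted


def stress_test(register: list[Risk], severity_delta: int = 1) -> int:
    """Stress test: how many risks land in the 'high' band if every severity worsens by delta."""
    count = 0
    for r in register:
        worse = min(SEVERITY_MAX, max(1, r.severity + severity_delta))
        if classify(r.likelihood * worse) == "high":
            count += 1
    return count


# Constructed sample register (names, ratings and responses are made up for this example).
SAMPLE_REGISTER = [
    Risk("Ransomware outbreak", likelihood=3, severity=5, response="Transfer"),
    Risk("Warehouse flood", likelihood=2, severity=4, response="Loss Prevention"),
    Risk("Key supplier outage", likelihood=4, severity=3, response="Separation & Duplication"),
    Risk("Phishing of staff", likelihood=5, severity=2, response="Loss Prevention"),
    Risk("Office printer failure", likelihood=3, severity=1, response="Retention"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.name:<24} L={r.likelihood} S={r.severity} score={r.score:>2} "
              f"{classify(r.score):<6} -> {r.response}")
    print("rank of 'Warehouse flood' if likelihood rises by 1:",
          rank_of(shift_likelihood(SAMPLE_REGISTER, "Warehouse flood", +1), "Warehouse flood"))
    print("risks in 'high' band if every severity worsens by 1:", stress_test(SAMPLE_REGISTER))
```

The tie-break in `prioritise` is deliberate: two risks with the same score are ordered by severity, so a rare but severe scenario is treated before a frequent but minor one. In the sample, moving the flood's likelihood up by a single point lifts it from fourth to second place, which is the kind of result a sensitivity analysis is meant to surface before the working group commits resources.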
In summary, we continue to actively engage in risk management activities with a proactive approach to address current and future risks and challenges in a prudent manner. The Audit Committee also summarizes the risk environment, risk management focus, risk assessment results and the corresponding response measures, which are reported by the Chairman at the Board of Directors' meeting.
Risk Management Operations Status
In 2021, the Risk Management Working Group identified emerging risks such as information security risks, extreme climate risks, large-scale infectious diseases, supply chain-related risks and geopolitical risks. After regular reconsideration and review in 2022, the Risk Management Committee and Working Group identified a number of emerging risks for 2022, including geopolitical risks (including geo-economic), ICT market downside, inventory management, inflation (including green inflation), interest rate increases, and global climate change. Through group discussions and focused thinking, we aim to carefully assess the potential negative impact of each emerging risk on the company's future operations, and to devise and structure feasible and cost-effective risk management action plans for entry in the risk analysis/registration worksheet. Cyber security risk continues to be a key risk concern for the Company, especially given the correlation between the geopolitical and global economic environment and cyber security risk. The Risk Management Working Group summarizes possible loss types (including loss of goodwill, business interruption, data leakage, ransomware, etc.), and the IT department has compiled the following basic information security principles and continues to work on them, having obtained ISO 27001 international certification for information security in 2020.
In addition, Acer has continued to purchase global information security insurance policies since 2018 and regularly reviews the integrity of the overall coverage every year. In addition to risk transfer considerations, Acer also expects to obtain further assistance and resources from external information security experts through the international information security insurance market. With the rapid development of information technology, the trend of digital transformation and the continuous investment in various innovative applications, we will continue to pay attention to the development trend of cyber security risks (e.g., cyber security risks arising from the adoption of remote working mode) in order to continuously review and improve the relevant information security principles and appropriate risk transfer measures.
Information Security Principles
- Reviewing external services that are open to the public
- Using the least privilege principle and encryption
- Verifying and securing endpoints
- Considering the security of the application
- Identifying and protecting the weakest points
- Keeping up with the latest information security regulations and understanding the latest attack techniques
The Company also monitors the future trends and potential negative impacts of geopolitical risks (geo-economics), such as country-to-country trade protectionism, related barrier measures, and economic and financial sanctions. The Risk Management Working Group collects and summarizes possible loss patterns (including a decline in sales volume or market share due to political and economic instability, or an increase in labor and other related costs due to the relocation of production bases). We will closely monitor the long-term development of these risks and their subsequent impact, work to integrate upstream components with diversified suppliers, and continue our efforts to develop new niche markets and sales channels in order to diversify operational risks and reduce the impact and uncertainty caused by changes in the supply chain, logistics, and global political and economic conditions.
Acer continues to focus on the long-term trends and threats of global climate change and extreme weather, and formally introduced the Task Force on Climate-Related Financial Disclosures (TCFD) assessment framework in 2020. Currently, the supply chain management department assesses the potential low-temperature variation during the shipment period for each specific shipping route and, depending on the type and characteristics of the product, consults with the insurance industry/risk management consultants and cooperates with the shipping company to take feasible and cost-effective damage prevention measures. For infrastructure service interruptions and other operation-related risks with a high probability of occurrence (e.g., typhoons, floods, fires, etc.), similar in impact to the Texas snowstorm, Acer started in 2021 to develop a basic emergency response/business continuity management plan (IR/BCP) for its global warehousing locations. The Company began with a pilot project at the Taiwan headquarters (the project was completed in January 2022, and the on-site exercise and validation were completed at Acer's Taoyuan warehouse), with a view to gradually evaluating and incorporating implementation/improvement and regular audits according to the resources available at each global warehouse location, or further including it among the evaluation criteria for the selection of warehouse service providers, so as to strengthen the risk resilience of warehouse logistics management in a gradual and orderly manner.