Risk Management Policies & Procedures
The Company's risk management policy: Integrate the company's strategies, actively identify risks, implement risk management, link performance indicators, continuously monitor and improve, and move towards sustainable development.
In order to strengthen corporate governance, implement the Company's risk management policy, and reasonably ensure the achievement of the Company's objectives, the risk management rules were formulated in 2006 and approved by the Board of Directors, and the latest revision date is August 9, 2023.
The Company's Risk Management Policy includes risk management procedures. Pursuant to the five key elements of the COSO framework (Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication and Reporting), eight steps have been integrated into operations to fully exercise risk management.
Risk Review
To timely capture changes in the operating environment and potential risks, the Company conducts risk event identification on an annual basis, complemented by regular risk reviews, assessments, and execution follow-up on a monthly basis, continuously identifying emerging and material risk events that may impact the operations, finances, compliance, reputation, and the achievement of strategic objectives at the Company on a rolling basis.
The risk events are evaluated based on their likelihood and magnitude at the Company. A risk matrix is employed to determine risk levels and management priorities to ensure that all risks, including strategic, operational, reporting, and compliance risks, are integrated into management. Furthermore, the Company regularly tracks control indicators, risk trends, and mitigating actions for each risk event, maintaining overall risk exposure within the acceptable level of risk appetite.
In 2025, the overall risk appetite of Chunghwa Telecom was NT$2.305 billion. The Company formulates corresponding control measures and mitigating actions in line with respective risk levels, while enhancing its early-warning mechanisms for risks, response capabilities, and operational resilience through regular reviews and execution follow-ups.
Prioritization of identified risks in 2025
Chunghwa Telecom conducts risk event identification and assessment in accordance with the strategic pillars of its business plans, domestic and international risk trends, and material risk topics. The expected values of risks are calculated based on "likelihood × magnitude." The events are prioritized through a risk matrix to establish the basis for subsequent risk control, mitigating actions, as well as follow-up and management.
The primary risk events for 2025 are as follows: competitive market changes, network quality and infrastructure maintenance, AI governance, investment in business, development of advanced technologies, new service market development, information system and information technology management, sustainability and climate strategies, overseas market service development, information security and privacy protection, and human resource management and development.

| Item | Description |
|---|---|
| Identified Risk | Information security and privacy protection |
| Company-specific Risk Exposure | The telecom sector is facing operational challenges such as rapid technological transformation, AI adoption, cloudification, virtualization, and an increased reliance on third-party vendors. While AI technology helps enhance process automation and operational efficiency, it may also lower the threshold for external cybersecurity threats, expanding the scale and scope of cyberattacks. Although emerging technologies like virtualization and cloudification improve system flexibility and cost-effectiveness, they also introduce system integration complexities and a broader potential attack surface. Furthermore, as quantum computing technology gradually matures, existing encryption mechanisms such as RSA and ECC may face the risk of being breached, increasing the likelihood of sensitive communication data leaks. In addition, enterprises' growing dependency on third-party vendors ushers in cybersecurity threats related to supply chain infiltration. All the aforementioned risks could lead to service disruptions, compromised customer trust, reputational impact, and operational stability decline. |
| Processes of Risk Appetite | In consideration of the adoption of emerging technologies, regulatory requirements, business development, and external threat intelligence, the Company regularly identifies and assesses cybersecurity and privacy protection risks. The assessment process includes referencing the AI guidelines issued by competent authorities, external AI cybersecurity risk intelligence, security vulnerability scanning, vulnerability testing, automated vulnerability detection, and early-warning mechanisms for cybersecurity incidents, quantifying the likelihood and magnitude of risk exposures, determining risk levels and priorities. Items that exceed the defined risk appetite are integrated into risk management and internal control procedures to establish appropriate control measures, ensuring the security of systems, data, and services. |
| Mitigating Actions | |

| Item | Description |
|---|---|
| Identified Risk | Network quality and infrastructure maintenance |
| Company-specific Risk Exposure | Geopolitical tensions, catastrophic natural disasters, external environmental shifts, or the concurrent materialization of multi-barrier incidents may trigger severe network disruptions. For instance, commercial shipping operations may result in communication failures of the submarine cables connecting offshore islands. Also, natural disasters such as typhoons, torrential rains, and earthquakes may lead to congestion or outages in mobile telecommunications, local fixed-line telephony, and backbone networks across mountainous and remote regions, resulting in compromises in critical communication services, customer connectivity quality, public telecommunications, and emergency response capabilities. |
| Processes of Risk Appetite | |
| Mitigating Actions | |

Risk Management Process Audit
Chunghwa Telecom issued American Depositary Receipts (ADRs) on the New York Stock Exchange (NYSE). In line with the NYSE listing standards, the Company has established an internal audit system to assess its risk management operations and internal control system.
In Taiwan, we abide by the Regulations Governing Establishment of Internal Control Systems by Public Companies of the Financial Supervisory Commission (FSC), establishing the internal control/audit systems in compliance with the regulatory requirements for governance.
We have incorporated risk management processes into our enterprise-level internal control systems. In addition to the regular annual self-assessments, the internal control system policies and procedures of the Company are regularly reviewed through auditing by the internal audit unit and external audits (accountants), including financial, operational, risk management, information security, outsourcing, legal compliance, etc.
The Audit Committee assesses the effectiveness of the business risk management and procedures of the internal control systems and regularly reviews reports from the audit department of the Company, certified public accountants, and the management, including those on risk management and legal compliance. With reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework (2013), the Audit Committee is convinced that the risk management and internal control systems of the Company are effective and that the Company has adopted necessary control mechanisms to monitor and correct violations.

https://www.cht.com.tw/en/home/cht/investors/financials/annual-report
Implementation of Risk Management Culture
| Item | Description |
|---|---|
| Risk management education for all non-executive directors | |
| Training throughout the organization on risk management principles | |
| Incorporation of risk criteria in the development of products and services | Potential risks in product and service development: product conflicts, customer confusion due to unclear product labeling, failure to accurately capture market demands, inadequate maintenance of service quality/image, and failure to effectively manage product profitability. |
| Financial incentives which incorporate risk management metrics | Financial incentives that incorporate risk management metrics across various domains, including store services, employee OHS, cybersecurity and privacy protection, and business development, are established at Chunghwa Telecom. With key risk control outcomes integrated into the framework for performance rewards, the risk culture is reinforced throughout the Company. The systems include, but are not limited to: |