Risk Management Process

Chunghwa Telecom deeply recognizes the importance of risk management in a rapidly changing industry environment. To this end, we adhere to our core values of risk management. Pursuant to the five key elements of the COSO framework, i.e., Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, Information, Communication and Reporting, eight steps have been integrated into the operations to fully exercise risk management.

 

Risk Review

To assess operational risks in a timely manner, we identify risk events annually, conduct regular risk review, assessment, and tracking monthly, and identify potentially new risk events ongoingly, ensuring risks (including categories like "strategic risk," "operational risk," "reporting risk," and "compliance risk") identified. Also, it actively tracks risks mitigation action indicators corresponding to various risks on a regular basis to maintain within the scope or overall risk appetite.

The amount of the overall risk appetite was NT$2.33 billion in 2023. We assess the severity of operational impacts based on the likelihood and impact of individual risk event, ranks the priority and level of risks via a risk matrix, and takes corresponding risk control actions in accordance with risk levels.

Prioritization of identified risks in 2023

Competitive market changes , information security and privacy protection, network quality and infrastructure maintenance, new service market development, human resource management and development, sustainability and climate strategies, development of advanced technologies, and information system and information technology management

Item Description
Identified Risk Information security and privacy protection
Company-specific Risk Exposure The telecom industry faces technological changes and evolving challenges, such as 5G and AI service applications, adoption of emerging technologies (virtualization/cloudification), and supply chain attacks, which may lead to service disruptions, decrease in customer trust, and damage to the corporate reputation.
Processes of Risk Appetite In consideration of the adoption of emerging technologies, regulatory requirements, and key business development, the potential cybersecurity and personal data privacy risks are assessed technically, including regular security vulnerability scans and vulnerability testing, automated vulnerability intelligence early warning mechanisms, and quantifying the probability and impact of risk occurrences, so as to take appropriate control measures to protect the security of systems and data.
Mitigating Actions
  1. Strengthen the security control principles and security testing technologies for 5G software-defined architectures to prevent networks being controlled or misused.
  2. Establish the AI 2.0 corporate strategy committee, create an AI governance system, and stay abreast of AI-related risks and international standard development trends.
  3. Along with the adoption of emerging information technologies, establish a zero-trust framework to ensure the security of the Company in accessing cloud services, and continue to develop anomaly behavior analysis rules and automated vulnerability intelligence early warning mechanisms to enhance the observability of security analysis and threat hunting capabilities.
  4. Formulate supplier cybersecurity management regulations, enhance the assessment and supervision of suppliers' cybersecurity capabilities, and introduce security rating tools to help suppliers capture their security posture and asset exposure in order to improve the security of the supply chain ecosystem.

Item Description
Identified Risk Network quality and infrastructure maintenance.
Company-specific Risk Exposure Significant network disruptions arise due to geopolitics, major natural disasters, external environmental changes, or occurrence of multiple obstacle events simultaneously, such as offshore island submarine cable communication failures owing to cargo ship operations, or paralysis of mobile/landline/network services in mountainous and remote areas due to typhoons.
Processes of Risk Appetite
  1. With reference to the data analysis of major disasters over the years, subjective experience-based expert judgment, scenario analysis, etc., Chunghwa Telecom assesses the "actual and potential impact on the national security and livelihood economy" of risk events as well as confirms the annual strengthening goals and risk appetite in formulating the annual operation plan at the beginning of the year.
  2. In order to implement risk control, pursuant to the management operations at the Company, performance indicators are linked and added into consideration on a rolling basis, followed by implementing risk response and mitigation actions to reduce the total residual risk to within the risk appetite.
Mitigating Actions
  1. Boost the backup bandwidth for the networks of offshore islands in order to lower the impact of submarine cable disruptions on communication networks.
  2. Plan the Taiwan-Penghu-Kinmen-Matsu No. 4 Submarine Cable to enhance the resilience of the offshore islands' communication networks.
  3. Integrate network resources like submarine cables, satellites, 5G private networks, and fixed line as well as coordinate with external support units to complete the tasks for the 2023 National CIP Designated Exercise for Critical Infrastructure.
  4. Implement integrated training for mobile communications and establish the command and rescue system.
  5. Prepare various backup plans to strengthen the resilience of the national communications network.

Risk Management Process Audit

Chunghwa Telecom issued American Depository Receipts (ADR) at the New York Stock Exchange (NYSE). In line with the New York Stock Exchange (NYSE) listing standards, the Company establish an internal audit system to assess the risk management operations and internal control system of the Company.

In Taiwan, we abide by the Regulations Governing Establishment of Internal Control Systems by Public Companies of the Financial Supervisory Commission (FSC), establishing the internal control/audit systems in compliance with the regulatory requirements for governance.

We have incorporated risk management processes into our enterprise-level the internal control systems, In addition to regular performance of self-assessments annually, the internal control system policies and procedures of the Company are regularly reviewed though the auditing by the internal audit unit and external audits (accountants), including financial, operational, risk management, information security, outsourcing, legal compliance, etc.

The Audit Committee assesses the effectiveness of the business risk management and procedures of the internal control systems and regularly reviews reports from the audit department of the Company, certified public accountants, and the management, including those on risk management and legal compliance. With reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework (2013), the Audit Committee is convinced that the risk management and internal control systems of the Company are effective and that the Company has adopted necessary control mechanisms to monitor and correct violations.

https://www.cht.com.tw/en/home/cht/investors/financials/annual-report


Implementation of Risk Management Culture

Item Description
Risk management education for all non-executive directors
  1. Regular risk management training courses are conducted each year for non-executive directors, with each non-executive director having received 1.5 hours of professional risk management training in 2023.
  2. It is planned that each non-executive director is to participate in relevant training courses at least 1.5 to 3 hours yearly as of 2024 to ensure that non-executive directors grasp the latest risk management practices and possess the ability to assess various forms of risk, thereby incorporating risk management considerations into their decision-making process.
  3. The topic for the course in 2023 was "Concepts and Practices in Risk Management". For more information, please refer to here.
Training throughout the organization on risk management principles
  1. The risk-related courses offered at CHT in 2023 included occupational health and safety (OHS), cybersecurity, internal audit, risk management, and internal control, with a total participation of 19,750 employees and a total of 75,629 hours.
  2. CHT regularly conducts risk management trainings for all employees to inform employees of the risk management policies, processes, and guidelines and standards of the Company to follow, along with risk management seminars held from time to time to strengthen the risk management awareness of employees.
  3. In the risk management training courses, specific cases related to cybersecurity, environmental issues, and natural disasters are cited to enhance the risk management awareness and risk-handling skills of employees, which are dynamically adjusted subject to environmental changes.
  4. All employees are required to participate in the online risk management courses, covering cybersecurity risks, employee code of conduct, new business promotion, and other courses related to risk management.
  5. Focused trainings on the systematic and practical aspects are provided for risk managers and operational staff, with courses such as "Risk Management and System Development" and "Enterprise Risk Management Concepts and Practices" offered in 2023.
Incorporation of risk criteria in the development of products and services Potential risks in product and service development: product conflicts, customer confusion due to unclear product labeling, failure to accurately capture market demands, inadequate maintenance of service quality/image, and failure to effectively manage product profitability.
  1. According to the product launch and removal procedures at CHT, financial and risk assessments are required in the reviews for product launch and operation, covering aspects such as technology, market, operation, cybersecurity and personal data protection, and other risks.
  2. Risk assessments, including customer and supplier creditworthiness and contract performance capabilities, are required in project and tender review.
Financial incentives which incorporate risk management metrics Financially incentive systems with risk management indicators in various aspects such as store services, employee OHS, cybersecurity and personal data protection, and business development are actively enacted at CHT to enhance the incentives for a risk management culture, including but not limited to:
  1. Regular store and individual risk management incentives: Incentive measures are provided to regular stores and individuals on the basis of the assessment indicators in service quality, operational accuracy, and customer comfort in the overall store environment.
  2. Employee OHS risk management incentives: If a unit or department achieves OHS management indicators (including safety parameters, employee injury frequency, injury severity, and external involvement severity rate), all employees on the unit or department are rewarded.
  3. Cybersecurity risk management incentives: Employees who proactively identify suspicious cybersecurity incidents are provided with quarterly cash rewards after review in line with the potential risk of the incident.
  4. Sustainable development risk management incentives: To enhance the operating performance and promote sustainable development of the Company, the Regulations Governing the Timely Rewards have been formulated to encourage active work performances in major business strategies, transformation and upgrade promotion, effective improvement of corporate profitability, significant R&D achievements, improvement of operational efficiency, among others.
Excellence & Innovation
Innovation Management
Interaction
Latest News Surveys Contact Us Newsletter Subscription Chunghwa Telecom CSR Fan Page

BACK TO TOP