Risk Management Policies & Procedures

The Company's risk management policy: Integrate the company's strategies, actively identify risks, implement risk management, link performance indicators, continuously monitor and improve, and move towards sustainable development.
In order to strengthen corporate governance, implement the Company's risk management policy, and reasonably ensure the achievement of the Company's objectives, the risk management rules were formulated in 2006 and approved by the Board of Directors, and the latest revision date is August 9, 2023.
The Company's Risk Management Policy includes risk management procedures. Pursuant to the five key elements of the COSO framework (Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication, and Reporting), eight steps have been integrated into operations to fully exercise risk management.

 

Risk Review

To timely capture changes in the operating environment and potential risks, the Company conducts risk event identification on an annual basis, complemented by regular risk reviews, assessments, and execution follow-up on a monthly basis, continuously identifying emerging and material risk events that may impact the operations, finances, compliance, reputation, and the achievement of strategic objectives at the Company on a rolling basis.
The risk events are evaluated based on their likelihood and magnitude at the Company. A risk matrix is employed to determine risk levels and management priorities to ensure that all risks, including strategic, operational, reporting, and compliance risks, are integrated into management. Furthermore, the Company regularly tracks control indicators, risk trends, and mitigating actions for each risk event, maintaining overall risk exposure within the acceptable level of risk appetite.
In 2025, the overall risk appetite of Chunghwa Telecom was NT$2.305 billion. The Company formulates corresponding control measures and mitigating actions in line with respective risk levels, while enhancing its early-warning mechanisms for risks, response capabilities, and operational resilience through regular reviews and execution follow-ups.

Prioritization of identified risks in 2025

Chunghwa Telecom conducts risk event identification and assessment in accordance with the strategic pillars of its business plans, domestic and international risk trends, and material risk topics. The expected values of risks are calculated based on "likelihood × magnitude." The events are prioritized through a risk matrix to establish the basis for subsequent risk control, mitigating actions, as well as follow-up and management.
The primary risk events for 2025 are as follows: competitive market changes, network quality and infrastructure maintenance, AI governance, investment in business, development of advanced technologies, new service market development, information system and information technology management, sustainability and climate strategies, overseas market service development, information security and privacy protection, and human resource management and development.

 
 

 

Item Description
Identified Risk: Information security and privacy protection
Company-specific Risk Exposure: The telecom sector is facing operational challenges such as rapid technological transformation, AI adoption, cloudification, virtualization, and an increased reliance on third-party vendors. While AI technology helps enhance process automation and operational efficiency, it may also lower the threshold for external cybersecurity threats, expanding the scale and scope of cyberattacks.
Although emerging technologies like virtualization and cloudification improve system flexibility and cost-effectiveness, they also introduce system integration complexities and a broader potential attack surface. Furthermore, as quantum computing technology gradually matures, existing encryption mechanisms such as RSA and ECC may face the risk of being breached, increasing the likelihood of sensitive communication data leaks. In addition, enterprises' growing dependency on third-party vendors ushers in cybersecurity threats related to supply chain infiltration. All the aforementioned risks could lead to service disruptions, compromised customer trust, reputational impact, and a decline in operational stability.
Processes of Risk Appetite: In consideration of the adoption of emerging technologies, regulatory requirements, business development, and external threat intelligence, the Company regularly identifies and assesses cybersecurity and privacy protection risks. The assessment process draws on the AI guidelines issued by competent authorities, external AI cybersecurity risk intelligence, security vulnerability scanning, vulnerability testing, automated vulnerability detection, and early-warning mechanisms for cybersecurity incidents to quantify the likelihood and magnitude of risk exposures and to determine risk levels and priorities. Items that exceed the defined risk appetite are integrated into risk management and internal control procedures to establish appropriate control measures, ensuring the security of systems, data, and services.
Mitigating Actions
  1. Established an AI management framework and governance organization aligned with the ISO/IEC 42001 standard; executed AI risk identification, assessment, and control in compliance with the "Reference Guidelines for the Application of Artificial Intelligence in National Critical Infrastructure" to mitigate potential cybersecurity and operational risks brought by AI adoption.  
  2. Completed the PQC mechanism upgrade for public-facing service websites to reinforce data transmission security, mitigate potential risks posed by quantum computing to encryption algorithms, and ensure the confidentiality and integrity of customer data.
  3. Strengthened cloud security architecture and cloud-native protection solutions, deployed the Next-Generation Security Information and Event Management (NG-SIEM) and Zero Trust Architecture (ZTA), as well as integrated AI technologies with external threat intelligence to enhance the efficiency of early-warning, detection, and incident response in alignment with the cloudification strategy at the Company.  
  4. Formulated supplier cybersecurity management regulations to reinforce third-party security capability assessments and supervisory governance and introduced cybersecurity rating tools to help suppliers grasp their security posture and asset exposure, mitigating supply chain cybersecurity risks.
     

Item Description
Identified Risk: Network quality and infrastructure maintenance
Company-specific Risk Exposure: Geopolitical tensions, catastrophic natural disasters, external environmental shifts, or the concurrent materialization of multi-barrier incidents may trigger severe network disruptions. For instance, commercial shipping operations may result in communication failures of the submarine cables connecting offshore islands. Also, natural disasters such as typhoons, torrential rains, and earthquakes may lead to congestion or outages in mobile telecommunications, local fixed-line telephony, and backbone networks across mountainous and remote regions, resulting in compromises in critical communication services, customer connectivity quality, public telecommunications, and emergency response capabilities.
Processes of Risk Appetite
  1. By leveraging historical data analysis of major disasters, subjective expert judgment, and scenario analysis, the Company assesses "the actual and potential magnitude of impact that relevant risk events may have on national security, public livelihood and economy, and business continuity." In the formulation of the annual operational plan, the Company defines its annual risk reinforcement targets, risk appetite, and key performance indicators.
  2. To enforce robust risk control, Chunghwa Telecom carries out regular reviews in accordance with its risk management procedures. Through ongoing KPI tracking and rolling reviews, risk responses and mitigating actions are executed to reduce residual risks to a level within the acceptable thresholds of the risk appetite at the Company.
Mitigating Actions
  1. Enhanced the network backup bandwidth for offshore islands to mitigate the impact of submarine cable disruptions on the communication network.
  2. Implemented the Taiwan-Penghu-Kinmen-Matsu No. 4 Submarine Cable construction project to elevate the communication network resilience and service availability of offshore islands.
  3. Integrated multi-dimensional network resources, including submarine cables, satellites, microwaves, 5G private networks, and fixed-line networks, while collaborating with external supporting units to complete the 2025 Critical Infrastructure Protection Exercise.
  4. Executed integrated mobile communication training to establish a command-and-control disaster relief system.
  5. Formulated diversified backup solutions to strengthen national communications network resilience.
     

Risk Management Process Audit

Chunghwa Telecom issued American Depositary Receipts (ADRs) on the New York Stock Exchange (NYSE). In line with the NYSE listing standards, the Company established an internal audit system to assess the risk management operations and internal control system of the Company.
In Taiwan, we abide by the Regulations Governing Establishment of Internal Control Systems by Public Companies of the Financial Supervisory Commission (FSC), establishing the internal control/audit systems in compliance with the regulatory requirements for governance.
We have incorporated risk management processes into our enterprise-level internal control systems. In addition to annual self-assessments, the internal control system policies and procedures of the Company are regularly reviewed through auditing by the internal audit unit and external audits (accountants), including financial, operational, risk management, information security, outsourcing, legal compliance, etc.
The Audit Committee assesses the effectiveness of the business risk management and procedures of the internal control systems and regularly reviews reports from the audit department of the Company, certified public accountants, and the management, including those on risk management and legal compliance. With reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework (2013), the Audit Committee is convinced that the risk management and internal control systems of the Company are effective and that the Company has adopted necessary control mechanisms to monitor and correct violations.

 

https://www.cht.com.tw/en/home/cht/investors/financials/annual-report

Implementation of Risk Management Culture

Item Description
Risk management education for all non-executive directors
  1. Regular, consistent, and institutionalized risk management training courses are provided for all non-executive directors on an annual basis to strengthen their grasp of the latest risk management practices and enhance their capabilities in the identification and assessment of various risks, ensuring the integration of risk considerations into the Board's decision-making process and bolstering robust corporate governance.
  2. In 2025, 100% of the non-executive directors at Chunghwa Telecom completed 3 hours of a professional risk management course, titled "The Current Landscape and Responses of Corporate Risks around the World," with a focus on the US reciprocal tariffs and foreign exchange rates, geopolitics, AI developments, and ESG sustainability.
Training throughout the organization on risk management principles
  1. In 2025, the company-wide risk management-related training courses organized by Chunghwa Telecom, encompassing risk management, cybersecurity, internal control, internal audit, and occupational health and safety, reached a total attendance of 61,582, with cumulative training hours totaling 289,606 hours.  
  2. Chunghwa Telecom regularly conducts risk management training for all employees to familiarize them with the risk management policies, processes, risk identification, assessment, control, as well as the principles and regulations to be followed at the Company, in addition to risk management seminars held periodically to reinforce the risk management awareness of its employees.  
  3. In 2025, courses such as "The Current Landscape and Responses of Corporate Risks around the World" and "Risk Management and System Development" were offered, providing focused training on systemic and practical dimensions for risk management officers, operational staff, and risk management teams.
  4. The risk management training programs also incorporate case studies concerning information security, environmental issues, natural disasters, employee codes of conduct, and new business expansion, assisting employees in understanding identification, reporting, response, and handling protocols under different risk scenarios, while enabling dynamic adjustments in response to shifts of external environments.
Incorporation of risk criteria in the development of products and services: Potential risks in product and service development: product conflicts, customer confusion due to unclear product labeling, failure to accurately capture market demands, inadequate maintenance of service quality/image, and failure to effectively manage product profitability.
  1. According to the product launch and removal procedures at CHT, financial and risk assessments are required in the reviews for product launch and operation, covering aspects such as technology, market, operation, cybersecurity and personal data protection, and other risks.
  2. Risk assessments, including customer and supplier creditworthiness and contract performance capabilities, are required in project and tender review.
Financial incentives which incorporate risk management metrics: Financial incentives that incorporate risk management metrics across various domains, including store services, employee OHS, cybersecurity and privacy protection, and business development, are established at Chunghwa Telecom. With key risk control outcomes integrated into the framework for performance rewards, the risk culture is reinforced throughout the Company. The systems include, but are not limited to:
  1. Customer Service and Operational Risks: Evaluation metrics for regular stores are based on service quality, operational accuracy, overall store environment, and customer comfort, with incentive measures provided to regular stores and individual employees according to the evaluation results to mitigate service quality and operational risks.
  2. Employee Safety and Business Interruption Risks: When employees’ occupational health and safety units or departments achieve OHS risk control targets, including employee injury frequency, injury severity, and external incident severity, rewards are issued to relevant employees in accordance with the system, reducing occupational safety incidents and business interruption risks.
  3. Cybersecurity and Privacy Protection Risks: To enhance capabilities in cybersecurity early warning, reporting, and incident response, the cybersecurity notification unit provides quarterly cash incentives, in line with the potential magnitude of the risk event, to employees who proactively discover suspicious cybersecurity events following the review process.
  4. Strategic and New Business Risks: To advance sustainable corporate operations, specific objectives encompassing the enhancement of operational performance, promotion of sustainable development, execution of major business strategies, driving of transformation and upgrading, effective expansion of profitability, major R&D outcomes, and improvement of operation and maintenance efficiency have been established at Chunghwa Telecom, along with the Regulations Governing the Timely Rewards enacted to incentivize employees to actively generate performance, mitigating risks associated with strategy execution and new business initiatives.