Risk Management Process
Chunghwa Telecom deeply recognizes the importance of risk management in a rapidly changing industry environment. To this end, we adhere to our core values of risk management. Pursuant to the five key elements of the COSO framework (Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication and Reporting), eight steps have been integrated into our operations to fully exercise risk management.
Risk Review
To assess operational risks in a timely manner, we identify risk events annually, conduct regular risk review, assessment, and tracking monthly, and identify potential new risk events on an ongoing basis, ensuring that risks (including categories such as "strategic risk," "operational risk," "reporting risk," and "compliance risk") are identified. We also actively track the risk mitigation action indicators corresponding to the various risks on a regular basis to keep them within the scope of the overall risk appetite.
The amount of the overall risk appetite was NT$2.33 billion in 2023. We assess the severity of operational impacts based on the likelihood and impact of each individual risk event, rank the priority and level of risks via a risk matrix, and take corresponding risk control actions in accordance with the risk levels.
Prioritization of identified risks in 2023
Competitive market changes, information security and privacy protection, network quality and infrastructure maintenance, new service market development, human resource management and development, sustainability and climate strategies, development of advanced technologies, and information system and information technology management
Item | Description |
---|---|
Identified Risk | Information security and privacy protection |
Company-specific Risk Exposure | The telecom industry faces technological changes and evolving challenges, such as 5G and AI service applications, adoption of emerging technologies (virtualization/cloudification), and supply chain attacks, which may lead to service disruptions, a decrease in customer trust, and damage to the corporate reputation. |
Processes of Risk Appetite | In consideration of the adoption of emerging technologies, regulatory requirements, and key business development, the potential cybersecurity and personal data privacy risks are assessed technically, including regular security vulnerability scans and vulnerability testing, automated vulnerability intelligence early warning mechanisms, and quantifying the probability and impact of risk occurrences, so as to take appropriate control measures to protect the security of systems and data. |
Mitigating Actions | |

Item | Description |
---|---|
Identified Risk | Network quality and infrastructure maintenance |
Company-specific Risk Exposure | Significant network disruptions arise due to geopolitics, major natural disasters, external environmental changes, or the simultaneous occurrence of multiple obstacle events, such as offshore island submarine cable communication failures owing to cargo ship operations, or paralysis of mobile/landline/network services in mountainous and remote areas due to typhoons. |
Processes of Risk Appetite | |
Mitigating Actions | |

Risk Management Process Audit
Chunghwa Telecom issued American Depositary Receipts (ADRs) on the New York Stock Exchange (NYSE). In line with the NYSE listing standards, the Company has established an internal audit system to assess the risk management operations and internal control system of the Company.
In Taiwan, we abide by the Regulations Governing Establishment of Internal Control Systems by Public Companies of the Financial Supervisory Commission (FSC), establishing the internal control/audit systems in compliance with the regulatory requirements for governance.
We have incorporated risk management processes into our enterprise-level internal control systems. In addition to the regular annual performance of self-assessments, the internal control system policies and procedures of the Company are regularly reviewed through auditing by the internal audit unit and external audits (accountants), including financial, operational, risk management, information security, outsourcing, legal compliance, etc.
The Audit Committee assesses the effectiveness of the business risk management and procedures of the internal control systems and regularly reviews reports from the audit department of the Company, certified public accountants, and the management, including those on risk management and legal compliance. With reference to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control – Integrated Framework (2013), the Audit Committee is convinced that the risk management and internal control systems of the Company are effective and that the Company has adopted necessary control mechanisms to monitor and correct violations.
https://www.cht.com.tw/en/home/cht/investors/financials/annual-report
Implementation of Risk Management Culture
Item | Description |
---|---|
Risk management education for all non-executive directors | |
Training throughout the organization on risk management principles | |
Incorporation of risk criteria in the development of products and services | Potential risks in product and service development: product conflicts, customer confusion due to unclear product labeling, failure to accurately capture market demands, inadequate maintenance of service quality/image, and failure to effectively manage product profitability. |
Financial incentives which incorporate risk management metrics | Financial incentive systems with risk management indicators in various aspects such as store services, employee OHS, cybersecurity and personal data protection, and business development are actively enacted at CHT to enhance the incentives for a risk management culture, including but not limited to: |