Economic Aspect

Risk Management

Issue Date: 2020/08/19

Risk Governance

Chunghwa Telecom places great emphasis on business risk management as a means of ensuring stability against impacts from the external environment and internal operations. It has the "Risk Management Policy" in place to guide employees' actions. The board of directors outlines the Company's risk management policies, framework, and culture. The secretariat assists the board in the implementation of risk management practices throughout the Company.

In 2006, the Board of CHT adopted the Risk Analysis Matrix and introduced Enterprise Risk Management (ERM), formulating risk management policies, structure and culture. In 2016, the Risk Management Committee was established with the President as the chairperson and the SEVPs and VPs of the headquarters as the committee members. The CHT Risk Management Committee operates outside the business mechanism, carrying out assessment, examination, and management of corporate risks while reporting the implementation results of risk management to the Board/Audit Committee. A Secretariat is created under the Committee to facilitate matters of risk management and operation improvement; the auditing office reviews the risks; and the Board stipulates the policies, architecture, and culture of risk management.

The CHT Risk Management Committee has convened for matters like confirmation of corporate risk priority, discussion of responding action plans, and review of the effectiveness of plans executed. In 2019, CHT listed the execution results with regard to risk management as one of the performance indicators of senior executives so as to strengthen the enterprise’s overall risk management mechanism.

The President of Chunghwa Telecom is the chairperson of the Risk Management Committee of CHT, which is convened at least once a year. The resolutions reached in the meeting will be reported to the Board/Audit Committee by the President.




Chunghwa Telecom's risk management practices involve ongoing analysis of operational goals, the accuracy of financial reports, and impacts of high-risk events. These findings are constantly reviewed to ensure that all business risks can be identified and controlled, and thereby maintain business operations while protecting stakeholders' interests.

We also have an enterprise risk management (ERM) system in place to control risks associated with our businesses. Risk managers have been assigned to all departments to monitor risk targets and risk events, and report findings on a monthly basis. Risk managers are also involved in the review and adjustment of risk measures, assessment of risk impacts, and execution of systematic records, management, and follow-up tracking.

We use a "risk map" for assessing regulatory risks, network maintenance risks, market competition risks, and financial risks. For every major concern identified in our operations, we conduct intensive sensitivity analysis and stress-testing to decide whether we should take steps to accept, transfer, mitigate or avoid the associated risks, thereby minimizing our possible losses.


Sensitivity Analysis

Chunghwa Telecom conducts sensitivity analyses and pressure tests on key operational risk factors annually and reduces potential losses with risk acceptance, risk transfer, and risk reduction measures.

● Financial risks: analyses of risks such as credit and exchange rates to determine the potential maximum impacts and the items affected.

● Operational risks: performance tests on the accounting system to ensure it is fit for various service scenarios.

● Market risks: CHT TTI eLearning performance test.

● Strategic risks: marketing manpower sensitivity analyses on the 5000 employees retiring in 5 years and on the cases of the Review Committee.

● Compliance risks: analyses of the impact on CHT operations of amendments to telecommunication regulations in Taiwan.


Climate Change Risk

Climate risk and opportunity management is an integral part of our business and decision-making processes and is embedded into Chunghwa Telecom's entire organizational structure and business processes. The scope of evaluation includes all business groups of the Company.

CHT has incorporated the climate change factor into the evaluation system for corporate performance and risk management. Significant risks are listed in the annual corporate operating plan. Target management and performance evaluation are then conducted along with continuing certification and feedback activities. The key components of our risk management system include our CSR Policy, guidelines and reporting systems, strategy, planning, and controlling processes; internal audit activities; the establishment of CSR committees and the requirement for Environmental Management Systems within all of our operations with significant risks.


CHT Climate Risk Management Procedures


● Evaluation frequency: depends on the business needs of the individual group/department.

● Criteria for determining materiality/priorities: Climate change risks and opportunities are determined with reference to probability of occurrence and severity and are measured against threshold values stipulated in CHT’s Policy for Opportunity and Risk Reporting.

● To whom the results are reported: Risk reporting is fully integrated into our standardized budgeting and controlling processes. The asset-level Risk Owner reports to their department manager. The manager reports to a CSR Committee member. Significant risks at a company level are reported quarterly to the CSR Committee and the Board of Management. The information is also publicly communicated in the CDP questionnaire and the CHT CSR Report.


The Potential Operational Risks Caused by Climate

1. The impacts of the greenhouse effect, rising global temperatures, and the aggravation of extreme climate have caused some areas of Taiwan to experience more severe typhoons and flooding while other parts face serious water shortages. Such crises affect both industrial and domestic water use, and effort has to be made to reduce the severity and avoid disastrous outcomes.
2. Resources need to be made available for action in cases of natural disaster. The equipment used must be properly maintained and be available for further use after disasters, and operational energy must also be easy to acquire.
3. We will establish greenhouse gas emission control and also allow carbon rights transactions in accordance with the “Greenhouse Emission Reduction and Management Act” of Taiwan. The CHT Internet and the operation of the generator room depend on a huge amount of energy and the relative input has a direct effect on company finances.


Emerging Risks

Emerging Risk 1: Cybersecurity and Information Security 

Trend Micro Security Predictions for 2020 suggests that three risks will emerge in the future, including enhanced cloud risks for enterprises, AI deepfakes, and expanded risks from IoT.
As industries in Taiwan actively engage in digital transition, IT strategies like hybrid cloud and multi-cloud are employed. The ever-accelerating pace of technological development and deployment thus puts pressure on cybersecurity or on the time available for vulnerability tests.
Gartner, a global research company, predicts that up to 60% of corporate organizations will use external cloud management services by 2022, when data leaks due to human negligence in cloud settings are expected to be more common.

Potential Business Impact:

The financial industry in Taiwan is rapidly making the transition to digital finance, relying heavily on products and services from telecom providers. For instance, online-only banks and 5G commercialization, which introduces more rapid and diversified experiences, will bring forth more emerging information security risks.

1. The major threats of 5G to enterprises in terms of cybersecurity identified in the Prague Proposals include unexpected incidents from human error, individual hackers, hacktivist groups, organized crime groups, insiders, cyber-terrorists, and state-sponsored actors.
2. For Chunghwa Telecom, building trustworthy software/hardware supply chain management will be one of the critical issues in 5G information security. Quality and its control from software design through development and maintenance, and how to verify and authenticate the security of 5G software/hardware for businesses, will have an impact on Chunghwa Telecom.

In addition, after 5G commercialization, balancing the safeguarding of personal privacy from violation and abuse against the creation of data value will become a risk Chunghwa Telecom has to address upon its first 5G commercialization in Taiwan.

Mitigating Actions:

Pursuant to international standards, Chunghwa Telecom (CHT) has laid out cybersecurity measures and has 5G security requirements in place.

1. CHT continues to improve its risk management measures, introduce international standards, and work with international cybersecurity organizations to strengthen its overall cybersecurity capabilities while proactively developing key information technology, facilitating emerging business development, and offering a secure, reliable digital environment for clients.
2. In light of the openness and diversity of vertical integration in the future 5G architecture, CHT examined the relevant security and detection mechanisms in terms of network security, secure communication of OT and IT networks, secure software development, management of supply chains, MEC security, and protection of clients’ private data to ensure the security of future service applications.
3. CHT released the 5G Technology White Paper in April 2019 and has included security requirements in its 5G planning in the “Security Protection Plan for Mobile Broadband Services” in line with the cybersecurity standards of ITU and 3GPP. Hence, it ensures the security, resilience, and reliability of its 5G system as the 1st operator to pass the NCC’s on April 1, 2020.

Emerging Risk 2: Investment in infrastructure for 5G commercialization burdens capital expenditure while the immature 5G business model potentially impacts profits

1. Chunghwa Telecom is the first telecom provider to have obtained a commercial 5G license. 18,000 5G cell sites are to be deployed in the next 5 years with a budget of NT$40 billion and a goal to achieve 85% of 5G coverage by 2024.
2. To achieve the abovementioned targets, Chunghwa Telecom is to complete 3,000 5G cell sites in 2020, doubling to 6,000 by 2021, and 18,000 cell sites by 2024. The total capital expenditure shall peak as early as 2021-2023.

Potential Business Impact:

The uncertainty with the business model, application, and development upon 5G commercialization may impact revenues generated from innovative products and services of 5G.

1. The specific profitable business model upon 5G commercialization is still in need of exploration. The expensive 5G infrastructure investment poses new risks to Chunghwa Telecom’s profits.
2. The uncertainty of the business model, application, and development upon 5G commercialization may impact Chunghwa Telecom’s profit if no coping strategies are in place.

Mitigating Actions:

As a result, Chunghwa Telecom has proactively launched a strategic alliance across industries, promotes inter-disciplinary innovations, integrates resources and technology, and tests viable 5G business models.

1. CHT acquired the best 5G frequency bands, stays ahead in 5G infrastructure construction, aims for the highest coverage, and explores viable models for profit.
2. Together with ICT giants in Taiwan, CHT formed “Taiwan 5G Industry Development League - CHT Pioneer Team” to streamline resources of the ICT giants. Over 70 organizations at home and abroad, including ITRI, III, MediaTek, ASUS, HTC, Advantech, and Quanta Computer, have joined the League.
3. 5G test sites are available for 5G services and equipment testing. Through collective technology and wisdom across disciplines, we actively develop innovative 5G services and solutions in order to make transition and upgrade with relevant industries, expand opportunities, increase revenues, and alleviate cost impacts due to excessive capital expenditures.


Other Risks

Other Risks 1: Human Resource Risks

Chunghwa Telecom is facing a high peak of personnel retirement. In 2019, there are over 1,000 estimated retirements with YoY >20%. In the next 3 years, there will be over 1,000 retirements every year. From 2018 to 2022, a total of over 5,000 retirements are expected. While we depend on the continued service of our executive officers and skilled technical and other personnel, this retirement issue could have adverse effects on our company operation.

Our business could suffer if we cannot replace those retirees in time. In particular, we are not insured against the loss of any of our personnel. We may not be able to retain our present personnel or attract additional qualified personnel as and when needed, as there is intense competition for experienced personnel in Taiwan. This might disrupt our business and operations, materially and adversely affecting the quality of our services and harming our reputation.

CHT has been reserving manpower (including base level) since the second half of 2018. As for experienced professionals, based on the needs for future business development, they will be the first to be hired for emerging businesses, which include security, big data, IoT, AI, and mobile payment, etc. Meanwhile, we need to raise employee compensation levels as an incentive to attract and retain more talented personnel. Our manpower supplement strategy:

(1) Plan early for the manpower supplements of our core business

(2) Lay out the manpower for R&D, network, information and marketing in key emerging businesses

(3) Recruit experienced personnel and concentrate on the selection of basic level practitioners

(4) Nurture more professionals: train frontline service staff to acquire more bidding projects that require professional skills, such as IoT, SDN/NFV, information security, Big Data, AI, smart home, etc.


Other Risks 2: Regulatory Risks

As the major telecommunications service provider in Taiwan, we are subject to extensive regulation. Any changes in the regulatory environment applicable to us may adversely affect our business, financial condition and results of operations. If we do not immediately respond to the climate change issues and relevant regulations and systems, there may be risks of legal penalties and the possibility of losing our industry leading edge.

In response, CHT has been closely monitoring relevant regulations both domestic and foreign, proposing amendments to the draft contents, and actively communicating with stakeholders and relevant authorities by discussions, and taking appropriate response measures to protect the rights and interests of the company. We have been actively promoting the innovative emerging business and expanded market opportunities to reduce the impact of regulatory changes on the company.

For example, the newly drafted digital convergence laws will reduce the entry barrier to the telecommunications industry hence intensifying the competition level. Also, it is likely that CHT will be classified by the competent authority as the dominant player in some specific telecommunication service markets and subjected to special obligations impeding our competitiveness. In addition, the opening up of the domestic roaming and flexible usage of frequencies will enable operators to share relevant resources, hence increasing the market dynamics and making our operation more difficult.

As for the environmental regulations, following the implementation of the "GHG Emission Reduction and Management Act", our country will conduct greenhouse gas emissions control and open carbon rights and carbon trading in the future. Since the daily operations, both the networks and engine rooms, are highly dependent on a high amount of energy support, this will increase our operating costs and affect CHT’s financial performance. It is necessary to invest more in natural disaster prevention, post-disaster facilities maintenance, operational energy access, etc. With our self-developed "Environmental Sustainability Development Management Services System", we can effectively increase the efficiency of our environmental resources and energy usage while reducing costs. We use ICT technology to create green innovation services such as smart city and continue to explore more low carbon emission solutions with customers. We have established an "Energy Office" focused on business development in three areas, namely, solar energy, wind power and LED.

Risk Culture

1. Chunghwa Telecom incorporates risk criteria in the product development or approval process:
According to Chunghwa Telecom’s “Directions Governing Product Management”, the product development department is responsible for providing relevant risk management in the “product launch business plan” for review, including technical risks, market risks, operational risks, and information security and personal data risks.

2. Financial incentives which incorporate risk management metrics: 
Pursuant to the provisions of “Directions Governing Performances of Senior Managers of Chunghwa Telecom”, the sustainability indicators linked to the variable compensation of the executives are: (1) risk management; (2) code of ethical conduct; (3) information/cyber security; (4) climate change; (5) inventory and engagement of stakeholders; and (6) social participation.
Results of the performance appraisal of the senior managers are linked to their variable compensation (i.e. the attainment of annual indicators related to risk management is the attainment of the standard for cash incentive for senior managers).
For branch offices, risk management performance indicators such as service quality, and overall environment maintenance are stipulated. Upon achievement of the indicators, the total reward for the retail stores is up to NT$2,200,000 and an incentive up to NT$1,000 per person per month.
“Directions Governing Organizing Work Safety Competition of Chunghwa Telecom” is stipulated for risk management in employees’ occupational safety and health. Upon attainment of agreed management indicators regarding occupational safety and health (including safety parameters such as employee injury frequency, severity of injury, and foreign severity rate), rewards and recognition will be issued.
In addition, department managers and employees with contribution in management of risks will be publicly recognized by Chunghwa Telecom on the anniversary event for their outstanding performances with incentive bonus of NT$10,000 or NT$20,000.

3. Chunghwa Telecom focuses on training throughout the organization on risk management:
Chunghwa Telecom organizes risk management training regularly to inform employees of our risk management policies and processes as well as the standards and regulations to follow. Also, risk management related seminars are organized from time to time to strengthen employees’ risk management awareness.
In the risk management training courses, specific cases are cited regarding issues of information security, environmental issues, and natural disasters to strengthen employees’ risk management awareness and skills in handling risks that are adjusted dynamically in accordance to the changes in the environment.
All employees are required to participate in the e-learning risk management courses and to achieve 100 points in the test. These include courses on information security risks, the code of ethical conduct of employees, and new businesses.
Courses pertaining to risks organized by Chunghwa Telecom in 2019 include occupational safety and health, information security, internal audit, risk management, and internal control, participated by 16,035 employees with total hours of 102,768 which is higher than the previous years.

4. In the HR annual self-evaluation by employees, “performance in cybersecurity implementation” and “ability of risk response” are included in the items. The former demands a 100% cybersecurity implementation while the latter, from the perspective of conduct regulations, evaluates employees’ ability to detect, identify, respond, and control and handle an unexpected incident timely in order to improve their risk awareness and ultimately handle such properly.

5. Measures allowing individual employees to proactively identify and report potential risks throughout the organization:
An Enterprise Risk Management (ERM) system is established in Chunghwa Telecom for employees to proactively identify and report potential risks to CHT, including the targets, threshold values, stakeholders, description of risk incident, response plans, action plans, and residuals, which keeps detailed records of risk incidents.
Identified risks are classified pursuant to the 17 systems of Chunghwa Telecom, which will be discussed and communicated by the system teams regarding the countermeasures, so as to enhance risk awareness and carry out iterative identification of new risks and reporting and responding promptly to potential risks.
“Procedures Governing Hazard Identification and Risk Assessment Management” has been stipulated in Chunghwa Telecom to identify and assess any risk, physical, chemical, biological, or of human factors, arising from materials, machines and equipment, or personnel operation involved in activities, facilities, or operations in Chunghwa Telecom and the subsidiaries thereof so as to engage risk identification, registration, and assessment.
Regarding information security risks, Directions for Rewards for Employee Proactively Reporting Cybersecurity (Personal Data Protection) Incident is enacted to provide cash incentives to employees that proactively report suspicious information security incident quarterly upon review in line of the possible risks of the incidents.

6. Measures allowing continuous improvement in risk management practices through the involvement of employees in structured feedback process:
The ERM system of Chunghwa Telecom can keep specifically the risk management operation records. Through internal email communication, employees are invited to feedback systematically on risk management matters, which will be delivered to dedicated department for discussion and response according to the class of the risk reported by employees.
“Chunghwa Telecom online forum” is created for employees to voice their opinions anonymously regarding corporate policies, risks, regulations, and daily routines. Meanwhile, a policy is enacted to forbid the enterprise from interfering with the freedom of speech on the forum.
“Employee suggestions” system is established for employees to provide feedback and suggestions, with dedicated personnel to handle and track matters that follow.
Directions Governing Special Bonuses and Timely Rewards is promulgated to offer cash incentives for employees with significant contributions in business promotion, new market expansion, corporate image elevation, and maintenance efficiency improvement so as to encourage them to ceaselessly better their risk management behaviors.

7. Upholding the philosophy of ISO 22301 for Business Continuity Management, Chunghwa Telecom ceaselessly improves its risk management with measures as follows:
11 branches obtained OHSAS 18001 certification and 15 branches ISO 45001 certification, ceaselessly managing risks in corporate environment and occupational safety and health.
Creation of information security management system is certified with ISO 27001 to manage risks of information security.
Personal Information Management System (PIMS) is established and has been continuously certified to BS 10012:2017 in 2019.
Risk exercises are designed and carried out to reduce risks. For example, the “offshore island communication distress exercise” is carried out regularly every year to ensure employees are familiar with the relevant responses and to ensure a prompt recovery of important offshore island communication in the event of disasters.
“Digital innovation application competitions” are organized to invite students and adults to participate, which converges brilliant technology talents and C&C momentum and reduces the market competition risks.
Important news and information are updated on the frontpage of the EIP to provide insights in changes in the management landscape and important information to employees in order to manage risks.
Employees are encouraged, with the financial support from CHT, to obtain certificates on key issues. As of 2019, 1,093 certificates across 19 categories like labor safety, legal, accounting, construction, auditing, information, finance, and information security have been obtained by 36,632 individuals. There are 25,874 valid certificates obtained in total; among the individuals who obtained these certificates, 7 employees also obtained certificates of PMI-RMP.