In 2006, the Board of CHT adopted the Risk Analysis Matrix and introduced Enterprise Risk Management (ERM), formulating risk management policies, structure and culture. In 2016, the Risk Management Committee was established with the President as the chairperson and the SEVPs and VPs of the headquarters as the committee members. The CHT Risk Management Committee operates outside the business mechanism, carrying out assessment, examination, and management of corporate risks while reporting the implementation results of risk management to the Board/ Audit Committee. A Secretariat is created under the Committee to facilitate matters of risk management and operation improvement; the auditing office reviews the risks; and the Board stipulates the policies, architecture, and culture of risk management.
The CHT Risk Management Committee has convened for matters like confirmation of corporate risk priority, discussion of responding action plans, and review of the effectiveness of plans executed. In 2020, CHT listed the execution results with regard to risk management as one of the performance indicators of senior executives so as to strengthen the enterprise’s overall risk management mechanism.
The President of Chunghwa Telecom is the chairperson of the Risk Management Committee of CHT, which is convened at least once a year. The resolutions reached in the meeting will be reported to the Board/Audit Committee by the President.
Chunghwa Telecom's risk management practices involve ongoing analysis of operational goals, the accuracy of financial reports, and impacts of high-risk events. These findings are constantly reviewed to ensure that all business risks can be identified and controlled, and thereby maintain business operations while protecting stakeholders' interests.
We also have an enterprise risk management (ERM) system in place to control risks associated with our businesses. Risk managers have been assigned to all departments to monitor risk targets and risk events, and report findings on a monthly basis. Risk managers are also involved in the review and adjustment of risk measures, assessment of risk impacts, and execution of systematic records, management, and follow-up tracking.
We use a "risk map" for assessing regulatory risks, network maintenance risks, market competition risks, and financial risks. For every major concern identified in our operations, we conduct intensive sensitivity analysis and stress-testing to decide whether we should take steps to accept, transfer, mitigate or avoid the associated risks, thereby minimizing our possible losses.
Climate Change Risk
Climate risk and opportunity management is an integral part of our business and decision-making processes and is embedded into Chunghwa Telecom's entire organizational structure and business processes. The scope of evaluation includes all business groups of the Company.
CHT has incorporated the climate change factor into the evaluation system for corporate performance and risk management. Significant risks are listed in the annual corporate operating plan. Target management and performance evaluation are then conducted along with continuing certification and feedback activities. The key components of our risk management system include our CSR Policy, guidelines and reporting systems, strategy, planning, and controlling processes; internal audit activities; the establishment of CSR committees; and the requirement for Environmental Management Systems within all of our operations with significant risks.
1. According to IDC statistics, after 5G commercialization, over 50% of data will in the future be analyzed, processed, and stored by service providers at the edge of networks in order to achieve low latency.
2. To minimize latency, edge computing equipment has to be situated in venues in proximity to users. This increases the potential risk of hacker attacks, because attackers can more easily come into contact with servers, leading to potential threats such as physical hacking/damage, service disruption, and user privacy breaches.
3. As COVID-19 still ravages the world, most enterprises have implemented remote working and maintenance, increasing the cybersecurity risks of the edge computing environment, to which CHT is required to pay particular attention.
Potential Business Impact:
1. The edge computing equipment may be deployed in an unsafe physical environment, exposing the equipment to the risk of malicious physical breach.
2. 5G offers more diverse vertical applications, and the edge computing equipment has more connections and interactions with third-party services. Should the edge computing equipment have issues such as configuration errors, vulnerabilities, or poor maintenance and connection management, the security of the edge computing networks would be compromised.
3. The data generated by the edge computing equipment may involve personal data, privacy, and sensitive materials. Should the data be transmitted to the cloud, there may be a risk of information breach.
4. In light of the remote working and maintenance available under the threat of COVID-19, hackers may invade CHT corporate networks via the remote maintenance channel of employees to compromise the edge computing services of CHT.
1. Establish security management for edge computing, ranging from physical protection and security checks to secured connections to third parties. Preemptively incorporate security requirements in the planning, requiring manufacturers to provide products in compliance with security regulations. Ensure security throughout the supply chain via rigorous selection and supervision of suppliers.
2. Deploy a diverse Defense-in-Depth and intelligent detection mechanism that uses cybersecurity monitoring to uncover malicious behavior in the early stage of hacker attacks and to hunt down possible threats.
3. Facing the COVID-19 pandemic, CHT has established a cybersecurity protection mechanism to ensure a secured connection for its employees working from home: computers used for access are required to install a control agent, which checks conformity with the security setting requirements and cuts off the connection to the Internet, ensuring that no external hacker can exploit it to slip into our corporate network.
Emerging Risk 2: Climate Change Risk
Due to the industrial characteristics of CHT, the impacts of the physical and transition risks brought by climate change are increasingly significant. For instance, immediate and long-term extreme weather events (physical risks) will impact CHT IDCs and base stations. CHT IDCs and base stations are facilities of high energy consumption. Therefore, our government and industry will require CHT to save energy and cut emissions or undergo an energy transition to realize a transition to a low-carbon economy, impacting operating costs and revenues. As a result, the Risk Management Committee defined climate change as one of the key emerging risks of CHT.
The Climate Change Strategy Group under the Risk Management Committee executed the climate change project in 2020. Following the recommended framework of TCFD, it carried out analysis of climate-related risks and opportunities with 6 transition risks and 5 physical risks identified as the result.
The transition risks and physical risks of climate change identified by CHT:
Potential Business Impact:
Following the TCFD framework, CHT analyzed the scope of operation and upstream/downstream thereof as well as the short-/mid-/long-term climate risks and opportunities through the life cycle of assets:
1. The major impact from the physical risks is extreme weather events, which will damage telecom equipment and facilities and may even discontinue operations, driving up the operating costs of CHT;
2. The major impact from the transition risks is the national policy of moving toward a low-carbon economy, such as the government’s plan to raise the renewable energy power generation ratio to 20% by 2025, which requires enterprises to install renewable energy capacity or use renewable energy, leading to increased operating costs from renewable energy purchase.
To manage climate change risks, CHT pushes for works of climate change adaptation and mitigation based on the results of climate risk analysis:
Climate change adaptation works: Pursuant to the RCP 2.6 scenario and in accordance with the National Adaptation Action Plan to Climate Change (2018-2022) stipulated by the Executive Yuan, CHT conducted climate scenario analysis. With TCCIP as the tool for analysis, CHT deployed “Action Plans/Programs for Adaptation of Communication Networks to Climate Change”.
Climate change mitigation works: Following the IEA’s SDS and on the basis of the environmental laws and regulations of Taiwan, CHT conducted climate scenario analysis. CHT plans to establish a green energy office to purchase green energy and engage in renewable energy construction, phase out old equipment and introduce highly energy-efficient IDC equipment and low-carbon base stations, and obtain low-carbon products and equipment with the green label issued by the government to reduce the carbon emissions of CHT.
As the major telecommunications service provider in Taiwan, we are subject to extensive regulation. Any changes in the regulatory environment applicable to us may adversely affect our business, financial condition and results of operations. If we do not immediately respond to the climate change issues and relevant regulations and systems, there may be risks of legal penalties and the possibility of losing our industry leading edge.
In response, CHT has been closely monitoring relevant regulations both domestic and foreign, proposing amendments to the draft contents, and actively communicating with stakeholders and relevant authorities by discussions, and taking appropriate response measures to protect the rights and interests of the company. We have been actively promoting the innovative emerging business and expanded market opportunities to reduce the impact of regulatory changes on the company.
For example, the newly drafted digital convergence laws will reduce the entry barrier to the telecommunications industry hence intensifying the competition level. Also, it is likely that CHT will be classified by the competent authority as the dominant player in some specific telecommunication service markets and subjected to special obligations impeding our competitiveness. In addition, the opening up of the domestic roaming and flexible usage of frequencies will enable operators to share relevant resources, hence increasing the market dynamics and making our operation more difficult.
As for the environmental regulations, following the implementation of the "GHG Emission Reduction and Management Act", our country will conduct greenhouse gas emissions control and open carbon rights and carbon trading in the future. Since our daily operations, both the networks and engine rooms, are highly dependent on a large energy supply, this will increase our operating costs and affect CHT’s financial performance. It is necessary to invest more in natural disaster prevention, post-disaster facilities maintenance, operational energy access, etc. With our self-developed "Environmental Sustainability Development Management Services System", we can effectively increase the efficiency of our environmental resources and energy usage and reduce costs. We use ICT technology to create green innovation services such as smart city and continue to explore more low-carbon emission solutions with customers. We have established an "Energy Office" focused on business development in three areas, namely, solar energy, wind power and LED.
Financial incentives which incorporate risk management metrics:
Pursuant to the provisions of “Directions Governing Performances of Senior Managers of Chunghwa Telecom”, the sustainability indicators linked to the variable compensation of the executives are: (1) risk management; (2) code of ethical conduct; (3) information/cyber security; (4) climate change; (5) inventory and engagement of stakeholders; and (6) social participation.
Results of the performance appraisal of senior managers are linked to their variable compensation (i.e. the attainment of annual indicators related to risk management is the attainment of the standard for cash incentive for senior managers).
For branch offices, risk management performance indicators such as service quality, accurate operation, and overall environment maintenance are stipulated. Upon achievement of the indicators, the total reward for the retail stores is up to NT$2,200,000 and an incentive up to NT$1,000 per person per month.
“Directions Governing Organizing Work Safety Competition of Chunghwa Telecom” is stipulated for risk management in employees’ occupational safety and health. Upon attainment of agreed management indicators regarding occupational safety and health (including safety parameters such as employee injury frequency, severity of injury, and foreign severity rate), rewards and recognition will be issued.
Focused training throughout the organization on risk management principles:
In the risk management training courses, specific cases are cited regarding issues of information security, environmental issues, and natural disasters to strengthen employees’ risk management awareness and skills in handling risks; the courses are adjusted dynamically in accordance with changes in the environment.
All employees are required to participate in the risk management courses and achieve 100 points in the test. The courses include information security risks, the code of ethical conduct of employees, and new businesses.
Courses pertaining to risks organized by Chunghwa Telecom in 2020 include occupational safety and health, information security, internal audit, risk management, and internal control. They were attended by 13,245 employees for a total of 88,893 hours, which is fewer than in previous years due to the pandemic.
Inclusion of risk management criteria in the HR review process for employee evaluations:
In the HR annual self-evaluation by employees, “Performance in Cybersecurity Implementation” and “Ability of Risk Response” are included in the items.
Performance in Cybersecurity Implementation: Demands a 100% cybersecurity implementation.
Ability of Risk Response: From the perspective of conduct regulations, evaluates employees’ ability to detect, identify, respond to, control, and handle an unexpected incident in a timely manner, in order to improve their risk awareness and ultimately handle such incidents properly.
Measures allowing individual employees to proactively identify and report potential risks throughout the organization:
An Enterprise Risk Management (ERM) system is established in CHT to track and identify new risks on a rolling basis, report potential risks, and respond promptly. Employees may proactively identify and report risk incidents on it through diverse interfaces, including the targets, threshold values, stakeholders, description of the risk incident, response plans, and residuals, so that detailed records of risk incidents are kept.
“Procedures Governing Hazard Identification and Risk Assessment Management” has been stipulated in Chunghwa Telecom to identify and assess any risk, physical, chemical, biological, or of human factors, arising from materials, machines and equipment, or personnel operation involved in activities, facilities, or operations in CHT and the subsidiaries thereof so as to engage risk identification, registration, and assessment.
Regarding information security risks, the Directions for Rewards for Employee Proactively Reporting Cybersecurity (Personal Data Protection) Incident have been enacted to provide cash incentives to employees who proactively report suspicious information security incidents. Incentives are issued quarterly upon review, in line with the possible risks of the incidents.
Measures allowing continuous improvement in risk management practices through the involvement of employees in structured feedback process:
The ERM system of Chunghwa Telecom keeps specific records of risk management operations. Through internal email communication, employees are invited to provide systematic feedback on risk management matters, which is delivered to the dedicated department for discussion and response according to the class of the risk reported by employees.
A “Chunghwa Telecom online forum” has been created for employees to voice their opinions anonymously regarding corporate policies, risks, regulations, and daily routines. Meanwhile, a policy has been enacted to forbid the enterprise from interfering with freedom of speech on the forum.
An “Employee suggestions” system has been established for employees to provide feedback and suggestions, with dedicated personnel to handle and track matters that follow.
The Directions Governing Special Bonuses and Timely Rewards have been promulgated to offer cash incentives for employees with significant contributions in business promotion, new market expansion, corporate image elevation, and maintenance efficiency improvement so as to encourage them to continually better their risk management behaviors.
Incorporating risk criteria in the product development or approval process:
Pursuant to “Chunghwa Telecom Directions Governing the Launch and Discontinuation of Products”, the product developing department is required to provide materials of financial assessment and risk management in “product launch business plan” for review, including technical risks, market risks, operational risks, as well as information security and personal data risks.
According to “Chunghwa Telecom Directions Governing the Project and Bid management”, a risk assessment is required when considering whether or not to bid, including the risks associated with the credit of the client and vendor as well as their performance capability.
Other means of measuring or innovating for an effective risk culture:
Upholding the philosophy of ISO 22301 for Business Continuity Management, Chunghwa Telecom continually improves its risk management with the following measures:
1. Risks in occupational safety and health: All 26 operation sites in Taiwan are certified with ISO 45001.
2. Risks in information security: Certification of ISO 27001; establishment of a Personal Information Management System (PIMS) that is certified by the new version of BS 10012:2017.
3. Risks in operation continuity: Risk exercises are designed and carried out to reduce risks. For example, the “offshore island communication distress exercise” is carried out regularly every year to ensure employees are familiar with the relevant responses and that important offshore island communication is promptly recovered in the event of disasters. In addition, a BCM mechanism was established in response to COVID-19 for operation continuity and to support the epidemic prevention system of the government of Taiwan, which has been recognized by the government of Taiwan.
4. Risks in professional talent: Employees are encouraged to obtain certificates on critical operational issues; a total of 34,062 individuals have obtained 1,163 certificates at home and abroad in 16 categories, including labor safety, risks, audit, and cybersecurity, of whom 6 individuals obtained the PMI-RMP certificates.
5. Risks in competition in the industry: “Digital innovation application competitions” are organized to invite students and adults to participate, which brings together brilliant technology talents and C&C momentum and reduces the market competition risks. Furthermore, CHT kicked off its 3-year transformation plan “Rise on, Together 2021” in light of the competitive operational environment, with the framework and responsibilities for risk management adjusted and the existing regulations to be amended to achieve sustainable risk management.