Risk management and Cyber Security
Risk Management System and Structure
- The risk management policy will be adopted on March 15, 2022 as the highest guideline of risk management of the Company. The policy follows international standards and takes learning from benchmark companies. This policy is a realization of regulatory compliance to ensure Compal's sustainable operations.
- Compal adopts a management system for finances, business and accounting pursuant to the FSC's Regulations Governing the Establishment of Internal Control Systems by Public Companies; and evaluates and monitors risk in operating activities. Managerial personnel ensure that any such risk is within an acceptable range by drawing up a risk management plan and response guidelines.
- The Company adheres to regional government policies and regulations of its critical production base.
- The internal control system is based on the structure of the organization, authority and responsibilities, as well procedure control points. It is implemented through internal self-assessment and performance audits.
- In 2023, internal self-assessments throughout all levels of operations and across 421 units are carried out (including departments and independent units). A total of 294 assessments were conducted according to procedure (including directors, vice-directors, general managers, independent directors, and other relevant managerial personnel).
- The Ethical Corporate Management Best Practice Principles and Procedures for Ethical Management and Guidelines for Conduct were established by the Company in accordance with the Ethical Corporate Management Best Practice Principles for TWSE/GTSM Listed Companies and Procedures for Ethical Management and Guidelines for Conduct published by the TWSE.
- The actual functions of the Company organizational structure as well as the 3 Lines of Defense structure for risk management published by the IIA were used as a reference by the Company to formulate our management organization and process for risk management.
2024 Risk identification and corresponding strategy
Compal performed Identification, Analysis and Evaluation based on the ISO 31000 framework and methodology, and determined 24 risk issues in five areas: Strategy, Finance, Operations, Regulatory Compliance, and the Environment. Considering the Company's resources, these issues were then prioritized in a risk matrix.
Following an analysis of the matrix, we determined specific risks for the three main risks based on the internal and external environment and drafted the strategy:
New & Emerging Risk
Cyber Security
In response to the evolving digital environment and ever-changing new technologies, we strengthen digital resilience and implement information security controls with a proactive defense mindset. This includes identification, protection, detection, response, and recovery, aimed at maintaining the confidentiality, integrity, and availability of critical information assets. Through management reviews and performance evaluations, we continuously improve and maintain the effectiveness of the information security management system. Our goal is to gain customer trust, fulfill commitments to shareholders, and achieve sustainable business operations.
Compal formulates "Compal Group - Policies and Regulations for the Protection of Personal Data and Privacy", stating the employees should abide by and protect various forms of personal data processing procedures, the scope of application, corrective actions, and disciplinary actions. "Compal Group - Policies and Regulations for the Protection of Personal Data and Privacy" applies to all group-wide in Compal. The "Personal Data Management Team" (known as the "Data Management Team" is established across functions for the proper protection of privacy right, and the hotline at +886287978588#14385, or the e-mail at Compal_PIR@compal.com is set for filinging a complaint and reporting. Compal adopts a zero-tolerance policy for privacy protection. In the use of personal information, unless the individual explicitly agrees, Compal will not collect any personal information. In addition, Compal is also prohibited from using personal information for secondary purposes. There was zero secondary use through internal monitoring in 2023. If any relevant personnel is in breach of duty, Compal will take disciplinary actions and corrective actions to protect data privacy.
ISO 27001 Certification Compal Group Policies and Regulations for the Protection of Personal Data and Privacy
Updated on July 11, 2024