Risk Management Overview
In response to changes in the global economic environment and to sustainability-related risks, EMC has developed a complete risk management organizational structure and a practical implementation framework built on three dimensions: the economy (including corporate governance), the environment, and society. The framework is used to identify and monitor risks that may affect the Company’s sustainable development. By applying management strategies and corresponding measures such as risk transfer, reduction, and avoidance, potential risks can be minimized or even turned into operational opportunities. EMC’s Risk Management Policy and Procedures were approved by the Board of Directors at the 16th session of the 12th Board meeting on October 30, 2024, and serve as the highest guiding principles for the Company’s risk management.
EMC’s risk management policy is to define the various risks in line with the Company’s overall operating strategy; to establish risk management mechanisms for early identification, accurate measurement, effective supervision, and strict control; and to keep possible losses within the Company’s risk tolerance. As the internal and external environment changes, EMC will continue to adjust and improve its risk management practices to protect the interests of employees, shareholders, partners, and customers, thereby increasing the Company’s value and optimizing the allocation of its resources.
Every year, the President designates a unit to identify the risk factors that may affect the Company’s sustainable development and to determine the scope of risk management. Potential risks are monitored and preventive measures are implemented according to operational needs. For each risk, a risk management strategy covering management objectives, organizational framework, authority and responsibility, risk management procedures, and other related mechanisms is formulated and implemented to ensure that the risks arising from business activities remain within acceptable ranges.
Risk Scope Identification
EMC has identified risk items at different levels based on each unit’s responsibilities and functions. Applying the materiality principle, the Corporate Sustainability Development Committee has further grouped the risks into three types: economic (including corporate governance), environmental, and social. The details are listed in the table below.
Dimension | Risk Type | Description of Risk | Risk Control Measures
1. Economic (including corporate governance) | 1.1 Market Risks | 1.1.1 Political and economic dimension: Includes risks of financial or business impact on the Company due to domestic or international political, economic, and regulatory requirements. 1.1.2 Industrial dimension: Includes risks of financial or business impact on the Company due to domestic or international technological and industrial changes. 1.1.3 Financial dimension: Includes risks of losses resulting from changes in the Company’s financial assets or liabilities (including on- and off-balance sheet items) due to fluctuations in market risk factors (interest rates, exchange rates, stock prices, commodity prices, electricity prices, etc.). | 1. Interest Rate Risk: The Company’s interest rate exposure arises mainly from interest income on bank deposits and interest payments on bank loans. For short-term loans, the Company in principle keeps its short-term facility drawdown ratio no higher than 50% and increases credit limits where appropriate to enhance short-term funding flexibility. For long-term loans, to meet funding needs for plant expansion, the Company applies for project loans to obtain stable long-term interest rates and lower overall borrowing costs, thereby reducing the risk from interest rate fluctuations. 2. Exchange Rate Risk: In response to significant volatility in the international foreign exchange market and the growing number of variables affecting exchange rates, the Company manages its exposure by controlling the net position ratio, achieving a natural hedge and reducing the impact of exchange rate fluctuations. 3. Accounts Receivable Risk: The Company holds regular meetings to review customers’ business conditions and analyze customers’ financial reports. For customers with operational problems, shipments may be suspended or credit reduced. For domestic and export customers, credit is in principle granted according to risk level, and appropriate insurance is taken out according to risk level.
1. Economic (including corporate governance) | 1.2 Operational Risks | 1.2.1 Operational dimension: Includes risks that impact the Company due to changes in the business model, adjustments to the organizational structure, over-concentrated sales or purchasing, product replacement, product/service design, quality management, management of major risks in business contracts, etc. 1.2.2 Financial dimension: Includes risks that impact the Company due to asset valuation, credit and solvency, liquidity, accounting policies, etc. 1.2.3 Internal control dimension: Includes risks related to the Company’s internal controls. 1.2.4 Supply chain dimension: Includes risks that impact the Company due to supplier quality, price, delivery, corporate social responsibility, and similar issues. | 
1. Economic (including corporate governance) | 1.3 Investment Risks | 1.3.1 Investment dimension: Includes the risk that short-term investments are affected by market price fluctuations due to over-concentrated reinvestment targets, high-risk or highly leveraged operations, trading in financial derivatives, financial planning, etc., as well as the operational and management risks of the companies in which EMC holds long-term investments. | 
1. Economic (including corporate governance) | 1.4 Regulatory Compliance Risk | 1.4.1 Regulatory compliance dimension: Includes risks of failure to comply with relevant laws and regulations, including but not limited to the Labor Act, the Company Act, the Securities and Exchange Act, import/export regulations, industry codes of conduct, anti-corruption regulations, etc. 1.4.2 Legal dimension: Includes risks that may result from failure to comply with various legal norms, or other legal risks that may infringe on the Company’s rights and interests. | 
1. Economic (including corporate governance) | 1.5 Information Security Risk | 1.5.1 Includes risks that threaten the confidentiality, integrity, or availability of the Company’s information assets arising from natural, human, or technological factors. | 1. Beginning this year, the Company has commissioned an internationally recognized certification body (SGS) to carry out ISO 27001 certification; in addition, the audit department conducts at least one information security audit every year. 2. The Company has commissioned a professional information security consulting firm to perform vulnerability scans of server hosts in order to identify potential weaknesses and remediate them, strengthening defenses against attacks. 3. The Company conducts regular education, training, and awareness activities on current information security topics, continuously improves its information security education, and runs social engineering drills every year to raise employees’ information security awareness and protect data.
2. Environmental | 2.1 Environmental Risk | 2.1.1 Includes risks related to greenhouse gas emission management, carbon credit management, and energy management undertaken in response to climate change and natural disasters, as well as risks of complying with international and local environmental protection laws, such as emission and discharge management for air, water, waste, toxic substances, and noise, or Environmental Impact Assessment requirements. | 1. Environmental impact of carbon emissions from business activities: (1) The Company analyzes potential climate change risks, explores possible opportunities and response measures through greenhouse gas inventories and product carbon footprint investigations, and sets out the corresponding responses. (2) The Group holds regular inter-plant technical exchange meetings and continuously promotes energy saving, carbon reduction, occupational safety, environmental protection, and preventive equipment maintenance based on the experience accumulated from each plant’s successful projects. (3) The Company pays constant attention to changes in energy and carbon management policies and regulations and proactively participates in public consultations and hearings on new or revised regulations. 2. Environmental pollution from business activities: (1) The Company carries out the Group’s safety and environmental audits to verify the regulatory compliance of its occupational safety, environmental protection, and fire safety activities, and takes corrective and improvement actions. (2) Annual safety and environmental education and training plans are implemented to enhance environmental personnel’s competence and understanding of the latest safety and environmental regulations. (3) The Company pays constant attention to changes in domestic and international environmental laws and regulations and proactively participates, through industry associations, in public consultations or hearings on new or revised regulations.
3. Social | 3.1 Workplace Hazard Risk | 3.1.1 Operational dimension: Includes risks to the Company caused by improper management or errors in occupational safety, hygiene and health, chemical management, safety protection, emergency response, and other operations. 3.1.2 Workplace dimension: Includes risks arising from issues related to workplace safety for employees or contractors. | 1. Comply with relevant laws and regulations and formulate operation management guidelines. 2. The Workplace Safety and Health Committee regularly reviews compliance with environmental and occupational safety laws and regulations.
3. Social | 3.2 Human Resources Risk | 3.2.1 Includes human rights issues affecting employees or suppliers, including but not limited to risks arising from labor relations, child labor, and forced labor, as well as talent-related risks such as the mechanisms for recruiting, retaining, and developing talent. | 1. Regularly conduct manpower checks and reviews. 2. Plan and implement employee education, training, and development programs. 3. Design competitive compensation and employee benefit measures. 4. Develop complete training and local talent development plans.
Information Security Management
EMC has formulated its Directions for Information Security Management based on the three principles of information security management: confidentiality, integrity, and availability. The goals are to provide an information environment in which the EMC Group’s overall business can operate without interruption, to establish management systems and standard procedures that meet the relevant regulatory requirements, and to protect the Company from information security threats and incidents such as data misuse, leakage, tampering, theft, and destruction, thereby reducing possible harm.
EMC, Elite Electronic Material (Kunshan), Elite Electronic Material (Zhongshan), and Elite Electronic Material (Huangshi) each have a cybersecurity response group. The President leads the group, and department heads and the cybersecurity reporting network contact personnel serve as its members. Guanyin Plant 1 in Taiwan passed ISO 27001 Information Security Management System certification in 2024, which not only improves the Company’s internal information security management but also earns and maintains customer confidence. For the other plants, information security management focuses on promoting consistency of internal management.
EMC follows the Cybersecurity Framework (CSF) published by the U.S. National Institute of Standards and Technology (NIST) to evaluate its information security posture and set security goals. The CSF has been adopted for the planning of information security policies to reduce the security risks facing key operating facilities.
[Figure: Cybersecurity Framework (CSF)]
[Figure: ISO 27001:2022 Certificate]
Information Security Management Framework
To protect the Company’s security and its customers’ business secrets, EMC carefully examines and strengthens the management measures for information exchanged between the Company and its customers, and implements an information security management system organized around the five core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
Identify: 1. Information security governance; 2. Information assets inventory
Protect: 1. Identity verification and access control; 2. Endpoint protection on devices; 3. Network security protection; 4. Data security protection; 5. Application service protection
Detect: 1. Endpoint network behavior detection; 2. Security technology detection and vulnerability management; 3. Network threat intelligence utilization
Respond: 1. Information security incident reporting and response mechanisms; 2. Information security incident analysis and corrective planning
Recover: 1. Backup mechanism; 2. Backup plan; 3. Business continuity planning and exercises
Information Security Management Mechanism
To protect the Company’s security and its customers’ business secrets, EMC first classifies data by security level and category for further management. It then carefully examines and strengthens the management measures for information exchanged between the Company and its customers, and applies access controls to network access, to the computers involved, and to the personnel engaged. EMC has set three major information security management objectives:
1. Information equipment security management
EMC conducts regular inventories of information assets, enforces a “no data stored on endpoints” architecture, manages file-level permissions, monitors the logs of its Security Information and Event Management (SIEM) system, and strengthens authentication with multi-factor authentication (MFA, including two-factor authentication, 2FA) to protect the security of information. The Company carries out a backup and restore drill every year to ensure that the relevant operations can be restored quickly when an incident or disaster occurs, reducing the potential risks and losses from such events. In 2024, four recovery drills were carried out at EMC, Elite Electronic Material (Kunshan), Elite Electronic Material (Zhongshan), and Elite Electronic Material (Huangshi), focusing on inter-plant switching (failover) of major equipment and services and on testing the recovery of backup data.
2. Network and antivirus management
To prevent cyber attacks and respond to malicious intrusions, EMC has deployed next-generation firewalls, intrusion prevention systems, advanced threat protection systems, and advanced endpoint detection and protection systems, and has introduced network security monitoring and host-based intrusion prevention for industrial control zones and production line systems, with the aim of blocking attacks that exploit zero-day vulnerabilities. The Company also continuously obtains external threat intelligence and correlates it with its existing security systems to identify external malicious activity, and automated detection and blocking systems are in place. Vulnerability scanning is performed monthly with scanning tools, and identified vulnerabilities are patched. Network security risk management systems are used to assess EMC’s cyber security risks on an ongoing basis. The Company also regularly engages external information security professionals to test and reinforce its defenses, for example through penetration tests that search thoroughly for blind spots in its security protection, thereby establishing a secure operating environment for its systems and supporting the Company’s sustainable operations.
3. Employee information security education and training
In addition to the information security induction program for new employees, the Company provides information security awareness and training sessions from time to time to strengthen employees’ awareness of customer privacy and information confidentiality and to reinforce the importance of information security.
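As an added illustration of the threat-intelligence correlation described under item 2 above (external indicators combined with existing log sources to flag and block malicious destinations, the “network threat intelligence utilization” item of the Detect function), the Python script below is example code written for this page, not EMC’s own tooling. The indicator feed, the key=value firewall-style log lines, the field names and the function names are all constructed for the example; the addresses are RFC 5737 documentation ranges and the host names are reserved example domains, so none of them are real indicators.

```python
"""Match outbound firewall log lines against a threat-intelligence indicator feed.

Example code added for this page; the feed, log lines and names are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed indicator feed (hypothetical format). IPs are RFC 5737 documentation
# ranges and the names are reserved example domains; none are real indicators.
THREAT_FEED = {
    "ipv4": {"198.51.100.23", "203.0.113.77"},
    "cidr": [ipaddress.ip_network("192.0.2.0/24")],
    "domain": {"update-check.example.net", "files.example.org"},
}

# Constructed key=value log lines in a generic firewall style (not a real product's format).
SAMPLE_LOGS = [
    "2024-11-03T08:15:02Z src=10.1.20.14 dst=198.51.100.23 dport=443 host=portal.example.com action=allow",
    "2024-11-03T08:15:09Z src=10.1.20.14 dst=203.0.113.5 dport=443 host=www.example.com action=allow",
    "2024-11-03T08:16:41Z src=10.2.7.88 dst=192.0.2.150 dport=8080 host=- action=allow",
    "2024-11-03T08:17:05Z src=10.3.0.5 dst=172.16.9.9 dport=443 host=cdn.update-check.example.net action=allow",
    "not a log line at all",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Match:
    line_no: int     # 1-based position of the log line
    field: str       # log field that matched: "dst" or "host"
    value: str       # observed value in the log
    indicator: str   # feed entry it matched
    kind: str        # "ipv4", "cidr" or "domain"


def parse_log_line(line: str) -> Optional[dict]:
    """Extract key=value pairs; return None for lines without a dst field."""
    fields = dict(KV_RE.findall(line))
    return fields if "dst" in fields else None


def domain_matches(host: str, indicator: str) -> bool:
    """Exact match or subdomain match on a label boundary (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def match_event(line_no: int, event: dict, feed: dict = THREAT_FEED) -> list[Match]:
    """Compare one parsed event against IP, CIDR and domain indicators."""
    hits: list[Match] = []
    dst = event.get("dst", "")
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None  # malformed address: nothing to compare, no exception raised
    if addr is not None:
        if dst in feed["ipv4"]:
            hits.append(Match(line_no, "dst", dst, dst, "ipv4"))
        for net in feed["cidr"]:
            if addr in net:
                hits.append(Match(line_no, "dst", dst, str(net), "cidr"))
    host = event.get("host", "-")
    if host != "-":
        for indicator in feed["domain"]:
            if domain_matches(host, indicator):
                hits.append(Match(line_no, "host", host, indicator, "domain"))
    return hits


def scan_logs(lines, feed: dict = THREAT_FEED) -> list[Match]:
    """Run every line through the matcher; unparseable lines are skipped, not fatal."""
    matches: list[Match] = []
    for n, line in enumerate(lines, start=1):
        event = parse_log_line(line)
        if event is not None:
            matches.extend(match_event(n, event, feed))
    return matches


def build_blocklist(matches) -> set[str]:
    """Destination IPs to push to the blocking layer. Hostname hits are excluded on
    purpose: the IP behind a malicious name changes, so names need DNS/proxy blocking."""
    return {m.value for m in matches if m.field == "dst"}


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for m in found:
        print(f"line {m.line_no}: {m.field}={m.value} matched {m.kind} indicator {m.indicator}")
    print("IP blocklist:", sorted(build_blocklist(found)))
```

Two design points matter in practice. The domain check works on label boundaries, so “notexample.net” does not match an indicator of “example.net” while “cdn.update-check.example.net” does match “update-check.example.net”; a plain substring test would produce false positives. Unparseable lines are skipped rather than aborting the run, and only IP hits feed the automated blocklist, because a hostname indicator should be blocked at the DNS or proxy layer rather than by whichever IP it happened to resolve to at the time.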
Reporting Procedures for Information Security Incidents and Related Events
When an information security incident occurs, the Company’s employees follow the EMC Operating Procedures for Cyber Security Incident Reporting and Response and report the incident to the top information supervisor. The responsible unit determines the security level and category of the incident and takes immediate containment measures to handle it as expediently as possible. No violations of information-security-related laws and regulations and no information security incidents occurred at EMC from 2022 to 2024.
Information security incident management status in the last 3 years | 2022 | 2023 | 2024
Total number of information security breaches | 0 | 0 | 0
Total number of security hacking incidents | 0 | 0 | 0
Total number of customers affected by information security incidents | 0 | 0 | 0
Total amount of fines associated with information security/cyber security violations | 0 | 0 | 0
Specific Management Plans
The Company has implemented the relevant measures in accordance with its operating regulations for physical and environmental security, network and computer security, system access control, continuity of system operations, information security awareness, education and training, etc. The Company’s Audit Office serves as the supervisory unit for information security; it supervises the implementation of internal information security measures and performs regular inspections. If deficiencies are identified during inspections, the responsible units propose improvement plans and specific corrective actions, and these are tracked regularly to ensure that the improvements are effective, thereby reducing internal information security risks. To further strengthen the Company’s information security risk management, the annual information security improvement items were submitted to the Board of Directors on December 23, 2024, to ensure the Company’s continued operation.
The Company’s dedicated information security unit consists of one information security supervisor and one information security staff member. The unit holds monthly meetings to review the Company’s information security policy and the details of its implementation.