Governance and Oversight
The Board of Directors serves as the ultimate authority responsible for overseeing the Company’s enterprise risk management. In August 2025, the Company further strengthened its governance framework by expanding the mandate of the Audit Committee to explicitly encompass risk management responsibilities; the committee was subsequently renamed the Audit and Risk Management Committee.
The Risk Management Execution Committee functions as the Company’s central executive body for risk management. It convenes at least twice per year to review risk identification results, risk assessments, the effectiveness of mitigation measures, and emerging risk trends. The Committee formally reports its findings and recommendations to the Audit and Risk Management Committee.
Audit and Risk Management Committee
The Audit and Risk Management Committee serves as the core governance body for enterprise-wide risk oversight. It is composed of three independent directors, together with senior executives and heads of major functional units. The Committee meets at least twice annually to oversee risks that may affect the Company’s long-term sustainable development and acts as the highest supervisory body for risk management. Matters related to enterprise risk are reported to the Board of Directors no less than twice per year.
The Committee is responsible for identifying, assessing, and monitoring a broad range of strategic, operational, and emerging risks. Its duties include formulating risk management policies, setting management objectives, defining risk appetite, and ensuring that overall risk exposure remains within acceptable thresholds.
In 2025, the Committee held meetings on June 11 and December 18. During these meetings, management teams presented assessments across nine major risk categories, including defined risk appetites and corresponding mitigation measures. The independent directors provided strategic guidance on response strategies. Following comprehensive deliberation, the Committee concluded that the Company’s overall risk exposure remained within controllable limits, with no material or abnormal risk events reported.
Responsibilities of the Committee
The Audit and Risk Management Committee’s key responsibilities include:
| Key responsibilities | Description |
| --- | --- |
| Policy Formulation and Review | Developing and periodically reviewing the Company's risk management policies and strategies to ensure alignment with business objectives, regulatory requirements, and industry best practices. |
| Risk Assessment and Monitoring | Evaluating key risks (including financial, operational, compliance, market, credit, ESG, and emerging risks) and monitoring internal and external indicators to provide early warning of potential issues. |
| Risk Planning and Control Measures | Promoting, reviewing, and supervising the implementation of risk mitigation plans, internal controls, and risk handling mechanisms, including risk avoidance, transfer, reduction, and retention. |
| Risk Reporting and Disclosure | Regularly reporting material risks, changes in risk exposure, and mitigation effectiveness to the Board of Directors to ensure transparency and accountability. |
| Crisis Management and Emergency Preparedness | Supporting the development and maintenance of contingency plans and emergency response procedures to facilitate rapid response and minimize potential losses during crisis events. |
Risk Management Framework
The Company has established an enterprise-wide risk management framework aligned with ISO 31000. In response to increasingly complex and dynamic risk environments, senior management actively identifies and evaluates risks arising from global economic conditions, regulatory developments, environmental factors, technological innovation, and other external influences that may affect the Company’s long-term sustainability.
The risk management process follows a structured, cyclical six-step approach:
1. Risk Identification
2. Risk Analysis
3. Risk Evaluation
4. Risk Response Planning
5. Risk Management Execution
6. Continuous Monitoring and Improvement
This integrated process ensures that risk management remains proactive and forward-looking, enabling the Company to anticipate potential disruptions, safeguard strategic objectives, and maintain stakeholder confidence.
Risk assessments consider both the likelihood of occurrence and the potential impact of identified risks. Risk appetite is formally defined for major risk categories and approved by senior management and the Audit and Risk Management Committee. Risk owners are designated at the departmental level and are accountable for implementing and tracking mitigation actions. Each material risk is assigned an appropriate risk appetite level and a responsible department, with designated managerial supervisors responsible for proposing, executing, and continuously monitoring risk mitigation measures.
In both 2025 and 2024, the Committee concluded—after comprehensive assessment—that the Company’s overall risk exposure remained within manageable and controlled limits, with no abnormal or unexpected risk events reported.
Risk Review and Risk Exposure Assessment
The Company conducts comprehensive risk reviews at least annually and whenever significant internal or external changes occur. Risk exposure is assessed using both qualitative and quantitative methods, including likelihood and impact analysis, scenario analysis, stress testing, and sensitivity analysis for material risks.
For each material risk, the Company evaluates the likelihood of occurrence, potential financial and operational impacts, defined risk appetite, and the effectiveness of mitigation measures. Assessment results are documented and reviewed by the Risk Management Execution Committee and, where appropriate, escalated to the Audit and Risk Management Committee.
Risk Appetite and Responsibilities
Risk appetite is formally defined for major risk categories and approved by senior management and the Audit and Risk Management Committee. Risk owners are assigned at the departmental level and are responsible for implementing, monitoring, and reporting mitigation actions.
Three Lines of Defense
First Line of Defense: Operational Risk Ownership
Each business unit is responsible for identifying and managing risks arising from day-to-day operations through the design and implementation of effective internal controls. Depending on organizational needs, dedicated risk management personnel or units may be established to oversee risk-related activities and regularly report risk indicators, compliance status, incidents, and corrective actions.
Key attributes include:
- Business accountability, with unit heads acting as risk owners
- Execution of internal controls by employees in accordance with established policies and procedures
- Ongoing risk awareness and training programs
- Regular monitoring and reporting of key risk indicators and incidents
Second Line of Defense: Risk Management and Compliance Oversight
This line comprises department- and section-level managers who convene at least twice per year. Risk-related unit heads report to the Committee Chairperson (the Chairman); together they oversee risk exposure and appetite, review execution effectiveness, and formulate Company-wide risk control strategies.
Key responsibilities include:
- Maintenance of the enterprise risk management framework
- Policy development, risk assessment, and oversight of overall risk exposure
- Coordination through cross-functional committees and defined escalation mechanisms
Third Line of Defense: Independent Audit Unit
The Internal Audit Office conducts independent reviews of risk management processes and significant operational risks. It reports quarterly to the Audit and Risk Management Committee and at least annually to the Board of Directors to ensure the adequacy of internal controls and the integrity of risk assessment and mitigation processes.
Key characteristics include:
- Direct reporting to the Audit and Risk Management Committee
- Review of control design and effectiveness across all three lines
- Independence from daily risk management activities
Audit of Risk Management Processes
The Company conducts annual internal audits of its risk management processes using a risk-based audit methodology. Audit scope includes:
- Identification and assessment of strategic and operational risks
- Evaluation of risk response plans and mitigation measures
- Verification of control implementation
- Monitoring of key risk indicators
- Review of risk reporting and escalation mechanisms
- Compliance with internal policies and regulatory requirements
Audit findings are documented and submitted to senior management and the Audit and Risk Management Committee. In 2025 and 2024, audits covered credit and financial risks, information security, industry changes, supply chain risks, and occupational safety, with no material irregularities identified.
Risk Culture
The Company actively promotes a robust risk management culture across all organizational levels. Group-wide risk management training is provided to employees, covering core enterprise risk management principles and individual responsibilities. Risk considerations are integrated into new product and service development, and management performance evaluations and incentive mechanisms incorporate risk-related objectives to reinforce effective risk mitigation behaviors.
Company-Specific Risk Exposure Examples
Shadow AI and Carbon Fee Risk are assessed using likelihood, impact, risk appetite, and mitigation measures as described below:
Shadow AI Risk
Risk Description
- Employees may independently use external AI tools or agents (such as conversational chatbots, AI agents, or external cloud-based generative AI services) to process work-related tasks without prior approval or inclusion under the Company’s governance framework.
- There is a risk that Company information (including R&D documents, process parameters, source code, customer data, etc.) may be submitted to external platforms through personal accounts, personal APIs, or file uploads, bypassing existing information security controls and evolving into a composite emerging risk encompassing information security, legal compliance, operational, financial, and reputational impacts.
- A lack of governance mechanisms and visibility (e.g., absence of audit logs, inability to track data flows and model usage scenarios) may hinder timely risk detection, monitoring, and traceability.
- Likelihood: Moderate to High. As AI tools become cheaper and easier to use, employees are already adopting them faster than organizations can govern them, a trend expected to persist over the next 1–3 years.
Impact
- Employees may input confidential information, personal data, contracts, R&D documents, process parameters, source code, and other sensitive materials into non-compliant AI tools through prompts, file uploads, or plugin-based data extraction, resulting in data leakage beyond the Company’s sphere of control.
- In the event of a data leakage incident, the Company’s brand trust and reputation may be compromised, undermining the confidence of employees, customers, business partners, and investors in the Company’s management and operational capabilities.
- The leakage of R&D data or proprietary technologies may lead to loss of key information and erosion of technological advantage, potentially resulting in long-term adverse impacts on the Company’s operations and market competitiveness.
Mitigation Measures
- Establish AI Usage Policies: Clearly define that only Company-approved AI tools are permitted for use, explicitly specifying allowed and prohibited use cases. Priority shall be given to providing Company-approved AI solutions (such as Copilot and other compliant services), and an exception request and approval process shall be established.
- Implement Technical Controls and Visibility Measures: Deploy firewalls or AI-dedicated proxies capable of managing AI-related network activities, along with data classification and labeling mechanisms and Data Loss Prevention (DLP) controls. Implement upload and plugin permission management, as well as audit logging, to ensure that AI usage occurs within a controlled and monitored environment.
- Enhance Training and Continuous Auditing: Regularly conduct information security and AI compliance awareness programs (including risks associated with prompts and data uploads), perform spot checks and audits, and establish reporting and incident response mechanisms to mitigate the risk of misuse.
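The technical controls listed above (an approved-tool allow-list, DLP decisions driven by data classification labels, upload control and audit logging) can be expressed as a single policy check applied to web-proxy records. The following is an added illustration written for this page, not the Company's own tooling or any vendor product. The service domains, classification labels, users and log lines are all constructed, and the log format is a hypothetical one assumed for the example.

```python
"""Allow-list and DLP decision for generative-AI traffic seen at a web proxy.

Added example for this page (not the Company's tooling). Everything below that
looks like a real domain, user id or log line is constructed for illustration.
"""
import json
import re
from collections import Counter
from dataclasses import asdict, dataclass
from typing import Iterable, List, Optional

# Hypothetical inventory: which AI services exist on the network, and which
# subset the Company has approved. Anything in KNOWN but not APPROVED is
# "shadow AI" from the policy's point of view.
APPROVED_AI_SERVICES = {"copilot.example-approved.com"}
KNOWN_AI_SERVICES = APPROVED_AI_SERVICES | {
    "chat.example-unapproved.ai",
    "api.example-unapproved.ai",
}
# Classification labels (from the labeling mechanism) that DLP must not let
# leave the Company without an approved exception.
RESTRICTED_LABELS = {"Confidential", "Restricted"}

# Assumed proxy log format: key=value fields on one line per request.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>[A-Z]+) "
    r"host=(?P<host>\S+) bytes_out=(?P<bytes_out>\d+) label=(?P<label>\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    host: str
    action: str   # allow | hold | block | alert
    reason: str


def evaluate(record: dict) -> Optional[Finding]:
    """Apply the AI usage policy to one parsed proxy record.

    Returns None for traffic that is not to a known AI service (out of scope),
    otherwise a Finding describing the decision and why it was taken.
    """
    host = record["host"]
    if host not in KNOWN_AI_SERVICES:
        return None
    is_upload = record["method"] in ("POST", "PUT") and int(record["bytes_out"]) > 0
    base = dict(ts=record["ts"], user=record["user"], host=host)
    if host in APPROVED_AI_SERVICES:
        if is_upload and record["label"] in RESTRICTED_LABELS:
            # Approved tool, but restricted data: DLP holds it for exception review.
            return Finding(**base, action="hold",
                           reason="restricted-labelled data sent to approved AI service; exception approval required")
        return Finding(**base, action="allow", reason="approved AI service")
    if is_upload:
        # Upload (prompt body, file, plugin payload) to an unapproved service.
        return Finding(**base, action="block", reason="upload to unapproved AI service")
    # Page visit without an upload: visibility only, no blocking.
    return Finding(**base, action="alert", reason="access to unapproved AI service")


def run(lines: Iterable[str]) -> List[Finding]:
    """Parse log lines and collect policy findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        f = evaluate(m.groupdict())
        if f is not None:
            findings.append(f)
    return findings


def audit_log(findings: List[Finding]) -> List[str]:
    """Serialise each decision as one JSON line, the audit trail the policy calls for."""
    return [json.dumps(asdict(f), sort_keys=True) for f in findings]


def summarize(findings: List[Finding]) -> dict:
    """Count decisions by action, for the periodic spot-check report."""
    return dict(Counter(f.action for f in findings))


# Constructed sample: one day of proxy records for four users.
SAMPLE_LOG = """\
2025-06-11T09:00:01Z user=u1001 method=POST host=copilot.example-approved.com bytes_out=2048 label=Internal
2025-06-11T09:02:17Z user=u1002 method=POST host=chat.example-unapproved.ai bytes_out=524288 label=Confidential
2025-06-11T09:05:40Z user=u1003 method=GET host=chat.example-unapproved.ai bytes_out=0 label=None
2025-06-11T09:07:02Z user=u1001 method=PUT host=copilot.example-approved.com bytes_out=8192 label=Restricted
2025-06-11T09:08:55Z user=u1004 method=GET host=www.example.com bytes_out=0 label=None
"""

if __name__ == "__main__":
    results = run(SAMPLE_LOG.splitlines())
    print("\n".join(audit_log(results)))
    print(summarize(results))
```

The fifth sample line is ordinary web traffic and produces no finding, which keeps the audit trail specific to AI usage. The "hold" branch is what distinguishes a DLP-integrated control from a plain domain allow-list: an approved tool is still not a licence to send restricted-labelled material, so that case is routed to the exception process the policy describes rather than silently allowed or hard-blocked.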
Carbon Fee Risk
Risk Description
- In 2024, the Ministry of Environment announced the carbon fee (carbon pricing) scheme, under which enterprises with annual greenhouse gas emissions of 25,000 metric tons of CO₂e or more are required to file emissions declarations and begin paying carbon fees starting in 2026.
- The standard carbon fee rate is NT$300 per metric ton of CO₂e. Companies that submit and obtain approval for a voluntary emission reduction plan may qualify for preferential rates of NT$50 or NT$100 per metric ton. Based on preliminary assessments, the Company’s Yunlin Plant No. 1 is expected to exceed the emission threshold and therefore falls within the scope of carbon fee applicability.
- If no voluntary emission reduction plan is submitted, carbon fees will be calculated at the standard rate, resulting in increased operating costs and greater pressure on emissions management.
Impact
- At the standard carbon fee rate of NT$300 per metric ton of CO₂e, the Company would be required to pay approximately NT$1.33 million in carbon fees. If proactive carbon reduction measures are not implemented, potential future rate increases or the loss of eligibility for preferential rates may further raise long-term carbon-related costs and operating expenses.
- Failure to comply with regulatory requirements for carbon emissions management may adversely affect the Company’s ESG ratings, customer supply chain assessments, and overall international competitiveness.
- With the implementation of international mechanisms such as the Carbon Border Adjustment Mechanism (CBAM) by the European Union, the Company may face increased export costs in the absence of effective carbon reduction strategies.
Mitigation Measures
- A voluntary emission reduction plan has been submitted and approved, enabling the applicable carbon fee rate to be reduced from NT$300 to NT$100 per metric ton of CO₂e, thereby effectively mitigating financial impacts in accordance with the Ministry of Environment’s preferential carbon fee framework. In compliance with regulatory requirements, the Company will regularly submit implementation results of the voluntary reduction plan to maintain eligibility for the preferential rate.
- The Company will continue to identify emission hotspots, promote energy efficiency improvements, and introduce low-carbon equipment and renewable energy solutions to further reduce actual greenhouse gas emissions.
- In accordance with the carbon fee regulations, the Company will evaluate the use of domestic emission reduction credits (such as voluntary reductions or offset projects) or the submission of a plan qualifying for the NT$50 per metric ton preferential rate, in order to further reduce chargeable emissions.