Risk Management

Risk Management Policy and Process

Taiwan Mobile Co. (TWM) established a risk management policy in 2011, and relevant policies and procedures were disclosed on the official website. The policy was revised for the third time by the board of directors in 2022 as the highest principle for risk management. The Company actively plans risk management policies, the organizational structure and risk management systems; potential risks in the operation of the Company are dealt with on a preventive basis before they occur.

The Risk Management Committee (RMC) was set up in 2015 with the approval of the board of directors to reinforce the organization’s risk management mechanism. The Chief Financial Officer is assigned by the chairman of the board to chair the RMC. All records of RMC operations are submitted to the chairman of the board for approval. Since 2021, the status has been reported to the board of directors at least once a year to ensure that all risks are effectively managed.

The Internal Audit Office conducts an annual review of the risk management mechanism and annual year-end risk assessments, and rates the importance and possibility of each risk, then calculates the risk value according to the results of the rating. The risk value becomes the basis for the following year's audit plan.

In 2024, the audit results did not show any internal control deficiencies and abnormalities. Nevertheless, 82 concrete suggestions for improving operational procedures were proposed as ways to improve the quality of management. The improvements and suggestions are to be tracked on a quarterly basis until they have been completed.

Risk Management Scope

TWM integrates and manages the important risks that may affect operations and profits in a proactive and cost-effective manner, together with a response mechanism based on three-level risk management.

The Company's important risks include "Operating risk", "Risks related to information privacy and security", "Innovation risk" and so on. For details, please see the Company's annual report.

Risk Management Structure
Responsible unit (Risk Ownership) | Function
Operational Risk Ownership (first line): Corporate Affairs, Information Technology Group, Technology Group, Consumer Business Group, Enterprise Business Group, Home Business Group, Finance Group | Risk factors are analyzed and assigned to responsible units to monitor and ensure timely and effective detection. Each unit shall ensure, on a daily basis, that risks are kept under acceptable levels. Should there be any changes in condition or other factors, the responsible unit shall report these to the Company for an appropriate course of action.
Risk Management and Compliance Oversight (second line): Risk Management Committee* | Integrate the Company's risk management framework and internal control mechanism. Execute risk management strategies and conduct a review of the efficiency of the overall risk management mechanism. Exercise control over the four following committees:
1) Operations and Management Committee | Conduct periodic reviews of each business group’s operating targets and performance to meet the Company’s guidance and budget.
2) Communication Quality Assurance Committee | Ensure and manage network communication quality.
ESG Steering Committee | Establish a functional committee governance system, strengthen management functions, and commit to the implementation of corporate social responsibility and sustainable management.
1) ESG Working Group | Integrate operations and core resources to promote the Company’s ESG policies to move toward sustainable development.
2) Occupational Safety and Health Working Group | Supervise and minimize potential risks to workers’ health and safety.
3) Environmental Working Group | Develop and manage the Company's policies and objectives for environmental and energy management.
4) Innovation Working Group | Integrate the Company’s innovation strategies and establish a management mechanism.
5) Brand Development Working Group | Implement the brand spirit of "Open Possible" and build a seamless brand experience from the inside out through employee conduct, products and services, internal and external working environments, and marketing communications.
Cyber Security and Data Privacy Protection Committee | Demonstrate the Company’s commitment to these principles by investigating reported breaches of information privacy principles and policies, and, if necessary, take appropriate corrective measures.
TOP: Board of Directors | Responsible for assessing material risks, designating actions to control these risks and keeping track of their execution.
Independent Audit Unit (third line): Internal Audit Office | Regularly monitor and assess potential and varying levels of risks that the Company might face and use this information as a reference for drafting an annual audit plan. Report any discrepancy to the concerned unit chief and ensure that remediation efforts are completed.
*Note: The Board of Directors exercises control over the ESG Steering Committee and the Cyber Security and Data Privacy Protection Committee. In addition, the Chairman exercises control over the Risk Management Committee. If any major event or incident happens, the responsible unit shall report it to the Operations and Management Committee and corresponding Committee or Working Group to undertake any necessary measures.

Risk Operation

TWM has set up the RMC, which is chaired by the Chief Financial Officer and consists of 6 members, including the chairman of the board and the highest-ranking officer or their agent from each major risk management area. The RMC is responsible for supervising and strictly controlling risk management related issues, and promotes a risk management-oriented management model to achieve continuous improvement.

The RMC meets at least once every six months and communicates regularly with functional committees such as the “Operations and Management Committee”, “Occupational Safety and Health Working Group”, “Communication Quality Assurance Committee”, “Environmental Working Group”, “Cyber Security and Data Privacy Protection Committee”, “ESG Working Group” and “Innovation Management Working Group”, as well as other special committees and working groups, to discuss risk management issues and accurately control risk issues in different fields.

In the event of a major event or proposal, each responsible unit shall report it to an operations management meeting or to the relevant management committee, which decides the necessary measures. Each functional committee not only proactively identifies potential internal and external risk issues for the Company, but also proposes appropriate solutions.

The operation record of the RMC is submitted to the chairman for approval. The Internal Audit Office follows up on the status of operations and reports to the Board of Directors at least once a year to ensure that relevant risk issues are effectively managed.

The Company has proactively promoted its risk management mechanism since 2011.
The main activities over the years are as follows.

  • Formulated Risk Management Policy in 2011.
  • The Risk Management Committee was established in 2015.
  • Revised the Risk Management Policy in 2017.
  • The Risk Management Policy was revised the second time in 2020.
  • The Chief Internal Auditor attended the Board of Directors meeting to report on the business of the Risk Management Committee on August 5, 2021.
  • The Risk Management Committee meeting was convened for the second time to discuss 17 issues in 2021.
  • Revised the Risk Management Policy for the third time, approved by the Board of Directors in 2022.
  • The Chief Internal Auditor attended the Board of Directors meeting to report on the business of the Risk Management Committee on August 1, 2022.
  • The Risk Management Committee meeting was convened for the second time to discuss 19 issues in 2022.
  • The Chief Internal Auditor attended the Board of Directors meeting to report on the business of the Risk Management Committee on August 4, 2023.
  • The Risk Management Committee meeting was convened for the second time to discuss 17 issues in 2023.
  • The Chief Internal Auditor attended the Board of Directors meeting to report on the business of the Risk Management Committee on August 5, 2024.

The Risk Management Committee meeting was convened in April and October 2024 to discuss 17 issues submitted by the special (functional) committees, covering risk-related issues along with their mitigation plans.


Risk Management Procedure

The RMC and the ESG Working Group review global, local and industry trends, identify the relevant risks that apply to TWM at the corporate level, and discuss risk prioritization according to impact level and possibility of occurrence.

Annually, an inventory is conducted based on the risk categories and risk items, and each risk item is further reviewed to adjust the risk description based on emerging international trends. After evaluating potential impacts, each responsible unit shall select priorities according to risk levels and adopt corresponding measures and actions to keep risks within an acceptable range. Risk appetites and risk tolerances shall be formulated for the relevant major risks and submitted to the RMC for approval.
Risk Management Policy

Risk tolerance indicators, that is, thresholds for the overall gap between target/metric and actual performance that the Company is willing to tolerate, are established and monitored for each risk item. Taking "Changes in customer behavior" and "Sustainable and Responsible Supply Chain Management" as examples:

  • Changes in customer behavior: we set the proportion of our existing household clients covered by the "Double-Play" plan at 80% as the risk tolerance indicator.
  • Sustainable and Responsible Supply Chain Management:
    1. The proportion of tier-1 suppliers not assessed within three years is below 20%.
    2. The proportion of significant tier-1 suppliers not subject to site assessment within three years is below 8%.
    3. The proportion of significant tier-1 suppliers not conducting GHG emissions audits within three years is below 8%.

For the risk prioritization, the impact of each major risk and the mitigating actions, please refer to the Risk Management Matrix and the Analysis of Key and Emerging Risks and Opportunities.


Risk Management Matrix

Analysis of Significant and Emerging Risks and Opportunities

△ Significant Risk
△ Emerging Risk: defined as an emerging and external risk that is expected to have a significantly long-term impact on the company's business.

Category | Risk | Emerging Risk correlated with WEF category | TWM Material Topics | Description | Trend | Impact | Mitigating actions | Risk Tolerance
Regulatory
1. Legal Compliance
  Legitimacy/legal compliance
  • To prevent and combat fraud, the Legislative Yuan passed the "Fraud Crime Hazard Prevention Act" on July 12, 2024. The Act clearly stipulates the anti-fraud obligations for the financial, telecommunications, and digital industries, increasing the regulatory compliance responsibilities of these businesses. Companies that fail to implement the regulations will be subject to hefty fines.
Remaining stable
  • The Act requires telecom businesses to interface with the government-designated database to verify user identities when processing applications for telecom services. If a user is identified as high-risk, the user shall be restricted to applying for no more than one mobile number within 3 years.
    Additionally, before providing the international roaming services to offshore high-risk telecom businesses, or prepaid card services to non-Taiwanese users, telecom businesses must first verify the users’ entry status and identity through the designated database. After providing these telecom services, telecom businesses shall regularly check whether such users leave the country or overstay by connecting to the database. Telecommunications businesses who fail to fulfill these obligations will be subject to hefty fines.
  • The Company has integrated with the "165 Anti-Fraud Joint Risk Database" and the "Immigration Agency Database" on November 1, 2024. We will continue to comply with legal regulations and diligently fulfill our responsibilities in fraud prevention as a telecom business.
No penalties have been imposed for failure of regulatory compliance.
2. Policy and legislation changes
Societal | Legitimacy/legal compliance
  • To promote the development of next-generation satellite communication services and industries and to strengthen the nation's digital resilience, the Ministry of Digital Affairs (moda) announced a revision to the “Radio Frequency Supply Plan” on February 13, 2025. This revision includes the initial release of 7 satellite mobile communication frequency bands and the expansion of 12 satellite fixed communication frequency bands. Telecommunications businesses will be able to apply for these bands as early as the end of June. The company must assess the potential impact of satellite communication development on our operations and incorporate this into our overall strategic planning to continuously enhance future competitiveness.
 
Remaining stable
  • The coverage of our mobile communication network is good. At present, satellite communications are primarily utilized as a solution to enhance wireless network coverage in remote areas and as a backup network for disaster response. Given the limited transmission capacity of satellite communications, there is no significant impact on competition within domestic mobile communication services in the short term. However, attention should be paid to the potential issue of adjacent channel interference arising from a few allocated frequency bands in the future.
  • In the long term, due to the rapid advancement of satellite mobile communication technologies and the growing global focus on the integration of satellite and terrestrial mobile networks, it is essential to closely monitor whether these developments will further impact the mobile broadband market.
  • The company will continue to monitor moda’s policies on satellite communication services and frequency resource allocation, and will flexibly adjust the strategy in response to the development of satellite communication technologies.
Adjacent channel interference
Network bandwidth resources
3. Climate change/natural disasters
Environment | Climate change mitigation and adaptation
  • New climate-related disasters are external risks that will lead to more intense storms and longer periods of high temperatures.
  • Increase in repair personnel after natural disasters.
  • Unstable electricity and water supply.
On the decline
  • Climate change-related disasters have significantly impacted the Company's operations and finances and will continue to cause the following impacts. According to the TCFD report, disasters such as flooding, landslides, and mudslides have resulted in financial losses. Analysis of the Company's own assets shows that 78 machine rooms are at risk of one or more types of disasters. In terms of financial impacts, we have calculated 1) operating losses and 2) increased costs as follows:
  1) Operational Losses:
  • 75 HUB machine rooms are at risk of flooding due to severe weather conditions such as typhoons and heavy rains. Without backup batteries and power outage alerts, this could lead to power failures in the machine rooms, resulting in service interruptions or poor service quality, thereby impacting operations.
  • HUB machine rooms are located in one area prone to landslides and two areas prone to landslides, with an estimated annual revenue of approximately 360 million yuan from affected base stations.
2) Increased Costs:
  • When 78 machine rooms are impacted (including 75 flood response sites, one landslide cleanup site, and two landslide cleanup sites), the estimated annual labor costs are approximately 81.89 million yuan.
  • Our company has responded by identifying and adjusting our climate strategy. The measures listed below are managed through 1) capital investment, 2) human resources, and 3) equipment additions, as described below:
1) Capital investment:
  • Capital investment for relocation and establishment of new sites: machine rooms are at risk of landslides or mudslides, with each site costing approximately NT$1 million.
2) Human Resources:
  • (Flood prevention) Installation of water leakage detection systems and temporary generators in 75 machine rooms, totaling approximately NT$1.82 million.
  • (Landslide and mudslide prevention) Slope monitoring operations, technical inspection and analysis services, and installation of temporary generators in 3 machine rooms, totaling approximately NT$1.1 million.
3) Addition of equipment:
  • (Flood prevention) Installation of leak detection systems and temporary generators in 75 machine rooms, at a total cost of approximately NT$22.14 million.
  • (Landslide and mudslide prevention) Installation of automated slope monitoring systems and temporary generators in 3 machine rooms, at a total cost of approximately NT$28.88 million.
  • Renewable energy usage
  • Energy intensity
  • Energy savings
  • Backup generator capacity
4. ICT Infrastructure and Bandwidth Resource Management
  Network quality and coverage
  • The failure rate of infrastructure increases with years of use.
  • Outdated systems and infrastructure should be phased out.
  • After network integration, issues with quality consistency and network user experience.
Remaining stable
  • The failure rate of infrastructure increases with years of use and impacts the operation of the information system.
  • Outdated systems and infrastructure cannot meet business needs and affect competitiveness.
  • The merged dual networks have inconsistent coverage, which may affect user network speeds.
  • Regularly check the operation status of infrastructure equipment and take the vendor's support into account in order to carry out timely replacements and updates, and design a backup mechanism to ensure the normal operation of the information system.
  • Implement a private cloud platform for quickly building information systems to support business development and enhance competitiveness.
  • After completing the physical integration, we will continue to optimize and refine the consistency and user experience of coverage, significantly reducing the negative user experience caused by integration issues.
  • Optimize spectrum utilization to achieve a better experience by leveraging the new spectrum acquired through consolidation.
 
  • Implement a private cloud platform and replace old equipment with new equipment year by year. The annual replacement rate of physical hosts should not be less than 8%.
  • The proportion of new local systems built on private cloud platforms must be no less than 80%.
5. Telecommunication technology innovation
  Network quality and coverage
  • The ability to maintain network stability and continuous operation in the face of various challenges and disasters.
Remaining stable
  • For network resilience, satellite communication is the top recommendation. Currently, satellite services in Taiwan are provided by competing agents, which reduces our autonomy.
  • Taiwan experiences frequent natural disasters such as typhoons and floods during the summer, which can cause serious damage to telecommunications infrastructure and result in network outages in disaster areas.
 
  • Engage with multi-orbit satellite communication providers and collaborate with other satellite communication companies to enhance the resilience and autonomy of our satellite communications.
  • Accelerate the planning of satellite communication resilience solutions to provide network services in isolated areas affected by disasters.
 
Information security
6. Information privacy and personal data protection
Technological | Privacy protection
  • Domestic and international personal data privacy regulations are becoming increasingly stringent, along with heightened public awareness of personal data protection.
  • Data breaches involving personal information from emerging services and products may lead to diminished user rights, reduced company revenue, and damage to corporate reputation.
On the rise
  • The Executive Yuan will establish an independent supervisory authority for personal data protection, the Personal Data Protection Commission, around August 2025 and promote legislation for the Artificial Intelligence Fundamental Act in response to the rapid advancement of artificial intelligence technologies and the potential challenges they may pose. This will place personal data protection requirements on those who use artificial intelligence and strengthen regulatory requirements related to privacy and information security. To establish a comprehensive personal data privacy management framework, our company must continuously invest resources and bear additional costs to comply with regulatory requirements and to address the external risks, as expected by both regulatory authorities and users.
  • To provide a wide range of high-quality telecommunications and value-added services, the scope of our innovative services and products will continue to expand over the next three to five years. This will involve the processing of a large volume of personal data and privacy matters. In the event of an accidental personal data breach affecting users’ privacy, the company would be legally liable. For example, compensation to affected users must be paid at not less than NT$500 and up to NT$20,000 per person per incident, and in serious cases an administrative fine of between NT$150,000 and NT$15,000,000 can be imposed. In addition to compensation to users, the company may also face impacts such as user attrition and decreased revenue.
 
  • To address external impacts relating to information privacy and information security, our company has established mechanisms for the protection of users’ personal data privacy, keeping up with international trends and regulatory requirements. In alignment with the development of innovative services and products, we continuously optimize operational processes involving personal data privacy.
  • By engaging impartial third-party assessments to verify the effectiveness of our personal data privacy management, we ensure the continued validity of certificates such as ISO 27001 and ISO 27701 (Information Security and Personal Information Management Systems), as well as BS 10012 and ISO/IEC 29100 (Privacy Framework). These standards are integrated into our business operations, driving ongoing enhancements to our security mechanisms. We are planning the following actions to further elevate our information privacy and security standards:
  1. Establishing and regularly updating information security policies and standards.
  2. Strengthening the functions of the dedicated information security organization.
  3. Continuously conducting personal data security audits and data breach simulation drills.
Legal Disputes and Customer Complaint Controversies
7. Cyber Security and Cyber Attack
Technological | Information security
  • Cyberattack methods are rapidly evolving with the application of AI and other advanced technologies, and the scope of attacks is expanding to include both enterprises and their supply chains.
  • Regulatory authorities are strengthening information security management for publicly listed companies and imposing increasingly stringent network security protection requirements specifically for the telecommunications industry.
On the rise
  • Amid the emergence of various new cyberattacks across industries worldwide, it is anticipated that, over the next three to five years, hackers will strengthen their attack techniques by leveraging tools such as AI. The company may be impacted by these emerging cyber threats, such as ransomware attacks that encrypt corporate files, or social engineering attacks that result in the leakage of sensitive information. For example, if the company suffers a DDoS attack causing a one-day service outage, the estimated revenue loss would be approximately 546 million NTD.
  • As a telecommunications critical infrastructure provider designated by the Executive Yuan—and one of Taiwan’s three major telecom operators—any inability to withstand external cyberattacks could severely disrupt user telecommunications services. This, in turn, may lead to compensation for service interruptions, revenue reduction, and reputational damage. Regulatory authorities have mandated the strengthening and implementation of information security maintenance programs, which means the company will need to continuously increase its investment in defensive measures to mitigate external risks associated with cyberattacks and regulatory compliance requirements.
  • To address external impacts related to cybersecurity, our company must continuously invest resources to establish information and communications security protection mechanisms and promote security measures in order to comply with the regulatory authorities’ cybersecurity management requirements. We will review the effectiveness of these protection mechanisms and the achievement of security objectives, and report progress and benefits to the Information Security and Personal Data Privacy Committee.
    The cybersecurity protection mechanisms include:
  1. Engaging external auditors to inspect and ensure compliance with regulatory requirements, such as the Mobile Broadband Cybersecurity Management directives from the Ministry of Digital Affairs.
  2. Conducting penetration testing that simulates hacker behavior to identify and remediate vulnerabilities.
  3. Establishing various quantitative indicators to track the security posture.
  4. Enhancing the cybersecurity threat detection and management mechanism (Security Operations Center, SOC) and conducting red team exercises.
  5. Monitoring and analyzing information security protection systems and equipment, and evaluating the implementation of a Zero Trust Architecture (ZTA) framework.
Information Security Incidents Handling
Business operation
8. Greenhouse gas emissions
  Climate change mitigation and adaptation
  • Growth in telecommunications services leads to increased greenhouse gas emissions.
  • Failure to respond promptly and effectively to oversight from civil organizations.
  • Failure to disclose carbon-related information in a timely manner (e.g., CDP).
Remaining stable
  • Taiwan Mobile had already committed in 2022 to achieving RE100 by 2040 and net-zero carbon emissions by 2050. To reach these goals, it is necessary to increase investments in renewable energy installations and green power procurement, which in turn raises operating costs. At the same time, improving the energy efficiency of data center equipment and operational sites will require capital expenditures for replacing outdated equipment.
  • Civil organizations (such as Greenpeace) continue to monitor corporate energy-saving efforts. A lack of positive response could harm the company’s reputation.
  • In conducting self-assessments for international sustainability ratings and carbon disclosure, failure to respond positively may reduce investor confidence in the company.
 
  • Conduct organizational carbon inventory.
  • Establish an energy/environmental management system.
  • Support the government's green energy policies.
  • Develop green energy infrastructure.
  • Increase the use of renewable energy and improve energy efficiency.
  • Promote green energy strategies through media campaigns.
  • Continuously enhance performance through international sustainability initiatives and evaluations.
  • Carbon reduction
  • Electricity savings
  • Renewable energy usage
  • Installed capacity of green energy
  • Media exposure / number of views
  • Advocacy achievement rate
  • Evaluation score
9. Occupational safety and working rights
  Supply chain management
Working rights
  • Workplace discrimination incidents result in legal violations.
Occupational safety
  • Crucial technical talent have suffered work-related injuries.
  • Contractor's works security vulnerability
Remaining stable
Working rights
  • Discriminatory treatment in remuneration, benefits, promotions, raises, tenure, trainings, working conditions or employment rights due to gender, age, marital status, race or disability. The company's discriminatory practices result in legal violations, leading to reputational damage and government penalties.
Occupational safety
  • If the number of occupational disasters increases, it may cause employees to be temporarily disabled and unable to work, affecting operations.
  • If there are loopholes in the contractor's works safety, it will affect goodwill.
Working rights
  • The company operates its recruitment process through open hiring and explicitly states that there will be no differential treatment based on gender, age, marital status, race, or disability in terms of remuneration, benefits, promotions, raises, tenure, trainings, working conditions, and employment rights.
Occupational safety
  • Increase safety education and training for all employees.
    Establish operating procedures and provide appropriate protective equipment for use
  • Develop contractor safety and health management standard operating procedures for contractors to follow, and implement contractor management and supervision.
Working rights
  • Incidences of unlawful workplace discrimination: 0
Occupational safety
  • Reduce the Disabling Frequency Rate (FR) by 10%
10. Sustainable and Responsible Supply Chain Management
  Supply chain management
  • Due to suppliers lacking comprehensive related policies and measures, there is a risk of violating labor rights laws and regulations, which may lead to occupational health and safety management risks.
  • Intensified extreme weather conditions may cause transportation disruptions and material shortages, resulting in the risk that suppliers cannot provide materials in a timely manner.
  • Due to the worsening of extreme weather, outdoor workers may face heat-related injuries, thereby generating related occupational safety risks.
  • With increased government regulatory enforcement and the imposition of related taxes and fees, there is a risk of increased operating costs arising from lagging climate action.
  • With rising international standards and national regulations concerning biodiversity, if suppliers’ raw material origins, product supply, or service scope impact biodiversity, there is a risk of increased operating costs for suppliers.
 
Remaining stable
  • If a supplier violates labor and human rights, it may damage TWM’s brand reputation, reduce investor confidence, disrupt the supply chain, and weaken market competitiveness, thereby affecting customer relationships and operational stability.
  • The transportation and materials provided by suppliers may be impacted by extreme weather conditions, causing transportation interruptions and material shortages, which could adversely affect TWM’s operations.
  • Extreme heat caused by climate change may result in heat-related injuries to outdoor workers, potentially leading to labor shortages and impacting TWM’s operational capacity.
  • As international regulations on carbon management become increasingly stringent, suppliers unable to comply in a timely manner may face related fees, thereby increasing TWM’s operational costs.
  • If suppliers’ operations or raw material sourcing affect local biodiversity, suppliers may be forced to relocate their facilities, causing material shortages and potentially damaging TWM’s reputation or disrupting its operations.
  • Regularly conduct sustainable supply chain due diligence to identify occupational health and safety risks and human rights risks of suppliers, and assess their impact on TWM. If high-risk suppliers are identified, require them to submit Corrective Action Plans and audit to ensure the effectiveness of those improvements.
  • Identify key products of TWM, inventory important suppliers, and analyze their impact levels. Strengthen audit management of significant suppliers, enhance supply chain resilience, adjust multinational supply chain layouts, and seek alternative suppliers.
  • For TWM’s high carbon-emission suppliers and those needing improvement in carbon management capabilities, provide empowerment and promote cooperative relationships, such as assisting in setting Science Based Targets initiative (SBTi) goals and group purchasing of green electricity, to establish a low-carbon supply chain.
  • Identify biodiversity-related risks within the supply chain and evaluate their potential impact on TWM. For suppliers assessed as high risk, it is advised to promote increased biodiversity awareness and understanding among them.
  • The proportion of tier-1 suppliers not assessed within three years is below 20%.
  • The proportion of significant tier-1 suppliers not subject to site assessment within three years is below 8%.
  • The proportion of significant tier-1 suppliers not conducting GHG emissions audits within three years is below 8%.
  • By 2035, supply chain greenhouse gas emissions will be reduced by at least 23% compared to the 2020 baseline year.
11. Infectious disease pandemic and epidemic
  Employee’s physical and mental health
  • Although the risk of infectious diseases has declined, if technical talents or other key employees are infected with emerging infectious diseases, it may still lead to employee absence, thus affecting the quality of communication services and operations.
On the decline
  • During the peak of infectious diseases, the infection may still affect work efficiency and service quality, especially the absence of technical personnel, which may delay project progress, reduce service quality, and affect internal collaboration.
  • Establish a "health management system" to set up active "infectious disease/fever" notifications to control the health of office personnel, and carry out follow-up control if there are clusters.
  • Regularly promote infectious disease prevention and self-health management through the internal e-newsletter to enhance employees' awareness of epidemic prevention and self-protection capabilities.
 
Symptoms of the same infectious disease occurred within a week on the same floor and in the same unit.
Market
12. Product End-of-Life (EOL) management
  Circular economy
  • If used/discarded cell phones and electronic waste from business operations are not reduced, recycled, or reused to achieve zero waste and reduce pollution, they may lead to resource depletion and environmental pollution.
 
  • The circular economy is a contemporary international consensus and trend; failure to support and actively implement it may harm a company's image. The potential impact on brand image requires continuous monitoring, regular risk assessments, and timely adjustments to strategies to respond to changes.
 
  • Based on the actual recycling performance in 2024, the original Heart of Sustainability 2.0 targets were updated in 2025: from 2020 to 2025, the cumulative number of recycled old/used mobile phones is set to reach 283,000 units; by 2026, the cumulative total is expected to reach 358,000 units.
 
The cumulative recycling target figures are subject to rolling adjustments based on actual annual performance.
13. Alternative and emerging business models
  Circular economy
  • The replacement cycle of mobile phones is extended. It is difficult to attract users to switch to higher-rate 5G plans by offering only flagship-handset plans.
Remaining stable
  • Due to the high similarity in the content of mobile plans offered by different providers, users face a lower threshold when considering switching providers. Furthermore, telecom companies are all striving to expand their user base and offer a variety of plan options to broaden their market presence. They are also utilizing OTT services or leveraging group resources to enhance their sales competitiveness. Consequently, Taiwan Mobile is encountering competitive pressures extending beyond its traditional telecom domain.
  • Taiwan Mobile is persistently utilizing its group resources to strategize the "momobile" plans. It offers increasingly higher rewards for higher-tier plans and actively pursues exclusive partnerships for telecommunications services and products. These include globally recognized services such as Max, Apple One, and YouTube Premium. Moreover, it launches the “Ride and Share for a Greener Earth” promotion in collaboration with WeMo to accelerate the net-zero transition. The OP Life project, which focuses on a one-stop service experience, has also introduced technology lifestyle bundles, creating a unique sales advantage for Taiwan Mobile while attracting users to switch to higher-tier plans.
Taiwan Mobile's exclusive plan accounts for over 10% of the total mobile users.
14. Intensified Competition
  Risk management
  • The mergers of TWM and T-Star, and FET and APT have been completed. Each operator will promote 5G service through exclusive services or different terminal equipment related to 5G service.
  • Peer companies continue to expand the application of the point economy in end users' life circles.
Remaining stable
  • Each operator is actively allocating resources to the development of 5G services and applications, with the goal of becoming the first provider to offer a groundbreaking service. This is intended to enhance incentives for users to upgrade to 5G and seize market share. Taiwan Mobile must confront the risk of potential decreases in both users and revenue due to the absence of a killer 5G application.
  • Competing telecommunications companies are launching shopping reward programs akin to Taiwan Mobile's "momobile" or adopting bonus rewards as a gift model. This raises concerns about eroding Taiwan Mobile's unique position as an e-commerce pioneer and its profitability.
  • By packaging exclusive telecommunications projects with diversified multimedia entertainment services, Taiwan Mobile aims to enhance its market competitiveness and attract a broader 5G user base. This includes exclusively representing internationally renowned services such as Max and offering complimentary YouTube Premium services exclusively to telecom customers.
  • To strengthen its sales advantage, Taiwan Mobile is deepening its integration with momo shopping resources. The plan offers momo dollar rebates and discounts for purchases made on momo's platform. Additionally, it introduces the option to use momo dollars for discounts on mobile phones, accessories, and MyMoji. This expansion of momo dollar usability enhances the ecosystem of momo dollars and creates synergies within the group.
The penetration rate of 5G exceeds 35%.
15. Changes in customer behavior
  Customer experiences
  • With increasing 5G penetration and the popularity of home broadband, the hotspot on the consumer side will shift to smart homes, IoT devices and other exclusive terminal and audio-visual services.
Remaining stable
  • With increasing 5G penetration and the popularity of home broadband, the hotspot on the consumer side will shift to smart homes, IoT devices and other exclusive terminal and audio-visual services.
  • Leveraging successful collaboration models within the group, Taiwan Mobile plans to further expand its "Double Play" service to enhance coverage. Additionally, it aims to diversify its offerings by expanding the range of one-stop comprehensive experience products (OP Life) and introduce technology lifestyle bundles featuring e-book readers and tablet keyboards.
  • Moreover, it will utilize Matter to interconnect IoT products across brands and create a more comprehensive range of smart home bundles. This strategy is designed to incentivize users to choose higher-tier plans and strengthen customer loyalty.
The "Double Play" plan covers 80% of households nationwide.
16. Demographic changes
  Service impact management
  • The continuous decrease in newborn numbers contributes to an aging population structure; the changing demand for telecom services tailored to the elderly should be addressed.
Remaining stable
  • Taiwan's society is progressively aging, resulting in a decrease in mobile subscription demand, thereby impacting company revenue. The evolving demand for mobile services has led to a gradual decline in the effectiveness of stimulating monthly subscription fee increases through mobile phone contract bundling.
  • Although older users tend to replace their phones less frequently, the acceptance and usage of digital technology have increased. This can be capitalized on by implementing diverse product and service packaging projects, as well as comprehensive one-stop experience service bundles, to transform the bundling product model. By providing diverse choices and addressing the pain points of segmented technology product searches, this approach can also lead to an increase in monthly subscription fees.
Continuously introducing plans tailored for the elderly and vulnerable demographics, with an annual user base surpassing 750K individuals.
17. Geopolitical and Economic/Political Changes
Geopolitical Supply chain management
  • Policy Changes: Adjustments in national regulations and trade restrictions may affect the import and export activities within the supply chain.
  • Trade Wars: Trade conflicts can drive up raw material prices, increasing production costs and thereby impacting product profitability.
  • Regional Conflicts: Political instability and international conflicts may compromise supply chain stability, leading to transportation disruptions or supply chain interruptions.
On the rise
As geopolitical volatility increases, external factors beyond corporate control may intensify. TWM could face the following operational impacts:
  • If raw materials become unavailable due to transportation or export disruptions, TWM may be unable to procure critical materials, which could affect product manufacturing. Additionally, trade wars and policy changes that drive up raw material prices may increase TWM’s operating costs.
  • If suppliers experience delays or interruptions in delivery caused by blocked or disrupted transportation routes in specific regions, TWM may face difficulties in obtaining key products or equipment components, potentially causing sales and other operational processes to deviate from planned schedules.
  • Inventory TWM’s significant suppliers and assess the degree of impact. Strengthen focus on critical services and products, enhance audit management intensity for significant suppliers, and simultaneously adjust the multinational supply chain layout to improve supply chain resilience.
  • The proportion of tier-1 suppliers not reviewed within three years is below 20%.
  • The proportion of tier-1 key suppliers not subject to on-site review within three years is below 8%.
Talent management
18. Shortage of technical talent and workforce
  Green application and circular economy
  • Rising demand for talent in emerging fields/specialized skills.
  • Increased costs for talent recruiting, retention or training.
  • Unable to recruit emerging key technical talent in a timely manner.
  • Inability to attract and retain emerging key technical talent.
  • AI technology is rapidly evolving.
On the rise
  • As industries and technology trends continue to evolve, the company's competitiveness will be impacted if we fail to cultivate, hire, or retain talent in emerging fields/specialized skills.
  • Recruitment difficulties lead to a shortage of technical talent, which will affect the construction or development of new network equipment or services.
  • Talent loss affects project progress and network maintenance quality.
  • Failure to continuously acquire AI-related technologies can easily lead to competitive disadvantage.
  • Based on industry trends and strategic development, we conduct annual training needs assessment to develop yearly training plans.
    We provide diverse development opportunities to cultivate talent in anticipation of future expertise, enhancing workforce efficiency and strengthening the company's competitiveness.
  • Technical supervisors map out required skills and certifications in response to trends. Supervisors evaluate employees on skills/licenses and tailor training programs accordingly.
  • Employees will collaborate with supervisors to create their own individual development plans in accordance with feedback from the multifaceted appraisal system and their career plans. This helps employees acquire the knowledge and skills they need at work or for their next role within the organization.
  • The company initiates the "Work Club" scheme to encourage cross-departmental collaboration. Employees from different departments can work on projects together and learn new things from each other, which contributes to their overall personal and professional development.
  • Train employees to use Low-Code and No-Code tools. This will free them from tedious administrative tasks and allow them to focus on high-value, creative work to enhance efficiency.
  • Utilize AI technology and tools from telecommunications equipment manufacturers, combined with their professional training programs, to enhance employees' mastery of new technologies and cultivate internal seed teachers to compile e-learning electronic teaching materials and establish a new technology training database.
IDP completion rate: below 75%
Innovation management
19. Responsiveness to the trend of innovation and creativity energy
  Technology innovation & application
  • Rapid Technological Advancements Impact Competitiveness: The rapid development of 5G, eSIM, AI, blockchain, and Web 3.0 technologies necessitates timely integration and market alignment; failure to do so may weaken competitive advantages.
  • Technologies such as blockchain, Web 3.0, and generative AI are still in the development and validation stages, with business models, regulatory frameworks, and user adoption remaining uncertain. Companies pursuing innovation in these areas must allocate substantial resources while facing uncertainties in return on investment and financial risks due to rapid technological iteration and market volatility.
  • Failure to seize integration opportunities of 5G and AI within cross-industry ecosystems such as smart cities, smart manufacturing, and smart healthcare may result in missing key alliances and platform advantages, thereby weakening the company's business momentum and market influence in emerging application scenarios.
On the rise
  • As global industry competition intensifies, failing to establish an early presence may result in losing first-mover advantages and incurring higher costs and time pressure to catch up.
  • Failure to comply with government regulations, ESG requirements, and cybersecurity standards may lead to operational risks and significant remediation costs.
  • Choosing the wrong strategic direction may lead to declining competitiveness and missed business opportunities.
  • In the telecommunications industry, failing to stay aligned with market demand may negatively impact growth trajectories and revenue expansion.
  • High investments in advanced technologies, if not generating returns as expected, may increase financial risk and reduce operational flexibility.
  • Challenges in cross-industry collaboration or ecosystem development may hinder the advancement of emerging businesses and weaken first-mover advantages.
 
  • Enhancing 5G+AIoT Patents and Standardization: Proactively expanding into international markets to strengthen global competitiveness.
  • Accelerating Green Energy Investments: Launching services like myCharge and leveraging strategic alliances and cross-industry collaborations to validate and scale market adoption through minimum viable products.
  • Integrating CT, IT, and OT Technologies: Leveraging strong technological capabilities to build ecosystems and diverse solutions, offering enterprises one-stop AI-driven solutions. Continuously collaborating with leading tech firms to explore new products and business models.
  • Adopt diversified investments and strategic alliances to enhance market adaptability and reduce risks.
  • Continuously launch innovative services such as myVideo, cloud gaming, telecom-fintech, and smart home solutions to expand service scope and strengthen revenue streams.
  • Organize innovation competitions, challenge days, work communities, and talent-sharing platforms to encourage cross-departmental collaboration and accelerate application implementation.
  • Strengthen market-driven technology strategies to ensure innovations meet demand and generate revenue. Mitigate financial risks through phased investments and business model validation. Enhance industry collaboration and standardization efforts to improve ecosystem integration efficiency and accelerate innovation adoption.
  • User Growth & Revenue Performance
  • Number of Projects and Participants

Risk Culture

Regular risk management education for all non-executive directors
In accordance with Article 40 of the "Corporate Governance Best Practice Principles", the Company requires directors to complete at least three hours of risk management training annually to enhance their relevant capabilities. For directors' training programs, please refer to page 41 of the company's annual report.

Focused training throughout the organization on risk management principles
To fortify employees' risk response competency and cultivate a risk management culture, we conduct risk management training every year on topics such as how to conduct risk management and information security. We also test employees with simulated phishing attacks. These training and simulation sessions aim to raise employees' awareness and train them to respond effectively in accordance with the Company's regulations. Consequently, creating a risk management culture within the company is a responsibility for all employees, ensuring sustainable business operations. In 2023, the total number of hours for the risk management course was 78,032.6 hours. In 2024, the total number of hours for the risk management related courses was 96,903.8 hours.

New employee orientation programs include risk management topics, such as the code of conduct, information security training, labor safety and health, and prevention of discrimination and harassment. These programs aim to enable new employees to understand our company culture and our stance on risk.

Financial incentives which incorporate risk management metrics
Employees are encouraged to propose suggestions on how to lower risks and improve the performance and quality of their work while achieving objectives. Awards will be given to employees in recognition of suggestions deemed valuable to the company, and these credits will be noted in their evaluation. Employees with better performance will receive higher bonuses and salary increases. Conversely, if an employee violates the regulations of the internal control system or the information security policy, the employee may receive a recorded warning and may not receive a rewarding performance evaluation. A poor performance ranking will lead to a lower bonus and salary adjustment.

Incorporation of risk criteria in the development of products and services
As a telecommunications provider of critical infrastructure, Taiwan Mobile fully recognizes that the stability and security of IT systems are of utmost importance. Accordingly, in the development and maintenance of our information systems, we not only adhere strictly to security standards but also regard risk assessment as a core element. From requirements planning to daily operations, every stage incorporates comprehensive risk assessments to ensure system stability, availability, and information security, thereby reducing the potential impact of system disruptions or data breaches on our customers and operations. In the development of our IT products and services, we primarily conduct risk assessments across three dimensions: technical architecture and systems, system performance and availability, and information security and privacy.

1. Technical Architecture and Systems Assessment

We focus on ensuring that the system’s foundational design is robust and sustainable, preventing architectural issues that could hinder future scalability and maintenance.

Key Areas of Assessment:

  1. Scalability Risk: Evaluating whether the system design has sufficient flexibility to accommodate future business growth and new feature integration. We commonly adopt microservices or modular designs, enabling independent development and scaling of services while reducing interdependencies.
  2. Technology Selection Risk: Assessing the maturity of selected technologies and the extent of community support. We also avoid over-reliance on a single vendor (Vendor Lock-in) to ensure that replacement or integration in the future does not result in excessive costs or technical barriers.
  3. Compatibility Risk: Evaluating the stability of integrations between new systems, legacy systems, third-party services, or APIs. This includes integration testing and the establishment of standardized API interfaces to reduce risks caused by version updates or interface changes.

2. System Performance and Availability Assessment

We ensure that systems can withstand high traffic loads and maintain service stability even under unexpected conditions, thereby delivering a high-quality user experience.

Key Areas of Assessment:

  1. Capacity and Performance Risk: Using stress testing and load testing to simulate peak traffic conditions, ensuring systems remain stable and response times stay within acceptable limits.
  2. High Availability Risk: Preventing single points of failure by adopting redundant designs, such as multi-data center or multi-cloud deployments, with automated failover mechanisms to seamlessly switch to backup systems when primary systems encounter issues.
  3. Disaster Recovery (DR) Risk: Establishing detailed disaster recovery plans, including regular backups and offsite redundancy. We also define clear Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) to ensure rapid service restoration and minimal data loss in the event of a disaster.

3. Information Security and Privacy Risk Assessment

This is the most critical dimension in our development process, aimed at safeguarding both customer and corporate data while ensuring compliance with international security standards.

Key Areas of Assessment:

  1. Secure Development Lifecycle: Incorporating ISO 27001:2022 and related international standards throughout development, testing, and deployment to uphold confidentiality, integrity, and availability (CIA principles) from the outset.
  2. Secure System Design: Embedding security architecture in early design stages. For instance, identity authentication and access control follow the principle of least privilege, granting users only the minimum level of access necessary.
  3. Pre-Deployment and Operational Security Testing: Conducting code reviews, penetration testing, and vulnerability scans before system launch to eliminate potential threats. Post-deployment, we maintain continuous monitoring, timely updates, and regular reviews to ensure the effectiveness of security measures.
  4. Supply Chain Risk Management: Requiring third-party vendors to comply with international standards (such as 3GPP, ITU, NIST) and provide relevant certifications, thereby reducing risks arising from the software supply chain.

Through these three dimensions of risk assessment, we ensure that our IT products and services not only meet functional requirements but also deliver a stable, efficient, and secure user experience.