Taiwan Mobile established a risk management policy in 2011, and relevant policies and procedures were disclosed on the official website. The policy was revised for the third time by the board of directors in 2022 as the highest principle for risk management. The Company actively plans risk management policies, the organizational structure and risk management systems; potential risks in the operation of the Company are dealt with on a preventive basis before they occur.
The risk management policy was revised in 2015, and a Risk Management Committee was set up after the approval of the board of directors to reinforce the organization’s risk management mechanism. Records of Risk Management Committee operations are compiled and submitted by the Internal Audit Office to the chairman of the board for approval. Starting from 2021, the status will be reported to the board of directors at least once a year to ensure that all risks are effectively managed.
The Internal Audit Office conducts annual year-end risk assessments, and rates the importance and possibility of each risk, then calculates the risk value according to the results of the rating. The risk value becomes the basis for the following year's audit plan.
In 2021, the audit results did not show any internal control deficiencies or abnormalities. Nevertheless, 80 concrete suggestions for improving operational procedures were proposed as ways to improve the quality of management. The improvements and suggestions are to be tracked on a quarterly basis until they have been completed.
TWM integrates and manages the important risks that may affect operations and profits in a proactive and cost-effective manner, together with a response mechanism based on three-level risk management.
The company's important risks include "Operating risk", "Risks related to information privacy and security", "Innovation risk" and so on. For details, please refer to the company's annual report.
TWM has set up a "Risk Management Committee" to supervise and strictly control risk management issues, and promotes a risk management-oriented management model to achieve continuous improvement. The Risk Management Committee meets at least once every six months and communicates with the functional committees, namely the “Operations and Management Committee”, “Occupational Safety and Health Committee”, “Communication Quality Assurance Committee”, “Environmental Management Committee”, “Cyber Security and Data Privacy Protection Committee”, “ESG Steering Committee” and “Innovation Management Committee”, as well as other special committees, to discuss risk management issues regularly so that risk issues in different fields are accurately controlled.
In the event of a major event or proposal, each responsible unit shall report it to an operations management meeting or to the relevant management committee, which decides the necessary measures. Each functional committee not only proactively focuses on and identifies potential internal and external risk issues for the company, but also proposes appropriate solutions.
The operating record of the “Risk Management Committee” is coordinated and submitted by the Internal Audit Office to the chairman for approval. The Internal Audit Office follows up on the status of operations and reports to the Board of Directors at least once a year to ensure that relevant risk issues are effectively managed.
The company has proactively promoted the mechanism of risk management since 2011.
The following is the status of the main operations over the years.
△ Critical Risk
△ Emerging Risk: defined as an emerging and external risk that is expected to have a significantly long-term impact on the company's business.
Category | Risk | Emerging Risk correlated with WEF category | Description | Trend | Impact | Mitigating actions |
---|---|---|---|---|---|---|
Regulatory | 1. Legal Compliance △ |
|
On the rise | On Dec. 29, 2021, the NCC unveiled the framework of the Digital Communications Act, which was designed to regulate online platforms such as Google, Meta, YouTube, and Dcard, as well as internet service providers and caching service providers, with different degrees of obligations and penalties for violations. The NCC will publish the full text in 2022 and organize public hearings to collect opinions and suggestions. The Company falls under the regulation because its business scope covers internet service providers and caching service providers. If there is a violation in the future, the Company will be fined and may even suffer a negative reputational impact. |
The Company is closely monitoring the progress of the proposed bill and continues to communicate with the NCC in hopes of maintaining a regulatory environment conducive to the industry’s development. After the announcement of the draft, the company will evaluate the impact of obligations and penalties, and implement the improvement mechanism if necessary. | |
2. Policy and legislation changes △ |
|
Remaining stable | The Legislative Yuan approved a new law to establish a ministry of digital development on Dec. 28, 2021. The new ministry is expected to be established in the middle of 2022 at the earliest, and will be in charge of planning the nation's digital development policies. Some of these areas currently fall under several government agencies, including the NCC, the National Development Council, the Department of Posts and Telecommunications, the Technology Division of the Ministry of Economic Affairs, the Electricity Resources Group of the Industrial Bureau, and the Information Security Division of the Executive Yuan. The Digital Development Department will help the digital transformation of the industry, but the separation of telecom supervision and counseling will increase communication costs for operators and may even affect administrative efficiency. |
The Company will pay close attention to the progress of the organizational changes, actively cooperate with the authority in the transfer of business, master new administrative procedures, and maintain effective communication with the supervisory authority to reduce communication costs. | ||
Network bandwidth resources | 3. Climate change/ natural disasters △ |
|
Remaining stable | Climate change is considered to have a material financial impact on business operations, and its impact is estimated to last for at least 10 years from now. Accordingly, we keep reviewing and modifying our climate strategy to cope with the impacts. The potential impacts are listed as follows.
|
|
|
4. IT infrastructure maintenance and operations |
|
Remaining stable |
|
|
||
5. Telecommunication technology innovation |
|
On the decline |
|
|
||
6. Bandwidth resources planning |
|
Remaining stable |
|
|
||
Information security | 7. Information privacy and security △△ |
Technological | 1. Personal privacy regulations in Taiwan and around the world are becoming stricter, while public awareness of personal information protection is rising. Predictably, the competent authority will strengthen information security (IS) and privacy supervision in the next year. 2. Emerging products and services could increase the possibility of personal information leakage, and such leakage affects customers’ rights and the company's reputation, resulting in revenue loss. To provide various high-quality services, the scope of innovative services and products is expected to increase in the next 3 to 5 years, which will involve a large amount of PI and privacy processing. |
On the rise | Personal privacy regulations in Taiwan and around the world are becoming stricter (e.g. expected revisions to relevant regulations). In recent years, customers’ demands for personal information (PI) protection have increased significantly. As a result, to establish and improve PI and privacy management, the company must continue to invest various resources and minimize the external risks arising from the IS and privacy-related regulations of competent authorities and from customer expectations. If we accidentally leak customers’ PI, we must face the relevant legal responsibilities, customer compensation, loss of users, administrative penalties, revenue loss, and reputation damage. |
In response to the external impact of information security (IS) and privacy, we must 1. build a customer personal information (PI) and privacy protection mechanism; 2. pay attention to international development trends and regulatory requirements; 3. cooperate with the development of innovative services and products; and 4. continue to optimize related processes involving PI and privacy. We verify the effectiveness of PI and privacy management through an impartial third party. We continue to comply with the ISO 27001 "Information Security Management System (ISMS)" standard and to hold the BS 10012 and ISO/IEC 29100 privacy framework certificates, integrating them with corporate operating procedures such as promoting the IS maintenance plan. We also expand the scope of PI and privacy management and obtain the certificate of the latest international privacy protection standard, ISO 27701 "Personal Data Privacy Management System", to improve our IS and privacy level. |
8. Cyber security △△ |
Technological |
|
On the rise | In recent years, industries around the world have faced various emerging cyber-attacks. We predict that hacking tactics will continue to change in the coming year, such as encrypting corporate files, stealing sensitive information, launching DDoS attacks, and even attacking the upstream/downstream value chain. TWM is critical telecommunications infrastructure as approved by the Executive Yuan and is one of the major telecommunications companies in Taiwan. If we cannot prevent or counter an attack, we would have to take on the relevant legal responsibilities and face customer compensation, loss of users, administrative penalties, revenue reduction, and reputation damage. The competent authority has formulated information security management requirements for mobile broadband and requires telecommunications operators to implement information security management. We need to invest in protection against cyber-attacks, which will continue to increase, to prevent cybersecurity-related hacker attacks and external risks. | In response to the external impact of cyber security, we must continue to invest resources to establish and promote security protection measures to fulfill the competent management of personal information and security management requirements. We review the effectiveness of the protection mechanism and the achievement of information security objectives, and report the progress and benefits to the Cyber Security and Data Privacy Protection Committee. The information security protection mechanism includes: 1. Undergo inspection by the external certification body and against the NCC Mobile Broadband Information Security Management Requirements. 2. Conduct an annual penetration test that simulates hacking to test system security, and fix the vulnerabilities found as improvements. 3. Establish various quantitative indicators to track the security level. | |
Business operation | 9. Greenhouse gas emissions |
|
Remaining stable |
|
|
|
10. Occupational safety and working rights | Occupational safety
|
On the decline | Occupational safety
|
Occupational safety
|
||
11. Sustainable and Responsible Supply Chain Management △ |
|
On the rise |
|
|
||
12. Infectious disease pandemic and epidemic △△ |
Societal | Operational disruption caused by employees infected with COVID-19; COVID-19 infections among technical talent have led to a decline in the quality of communication services and affected operations. | Infectious diseases have different virus variants with increased contagiousness, which leads to an increased risk of infection among employees. In addition to affecting the health of infected employees, the disease also affects the physical and mental health of employees who have been identified or investigated, with a negative impact on the stability of the company's operations; this impact is expected to continue for another year. The source of infection is external and highly infectious, so this risk cannot be controlled by the company. Most of our business locations and office buildings are located in large cities where tourists gather, which leads to a higher risk of contracting the disease. | We formulate our own standard process, which goes beyond government anti-epidemic measures, to prevent infection and to protect the physical and mental health of all employees and customers. 1. Formulate a standard table for the identification of epidemic prevention cases, which is better than government regulations for epidemic identification or investigation and prevents the risk of infection in stores and offices. 2. According to the business needs of each unit, rapid COVID test kits are prepared by the company, or the cost of the kits can be reimbursed after purchase, so that employees can use them with ease. 3. Provide Service Leave and encourage employees to be vaccinated to protect themselves and others. 4. Protect critical technical talent who work outside the office to maintain communications services. 5. According to the epidemic situation, start the personnel backup plan, work in divided groups and work from home. 6. Maintain sufficient stockpiles of anti-epidemic materials. 7. Formulate a notification management mechanism to prevent and block infection. 8. Real-time reporting of daily M+ messages, and tracking and care management of each employee, to prevent any possible sources of infection. 9. Formulate and update the [Office Epidemic Prevention Management Guidelines] in response to the epidemic, including improving colleagues' awareness of epidemic prevention, restricting visitors, avoiding cross-building contact and other epidemic prevention measures to reduce the risk of infection. | ||
Market | 13. Alternative and emerging business models | The replacement cycle of mobile phones is lengthening. It is difficult to attract users to move to higher-rate plans by offering only flagship handset plans. | On the decline | Because operators' mobile phone rate plans are highly similar, the threshold for users to switch operators will be lowered. Telecom companies have expanded the battlefield by offering a variety of mobile-OTT mixed programs to strengthen sales. The Company therefore faces an impact that goes beyond the original competition within the telecommunications industry. |
In response to competition beyond the telecommunications industry, the Company launched Disney+ in Taiwan in 2021 as an exclusive cooperation in the telecom market. In addition, the Company has integrated Fubon Group's resources to launch the "momobile" and "momo plus" rate plans. These unique plans are used to strengthen TWM's competitive advantages. | |
14. Intensified Competition △△ |
Economic | 1. Due to the over-saturated market, small companies are seeking to merge with the big players. Competition between the three major players will shift to diversified innovative services and the vertical integration of business applications in the next 3 to 5 years. 2. Telecom companies have invested in the broadband network market. Through cooperation with broadband operators, telcos aim to build networks to improve network stability and enter the smarter home market, leading to escalating competition for Taiwan Mobile’s “Double Play plans”. |
On the rise | For the merger of Taiwan Mobile and Taiwan Star, internal risks include: 1. The willingness to pay monthly fees differs between the two companies, so managing demand and avoiding a loss of users, in order to reduce the revenue and financial impact, is crucial. 2. The challenges and cost impact of integrating the two operating systems and networks. The external risk is that the merger stimulates the consolidation of telecom companies and accelerates the coming of the “New Three Kingdoms” era. Telecom companies seek to cooperate with broadband ISP operators to replicate the model of “Double Play Plans”, which may erode the sales and revenue of TWM's “Double Play Plans”. |
For the price-sensitive users of Taiwan Star, the Company has launched the exclusive "momobile", “momo plus" and ”Just Kids” plans to reduce the impact of consolidation. The Company has launched diversified value-added services such as Disney+ and GeForce NOW cloud games to face the coming of the “New Three Kingdoms” era. In addition to the 5G battlefield, the Company will introduce innovative value-added, IoT and wearable device application services to expand revenue. Using the successful model of cooperation within the Fubon Group, the Company has planned to expand the coverage area of “Double Play Plans” and deepen its smarter home market business via bundle plans with smarter home appliances. The Company cooperates with broadband operators to build networks to improve connection stability and develop the smarter home market. |
|
15. Changing customer requirements △ |
|
On the rise | Users’ demand for internet access and connection stability has increased applications for “Double Play Plans”. On the other hand, compromised connection stability would lead to the loss of users. Telecom companies have launched rate plans similar to "momobile", bundling bonuses or offering bonuses as giveaways for e-commerce online shopping, which may erode the Company’s uniqueness and profitability in e-commerce online shopping. | The Company has planned to launch a mesh Wi-Fi rental service to strengthen the quality of broadband service and expects to expand revenue through the consolidation of miscellaneous services. To strengthen 5G sales competitiveness, the Company has deepened its cooperation with momo and launched "momo plus" rate plans. In addition, the Company allows TWM users to pay their mobile bills with momo coins. The Company plans to build a new channel on momo Shop to strengthen the momo ecosystem and gain resource synergies within Fubon Group. | ||
16. Demographic changes △ |
|
Remaining stable | Because Taiwan’s population has begun to age and to show negative growth, the demand for mobile service is decreasing, which would erode the Company’s revenue in the long term. The demand for mobile services is changing, and the demand for mobile phone bundled plans has gradually declined. |
Because elderly users tend not to replace their handsets and are hard to persuade to apply for higher-rate plans, the Company has launched miscellaneous rate plans of products and value-added services for customers to apply for. The Company has launched the “My Angel” service to offer bundled plans of wearable devices and value-added services, which provides non-stop care for elderly users and lessens their risk of getting lost. |
||
Talent management | 17. New technology training needs |
|
Remaining stable |
|
|
|
18. Change of skill set needed |
|
Remaining stable | With technology trends changing so quickly, we may fail to sustain a competitive advantage if we are unable to build or acquire talent. |
|
||
Innovation management | 19. Innovation kinetic energy growth △ |
|
Remaining stable |
|
|
|
20. Responsiveness to the trend of innovation |
|
Remaining stable |
|
|