Last updated on 2025/08/05

Risk Management System and Structure

Sustainable Operations Philosophy
  • The Company has drawn up a risk management policy, which took effect on March 15, 2022, after Board approval and now serves as the highest guiding principle for risk management at Compal. The core spirit of the policy is compliance with the international standards system and learning from benchmark enterprises. Regulatory compliance is also enforced to ensure the sustainability of the business.
  • The Company has established, in accordance with the Regulations Governing Establishment of Internal Control Systems by Public Companies issued by the Financial Supervisory Commission, financial, business and accounting management systems for evaluating and supervising the risks of operating activities. The risks of operating activities are kept within an acceptable range through the proactive involvement of the management in the formulation of risk management policies and response strategies.
  • The Company complies with the local policies and regulations of our key production bases. These include guidance related to the Basic Norms for the Internal Control of Enterprises issued by the Ministry of Finance of the People’s Republic of China in conjunction with the China Securities Regulatory Commission, National Audit Office, China Banking Regulatory Commission, and China Insurance Regulatory Commission.
 
Designed for full participation in internal controls
  • The internal control system is based on the structure of the organization, authority and responsibilities, as well as procedure control points. It is implemented through internal self-assessment and performance audits.
  • Internal control self-assessment has been implemented at every management and operational level. In 2024, self-assessments were conducted by 436 units (including division or higher level units as well as independent units) and 251 people (including the Chairman, Vice Chairman, President, Independent Directors and related management personnel). Coverage was sufficiently comprehensive to ensure the effective introduction and implementation of internal control processes.
 
Ethical Management and Risk Management Organization Structure
  • The Ethical Corporate Management Best Practice Principles and Procedures for Ethical Management and Guidelines for Conduct were established by the Company in accordance with the Ethical Corporate Management Best Practice Principles for TWSE/GTSM Listed Companies and Procedures for Ethical Management and Guidelines for Conduct published by the TWSE.
  • The Company formulated its management organization and process for risk management with reference to the actual functions of its organizational structure and the 3 Lines of Defense structure for risk management published by the IIA.
  • To promote risk management, the head of each department organizes and establishes responsible units based on their duties and responsibilities, bearing the responsibility for daily risk management. Through communication, coordination, and liaison among various departments, they jointly launch and implement annual plans and projects to ensure the risk management of overall operations.
  • Risk management courses: To enhance every employee’s information security concepts, the Company offers information security training courses for all employees to raise their risk awareness and vigilance.
[Figure: Ethical Management and Risk Management Framework]

 

Risk Identification and Priority for 2025

The Company follows the ISO 31000 framework and methodology to carry out the processes of risk identification, analysis, and evaluation. A total of 42 risk issues were identified and consolidated under five categories: Strategy, Finance, Operations, Compliance, and Environment. The Risk Analysis Matrix was then applied, taking into account the Company’s resources, to determine the prioritization of risk management efforts.

Risk Response Strategy

Based on the results of the risk analysis matrix, the Company analyzed both internal and external environments for the top three identified risks to confirm the specific nature of each risk. Corresponding response strategies were then developed, as detailed below in order of priority.

 

Identification of Emerging Risks

ETHICAL MANAGEMENT AND ANTI-CORRUPTION

Compal is committed to the establishment of the corporate culture of ethical management and upholds the principle of “zero tolerance” for unethical conduct, including bribery and corruption. See relevant policies on Compal website.

 

  •  To uphold a high standard of business integrity, Compal has always adhered to a zero-tolerance policy toward corruption and bribery. In order to effectively manage risks such as conflicts of interest, the Company has established an ethical management and anti-corruption system. This system is built with reference to the ISO 37001 Anti-Bribery Management System, aligns with the expectations of international organizations for transparency and disclosure, and complies with the regulations and requirements of competent authorities.
  • The ethical management and anti-corruption management team periodically strengthens internal management and audit procedures in line with best practice at international benchmark companies, the US Foreign Corrupt Practices Act (FCPA), and the UK Bribery Act (UKBA) of 2010. Our efforts have laid down a solid foundation for our globalization strategy and quest to become a leading international enterprise.
 
Ethical management and Anti-corruption Training (Includes part-time employees and interns)

Worldwide Manager & Non Managers Training Metrics

 

Cyber Security

ISO 27001 Information Security Policy
To achieve the information security strategy of "ensuring business continuity and enhancing customer satisfaction," Compal has implemented an information security management system. This includes formulating roles and responsibilities for information security, ensuring full participation from all employees and contractors. We identify information assets, conduct information security risk assessments, comply with laws and regulations, meet customer security requirements, and carefully evaluate overall information security risk items and acceptance criteria.
In response to the evolving digital environment and ever-changing new technologies, we strengthen digital resilience and implement information security controls with a proactive defense mindset. This includes identification, protection, detection, response, and recovery, aimed at maintaining the confidentiality, integrity, and availability of critical information assets. Through management reviews and performance evaluations, we continuously improve and maintain the effectiveness of the information security management system. Our goal is to gain customer trust, fulfill commitments to shareholders, and achieve sustainable business operations.
 
Compal Information Security Management Organization
Policies and Regulation for the Protection of Personal Data and Privacy

Compal has formulated the "Compal Group - Policies and Regulations for the Protection of Personal Data and Privacy", which sets out the personal data processing procedures that employees must abide by and protect, the scope of application, corrective actions, and disciplinary actions. The "Compal Group - Policies and Regulations for the Protection of Personal Data and Privacy" applies group-wide across Compal. The "Personal Data Management Team" (known as the "Data Management Team") is established across functions for the proper protection of privacy rights, and a hotline at +886287978588#14385 and an e-mail address, Compal_PIR@compal.com, are provided for filing complaints and reports. Compal adopts a zero-tolerance policy for privacy protection. In the use of personal information, unless the individual explicitly agrees, Compal will not collect any personal information. In addition, Compal is also prohibited from using personal information for secondary purposes. Internal monitoring found zero secondary use in 2024. If any relevant personnel are in breach of duty, Compal will take disciplinary actions and corrective actions to protect data privacy.

Documents (PDF): ISO 27001 Certification; Compal Group Policies and Regulations for the Protection of Personal Data and Privacy

 

 

 

Copyright © 2025 Compal Electronics, Inc. All Rights Reserved.