Risk Management Policy

Chapter 1 General
Article 1. Purpose
The purpose of this Policy is to better manage and form a basis for Yang Ming’s risk management operation. This Policy is formulated with a view to regulating Risk Identification, Risk Evaluation, Risk Decision-Making/Effect-Monitoring and operational improvement procedures in order to ensure the company’s business objectives can be reached.
Article 2. Definition
“Risk” includes man-made disasters, natural disasters, climate change, and economic and political events that cause adverse impact to the enterprise. Risks will be evaluated based on Risk Frequency and Risk Severity.
Chapter 2 Structure and Duty
Article 3. Structure and Duty
1. All divisions/departments of Yang Ming Group (including branches and affiliates) shall follow ISO regulations to evaluate risk and assist in implementing Annual Group Risk Evaluations.
2. The Risk Management & Insurance Claim Dept. will be responsible for drafting and amending ISO regulations on Risk Management Operating Procedure, managing overall and cross-department risk-control projects, as well as performing Annual Group Risk Evaluations.
3. The Audit Dept. will audit all Risk Management Operations to ensure the Risk Management Policies are efficiently implemented and followed.
Chapter 3 Process
Article 4. Process: From Risk Identification, Risk Analysis, Risk Evaluation to Risk Decision-Making
1. Risk Identification: all divisions/departments will discover and list all risk factors by identifying risks under their respective operational/management fields via internal control processes, situational simulation analysis and practical experience (external information included), and by evaluating impacts on internal/external stakeholders. Sources of risk may include:
(1) Strategy Risk: resource allocation, extension or reduction of company goals, market situation, public and investor relations, domestic/foreign policies and political risks, etc.
(2) Operational Risk: marketing, supply chain, employee, technology, cyber attack, computer room damage, huge disaster, asset, act of God (e.g., natural disaster, pandemic, terrorist attack).
(3) Financial Risk: cash flow, credit, financial report, taxes, capital structure.
(4) Compliance Risk: corporate governance system, code of conduct and international laws/regulations.
(5) Climate Change Risk: risks and opportunities attributed to climate change.

2. Risk Analysis: risk frequency and risk severity are analyzed by collecting outside information (including case studies or figures within the industry) via statistics, situational simulations and practical experience.

3. Risk Evaluation and Handling: the degree of risk will be evaluated by grading the risk frequency and risk severity. The risk degree will then be submitted into the RISK-MATRIX for final assessment. When encountering risks, measures that may be taken include risk self-retention, risk transfer, risk prevention and avoidance.

4. Risk Monitoring: all divisions/departments will ensure a smooth risk management operation and cooperate with external/internal audit for thorough risk monitoring. The Annual Group Risk Evaluation Report shall be submitted to the BOD for reference.
Chapter 4 Annex
Article 5. This policy will take full effect after approval from the BOD (Board of Directors); any amendments to the policy will follow the same procedure.

(this policy was approved by BOD on 2021/05/12)