Risk Management

Enterprises face increasingly complex operational risks that test their capabilities for risk prevention, emergency response and recovery. For the enterprise risk management mechanism to provide good protection and identify possible future challenges, enterprises must take preventive measures early to avoid being affected, and ensure that they are capable of dealing with threats and continuing operations, demonstrating organizational resilience.

Risk Management Policy

  • Proactively deploy management measures in response to risk threats.
  • Demonstrate organizational resilience and ensure operational continuity.

Goals

  • Establish Key Risk Indicators (KRI) for real-time monitoring.
  • Establish short, medium and long-term risk prevention plans, and review and improve them on a regular basis.
  • Continuously strengthen various emergency response strategies and execute regular drills.

Business Continuity Management Committee

To ensure effective risk management, ASUS has established a Business Continuity Management (BCM) Committee, serving as a platform for communication between governance and operational units. ASUS also implements cross-departmental risk management mechanisms, breaking down departmental silos to transform risk response from reactive to proactive, thereby enhancing the Company's resilience against risks. In addition to establishing a regular review mechanism, ASUS adopts a three-line defense system to construct its internal control framework, and undergoes regular supervision at the board level.

Governance Structure of Business Continuity Management Committee

Major Accomplishments in 2023:

  • Establishment of the ASUS Group 360° Watch mechanism to monitor group dispute events. Risk reporting expanded to include the entire group and senior management, enhancing information transparency and risk awareness.
  • Cross-functional units jointly discussed responses to ASUS Top Risk, enhancing the integrity of risk management strategies.
  • Addition of a Business Continuity Plan (BCP) for severe infectious diseases. Scenario drills were conducted by the response team to enhance preparedness capability.
  • Development of courses on “International Risk Trends” and “Corporate Risk Assessment Tools” to enhance the risk management capabilities of control members.


In accordance with the requirements of the ISO 31000 Risk Management System, ASUS constructs risk operations in each management system, and conducts third-party verification as well as internal audits every year.

[Figure: the other ISO and international standards included under ISO 31000]
Organization | Role
Board of Directors | Oversees the strategy development of the BCM Committee
Co-Chief Executive Officers (co-CEOs), Chief Operating Officer (COO), and senior business executives | Implement joint supervision, review and establish protection mechanisms in daily operations
Taskforce Units (TUs) | Responsible for monitoring risk trends and preventive risk management in all areas, and for developing quantifiable Key Risk Indicators (KRI) and risk prevention plans. When a risk occurs, they must respond immediately and establish an emergency contingency plan to minimize the impact and disruption time.

Risk Management Procedure

Step 1: Collect risk issues
Step 2: Analyze risk issues
Step 3: Conduct risk management activities
Step 4: Conduct regular reviews and improvements

In July 2022, the BCM Committee presented the risk management policies and objectives, management scope, organizational structure and risk management procedure to the Board of Directors for approval; all of these are defined in the 'ASUS Enterprise Risk Management Standard'.

Step 1: Collect risk issues

Identify relevant risk issues based on international risk trend reports, regulatory compliance, stakeholder concerns, controversial incidents, company needs, and the requirements of the BCM Committee and the Board of Directors.

Step 2: Analyze risk issues

Risk Assessment Procedures

Risk Exposure Calculation

Risk exposure calculation includes: 1. Impact, 2. Occurrence, 3. Vulnerability

Risk Tolerance

[Figure: risk tolerance matrix, with Vulnerability on the x-axis and Impact times Occurrence on the y-axis]

In response to the risks posed by changes in the internal and external environment, the company conducts two annual risk value reviews: the first is a written review, conducted in July 2023; the second is an on-site review, conducted in March 2024. This ensures that the designated risk tolerance levels and mitigation actions remain up to date and relevant.

Emerging Risk Identification Procedures

Step 1: Collect international risk trends
Step 2: All BCM units identify risks
Step 3: Identify emerging risks and analyze impacts
Step 4: Pay attention to emerging risks and establish an adaptation plan

Step 3: Conduct risk management activities

Risk aspects

  • Stabilizing organization operation
  • External communication
  • Information security
  • Sustainable development
  • Innovation development
  • Stabilizing supply chain
  • Financial resilience
  • Business risk
  • Customer service

Management activities

  • Key Risk Indicators (KRI)
  • Risk Prevention Plans
  • Business Continuity Planning (BCP)

Step 4: Conduct regular reviews and improvements

Develop a management plan for high-risk events and incorporate it into regular reviews.

Major Risk Issues and Mitigating Actions

Cloud Security

In today's digital environment, establishing a cloud security management system is key to the success of enterprises, ensuring the confidentiality, availability, and integrity of cloud data.

Potential Impact

The total expenditure on cloud services is increasing, and remote services are becoming quite prevalent. It is essential to ensure the confidentiality, availability, and integrity of data processing/storage in cloud services.

Mitigating Actions
  • Establish configuration security standards, detect configuration security
  • Strengthen key cloud systems
  • Regular vulnerability scanning and patching
  • Master and visualize public cloud services
  • Establish cloud security management systems, audit the implementation of information security protection by user units and vendors



 

Climate and Carbon management

Effective climate and carbon management can reduce the potential risks and impacts of climate change and carbon emissions on business operations.

Potential Impact

ASUS pledges that by 2035, 100% of its global locations will utilize renewable energy. However, the domestic renewable energy market faces supply-demand imbalances. Failure to proactively establish infrastructure may lead to increased operational costs and could even impact orders.

Mitigating Actions
  • Establish carbon reduction goals and create a carbon inventory platform
  • Plan pathways for renewable energy adoption
  • Enhance the proportion of low-carbon indicators among suppliers, including the percentage of suppliers certified by third parties for ISO 14064/ISO 50001, the proportion meeting SBT carbon reduction goals, and the use of renewable energy at a ratio of RE40 to RE65




 

We evaluated the impact of each emerging risk and identified two major emerging risks of concern to ASUS: generative AI, and geopolitical instability leading to supply chain disruptions. We then began related adaptation actions for each type of incident.

Emerging Risk

Generative AI

The importance of generative AI technology in the business environment is increasingly evident. Failing to adapt to this technology may put companies at a disadvantage in the market, resulting in adverse effects on their long-term development.

Potential Impact

The failure to implement generative AI technology may entail multiple risks, including competitive disadvantages, decreased productivity and operational efficiency, subpar customer experiences, hindered innovation, and increased data security risks. These issues could lead to declining market competitiveness, decreased customer satisfaction, missed opportunities for efficiency improvements and innovation, and potential exposure to security breaches. Furthermore, with the increasing frequency of hackers utilizing technologies such as artificial intelligence and machine learning for attacks, businesses face even greater security risks.

Mitigating Actions
  1. Bringing together the hardware and software resources of ASUS Group, we are fully committed to AI applications, collaborating closely with industry giants such as AMD, NVIDIA, Microsoft, Intel, and Qualcomm to jointly develop generative AI applications, leading the comprehensive AI trend
  2. Developing generative AI solutions, we are entering the realm of large enterprises from supercomputing power and cloud services, integrating AI into all aspects of operations. This strategy encompasses cloud and supercomputing services, edge devices, LLM, and smart applications, with a comprehensive layout of AI products including servers, PCs, phones, AIoT devices, and more
  3. Establishing the GAI Committee to drive cross-department exploration of application scenarios and develop GAI application projects
  4. Establishing the GAI Academy to provide colleagues with different needs access to the latest AI skills, and offering GAI trend lectures to understand the latest trends and application scenarios of GAI technology
  5. Introducing protective measures to critical resource endpoints and optimizing the self-built threat intelligence platform
  6. Conducting regular security drills, simulating intrusion attacks and defenses through red team exercises




 

Geopolitical instability leading to supply chain disruptions

Geopolitical risks have led to disruptions in the supply chain, affecting business operations and production, potentially resulting in material shortages, production interruptions, and cost increases.

Potential Impact

The increase in geopolitical risks has led to supply chain disruptions. Due to excessive concentration of production bases, trade disruptions may result in shortages of raw materials, production halts, and cost escalation. With the international situation remaining uncertain, countries continue to adjust import and export regulations, potentially leading to trade conflicts, political instability, and international sanctions, impacting company finances, reputation, and competitiveness.

Mitigating Actions
  1. Strengthening supplier risk management involves not only establishing ASUS' Supply Chain Disruption Continuity Plan but also promoting the enhancement of Business Continuity Management (BCM) control maturity within the supply chain, assisting suppliers in establishing operational continuity plans for various risk scenarios
  2. Implementing cross-regional production diversification and sourcing from multiple suppliers to reduce reliance on a single region or supplier and mitigate geopolitical risks
  3. Establishing a program for high-risk product sourcing from third-party suppliers in different locations
  4. Establishing compliance management processes related to geopolitical issues
  5. Developing requirements for supply chain operational continuity management and integrating them into daily management practices to enhance awareness of supply chain risk management


 

ASUS Risk Management Principles Training

Risk management principles training | Target audience | Frequency
1. [Risk Trend] International Risk Trend | BCM Taskforce Unit members | Annual recurrent training
2. [Operational Risk] Corporate Risk Assessment Tool | BCM Taskforce Unit members | Annual recurrent training
3. [Quality Risk] Quality Management System and Hazardous-Substance training | All employees | Annual recurrent training
4. [ESH Risk] Occupational Safety and Health Training | All employees | Annual recurrent training
5. [Code of Conduct Risk] Employee code of conduct | All employees | Annual recurrent training
6. [Information Security Risk] General education on information security: Common information security threats | All employees | Annual recurrent training