Risk Management Policy and Procedures

The Company established the "Procedures for Risk Management" on August 4, 2022, which was approved by the Board of Directors to serve as the highest guiding principle for the Company's risk management. To ensure the implementation of sustainable development for the Company and its subsidiaries, we adhere to various organizational management systems and internal control systems to control operational risks. We are committed to evaluating each risk's potential impact on company operations through Board-level involvement and systematic management, implementing risk management to achieve sustainable operational goals and protect the rights of stakeholders.

Scope of Risk Management

The Company's risk management encompasses four major dimensions related to company operations: environment (including climate), social, governance, and technology. We comply with relevant laws and regulations and assess, handle, and monitor significant risk impacts based on these.

Organizational Structure

1. The highest responsible unit for risk management in the Company is the Board of Directors, which approves risk management policies and related norms, overseeing the overall implementation of risk management to ensure effective risk control.
2. Under the ESG Committee, a Risk Management Team conducts comprehensive assessments of operational and emerging risks of the company and presents risk management reports to the ESG Committee. The ESG Committee supervises the company's risk management and reports regularly to the Board of Directors annually.
3. At various organizational levels, the CEO, business units, and functional units regularly assess related risks during operational meetings and develop countermeasures and reviews. Unit managers are responsible for risk management and must analyze, monitor, and report relevant risks in their units, implementing risk control mechanisms and procedures.
4. Internal control systems are regularly self-assessed by management levels of operational units and subsidiaries, with the audit office reviewing implementation.

Risk Management Procedures

The Company's risk management process includes risk identification, risk analysis, risk monitoring and response, and risk reporting and disclosure, with main operations as follows:

• Risk Identification: The Risk Management Team, based on the principle of significance, considers factors like the likelihood and impact of risks, identifying and assessing key and emerging risks in various dimensions including environment (climate), social, economic, technological, and others. A company-level risk identification is conducted at least once a year and reported to the ESG Committee.
• Risk Analysis: Comprehensive assessments of identified risks are conducted considering risk appetite and tolerance as a basis for management.
• Risk Monitoring and Response: Risk management indicators are developed and continuously monitored by business units, which report to the Risk Management Team in a timely manner. Relevant business units should propose response strategies or implement risk mitigation plans, establishing necessary preventive, responsive, crisis management, and business continuity plans for effective risk control, and maintaining relevant records.
• Risk Reporting and Disclosure: The Risk Management Team presents at least one risk management report annually to the ESG Committee, which then reports to the Board of Directors. Risk management reports or annual risk management implementation are publicly disclosed in the company's Annual Report, official website, or ESG reports and are regularly updated.

Operational Status

The Company actively promotes and implements risk management mechanisms, reporting its operational status to the Board of Directors annually. Major operational statuses over the years are as follows:

• On November 9, 2020, the Board of Directors approved the addition of the "Rules of Risk Management."
• In 2021, each organizational level conducted risk assessments according to their responsibilities, identifying risk items based on frequency and impact and developing management strategies. Information units planned real-time monitoring and systematic platform construction. On November 4, 2021, the annual risk management status was reported to the Board of Directors, with an explanation of the risk control status of information security.
• To respond to global trends in sustainable corporate development, the "Procedures for Risk Management" were established on August 4, 2022, replacing the "Rules of Risk Management."
• On November 3, 2022, the annual risk management status was reported to the Board of Directors and the ESG Committee, explaining the progress of risk identification and management model construction. To enhance and promote risk awareness, a risk management workshop was held on November 8, 2022, training mid-to-senior managers on ISO 31000 standards and discussing the company's risk scenarios.
• In 2023, the risk execution management plan was implemented with monthly rolling risk monitoring and optimization meetings. Quarterly sustainable risk strategy meetings were held, reporting the risk management implementation status to the ESG Committee. The ESG Committee reported the risk management execution status to the Board of Directors quarterly (March/May/August/November).