Corporate Governance

Risk Management

Enterprises face increasingly complex operational risks that test their capabilities for risk prevention, emergency response, and recovery. For the enterprise risk management mechanism to provide good protection and identify possible future challenges, enterprises must take preventive measures early to avoid being affected, ensure that they are capable of dealing with threats and able to continue operations, and demonstrate organizational resilience.

Risk Management Policy

  • Proactively deploy management measures in response to risk threats.
  • Demonstrate organizational resilience and ensure operational continuity.

Goals

  • Establish Key Risk Indicators (KRI) for real-time monitoring.
  • Establish short, medium and long-term risk prevention plans, and review and improve them on a regular basis.
  • Continuously strengthen various emergency response strategies and execute regular drills.

Business Continuity Management Committee

To ensure effective risk management, ASUS has established a Business Continuity Management (BCM) Committee, serving as a platform for communication between governance and operational units. ASUS also implements cross-departmental risk management mechanisms, breaking down departmental silos to transform risk response from reactive to proactive, thereby enhancing the Company's resilience against risks. In addition to establishing a regular review mechanism, ASUS adopts a three-line defense system to construct its internal control framework, and undergoes regular supervision at the board level.

Organization | Role
Board of Directors | Oversees the strategy development of the BCM Committee
Business Continuity Management Committee | Oversees risk management operations
Business Continuity Management Office | Responsible for planning and supervising risk management and compliance across departments, as well as facilitating cross-departmental communication
Taskforce Units (TUs) | Responsible for identifying risks and implementing mitigation measures

In accordance with the requirements of the ISO 31000 Risk Management System, ASUS constructs risk operations in each management system, and conducts third-party verification as well as internal audits every year.

Three Pillars of Risk Management

ASUS’s risk management framework is structured around three main pillars: enterprise resilience, group resilience, and supply chain resilience. Comprehensive management across these pillars has earned ASUS the SGS Risk Management Quality Excellence Award.

Three Pillars of Risk Management: Enterprise Resilience, Group Resilience, and Supply Chain Resilience

Enterprise Resilience

Risk Management Process

By integrating the ISO 22301 international standard for business continuity management systems with relevant tools, ASUS has developed a BCM management framework tailored to its practical needs and corporate development. The process involves collecting information from four key sources: stakeholder concerns, regulatory requirements, international risk trends, and controversial incidents. This comprehensive approach enables the identification and assessment of potential operational risks. In 2024, based on the company’s risk tolerance levels, eight major risk issues were identified. To address vulnerabilities in key resources, 46 Key Risk Indicators (KRIs) and corresponding risk prevention plans were established. The progress of risk control measures is reviewed quarterly, with an annual KRI achievement rate of 89%. Additionally, in response to evolving international trends, a new geopolitical business continuity plan was introduced in 2024, along with the completion and review of eight scenario-based drills.

Step 1: Collect Risk Issues
Step 2: Analyze Risk Issues
Step 3: Conduct Risk Management
Step 4: Regular Review and Improvement

To mitigate risks associated with fluctuations in the internal and external environment, ASUS undertakes biannual risk assessment reviews: a documentary review in July 2024 and an in-person review in April 2025. The objective of these reviews is to maintain the currency and relevance of defined risk tolerance levels and implemented mitigation measures.

Step 1: Collect Risk Issues

Identify relevant risk issues based on international risk trend reports, regulatory compliance, stakeholder concerns, controversial incidents, company needs, as well as the requirements from the BCM Committee and Board of Directors.

Step 2: Analyze Risk Issues

Risk Assessment Procedures

Risk Exposure Calculation

Risk Exposure Calculation includes: 1. Impact, 2. Occurrence, 3. Vulnerability

Risk Tolerance

Matrix of Risk Tolerance, with Vulnerability on the x-axis and Impact times Occurrence on the y-axis

To address risk issues arising from changes in the internal and external environment, the company conducts two risk assessment reviews annually: the first is a written review, conducted in July 2024; the second is a physical meeting review, conducted in Apr. 2025. The purpose is to ensure that the designated risk tolerance levels and mitigation actions remain up to date and relevant.

Emerging Risk Identification Procedures

Step 1: Collect international risk trends
Step 2: All BCM units identify risks
Step 3: Identify emerging risks and analyze impacts
Step 4: Pay attention to emerging risks and establish an adaptation plan

Step 3: Conduct Risk Management

Risk Aspects

  • Cybersecurity
  • Shortage of Technical Talent
  • Management of International Risk Issues
  • Macroeconomic Volatility
  • Climate Change

Management Plans

  • Establish Key Risk Indicators
  • Develop and Implement Risk Prevention Plans
  • Establish Business Continuity Management Plans

Step 4: Regular Review and Improvement

Develop a management plan for high-risk events and incorporate it into regular reviews.

Major Risk Issues and Mitigating Actions

Cybersecurity

Potential Impact

In the digital age, the value of information has surged, making the cost of confidential data breaches significantly higher. With the rise of diversified after-sales services such as on-site support and remote connections, the risk of data leakage has intensified. Any incident could result in severe economic and reputational losses.

Mitigating Actions

Strengthening Data Security Controls and Vendor Cybersecurity Management

  • Develop and implement guidelines for data classification, categorization, and security controls to ensure consistent platform security measures
  • Establish cloud security management procedures and train personnel in secure cloud service configuration
  • Provide cybersecurity training for service providers, establish KPIs, and conduct cybersecurity audits

Shortage of Technical Talent

Potential Impact

Declining birth rates and global talent mobility have heightened challenges in recruitment and retention. The emergence of new technologies further complicates talent development, ultimately impacting corporate competitiveness.

Mitigating Actions

Focusing on the Retention of High Potential and Senior Talent

  • Expand academia-industry collaboration programs, develop professional talent development modules, and enhance compensation and benefits systems
  • Implement talent review mechanisms to ensure that key talent receives appropriate development opportunities

The BCM Committee identified two key emerging risks for ASUS: generative AI and supply chain disruptions due to geopolitical risks. It is implementing relevant mitigating actions for each risk.

Emerging Risk

Generative AI

Potential Impact

Generative AI (hereinafter referred to as "GAI") has become a critical business technology. Failure to adapt may result in a loss of competitiveness, decreased customer satisfaction, missed opportunities for efficiency gains and innovation, and heightened data security risks. Hackers are leveraging AI and machine learning for organized attacks, while AI-generated misinformation also impacts public opinion and the cybersecurity landscape.

Resource Vulnerabilities:

  • Insufficient employee understanding of GAI
  • Departments developing independently without resource integration
  • Lack of cybersecurity threat posture assessments

Mitigating Actions

Focusing on GAI Enablement and Cybersecurity Risk Response

  • Establish a GAI Committee to promote the maturity of GAI applications and development across departments
  • Develop an AI learning roadmap and knowledge platform to foster a self-directed learning environment and ensure foundational knowledge for all employees
  • Organize trend seminars and share the company’s AI strategy for product deployment
  • Implement the company’s self-developed AI Hub platform to enhance employee productivity
  • Expand endpoint cybersecurity protection on OA (office automation) devices to effectively detect and respond to threats
  • Build an in-house threat intelligence platform and increase the number of intelligence sources

Geopolitics

Potential Impact

Overconcentration of production bases increases the risk of supply chain disruptions due to trade conflicts or rising tariffs, potentially affecting order fulfillment.

Resource Vulnerabilities:

  • Excessive concentration of production bases
  • Insufficient awareness of geopolitics-related regulations

Mitigating Actions

Continuously Optimizing Global Capacity Allocation

  • Encourage partner suppliers to diversify their manufacturing bases
  • Establish compliance management processes related to geopolitical regulations

ASUS Risk Management Principles Training

Risk management principles training | Target audience | Frequency
1. [Risk Trend] International Risk Trend | BCM Taskforce Unit members | Annual recurrent training
2. [Operational Risk] Corporate Risk Assessment Tool | BCM Taskforce Unit members | Annual recurrent training
3. [Quality Risk] Quality Management System and Hazardous-Substance training | All employees | Annual recurrent training
4. [ESH Risk] Occupational Safety and Health Training | All employees | Annual recurrent training
5. [Code of Conduct Risk] Employee code of conduct | All employees | Annual recurrent training
6. [Information Security Risk] General education on information security: Common information security threats | All employees | Annual recurrent training

Group Resilience

  • Promote the ASUS Group 360° Watch mechanism to regularly monitor group-wide controversial incidents, including environment, business ethics, labor and human rights, and sustainable procurement.
  • Establish controversial incident management, review and improve it during quarterly BCM meetings, and integrate it into the management system by standardizing improvement measures and incorporating them into internal audit spot checks.
  • Launch “Controversial Incident Risk” training for all employees to enhance transparency regarding controversial incidents and improve risk awareness.
Monitoring and Identifying Controversial Incidents
  • Monthly detection of controversial events through ASUS Group 360° Watch Finding
Establishing Tracking and Improvement Plans
  • Tracking and improvement of group-wide controversial events
  • Standardization of corrective actions
Supervision and Review
  • Quarterly BCM meetings to review improvement progress
  • Regular audits to supervise implementation
Implementation of Prevention and Education
  • Annual company-wide risk awareness training

Supply Chain Resilience

  • Climate change-related disasters may lead to supply chain disruptions; therefore, ASUS promotes supplier climate transition initiatives to enhance supply chain resilience. According to the ASUS TCFD report, the company’s primary revenue-generating product assembly plants (EMS) are located in Chongqing, where hydropower will be a critical future energy source. Under extreme climate scenarios such as droughts or heavy rainfall affecting operations, key EMS plants in Chongqing are designated as targets for climate transition initiatives.
  • Three supplier resilience forums were held, and supply chain BCM (Business Continuity Management) maturity surveys and vulnerability analyses were completed.
  • ASUS assisted suppliers in developing business continuity plans (BCPs) for climate change scenarios, including: Scenario 1—production line shutdowns caused by drought-induced power outages; Scenario 2—transportation disruptions caused by heavy rainfall.
Supplier Climate Resilience Assessment
  1. Identify suppliers targeted for climate transition
  2. Assess climate change scenarios
  3. Develop the ASUS Supplier BCM Questionnaire
Supplier Resilience Information Collection
  1. Conduct briefing sessions on completing the BCM Questionnaire
  2. Collect completed supplier BCM Questionnaires
Supplier Resilience Support
  1. Analyze suppliers’ BCM maturity
  2. Assist suppliers in developing Business Continuity Plans (BCPs) to enhance maturity