To ensure the healthy development and capital adequacy, and achieve reasonable risk and benefit targets, the Company follows the "Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries" to formulate the "Risk Management Policy and Guidelines" as a basis for risk management.

TCFHC and major subsidiaries are equipped with "Risk Management Committees" that are responsible for designing risk management systems, policies, and indicators for monitoring and for carrying out risk management activities. The purpose is to ensure healthy development of the Group, ensure capital adequacy, and achieve reasonable risk and return targets.

Risk Management Strategy and Structure

The Company’s Board of Directors serves as the highest risk management decision-making body and the final undertaker throughout the Group and the "Risk Management Committee" consists of the chair of the Board of Directors, CEO, vice presidents, E.V.P & Chief Compliance Officer, unit heads, and CEOs of respective subsidiaries in order to link risk management units (2nd line of defense) and business units (1st line of defense) of the Company and its subsidiaries. The Internal Audit Unit (3rd line of defense) performs audits super-independently and periodically that cover the Company’s risk management procedures in order to reasonably ensure the effective operation of the risk management system.

The highest management level of risk management is the "Risk Management Committee". The Risk Management Committee is chaired by the chair of TCFHC, and the highest management level of the highest risk monitoring and auditing is the E.V.P. & Chief Audit Executive, who all report to the Board of Directors. The Risk Management Committee held quarterly and reported by the Company and its subsidiaries. Overview of current risk management, changes in capital adequacy, handling of major abnormal events, risk analysis of key monitoring objects and industries, and tracking of the progress of matters that should be implemented in meeting resolutions, etc.

Major Risk and Emerging Risk Management

Major Risks

TCFHC Group assesses the internal and external operational risks when providing financial services every year. The Group reports the risk-bearing capacity, response measures, and implementation of risk management to the Board of Directors and senior management, which are managed by looking into authorization mechanisms, limit management, and indicator monitoring. In addition, the subsidiaries are required to establish risk indicators and control procedures based on nature of product, size of business, and risk attributes. To monitor risk management, the Company regularly monitors the Group’s credit risk exposures and relevant limit controls on a monthly basis. This includes the categories of industries, industries of concerns, high-risks in China, country risks, risk-bearing capacity in China, limits for large groups, and other information on controls. In addition, the Company also uploads statutory statements to the FSC website on a monthly basis according to the prescribed deadlines to regularly monitor changes in exposures and risk management. After assessing internal and external risks and considering the potential impacts on the Company’s business, the 2 major risks in 2023 are credit risk and operating risk.

Risk Appetite

Risk appetite is the overall risk that is willingly undertaken within the overall scope of risk-undertaking capability, is mainly based on the operational strategy and financial goals, and takes into consideration factors such as growth, risk, and rewards. TCB has its risk appetite mechanism adopting a "bottom-up" approach. Every year, the supervisory vice president of Risk Management Department and the business units responsible for each indicator have meetings to discuss. The risk management department is responsible for summarizing and submitting results of meetings to the Risk Management Committee and the Board of Directors for review. After approval, those will be reported to the Risk Management Committee and the Board of Directors on a quarterly basis. In 2023, a total of 25 indicators were defined and the responsible unit for each indicator reported its implementation status on a quarterly basis. In case of non-compliance, related countermeasures shall be clarified at the same time in order to define the risk culture and to reinforce the risk management mechanism.

Sensitivity Analysis and Stress Test

We regularly conduct sensitivity analysis and stress testing on financial and non-financial risks to review the risk management mechanism and risk tolerance. In terms of financial risk, based on the content set in the stress test scenario meeting, TCB conducts market risk factors (including interest rates and equity securities prices) inspection. If the interest rate curve rises by 100 basis points, the value of the transaction book will drop by NT$ 304.82 million; if the equity security price increases by 15%, the trading book value will increase by NT$47.22 million. In terms of nonfinancial risks, TCB analyzes the operational risk impact in the event of misappropriation of customer deposits. The test results show that the capital adequacy ratio, first-class capital ratio, common equity ratio and leverage ratio all meet the requirements of the competent authorities.

Organization and Functioning of Internal Audit

To establish an effective internal audit system and to ensure enforcement of risk management, the Company has its "Audit Guidelines" and also follows the "Implementation Rules of Internal Control and Audit Systems of Financial Holding Companies and the Banking Industry" promulgated by the FSC by creating a general audit system for overseeing audit operations. The Auditing Department, established under the Board of Directors, performs internal audits on the Company and each subsidiary every 6 months. It assists the Board of Directors and the management in inspecting and evaluating the internal control system operates effectively and provides timely improvement advice, so as to both ensure internal control system can be effectively operated and make it as the reference for further review and revision. The Auditing Department performed 1 project audit while reviewing how the internal control system was enforced at respective departments of the Company in 2021 according to the annual audit plan, 1 general business audit and 1 project audit, and 1 project audit of each of the 7 subsidiaries in the 1st half and the 2nd half of the year, respectively. In 2022, 17 audits were performed in total throughout the year. The Auditing Department performed 1 project audit while reviewing how the internal control system was enforced at respective departments of the Company in 2022 according to the annual audit plan, 1 general business audit and 1 project audit, and 1 project audit of each of the 7 subsidiaries in the 1st half and the 2nd half of the year, respectively, in 2023. In order to meet the business demand, 1 project audit of CAM and 2 project audits of TCSIT were added, so that there were 20 audits in total throughout the year.

Furthermore, the FSC as the competent authority conducts regular inspections once every 2 years as well as irregular project inspections of the Company (1 regular inspection and 2 project inspections throughout 2023). The Company is also committed to improvements reflective of inspection feedback and creating an appropriate risk management mechanism. Regarding this, internal audit units continue to follow up on review opinions of or deficiencies identified by FSC, accountants, internal audit units and internal units as well as improvements listed in internal control statements. Improvements are submitted in writing to the Board of Directors and the Audit Committee and used as an important item for penalties and rewards and performance evaluations of related units. This further promotes the benefits of the Group’s overall operations and risk management.

In 2023, the Auditing Department had not just accomplished all the tasks scheduled to complete in the year, but also made a list to track improvement status as being required by each unit of TCFHC and each subsidiary, so as to enhance the gains on overall operational and risk management of the Group.

Shaping Risk Culture

In order to improve the Group’s risk management, establish a climate governance culture, enhance the Group’s directors, supervisors and senior managers’ awareness of risks and the latest international development trends and concept changes, risk management courses are arranged every year. In 2023,a training session on "Natural Solutions and New Business Models for Enterprises to Move towards Net Zero" was held for the Group’s directors and senior managers, with a total of 40 participants. In addition, in order to enhance employees’ risk awareness, strengthen their awareness of laws and regulations related to AML/CFT, and enhance their information security protection capabilities and awareness, in order to establish an overall risk management culture, and effectively implement the Group’s risk management policies, we encourage employees to participate in various internal and external risk management-related education and training. Not only physical courses, but also digital technology is used to hold online education and training. On the other hand, the latest risk management regulations, trends or practices are also communicated to facilitate internal educational training use.

To strengthen crisis management mechanism, resolve and alleviate emergency events quickly or resume operations in time and minimize losses, TCFHC has the "Regulations Governing Emergency and Crisis Management" to activate the group-wide emergency reporting and communication system in the event of a manmade or natural disaster, faulty internal control, employee fraud, security maintenance, significant financial loss in business, or negative media coverage that can affect the Company’s reputation and normal operation. The Crisis Management Task Force is also in charge of handling emergencies, giving instructions and speak on behalf of the Company to outsiders according to the guidelines for spokespersons as needed.

Refining Risk Culture

The Group encourages employees to provide optimization suggestions for the operation process. If the suggestions are adopted, bonuses will be given. In 2023, a total of NT$75,000 are awarded. 268 proposals were introduced by employees throughout 2023, over the optimization of branch-end transaction systems, credit and loan systems, the registry and integration platform for the various types of business to be filed for reference, mobile banking, and smart wealth management, for enhanced operational and management benefits and risk management. 

The Group has formulated the "Operational Risk and Control Assessment Management Directions", and colleagues who are familiar with the business process are responsible for the operation process analysis and risk identification. The operation risk self-assessment process completed in 2023 includes 118 from head office management units and 60 from business units. Through the self-assessments results of risk control, the operational risks that should be paid attention to are summarized, and for projects with high risks, action plans are developed to respond in advance to reduce possible future operational losses, improve colleagues’ awareness and attention to risks, and integrate risk management awareness into in daily business processes.

TCB has formulated "Measures for Handling Financial Product Evaluations". Before developing financial products, it identifies and evaluates potential risks in advance and formulates relevant response plans to strengthen risk control.