Each department of CSRC assesses various operational risk factors and plans relevant management and control tasks. Internal auditors include high-risk operations in the annual audit plan and prepare audit reports from the audit results. They regularly submit reports to the Audit Committee for review and attend Board of Directors meetings in a nonvoting capacity. In addition, each department conducts a self-assessment of the internal control system every year to ensure the effectiveness of system design and implementation. In the future, a dedicated unit shall be established for risk management; more in-depth discussions shall be conducted on the Company’s risk management priorities, risk assessment, and response measures; and reports shall be made to the Board of Directors on operational risks and management strategies.
Business operational continuity plan

Risk management is key to business operations. Through the identification, management, measurement, and analysis of the Company’s internal and external risk factors in the short, medium and long term, CSRC improves the effectiveness of decision-making and enhances corporate value. In order to continuously improve the risk management mechanism, we apply internal controls to finance, business, materials, and engineering. Recently, we have focused on managing climate change and work safety risks, and formulated corresponding response strategies and plans. Through the risk early warning system, risk items are regularly tracked and countermeasures are proposed in advance. The system automatically generates warnings about abnormalities, reducing associated labor and avoiding omissions. The validity of the risk identification and early warning process is confirmed through regular audits by the Audit Office. The audit supervisor of the Audit Office regularly explains to the Board of Directors the key points of risk management, evaluates and plans corresponding measures, and reports operations-related risks and management strategies.

Internal Audit Scope
In 2023, CSRC's internal audit unit executed and completed 25 audit reports and six follow-up reports in accordance with the annual audit plan, proposing a total of 15 internal control recommendations. Areas covered included procurement, acceptance, production management, real estate, plant and equipment management, inventory management, sales and receipts, safety and health, and seal management, all tracked and improved in accordance with regulations.
The challenges and responses to various risks of CSRC at this stage are explained as follows:
Risk management and opportunities for climate change
Following the Paris Agreement, climate change response has become an issue that governments and companies must face actively. Domestic and international greenhouse gas emission regulations are becoming stricter, and natural disasters brought about by extreme climates have a direct impact on the operating premises; all of these affect the Company’s finances. In response, we have identified risks and opportunities through project meetings based on the TCFD framework (Task Force on Climate-related Financial Disclosures) and set relevant targets to gradually mitigate climate change. In June 2021, we publicly supported the international TCFD initiative and completed the signing of the TCFD. For detailed information on the management of climate-related risks and opportunities, please refer to section 4.1 Response to Climate Change.
Information Security Risk Management
The Company's dedicated information security function is primarily entrusted to TCC Information Systems Corp. (hereinafter referred to as TCCI) under the Taiwan Cement Group, which handles overall information security architecture design, information security operations and monitoring, and internal and external information security incident response and investigation. On November 9, 2023, the Company set up a chief information security officer and 3 dedicated information security members, a total of 4 people. The information security support team has a total of 28 people, mainly drawn from the corporate group's Taiwan Cement Information Co., Ltd. (hereinafter referred to as TCC Information), which is responsible for the design of the overall information security architecture, information security maintenance and monitoring, and response to and investigation of internal and external information security incidents.
The Company's compliance with the ISO/IEC 27001 information security system in 2020: In 2013, CSRC adopted the PDCA cycle operating model as the international standard, establishing and implementing an Information Security Management System. The information security policy is approved by the highest information security unit of the enterprise group, and by the end of 2020, CSRC obtained ISO 27001 certification, valid until January 5, 2024. In December 2023, CSRC successfully completed the transition to ISO/IEC 27001:2022 version certification. Currently, the certificate is valid from January 5, 2024, to January 4, 2027. A cross-departmental Information Security Management Committee is convened by the President, meeting annually to review the effectiveness of information security planning and implementation and significant information security decisions, while coordinating the allocation of necessary resources for information security. An Information Security Management Task Force has been established under the Information Security Management Committee. It is primarily responsible for planning, establishing, implementing, maintaining, reviewing, and continuously improving information security management systems for information systems, and reporting information security issues to the Information Security Management Committee. The Information Security Management Task Force holds regular meetings to review the implementation status, and reports the implementation status and review results to the Board of Directors on a regular basis every year.
The Company also engages external consulting firms to assist in conducting information security audits to assess the effectiveness of the Company's information security management system. Additionally, external technical firms are commissioned to conduct information security technical tests to inspect the security protection of information systems and websites.
Proportion of factories covered by CSRC’s IT service providers certified by ISO/IEC 27001

●IRP Information Security Incident Response Plan Flowchart

●Information security control and protection mechanisms

●Implementation performance of information security management
In 2023, none of the plants of CSRC received any complaints about customer privacy violations, information leakage, theft, or loss of customer information.

●Protection of personal data, prevention of personal data leaks, and maintenance of Company information security through education and training:

●Other risk items
In 2023, the various risks of CSRC were managed under the existing management measures; no major abnormalities occurred.
