Risk Management and Continuous Operation
 
Our company has established internal controls in accordance with the "Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries". The system covers all business activities and requires joint compliance by the Board of Directors, management, and all employees.
 
The Board of Directors shall be aware of the operational risks faced by the company or business, supervise its operating results, and bear the ultimate responsibility for ensuring that an appropriate and effective internal control system is established and maintained.
 
To improve the internal control system and strengthen the Company's controls, we established a three lines model for internal controls and clarified the roles and scope of duties of each line, ensuring that the organizational structure meets the principles of the three lines model and that the three lines operate effectively.
 
 
 
First line roles – Internal inspection by business units
 
Business units are responsible for identifying, evaluating, controlling, and reducing risks derived from business activities based on their respective functions and scope of business. We established internal control procedures and execute risk management procedures to ensure that the execution of business operations meets the business policies and goals. We also organize self-inspections and self-assessments of internal controls and immediately propose improvement plans when processes and control procedures prove to be inadequate. According to the Company's 2022 "Legal Compliance Risk Assessment Report", submitted, reviewed, and ratified by the Board of Directors in June 2023, corruption risk assessments have been conducted for all of the Group's domestic and overseas operations. Of these, conflicts of interest and the personal activities of employees have been assessed as medium to high risk; internal regulations governing the banking, securities, credit investment, and insurance subsidiaries have been established at all levels to reduce the occurrence of corruption risks.
 
 
 
Second line roles - Sound compliance and risk management system
 
The second line roles include the Risk Management, Compliance, and other units with related tasks (e.g. financial control, human resources, and legal affairs) which are responsible for formulating overall risk management policies for main risks, supervising overall risk-bearing capacity and current status of risks already incurred, and reporting the risk management status to the Board of Directors or senior management.
 
1. Compliance system
・FFHC, First Bank, First Securities, First Securities Investment Trust and First Life Insurance have all established dedicated compliance units reporting to the president in accordance with the law. Other subsidiaries have also appointed Chief Compliance Officers at their head offices. The Chief Compliance Officers are responsible for the planning, management and execution of the regulatory compliance system at their respective companies. FFHC continues to require all subsidiaries to enforce their compliance systems. Related developments in 2023 are as follows:
 
 
・Penalties Imposed on the Company and its subsidiaries by the competent authority and improvement measures taken in 2023
There were no major penalties imposed by the competent authority on the Company and its subsidiaries in 2023*.
 
*: The disclosure of penalties relating to cases of major violations must comply with Article 36, Paragraph 3, Item 2 of the Securities Exchange Act if there is a possibility of material impact on the rights and interests of shareholders or the price of securities, or if the case falls under Article 2 of the "Financial Supervisory Commission's Measures for the Public Announcement in Major Penalty Violations of Financial Laws".
 
2. Risk management
Risk Management Structure
FFHC's Board of Directors is the top policy-making unit for Group risk management. A "Risk Management Committee" has been established under it. The Chairman serves as the committee chairperson, while the President, VPs and the chairmen and presidents of subsidiaries serve as committee members. A meeting is convened once every two months to supervise and examine the effectiveness and implementation status of the Group's and each subsidiary's risk management, which is reported to the Board of Directors on a regular basis. The Risk Management Department is responsible for carrying out the various risk management policies.
 
 
Risk management Policies & Process
A. The Group identifies, measures, monitors and controls each risk based on the "Risk Management Policy" approved by the Board of Directors, and formulates qualitative and quantitative measures commensurate with its risk appetite.
・Identification of Risks: The influence path of major hazards, risk types and risk descriptions are identified through the compilation of various data, such as historical events as well as domestic and international issues and trends.
・Risk Measurement Assessment: Risk assessment models are introduced for scenario analysis to complete the quantitative assessment of the impact that risks have on business as well as potential opportunities.
・Risk Strategy: Based on the quantitative assessment results and the organization's current situation, strategies for the mitigation, transfer, acceptance, or control of climate risks are adopted, and action plans for mitigation and adaptation are established.
・Objective Setting: Concrete organizational goals and indexes are established based on the outcome of risk strategy formulation. These goals are in turn allocated to business management units.
・Objective Monitoring: Organizational risks and opportunities are monitored regularly to ensure that milestones are met in time. An independent Risk Management Committee has been set up to effectively integrate the reviewing, monitoring, reporting and coordinated operation of the risk management matters of the entire Group.
 
The Company has imposed caps on the maximum risk undertaking for the Group's and its subsidiaries' credit extensions and investment operations in order to control the Group's large risk exposures. The subsidiaries have set their respective capital adequacy ratio (CAR) alarm levels for various industries in order to maintain the Group's CAR. The Group regularly reviews its subsidiaries' main risk monitoring indexes, including credit risk, market risk, interest rate risk, liquidity risk, insurance risk, operational risk and emerging risk, in order to faithfully implement the early-warning and stop-loss mechanisms. Effective internal control systems are implemented to reduce possible losses caused by risks.
 
 
As the types of global emerging risk items and related incidents gradually rise, the Company has also separately formulated the "Emerging Risk Management Guidelines" so that the Group can enhance corporate governance and administer assessments of emerging risks (such as trade wars, global epidemic diseases, climate emergencies, information security risk, etc.). By doing so, we have established a Group-level management mechanism for emerging risk items. The Company also adds or amends various risk management regulations and monitoring indexes in accordance with regulatory requirements or changes in the economic environment. In 2023, we formulated the "Management Guidelines Governing FFHC Asset Assessment and Categorization", and amended related regulations such as the "FFHC Incident Reporting Guidelines" and the "Table of Maximum Risk Undertaking for a Subsidiary's Credit Extension to/Investment in Same Individual, Same Related Party, or Corporate Credit Extension to the Same Conglomerate".
 
B. Risk Appetite
After taking business plans and risk profiles into account, we set our risk appetite according to the amount and level of risk we are willing and able to accept or assume. Aside from referencing reliable quantitative risk data, we also incorporate past experience and decision makers' macro vision. The Group's risk appetite is presented in two ways: its CAR target, and its risk limits (covering credit risk, market risk and operational risk).
 
C. Analysis of Sensitive Scenarios & Stress Test
・The Group's sensitivity analysis includes interest rate risk, foreign exchange risk, and equity securities risk.
・The Group's subsidiary bank is one of the competent authority's domestic systemically important banks (D-SIBs) and is therefore subject to a two-year stress test. It also calculates various capital adequacy ratios and profit and loss outcomes under severe recession scenarios in accordance with the Financial Supervisory Commission's "Operating Plan for Conducting Stress Tests on Domestic Banks" methodology.
 
D. Independent External Audits
First Financial Holding is subject to a full-scope examination by the Financial Examination Bureau, FSC once every two years, in addition to unscheduled targeted examinations. In particular, as the subsidiary bank has been designated a domestic systemically important bank (D-SIB), it is required to file its CAR assessment results with the competent authority regularly. The competent authority also has more stringent demands with respect to the Bank's risk management process.
 
3. Risk management enhancement measures
A. System upgrade
In response to the subsidiary bank's completed revision of its "Default Probabilities of Various Risk Grades in Corporate Finance", we revised and added the "Overdue Grades (W1 and W2)", their measurement methods and risk characteristics. The "Operation Directions for Credit Rating in Corporate Banking" and "Operation Directions for Grading in Specialty Financing" have also been amended accordingly.
 
B. Main risks - credit risks, market risks, interest rate risks, liquidity risks, insurance risks, operational risks, and emerging risks.
・The risk coefficient table has been updated to reflect the latest market changes and to measure the potential future exposure of derivative product transactions more effectively.
・To help business units stay on top of credit asset risks in a timely fashion, a new "days overdue" field has been added to the "New System for Credit Asset Risk Assessment Operations-Table of Manual Adjustment Details for Business Units", so that the latest overdue status of such credit cases is visible at once. If a borrower's credit rating or collateral deteriorates or improves, business units should immediately re-evaluate the case and make the necessary adjustments and reclassification.
・To make it easier to file LCR and NSFR correctly, business units should ensure the correctness of information, including those in the fields for industry type, enterprise type and headquarters' business administration number, when they file or change a customer's basic information.
・When business units implement various business promotional plans in accordance with the SOPs and marketing measures stipulated in related regulations, they shall never sell any products not rolled out by the Group, or those that have yet to receive regulatory approval. They shall not guide customers to engage in any brokerage deals or transactions with any external cooperative agencies or any other organizations such as fund companies without permission.
 
■ Subsidiary First Bank capital adequacy ratio (Unit: NT$1,000) (table figures not reproduced on this page)
 
4. Establishment of the Corporate Risk Culture
To enhance and ensure the smooth operation of the Group's risk management mechanism and to establish a risk-oriented corporate culture, we invite the various companies within the Group to discuss current financial events and related changes, evaluate and adjust the various risk control indexes and their frequencies, and host risk management seminars from time to time. We also leverage the complementary online e-Academy to build systematic risk awareness. We want every Group employee to understand FFHC's risk culture and core ideas, and we conduct related educational training in risk management for employees promoted at various levels. In 2023, a total of 749 employees completed 47 hours of in-person or online educational training in courses or tests relating to risk management. Those who failed the tests were retrained and retested until the pass rate reached 100%.

Additionally, as the formats of financial products and services have become increasingly diverse and complicated, transaction disputes and financial crimes are more likely to occur as a result. To help our employees fully understand related domestic and international regulations and avoid regulatory gaps, we conducted three hours of training titled "Corporate Governance Forum-Money Laundering Risks Associated with Emerging Technologies" in 2023. A total of 54 Group Directors and Supervisors attended the training. Furthermore, as climate change has become a global consensus and an issue of concern, we conducted three hours of training named "Risks and Opportunities Presented by Climate Change and Net-Zero Emissions for Corporate Management". A total of 51 related Group employees attended the training.
 
 
Establishment of Risk Management Culture Measures
Connection between Risks and Performance
・Risk indicators (includes asset quality, customer complaints, regulatory compliance, and major incidents of internal control) are included in the standards for the distribution of performance bonuses for the President, senior management, and employees, and they affect the amount of the annual performance bonus.
・The performance evaluation items of the risk management unit include risk management indicators such as the capital adequacy ratio and leverage ratio, return on capital, and non-performing loan ratio control target achievement rates, employee training, and innovative measures. The evaluation results shall be used as an important reference for determining the performance bonus for the evaluated department.
・Performance Assessment:
(1) With regard to the internal control and management checklist item "points deduction standard for administrative efficiency" under "management performance" in the performance assessment, if an employee violates regulations relating to credit rating adjustments for corporate banking, and has been notified of three or more incidents of inadequacy by the Risk Management Department or fails to improve within the required timeframe after being notified during the assessment period, he or she shall be subject to a points deduction commensurate with the severity of the negligence.
(2) With regard to the "monitoring and management measures for controlling real estate credit concentration", an important management index relating to "profitability" and "management performance" in the "financial performance" part of the performance assessment, we have also formulated related incentive measures.
(3) "Capital utilization effectiveness" and the achievement rate of "economic profits" after taking capital cost into account have been incorporated into the performance assessment. We also conduct assessment contests for return on capital, including return on capital for net profit before withdrawals or deposits, the increase in return on capital for gross operating profit before withdrawals or deposits, and the increase in capital deduction, which serve as items worthy of extra points in the performance assessment of business units. We also conduct incentive activities grading each unit's return on risk-weighted assets and average risk weights; commendations and bonuses are awarded to outstanding units based on their scores.
・We continue to follow up on review opinions of internal audit units, accountants, and business administration units or deficiencies proposed by internal audit units, and matters requiring improvement listed in the internal control system statement. Improvements are submitted in writing to the Board of Directors and Audit Committee and used as an important item for penalties and rewards and performance evaluations of related units.
・The results of the compliance evaluation of the departments and subsidiaries are used as the basis for personnel evaluations.
 
Risk Reporting measures
・We strive to establish a risk reporting mechanism for internal staff through related regulations, such as the Rules for the Regulatory Compliance System, FFHC's Guidelines for Reporting Regulatory Compliance Cases, Implementation Rules for the Internal Audit System, FFHC Incident Reporting Guidelines, Operational Risk Management Guidelines, and Credit Risk Management Guidelines.
・A range of transparent, equal and convenient complaints channels have been established including the "Supervisor Mailbox", "President's Mailbox", "Chief Auditor's Mailbox", "Ideas Mailbox", "Employee Support Hotline", "CEO Weekly", and "Good Articles" as well as public forums on the company intranet to ensure complaints are handled properly.
 
Enhancement of the Risk Culture
・The Company organizes risk management seminars from time to time and invites subsidiaries to discuss recent changes in the finance industry to evaluate and adjust the risk monitoring indicators and frequency.
・We established the employee proposal system to encourage employees to actively identify and report potential risks.
・We publish the risk management newsletter each month and use the "Risk Management Report", "Special Report", and "Risk Management Terminology" to enhance the risk awareness of all employees and increase their professional knowledge and skills.
・Organize relevant education and training for emerging risks (such as information security risks, climate change risks and personal information protection risks) to improve risk resilience.
・Based on the "Standard Operating Procedures for New Types of Products", the various business management units discuss the profiles, operating procedures and internal control mechanisms of new types of products. Their proposals are submitted to the Business Decisions Committee or the (Managing) Board of Directors for review. Before a new type of product is officially launched or goes online, risk identification and assessment must be conducted in accordance with the RCSA procedures and methods in the "Guidelines for Operational Risk Management Tools".
 
5. Emerging risks
 
 
The Group's emerging risk identification identified "cyber insecurity", "interstate armed conflicts", and "wrong and false information". The mitigating measures we have adopted to deal with the potential impact of these risks are set out below:
 
Risk Description - Cyber Insecurity
 
With the rapid development of cyber information, people are growing more reliant on the Internet. As a result, new applications of cyber technologies continue to emerge, from which many cybercrimes are also derived. Criminals continue to come up with new modi operandi, which not only results in personal information leaks and fraud, or theft of corporate secrets, but also causes disruptions to business operations. These cyber security threats continue to occur all over the world, posing an enormous challenge to the financial industry as well.
 
Potential Impact
・Large-scale cybercrimes and threats may cause anomalies in central networks, systems and equipment, impacting information security. As the M.O. of unauthorized credit card use evolves incessantly, personal information leaks and insufficient safeguards for system information security could damage our customers' rights as well as the Group's business reputation.
・Major security vulnerabilities in information systems are constantly exposed, and the Group may fail to obtain threat intelligence or identify vulnerabilities in a timely fashion. Insufficient information security awareness among employees may lead them to click on social engineering emails, or to have their account passwords stolen after browsing unsafe websites.
・Scam rings leverage social media websites and LINE groups, or pretend to recruit talent through SMS, using high compensation as a hook to deceive consumers into taking the bait. They then seize their victims' bank passbooks or IDs during interviews, demanding that they apply for online bank accounts over the counter to serve as dummy accounts for their scams. They also lure people into joining their investments, using high yields or guaranteed returns as an incentive, and ask their victims to wire funds to designated accounts. When the victims wish to redeem and realize their profits, they find that they are unable to retrieve their funds. As a result, people's property safety has come under great threat.
・In response to the relentless flow of threats to cybersecurity, the compliance departments of various subsidiaries need to frequently add to or revise related internal regulations in response to regulatory amendments, so that they can align with regulatory requirements. This may call for more manpower training, additional procurement of information systems or equipment updates, which could lead to increases in operating costs for the Group.
・When a credential stuffing incident occurs, the online order placement service slows down, and unauthorized orders may be placed with the online system. As a result, customer complaints are likely to arise due to investment losses from passive transactions.
 
Mitigation Measures

Short-term:
・Comply with regulations and SOPs relating to digital security; stay on top of the latest intelligence on information security; and conduct patching and enhancements with respect to important information system vulnerabilities.
・Establish a reporting process for anomalies via phone/Internet, as well as effective response measures.
・Make sure that anti-virus, anti-malware and anti-spyware software has been faithfully installed and updated, and that Internet firewall isolation has been implemented.
・Conduct remote back-up drills regularly to ensure uninterrupted company operation in case of a risk event.
・Publish statistical data about red-flagged accounts on a monthly basis; re-affirm that business units are required to faithfully conduct their audit operations for account opening; remind customers that provision of personal accounts for illicit use may result in criminal liabilities when they open an account or renew a passbook over the counter; print reminders on the inside of passbooks stating that customers should never feel free to offer their passbooks or ATM cards to others, and that they should always look into unusual transactions. By doing so, we hope to effectively reduce the recurrence of incidents associated with red-flagged accounts.
・Conduct educational training in information security for all employees every year; and increase the awareness of not clicking on suspicious emails, external websites, or downloading files of dubious origins. Unless it is required for business, the Company's employees should refrain from leaving their company-issued email accounts with others.
・In response to domestic or overseas regulatory amendments, all business management units and overseas branches should revise their related internal business regulations within the required timeframe to facilitate compliance.
・To counter ransomware, the latest and most effective anti-virus software must be used, in addition to conducting system patches and management from time to time so that vulnerabilities that have come under attack could be repaired in a timely fashion; identify and verify user clearances, and test data backup as well as the effectiveness of completing data restoration in due time; and carry out drills to simulate various ransomware attack scenarios.
・Two-factor authentication has been adopted for downloading certificates from and logging in to the online order placement system. It strengthens identity validation, increases resistance to credential stuffing, and reduces the risks associated with the theft or unauthorized use of related account passwords.
 
Additionally, the following medium- and long-term risk mitigation measures have also been adopted:
・Continue to be mindful of risk assessments required for information security; improve information and information security equipment; and enhance information security and personal information protection training for personnel.
・Update anti-virus software regularly to guard against malware attacks.
・Introduce new-generation Internet firewall equipment to reinforce the defense against threats based on emerging technologies.
・Conduct educational training, drills and tests relating to information security and the defense against social engineering regularly, in order to build risk awareness and increase the level of alertness.
・Provide the frequently seen scenario symptoms of people falling for scams as compiled by the National Police Agency, MOI; and invite business units to promote the related awareness and enhance educational training, in order to implement over-the-counter goodwill outreach.
・Continue to keep track of the latest domestic and international trends in FinTech applications; study and reference other banks' practices as well as penalty cases and cases under review by the competent authority; refine and implement daily educational training; and increase employees' awareness and literacy with respect to regulatory compliance.
 
Risk Description - Interstate Armed Conflict
 
The world has come under the influence of international conflicts recently. The ongoing war between Ukraine and Russia and the Israeli-Palestinian conflict have added more uncertainties to the global economy. Geopolitical risks are rising dramatically, and the financial industry needs keen eyes for insights into the impact from global economic and geopolitical factors.
 
Potential Impact
・Companies under the influence of armed conflicts may face an elevated risk of default, which may increase the Group's exposure to credit risk. In the event that a business unit of the Group is located in a war zone or an affected area nearby, our operational risk may also increase. Furthermore, spikes in raw material prices and supply chain disruptions may also increase the Group's exposure to market risk.
・Interstate conflicts have exacerbated financial market fluctuations across the globe, which may further trigger a systemic risk that results in a crisis for the global financial system. As a result, investors' hedging sentiment rises as they dump the financial products in their possession, triggering a price collapse. The Group may face an eroding clientele, a shrinking scale of wealth management assets, and difficulties in promoting its overall business operations.
・No matter if it is an economic/trade conflict or armed warfare between different countries or regions, it could trigger related sanctions. In particular, trade sanctions and financial sanctions could lead to suspended operations or asset freezing for customers, which could further impact financial institutions' ability to promote business operations in trade financing and international foreign exchange.
・An uneasy global atmosphere may cause economic setbacks and stock/bond market plunges, making it more difficult to hedge specific targets, and losses would be incurred.
 
Mitigation Measures

Short-term:
・Pay attention to international political and economic developments, information about public security and rating outlooks, and changes in national power and the global situation; increase geographic risk awareness, and diversify and tightly control related exposed positions. Formulate emergency response measures and continue to cooperate with government and regulatory agencies to reduce the related impact.
・Monitor the quality of the Group's credit assets regularly and the level of concentration of various credit risks; and issue timely red flags and propose countermeasures.
・Conduct stress tests regularly to measure the financial impact to the Group. The frequency of such tests may be increased in line with the presence of major issues and future changes in the environment, and timely countermeasures are taken in accordance with the test results.
・When a major unfavorable event occurs, we would immediately disclose our operational exposure, the level of impact, and our proposed response measures. We would notify business units of changes to trust products brought about by geoeconomic conflicts, as well as notice items that need to be relayed to investors with their assistance, including the transfer of fund products and liquid assets, and the division of funds.
・Reduce country risks; conduct educational training regularly to raise employees' risk awareness of interstate armed conflicts; continue to stay on top of international financial situations; and evaluate and adjust control and response measures for foreign exchange operations at appropriate times.
・Continue to develop new customers, expand the business customer base and decentralize the focus on major customers to prevent impact to the Group's operations due to a rapid decline in the operating volume of single customers or similar industries.
・Boost the efficiency in adjusting stock/bond positions in response to changes when war breaks out; and increase the level of cash reserves or move investment portfolios towards large legacy industries or public utilities stocks with low volatility. Additionally, control credit risks associated with convertible bond asset swap (CBAS) tightly; and suspend undertaking as soon as the target's operations fall short of expectations.
 
In addition to the above, the following mitigation measures are implemented in the medium and long term:
・Reinforce the capital structure of financial institutions so that they could withstand a variety of risks encountered in times of crisis; and retain sufficient liquidity and create diverse income sources to reduce the reliance on a single market and related impact.
・Continue to monitor changes in borrowers' credit lines; pay attention to the operating status of their parent companies and the current industrial situation; and stay on top of the utilization of the overall credit amount.
・Continue to pay attention to global geopolitical and economic confrontations as well as related current affairs and trends; observe changes to the political and economic situation of the world's major economies; and regularly monitor a product's risk balance for a country or the Group.
・When undertaking various foreign exchange cases, we would prudently go about our business based on our past exchanges with the customers and the level of debt guarantee. We would also continue to pay attention to the international financial situation, and take corresponding protective measures at the right moment.
 
Risk Description - Wrong and False Information
 
The continued presence of misinformation, such as false, impersonated, manipulated and fabricated content, and its extensive circulation via media outlets and the Internet, have led to public distrust of the truth and of authority. This further intensifies social and political divisions, or even triggers armed conflicts, exposing the global economy to even higher risks.
 
Potential Impact
・Entities pretending to be financial institutions, or individuals impersonating employees of the Group, lure people into joining their LINE groups and urge them to invest in specific products, resulting in losses for customers. Alternatively, they fabricate misinformation to maliciously undermine the Group's image.
・The dissemination of wrong, false and untrue information is prone to causing the public to form prejudice towards specific matters, which would lead to a spike in the number of customer complaint cases and increase our operational and processing costs. Furthermore, the negative public image thus formed is detrimental to the Group's efforts in building and managing a favorable corporate image.
・Misinformation could also cause the management team to make wrong judgment calls in management policymaking, which would lead to failure, unnecessary cost burdens, and operating losses.
・False information could cause people to question the legitimacy of information, and undermine social stability. New types of crimes would surge and threaten social cohesion.
 
Mitigation Measures
 
Short-term:
・Disseminate correct information to investors and customers via various channels, including bank statements and push notifications from the transaction app; provide anti-fraud information to customers regularly; set up a dedicated counter-fraud zone on the official website; compile and continually update a list of frequently seen investment fraud patterns and related information from government agencies; and raise anti-fraud awareness on the official social media platforms.
・Clearly remind customers to call the "165" anti-fraud hotline for verification and reporting when they suspect that someone is impersonating a Company employee, or encounter a counterfeit official website, marketing advertisement, or app used to mislead or scam people.
・Establish a fast and smooth channel for distributing material information and handling customer complaints; make timely clarifications to block and eliminate misinformation; and prevent negative public sentiment from spreading, so that society's impression of the Company is not affected.
・Raise employees' information security awareness of fraud patterns derived from emerging technologies through regular educational training and bulletin reminders.
 
Additionally, the following medium- and long-term risk mitigation measures have also been adopted:
・Leverage systems and AI to search for related information online; compile a detailed record of the tricks and rhetoric routinely used by scam rings and, after analysis, determine whether they contain wrong or false information; update the list of frequently seen investment fraud patterns from time to time; and remind investors to be mindful of fraud in order to reduce financial losses.
・Evaluate the feasibility of setting up an emergency response team to handle impersonation cases and cope with the various patterns of impostor incidents.
・Establish an internal re-evaluation mechanism for investment business operations, and reduce the probability of policy mistakes through secondary group reviews, debugging and proofreading.
・Set up a dedicated financial security zone on the official website, and compile and provide various anti-fraud information to raise customers' awareness of how to identify fraud.
 
Third line roles - Independent internal audit unit
 
The Company and its subsidiary bank, securities company, securities investment trust company and insurance company have all set up internal audit units that report to the Board of Directors. A general audit system has also been established, which independently and impartially audits and assesses the internal control system designed and executed by the first and second lines, as well as the effectiveness of the risk management system. It also offers timely improvement suggestions to reasonably ensure that the internal control system continues to be effectively enforced; these suggestions also serve as a basis for reviewing and amending the internal control system. Furthermore, the internal audit units continue to follow up on and re-examine review comments and audit deficiencies identified by financial examination agencies and accountants, those identified by the audit units themselves and by business units, as well as items marked for further improvement in the internal control system statement. The status of follow-up audits and improvements is regularly submitted in writing to the Board of Directors and the Audit Committee, and serves as an important index for rewarding or penalizing the related departments and for performance assessments. The goal is to maintain the operation of an effective and appropriate internal control system.
 
To enhance the functions of the second and third lines, such as regulatory compliance and internal audit and control, the Company asks its departments and subsidiaries to review the completeness and effectiveness of the related internal control regulations and control measures in its "Review Seminar for Improving Internal Control System Faults & Regulatory Compliance". The seminar focuses on the financial examination priorities noted by the Financial Supervisory Commission and the financial holding company's internal audit seminar, the annual examination priorities announced by the Financial Examination Bureau, the main deficiencies identified in examinations of the financial industry, and the fault patterns seen in penalty cases. The Company asks its audit units to incorporate these items into their annual audit focus, in order to implement the three lines of internal control and facilitate sound management of the Company. To implement performance assessments, we regularly assess the results of the related audit operations, including the subsidiaries' internal audit units and systems as well as their verification of internal audit and audit management, in accordance with the Company's regulations governing the evaluation of subsidiaries' audit operations. The results are presented to the Board of Directors of each subsidiary as an important basis for the performance assessment of each audit unit.
 
With regard to the execution of the Company's 2023 internal audit operations and the formulation of our 2024 audit plan, we adopt a risk-weighted management approach, in addition to referencing the latest changes in regulations, the competent authority's updated examination focus, ratings of the internal control execution of the various units (including subsidiaries), and the business characteristics of those units. In addition, the first and second lines supervise the results of the internal control system's self-examination. After review by the audit units, those results, together with the internal control deficiencies and the improvement status of anomalies identified by the audit units, are used to evaluate the effectiveness of our overall internal control system. In this way we aim to perfect self-evaluation within the Group's internal control system. Additionally, subsidiary First Bank has implemented a risk-oriented internal audit system by establishing a series of risk-oriented methods and procedures for evaluating internal audits. This serves as the foundation for compiling audit plans that set the frequency of internal audits according to the assessed risk level, thereby deploying audit resources more effectively and reinforcing the audit focus on critical risks.
 
Key audit criteria
 
■ Implementation of the internal audit system in 2023 is as follows:
 
Please refer to page 126 of the Company's Annual Report for the 2023 Internal Control System Statement.
 
Business Continuity Management Mechanism
 
In order to pass on information about incidents quickly and to handle them in a timely manner, the Company and its subsidiaries, when an incident occurs, classify it as a major or general incident according to the "FFHC Incident Reporting Guidelines", grade it by degree of impact into one of three levels (A, B, and C), handle it in accordance with the "Incident Handling Notification Procedures", and prudently follow the principles of notification, handling and follow-up, so as to effectively prevent the disaster from expanding and reduce its impact.
 
In addition, to promptly and effectively handle business crises of the Company and its subsidiaries (including bank runs, robbery, theft, major malpractice, financial crises, major investment failures, information crises (including data leakage, system interruption, etc.), fires, explosions, natural disasters, collective customer petitions and other major events or disasters), and to quickly contain the incident or restore operations and reduce the harm, the Company has formulated the "Crisis Response Principles for the Company and its Subsidiaries". When a crisis occurs, the responsible business unit shall deal with it promptly; in addition to taking the general contingency measures for its related business, it shall also adopt the specific contingency measures appropriate to the cause of the crisis. The Company sets up a crisis management team when necessary, and the risk management department is responsible for establishing case files, convening meetings, listing and tracking cases, and reporting the case and its handling to the Company's supervisors at all levels at any time, until the incident subsides and the crisis is lifted.
 
In light of heavy casualties resulting from the explosion at the Pingtung plant of golf equipment manufacturer Launch Technologies Co., Ltd. on Sept. 22, 2023, the Company's Risk Management Committee has asked various subsidiaries to inspect their fire protection facilities to make sure that they are in normal working order. The Committee also demands that fire drills be conducted on a regular basis.
 
To ensure uninterrupted operation of the financial system, and to provide people with reassuring, convenient and diverse financial services as the basis for innovative FinTech developments, the Company and its subsidiary bank, securities company and life insurance company implement and execute measures for information security and privacy protection. Please refer to the "Information Security and Privacy Protection" chapter for more details on the related planning and execution status.