Corporate Governance

Corporate Governance

Corporate Governance

Risk Management

Implementing risk management systems and operations is a crucial foundation for ensuring CLC's stable operations. The Board of Directors is responsible for overseeing risk governance. At the end of 2023, the Board approved the establishment of a Risk Management Committee to assist in supervising the risk management system, including reviewing the company's risk management structure and processes to facilitate risk identification and management, and reporting major issues, findings, and recommendations related to risk management to the Board. In 2023, the company also revised the "Risk Management Policy and Procedures," emphasizing Cheng Loong's commitment to a sound and effective risk management system and culture. This includes integrating and managing all potential risks, authorizing the General Manager to make risk management decisions, and ensuring that departments follow risk management procedures to properly identify and manage internal and external risks, and assess the impact of operational, financial, and climate change risks on the company.

Regarding climate change risk management, the company adopted the "Task Force on Climate-related Financial Disclosures" (TCFD) initiative in 2021, becoming the first paper industry company in Taiwan to pass the TCFD audit and receive the highest rating certification, demonstrating its adaptability to climate risks. Recognizing the importance of nature-positive benefits and the impact of operations on biodiversity, the company signed on to support the "Taskforce on Nature-related Financial Disclosures" (TNFD) in 2023, becoming one of the 14 TNFD pioneer companies in Taiwan. The company will follow the TNFD framework to strengthen the disclosure of nature-related risks and responses across four key areas: governance, strategy, risk management, and metrics and targets.


*For complete details, please refer to the report sections: ch4.1 Climate Change Actions TCFD Report and ch4.6 TNFD Biodiversity.
 

Board of Directors Auditing Division President Management
Based on the overall operational strategy and macro environment, the board of directors discerns the risks in operations, focusing on the promotion and implementation of overall risk management to ensure the effectiveness of and assume full responsibility for risk management. The Auditing Division periodically audits the performance based on the Company's internal control and audit programs, produces the audit reports based and presents them to the board, and follows up the performance of each unit. Make decisions for risk management and coordinate cross-department risk management interaction and communication. Being responsible for risk management and analyzes and monitors related risks within the unit to ensure the effective implementation of the risk control mechanism and procedures.






Information Security Control Risk

CLC places a strong emphasis on information security management, with a dedicated information security unit and Chief Information Security Officer in place. Following the "Information and Communication Security Operational Standards Management Method," the company advances various information security management tasks. This includes establishing cross-departmental and site-wide firewall mechanisms to monitor risk vulnerabilities in real time and prevent attack damage, ensuring the security of company operations.

To enhance information security capabilities, resources are continuously invested each year in acquiring information security hardware and software and conducting related education and training. A comprehensive network and computer protection framework has been established. In 2023, the company took a leading position in the industry by implementing the ISO 27001 Information Security Management System (ISMS). Specific management plans have been developed for access control, data backup, system development, and vendor management to ensure the security, availability, integrity, and continuity of information assets and services, minimizing the impact on daily operations. In 2023, the company did not experience any major information security incidents.

Key information security achievements for 2023 include:

Enhancing Information Security Management
1. The information security management system has been improved, with the company passing the BSI British Standards Institution ISO 27001:2013 certification in August 2023. Moving forward, the company will continue to make improvements based on audit recommendations and plans to transition to ISO 27001:2022 in 2024.

2. A digital asset inventory and risk assessment are conducted based on the PDCA cycle to review the operation of information and communication security goals and measures, with improvements made as necessary. The General Manager chairs the ISO Implementation Committee each quarter to review information security execution.

Enhancing Information Security Protection
1. Strengthen protection measures for network connections, data centers, firewalls, email, and servers. Continuously review information security policies and procedures, and hold regular security project meetings for necessary audits and revisions.

2. To improve protection for operational technology (OT) systems, USB antivirus sticks are used to detect potential malware infections. Access control and records are maintained for key infrastructure areas (such as data centers) to ensure physical security.

Building a Collaborative Information Security Defense
1. Establish an information security monitoring center to observe abnormal security behavior. Core systems have integrated MDR (Managed Detection and Response) endpoint protection services, combining rapid detection, protection, and recovery capabilities for IT and OT endpoints. External professional security assistance is used for comprehensive and round-the-clock monitoring and analysis to effectively prevent and respond to viruses and malicious attacks.

2. Actively participate in external information security alliance activities and initiatives to stay informed about security trends.

Cultivating a Corporate Information Security Culture
1. Create a dedicated information security section on the EIP intranet for promotions and announcements, offering online courses to help employees prevent email scams, malicious website links, and other attack methods. This aims to improve understanding and protection of confidential information.

2. In 2023, 2 social engineering drills were conducted, utilizing AI technology to design test emails simulating external attack methods. The average click rate of test emails by employees was below the target value.


In August 2023, the company passed the ISO 27001:2013 (ISMS)
certification by BSI British Standards Institution.