
Risk Management
Risk Management Organizational Structure

Yuanta Financial Holdings' risk management structure covers the board of directors, the Audit Committee, the Risk Management Committee, company management, risk management units, legal and compliance units, information units, as well as all business units.

Board of Directors

The board of directors holds ultimate responsibility for risk management regarding all operations. Its major duties include approval of the Company’s risk management policy and risk management systems, approval of annual risk limits, monitoring of indicator thresholds, and supervision of the implementation of the Company’s risk management systems.

Audit Committee

The Audit Committee assists the board of directors in its risk management role. Its chief responsibilities include review of the Company’s risk management policies and risk management systems, review of annual risk limits, monitoring the threshold of indicators, overseeing the management of the Company’s existing or potential risks, and assisting the board of directors in supervising the implementation of risk management systems.

Company Management

Company management monitors risks associated with all Company business operations, and ensures that the Company’s risk management system can completely and effectively control all relevant risks.

Risk Management Committee

The Risk Management Committee assists the Audit Committee and the board of directors in executing their risk management duties. Its main objectives include review of annual risk limits, monitoring of indicator thresholds, review of risk management reports, assistance in supervising the implementation of risk management systems, integration and coordination of the subsidiaries' risk management issues, and communication of other important matters relating to risk management.

Risk Management Department

Reporting directly to the board of directors, the Risk Management Department is responsible for drafting the Company's risk management system, establishing effective methods and systems for measuring, monitoring, and analyzing risks, and providing timely reporting and early warning of significant risks.

Compliance Affairs Department

The Compliance Affairs Department executes control over compliance risk, ensuring that all operations and management rules and regulations are updated in a timely manner in accordance with relevant laws and regulations, supervising legal compliance managers of each unit to implement the introduction, establishment, and execution of the relevant internal regulations, and helping to evaluate any legal risks associated with the Company’s operations.

Legal Affairs Department

The Legal Affairs Department executes control over legal risk, and assists in evaluating business and legal documents, contracts, and other matters that may involve legal risk.

Information Departments

The information departments shall implement information security risk control to help avoid information security risks that could jeopardize the normal operation of related information systems due to intentional external intrusion or internal misuse, leakage, tampering, or destruction of information assets.

Business Units

Each business unit shall review each risk management specification in its entirety and comply with each risk management specification prior to the execution of each operation.

The risk management organization of the Company follows a “three lines of defense” model, with each line having clearly defined organization, responsibilities, and functions to ensure the effective implementation of risk management mechanisms.

Risk Management Policy

In order to establish the Company’s risk management standards, and ensure that its risk management is comprehensive, effective, and reasonable, Yuanta has set in place its risk management policy to serve as guiding principles for its risk management system. The Company's risk management systems shall adhere to this policy, and shall be set after taking into consideration the various risk attributes faced and their potential impact on the Company's operational stability and capital security.

The Company’s risk management system shall cover company-wide operational risks, legal and compliance risks, and environmental risks. Subsidiaries shall establish a risk management system in accordance with the Company's risk management policy and the regulations of the local competent authorities that is consistent with their business portfolio, business scale, and capital size, in order to effectively manage the various risks they undertake. Each subsidiary has established an appropriate risk management policy based on its business portfolio, business scale, and capital size. The Company continuously reviews the risk management policies of each subsidiary to ensure that it can effectively manage the various types of risks to which it is exposed.

The major categories and components of the Company’s and each subsidiary’s operational risk are as follows:

Market Risk

Market risk refers to the risk of market prices, volatility, or other related changes that can result in losses to the Company's financial position. Market prices can include indexes, stock prices, interest rates, exchange rates, products and credit premiums. The market risk management principles of the Company and its subsidiaries include the setting of risk early-warning indicators, risk limits and quantitative values of risk based on the Company’s risk tolerance level to accurately estimate potential losses and effectively control market risk. Our value at risk (VaR) measurement model uses as a risk measure the maximum expected loss over the next trading day, which is estimated at a 99% confidence level.

Credit Risk

Credit risk refers to risk arising from the following situations:

  • Instances in which a bond (bill) issuer, borrower, counterparty, or custodian violates their contract, experiences bankruptcy or liquidation, or otherwise fails to uphold their contractual obligation to discharge debt liabilities, resulting in the risk of losses;
  • Instances in which a bond (bill) issuer, borrower, or counterparty’s guarantor violates their contract, experiences bankruptcy or liquidation, or otherwise fails to uphold their contractual guarantee liabilities, resulting in the risk of losses;
  • Instances in which the underlying instrument of a financial product experiences weakened credit or has its credit rating reduced, or in which the issuance contract of a financial product is violated, resulting in the risk of losses.

The Company and its subsidiaries set separate credit risk management mechanisms based on their respective risk attributes:

  • Credit authorization risk: using a credit rating or credit scoring model to classify and manage credit authorization cases and strengthen the credit risk measurement mechanism, in order to improve credit asset quality; using an early warning mechanism integrated with the middle-term management platform, and immediately initiating post-authorization credit management and response measures, in order to reduce potential losses from credit risks.
  • Financial transaction credit risk: in order to obtain an integrated view of the financial transaction credit risk distribution of the Company and its subsidiaries and to closely monitor any changes in their financial transaction credit exposure, the Company has not only implemented internal credit rating systems and credit risk classification and management to effectively evaluate and control financial transaction credit exposure, but has also established a credit early warning system and notification procedures to effectively respond to credit incidents.

Market Liquidity Risk

Market liquidity risk refers to the risk that a lack of continuous market trading volume, or a market disruption leading to a clear decline in trading volume, causes the sale of assets or the closing of positions in progress to incur losses. To reduce market liquidity risk, the Company and its subsidiaries have set specific guidelines for liquidity positions and potential loss limits based on their respective business areas and financial product characteristics, in order to ensure the market liquidity of the Company's overall positions.

Asset-liability Matching Risk

Asset-liability matching risk includes asset liquidity risks and interest rate risks. Asset liquidity risk refers to situations in which assets cannot be sold in a timely manner or external financing cannot raise sufficient capital, causing a risk of inability to meet scheduled payment obligations. Interest rate risk refers to fluctuations in market interest rates which cause the net interest income of interest-bearing assets and interest-bearing debts to face risks from adverse changes.

The Company and its subsidiaries’ asset liquidity risk management is based on the characteristics of its various business areas, and sets in place appropriate asset liquidity risk monitoring standards, pre-assessment of potential funding gaps, effective control of overall asset liquidity risks, as well as setting in advance capital movement plans sufficient to respond to systematic risk events, in order to strengthen the asset liquidity risk management capabilities of the Company and its subsidiaries.

The Company and its subsidiaries’ interest rate risk management includes identification and measurement of interest rate repricing, yield curve risk, basis risk, options features, and other sources of risk, as well as using quantified monitoring indicators to set early warning values for evaluation, in order to effectively control the negative impact of interest rate changes on the net interest income of the Company’s interest-bearing assets and interest-bearing debts.

Large Exposure Concentration Risk

Large exposure concentration risk refers to the concentration of business in a specific risk factor, such that an unanticipated change in that risk factor can lead to significant losses for the Company. The Company and its subsidiaries have established large risk exposure management systems, which cover credit authorization, investment, and business transaction risks, and monitor overall risk exposure concentration levels on a same person (enterprise), same Group, same industry, and same country basis.

Insurance Risk

Insurance risk refers to the risk of loss due to unanticipated changes arising when the insurance business, having received premiums, assumes the risks transferred from the insured and pays claims and related expenses according to the contract. Insurance risk management covers product design, pricing, policy underwriting, reinsurance, catastrophe insurance, claims, reserves, and other types of risk.

The Company's insurance subsidiary has managed insurance risks by setting standard operating procedures and management mechanisms, and implementing a monitoring mechanism to effectively strengthen the Company's insurance risk management abilities.

Operational Risk

Operational risk refers to the risk of losses arising directly or indirectly from negligence or errors in internal operations, staff or systems, or from external events. The Company and its subsidiaries’ operational risk management is based on the principle of implementing the standard operating procedures and control points established in the internal control and internal audit systems, and ensuring the functioning and effectiveness of control points and check points through regular self-assessments of internal controls. Additionally, the Company strengthens its overall operational risk management through the gradual establishment of operational risk management mechanisms such as operational risk incident reporting, standard operating procedure reviews, operational risk measurement, risk control, and self-assessments.

Information Security Risk

Information security risk refers to the extent to which the normal operation of business-related information systems is affected or jeopardized by the improper use, leakage, tampering, or destruction of information assets, whether caused by human negligence, intentional acts, or natural disasters. In order to strengthen information security management and ensure the availability, integrity, and confidentiality of information, the Company and its subsidiaries have established an information security policy approved by the board of directors, with which all employees of the Company and its subsidiaries and the personnel assigned by outsourcing companies must comply in order to maintain information security.

Human Resources Risk

Human resources risk refers to the risk related to human rights issues of employees and the development and management of human resources of the Company, such as attracting, retaining, and developing talents.

Emerging Risks

Emerging risks refer to new types of business or new types of risks that may have adverse effects on future business operations due to the failure to identify and evaluate risks.

Compliance Risk

Compliance risk refers to the risk of incurring penalties from the regulatory authorities, resulting in significant financial or reputational loss, when the Company engages in business activities without fully complying with relevant laws and regulations. The Compliance Affairs Department of the Company and its subsidiaries is responsible for the planning, management, and implementation of the legal compliance system and for establishing the system for legal dissemination, consultation, coordination, and communication. The department is also responsible for ensuring that all operational and management guidelines comply with the law and are updated in a timely manner; issuing opinions on the legality of, and granting approval to, the Company’s internal regulations; analyzing each department’s material legal compliance weaknesses or malpractice and submitting improvement plans; and assessing the effectiveness of each department’s legal compliance procedures, in order to ensure the effective implementation of the Company’s legal compliance system.

Legal Risk

Legal risk refers to the risk of potential loss arising from a contract being invalidated because it lacks legal validity, from ultra vires acts, from the omission of terms and conditions, or from inadequate regulations. The Legal Affairs Department of the Company is responsible for the preparation, review, and management of external contracts, for legal disputes, and for consultation on and handling of legal matters related to litigation and non-litigation cases.

Risks of Money Laundering and Financing of Terrorism

Risks of money laundering and financing of terrorism refer to the risks that the business is abused for money laundering or financing of terrorism activities. In order to ensure the Company’s compliance with anti-money laundering and countering the financing of terrorism laws and regulations, the Company has established an anti-money laundering and countering the financing of terrorism policy as a management mechanism to identify, measure, and monitor risks of money laundering and financing of terrorism.

Integrity Management Risk

Integrity management risk refers to the risk that a director of the board, supervisor, manager, employee, or person with substantial control over the Company will directly or indirectly offer, promise, request, or receive any improper benefit or commit other unethical conduct such as breach of good faith, wrongfulness, or breach of fiduciary duty in the course of engaging in business activities in order to obtain or maintain benefits. The Company has established a mechanism to assess the risk of unethical conduct, and regularly analyzes and evaluates the business activities with higher risk of unethical conduct within the scope of business, so as to formulate a prevention plan and regularly review the appropriateness and effectiveness of the prevention plan.

Environmental Risk

Environmental risk refers to the risk of greenhouse gas emissions management, carbon rights management, energy management, and other related issues in response to climate change and natural disasters, as well as the risk of compliance with international and local environmental regulations such as the management of air, water, waste, toxic substances, noise, and emissions or environmental impact assessment (EIA) requirements.

Emerging Risks

With increasing global regulatory requirements, the rapid development of emerging technologies, and the threat of climate change, risk management in the financial industry will undergo tremendous changes. To respond to this trend as early as possible, Yuanta Financial Holdings has completed the identification of emerging risks together with follow-up plans and actions, in order to further enhance the efficiency and effectiveness of risk control.

The table below lists each emerging risk factor with its risk description, potential operational impact or influence, and response plan.

Risk Factor: Environmental Governance (including Climate Risk Management) and Sustainable Operation
Risk Description: Violation of the relevant environmental protection laws and regulations of the competent authority, failure to grasp ESG-related business opportunities, failure to control risks and grasp opportunities arising from climate change, and failure to comply with international trends or standards such as sustainable operations.
Potential Operational Impact or Influence: According to a paper by the Bank for International Settlements (BIS), climate change threatens to trigger a “green swan” event that could set off a systemic financial crisis unless government authorities take action against climate change risks, so governments and enterprises around the world must respond in advance. In addition, violation of the competent authority’s environmental protection laws and regulations could result in penalties or damage to the Company’s credibility, and ESG, climate change, or sustainability issues could lead to loss of business opportunities or increased operating costs.
Response Plan:
  1. Identify and establish sustainability organizations;
  2. Promote the implementation of relevant environmental protection measures;
  3. Establish the TCFD project to continuously review and evaluate the impact of climate risks on the Company’s finances, and continue to strengthen the Company’s management of climate risks;
  4. Adopt international standards such as ISO certification;
  5. Participate in social welfare activities and care for society.

Risk Factor: Risk of Infectious Diseases
Risk Description: Large-scale diseases that are highly infectious, cause severe symptoms, and have no effective treatment or medicine; community infections spread by the movement of people cause a large number of deaths in cities or countries, and may even necessitate widespread isolation.
Potential Operational Impact or Influence:
  1. The Company is affected by the epidemic, resulting in personnel isolation and increased operating costs, and in the most serious case an interruption of operations;
  2. Increase in credit risk due to reduced orders, declining operating income, and interruption of operations at customers affected by the epidemic;
  3. Abnormal fluctuations in financial markets caused by the epidemic, resulting in increased losses in the Company’s investment positions.
Response Plan:
  1. Set up an epidemic prevention team to plan and direct Company-wide epidemic prevention procedures, such as conducting epidemic prevention campaigns, splitting offices across different locations or working from home, implementing epidemic prevention measures for personnel, and increasing the frequency of disinfection;
  2. Assist customers with epidemic prevention and reduce the impact of the epidemic on customers;
  3. Monitor the situation in regions or countries affected by the infectious disease, and inspect and assess the possible extent of the impact on risk-exposed positions, in order to reduce the impact of losses.

Risk Factor: Digital Finance and Information Security
Risk Description: Data breaches, hacker intrusion, fraudulent financial transfers, and theft of customer personal data.
Potential Operational Impact or Influence: According to a study by Trend Micro, the convenience of having a financial account on the go also presents a profit opportunity for cybercrime syndicates as the financial industry moves more aggressively than ever toward the convergence of information technology (IT) and operational technology (OT). Although new regulations have particularly strengthened the relevant provisions on cybersecurity and privacy protection, the financial industry and its customers remain the primary targets of cybercrime groups. This situation will not change in the short term and highlights the fact that the financial sector has become a major target for hackers, potentially causing significant financial losses, damage to company reputation, and penalties from the competent authorities.
Response Plan:
  1. Implement a management system: the Company has implemented the ISO 27001 Information Security Management System (ISMS) and passed British Standards Institution (BSI) certification to strengthen the monitoring and management of information security;
  2. Enhance employees’ awareness of information security and regularly conduct protective and backup drills to improve the ability to respond to emergency information security incidents;
  3. Strengthen defense in depth: deploy internet firewalls, web access interceptors, access detectors, spam filters, and APT protection for malicious mail to prevent external intrusion; enhance control of outgoing mail and data transmission with a mail auditing system, internet DLP, and mobile endpoint DLP.