Our Focuses|Corporate Governance|Risk Management

Corporate Governance

“Business integrity” is the foundation of the sustainable operation of the enterprise, and it is the highest corporate culture and spirit of Winbond. Winbond is committed to formulating comprehensive corporate governance regulations and management processes, and continuously monitoring and improving processes. With the efforts of all colleagues, Winbond has been ranked in the top 20% since the first TWSE Corporate Governance Evaluation. Moving forward, we will continue to embrace a corporate culture founded on business integrity, establishing a trustworthy and reputable company.

SDGs 17 Partnerships for the Goals
SDGs 13 Climate Action
SDGs 8 Decent Work and Economic Growth

Renewable energy investment

955

million

International Voluntary Carbon Credits

13500

tons of CO2e

Integrity and ethics education and training for all directors and employees

100

%

Risk Management

Risk Management

Winbond belongs to the semiconductor manufacturing industry. Facing natural disasters, accidents, human-made incidents, changes in international political and economic situations, the emergence of new technologies, and changes in policies and regulations may all cause serious impacts on its operations and finances. Therefore, Winbond established a "Risk Management Committee" under the Board of Directors. This committee is one of the functional committees and organizes existing departments or units responsible for risk to enhance the overall risk management organizational structure. It formulates sound internal management regulations and operating procedures for each unit's scope of responsibility and conducts risk management.


Risk Management Committee Organizational Structure

*The Risk Management Team is currently led by Deputy CEO Chan, and its members include the President, Executive Vice President, Vice Presidents, Assistant Vice Presidents, and a total of 13 executive managers. The team is responsible for identifying, assessing, and implementing risk control plans across four major risk scopes and 17 specific risks. They establish both qualitative and quantitative management standards to enhance risk control practices and regularly report risk management outcomes to the Risk Management Committee.

 

In 2023, Winbond revised the "Risk Management Committee Chapter" and formulated the "Risk Management Policy and Procedures" after receiving approval by the Board of Directors. It actively manages the four major types of risks faced by contemporary enterprises: "strategic," "operational," "financial," and "information security." It develops comprehensive plans and processes for pre-assessment, risk avoidance, loss prevention, and crisis management for various operational activities and regularly reports to the management and governance units to ensure that all corporate risk control goals are achieved. The risk management team should pay attention to the development of international and domestic risk management systems and changes in internal and external operating environments, adjust control mechanisms, report to the Risk Management Committee and the Board of Directors for approval, and enhance the effectiveness of risk management implementation. For details on the operation of the Risk Management Committee, please refer Functional Committee.

 

The company’s internal audit department is under the Board of Directors. Select audit items and frequency based on risk assessment results. It drafts an audit plan, which, after approval by the Board of Directors, is executed to assess the operational effectiveness of the internal control system. Audit reports are prepared accordingly, and follow-up reports on findings and recommendations are regularly submitted until all findings are resolved. To ensure that relevant units have taken timely and appropriate corrective actions, continuously enhancing the effectiveness of the risk management mechanism.


Internal audit department also ensures that all departments and subsidiaries regularly conduct self-assessments of the implementation of the internal control system. Risk management factors are incorporated into the annual internal control effectiveness verification process to conduct audits on organizational operations and risk management. 2023 self-assessment of the internal control systems and the audit tasks of the internal audit department were completed in January 2024.
 

 
4 Scope of Risk Management
Ⅰ- Strategic Risk

 

①Political Change
②Technology Change
③Industrial Change
④Climate Change

Ⅱ- Operational Risk

 

①Operational Planning, Execution, and Crisis Management
②Product Quality Management

③Environmental, Health, Safety, and Carbon Rights Management
④Global Human Resources Management
⑤Intellectual Property Management
⑥Internal Control Management

Ⅲ- Financial Risk

 

①Exchange Rates and Interest Rates
②Financial Operations
③Investments

Ⅳ- Information Risk

 

①Information Management
②Information Security Protection

 

 

 

 

Winbond Risk Management Policy and Procedures

 includes but not limit to: ❶ Risk management objectives. ❷ Risk management organizational structure and responsibilities. ❸ Risk management procedures.

 

Winbond Risk Management Objectives

Winbond aims to manage various risks that may impact the achievement of company goals through a comprehensive risk management framework. By integrating risk management into operational activities and daily management processes, Winbond aims to achieve the following objectives: ❶ Achieve company goals. ❷ Enhance management efficiency. ❸ Provide reliable information. ❹ Allocate resources effectively.

 

Risk Management Procedures

Winbond's risk management procedures include at least five elements: risk identification, risk analysis, risk assessment, risk response, and supervision and review mechanism. The specific procedures and methods for each element are as follows:

 
 
Risk Identification
 
 
Risk Analysis
 
 
Risk Assessment
 
 
Risk Response
 
 
Supervision
and Review

 

Risk Identification
  • Each functional unit and subsidiary should identify the risks of the short-, mid-, and long-term objectives and the business operations based on the company's risk management policies and procedures.
  • Various feasible analysis tools and methods (such as process analysis, scenario analysis, questionnaire surveys, PESTLE analysis, etc.) should be used for risk identification. Risks should be analyzed from both topdown and bottom-up perspectives, considering internal and external risk factors, stakeholder concerns, etc., to comprehensively identify potential risk events that may affect the company's goals or cause losses or adverse impacts.

     

Risk Analysis

Each functional unit and subsidiary should analyze the probability and impact of identified risks based on existing control measures, past experiences, industry cases, etc., and calculate the risk value accordingly. 

  • Risk Analysis Measurement Standards: 
    • The risk management team should establish appropriate quantitative or qualitative measurement standards based on the company's risk characteristics as the basis for risk analysis.
    • Qualitative measurement standards refer to expressing the probability and impact of risk events through textual descriptions, while quantitative measurement  standards refer to expressing the probability and impact of risk events through specific measurable numerical indicators (such as days, percentages, amounts,
      numbers, etc.).
  • Risk Appetite:
    • The risk management team should develop risk appetite (risk tolerance) and report it to the Risk Management Committee and the Board of Directors for determining the company's acceptable risk threshold. Based on the risk appetite, the risk management team should discuss the corresponding risk levels for each risk value and the response methods for each risk level, serving as the basis for subsequent risk assessment and risk response.

 

Risk Assessment:
  • Each functional unit and subsidiary should, based on the results of risk analysis, align with the risk appetite approved by the Risk Management Committee and the Board of Directors. They should then plan and execute subsequent risk response measures according to the risk levels.
  • The relevant results of risk analysis and assessment should be accurately documented and reported to the Risk Management Committee.

 

Risk Response
  • After assessing business risks, each unit should propose appropriate risk response measures and control operations and report them to the risk management team for review.

 

Supervision and Review
  • The risk management team should regularly report the implementation results of risk management procedures to the Risk Management Committee as a reference, and report major risk events to the Risk Management Committee and the Board of Directors, as necessary.

 


Winbond has included climate change risk into the long-term operation and management of the enterprise, and in order to understand its impact on the environment and operations, since 2021, Winbond has adopted the Task Force on Climate-Related Financial Disclosures’ (TFCD) framework, and based on the observation on international regulatory trends and market outlook, every year, we regularly identify and disclose the financial impacts of climate-related risks and opportunities (both quantitative and qualitative), providing comments on the situation as well as proposing a management strategy. Winbond will continue to monitor the impact of risks brought by the climate, strengthen the company’s operational capabilities, promote various carbon reduction plans, improve energy efficiency, and steadily move towards sustainable development. Please refer to Climate Change Management for detailed information.

Risk Analysis Table

Strategical Risk

 

Operational Risk

 

Financial Risk

 

Informational Security Risk

 
Risk TypeDescription of Impact AssessmentResponse MeasuresResponse / Performance Management
Geopolitical
and Economic
  • International situation risk: G2 geopolitical disputes have formed two major market segments dominated by China and the United States. The Chinese market has gradually turned to domestic products, while the European and American markets have gradually stopped using products
    produced by Chinese companies
  • In response to the globalization market structure (globalization) , it is rapidly developing towards regionalization (localization), actively expanding the European, American, Japanese and Korean markets and international Tier -1 customer orders, and developing Tier -1 High value-added products required by customers
  • Listed in the annual plan and regularly review the plan
Technological
  • Technological and technical risk: PIM (Processor in Memory) technology may have a significant impact on traditional chip computing architecture; NOR Flash is approaching the limits of device performance and shrinkage
  • Pay close attention to PIM technology and invest some R&D resources in research and development
  • In addition to process R&D and emerging memory research, we strengthen research on the integration of heterogeneous memory and logic chips to generate innovative applications in large-capacity and fast read-write memories
  • Listed in the annual plan and regularly review the plan
  • Technology development risk: New technology development may encounter unforeseen difficulties, leading to delays in the development schedule
  • Maintain a strong relationship with major equipment suppliers to engage and exchange the latest solutions
  • Implemented TFMEA analysis to assess potential risks in advance and seek effective solutions
  • Regularly hold technical seminars with major equipment suppliers
  • Technology development periodic review TFMEA
Industrial
  • Geopolitical and competitive risk: G2 may cut customers and markets, affecting future performance scale. At the same time, science and technology are changing with each passing day, and industry models are shifting rapidly. If technology and products are relatively backward, the impact might be significant
  • Develop a decentralized production strategy, understand the needs of specific customers, and reduce the risks and impacts that G2 may bring
  • In response to geopolitics and customer requirements, seek to diversify production bases and expand global markets; actively innovate to enhance product differentiation, and develop high-end customers to enhance operational competitiveness 
  • Strengthen partnerships with key customers; hold regular meetings to understand customer needs; and ensure consistency of long-term development blueprints for both parties
  • Study the ecological chain of each application, understand its pain points and proactively provide customer
    solutions
  • Adjust operating strategies and include them in annual plans
  • In response to the rapid shift of industry paradigms, technology and product development can be adjusted immediately, and the organization can be adjusted in a timely manner
Climate
  • Climate change risk: In the context of global warming and extreme climate intensification, transition climate risks and physical climate risks may have an impact
  • Introduce the TCFD management structure to identify the sources of climate risks and assess their impacts, and formulate mitigation and adaptation measures accordingly to reduce the impact of climate risks and enhance the company's operational resilience
  • Published a climate-related financial disclosure report (TCFD) to review Winbond’s operational resilience in facing
    climate issues and improve information transparency
  • Energy demand risk: Renewable energy is not easy to obtain, and the production of low-carbon products is limited; energy costs increase, and production costs increase
  • Carbon pricing risk: indirect costs increase, suppliers pass on costs, and procurement costs increase
  • Set a goal of using green electricity in CTSP Fab
  • Plan and purchase renewable energy power, and evaluate investments in renewable energy projects
  • Promote water-saving measures; install water storage equipment; increase the proportion of recycled water
  • Conduct energy resource usage surveys on suppliers every year to understand scope 3 carbon emissions and suppliers’ carbon management levels, further plan reduction measures, and conduct regular tracking and communication
  • The renewable energy usage rate of CTSP Fab in 2023 is 0.4%
  • The water recovery rate of the Fabs in 2023 is 82.2%
Risk TypeDescription of Impact AssessmentResponse MeasuresResponse / Performance Management
Planning,
Executing, and
Emergency
Management
  • Operational risk: Due to increased shipments or unexpected quality abnormalities, it is necessary to quickly find out the real cause and propose improvement plans to avoid causing quality problems in the customer's products in the end market
  • Utilize the latest instruments, quality management techniques and comprehensive education and training to strengthen the analytical ability to independently inspect product abnormalities, quickly implement improvement plans, improve interaction with customers and obtain immediate feedback, build mutual trust and increase cooperation opportunities
  • Promote Zero Defect 2.0 activities and implement them in all units of the company
Product
Quality
Management
  • Quality improvement risk: Various requirements arising from customer product upgrades or development of new product applications, including: increasingly stringent product reliability and validity specifications, requirements for continuous improvement of yield rates, requirements for early introduction and use of new technologies for manufacturing, etc. Causes the quality of newly manufactured products to face unprecedented challenges
  • In the face of emerging quality challenges, big data quality analysis and machine learning have been used to accelerate quality improvement; at the same time, new design tools are applied to improve product stability as well
  • Kaohsiung Fab uses digital transformation to increase Virgin Yield
Environment,
Safety, and
Health
  • Epidemic risk: the impact of the epidemic on personnel health or loss of business interruption
  • Implement epidemic prevention management regulations, such as implementing separate warehouses and stratification for working from home according to changes in the epidemic, maintaining indoor air circulation and regularly cleaning the environment
  • Regularly / irregularly, senior managers hosts epidemic prevention meetings and conduct rolling reviews of epidemic prevention management measures
  • There were no personnel health impacts or operational disruptions caused by the epidemic in 2023
Carbon Credit
Management
  • Liquidity risk: The domestic carbon rights market trading and swap regulations are not yet mature, and may face risks such as insufficient liquidity in carbon rights trading and high volatility
  • Join the Singapore Carbon Exchange (CIX) and the Taiwan Carbon Exchange (TCX) to increase access to diverse carbon rights and continue to pay attention to the progress of carbon rights swap regulations
  • Participate in voluntary carbon rights market transactions and continue to track changes in carbon price trends
  • Starting from 2022, Winbond has been participating in voluntary carbon rights market transactions and continuously expanding its channels for obtaining diversified carbon rights to respond promptly to market changes. As of 2023, carbon rights issues have had no negative impact on Winbond's operations
Global Talent
Management
  • Human rights risk: Ignoring human rights in corporate governance may bring risks of legal action, supply chain misconduct, regulatory compliance issues, brand reputation damage, and loss of support from socially responsible investors; ignoring employee trust in the company can also increase the risk of losing talent
  • Implement human rights education and training, with a global training rate target of 100%
  • Conduct human rights due diligence every three years to understand potential risks
  • Chairman signed Winbond Human Rights Policyin 2022
  • Conducted the first company-wide human rights due diligence in 2022. Among the 28 issues, there were no high-risk issues that require immediate resolution
Patent Risks
Management
  • Infringement risk: May constitute an illegal act and cause the management bears civil and criminal liability in serious cases.In minor cases, it may also cause losses to the company's finances or goodwill
  • Active prevention in advance: The R& D department works closely with the intellectual property department when conducting product design and development to conduct relevant searches, analysis and research on intellectual property rights. If necessary, it will obtain legal authorization or adopt methods such as design around to do its best to avoid infringement
  • Effective response after the fact: In the rare case of being accused of infringement, the legal department immediately workes with relevant units to clarify the facts and actively safeguard the rights and interests of Winbond and its customers
  • Since 2016 to date, Winbond has not been involved in any infringement lawsuits or disputes
  • Intellectual property risks: Unfavorable patent licensing negotiations, increased royalties and the possibility of patent litigation
  • Regardless of whether the rights holder resorts to demanding high royalties or even filing patent litigation based on protection of intellectual property rights, commercial considerations, or other unknown purposes, we actively discuss and develop countermeasures with external lawyers
  • Continue the patent layout of key technologies and consider the quality of the patents as bargaining chips for licensing negotiations or counter-claims
  • Adhering to the principle of seeking win-win results, and relying on mutual respect and rational interaction with rights holders, Winbond has effectively controlled patent-related risks, and no adverse results have occurred to Winbond

 

Risk TypeDescription of Impact AssessmentResponse MeasuresResponse / Performance Management
Exchange Rate & Interest Rate
  • Exchange rate risk: Primarily arises from foreign currency positions related to import and export business, as well as derivative financial instruments associated with corresponding commitments. These measures are implemented to mitigate the exchange rate risk stemming from foreign currency positions
  • When engaging in derivative financial product transactions and selecting objects, the first priority is to consider credit risk to avoid losses due to the failure of the other party to perform the contract
  • Winbond keeps abreast of financial market information, judges trends, is familiar with financial products, regulations and investment operation techniques, and provides sufficient and timely information for the reference of management and relevant departments
  • For derivative financial product transactions, the financial unit regularly evaluates twice a month, prepares reports, and submits them to the head of the financial unit and senior executives authorized by the Board of Directors for review
  • The exchange rate fluctuation risk and the exchange gain or loss in 2023 were both within manageable limits
  • Interest rate risk: mainly from floating interest rates on long-term borrowings incurred for operational needs such as improving manufacturing processes or expanding production capacity
  • Strive for better interest rate conditions based on current market conditions to reduce the impact of interest rate fluctuations. The corporate bonds issued by Winbond have fixed interest rates, are denominated in New Taiwan dollars, and are measured at amortized cost, so interest rate fluctuations will not affect its cash flow and fair value
  • It was estimated that the impact of interest rate changes on the company's operations in 2023 within the controllable range
Financial
Operation
  • Credit risk: Excessive financial leverage or poorer than expected risk assessment may cause the company to fall into credit risks such as default
  • Through continuous and dynamic financial simulation, we can truly understand the company's capital flow and possible future changes in order to reduce uncertainty
  • 2023, in response to operational needs, we raised funds through multiple channels to ensure a stable long-term financial structure
Investment
  • Investment risk: mainly from investment income and asset impairment of strategic investment and financial investment
  • Establish a prudent investment decision-making process, conduct a comprehensive assessment of the technology, products, market, management, finance and other aspects of the investment target before investing, and set different investment decision-making approval standards according to the investment amount; regularly track management and evaluation during the holding period. To maximize investment returns and prevent the occurrence or expansion of losses
  • The financial unit submits management reports quarterly, examining whether there have been adverse changes in the significance of investment targets in terms of finance and operations, and timely proposes disposal recommendations
  • The investment decision-making process in 2023 was in compliance with Winbond’s internal and external regulations of the competent authorities
Risk TypeDescription of Impact AssessmentResponse MeasuresResponse / Performance Management
Cybersecurity
  • Hacker attack risk: may lead to network interruption, data theft / deletion / encryption and blackmail
  • Perform vulnerability and vulnerability management, including completing security monitoring reports and anomaly event analysis on a weekly basis, arranging monthly downtime operations for major Microsoft updates and patching, performing vulnerability scans quarterly, and using Security Scorecard to monitor external service risks, while collaborating with information security advisors and intelligence centers to quickly assess and remediate reported vulnerabilities
  • There was no major security incidents in 2023, and we have been actively repairing high-risk weaknesses to ensure that the Security Scorecard score remains above A class
  • Continuously conduct information security monitoring and reporting and processing of abnormal events, strengthen abnormal event analysis and investigation reports, and plan and implement improvement measures
  • Social engineering attack risk : may result in loss of property and reputation, and increase the risk of hacker attacks
  • Enable the phishing email blocking mechanism and enhance employees’ information security awareness; and organize education and training to enhance employees’ information security awareness
  • In 2023, we completed 12 information security promotions, with a total of 14,500 people trained
  • Effectively blocks phishing emails and handles reported incidents immediately, without any incident
Information
Security
  • Sensitive information leakage risk: may affect the company's competitiveness and corporate reputation, property losses, and legal liability
  • Application of emerging technologies risk: Careless use of generative AI tools may lead to the leakage of sensitive information
  • For sensitive data, evaluate data classification and solutions, and develop data protection and control mechanisms
  • Precautions related to the use of generative AI tools, and evaluate the introduction of technical control tools
  • Completed crafting data protection strategies and preliminary implementation plans as well as the evaluation of data classification
  • Conducted 2 information security promotions and 1 training of using Generative AI tools in 2023
Disaster
Recovery for
Information
Systems
  • Malicious attacks risk: may modify or destroy the data in the system database
  • Establish critical system database backup solutions and recovery procedures
  • Completed the construction of critical system database backup solutions and recovery procedures

For more information on Information Security Management Policy, please refer to: Information Safety.

Emerging Risks

 

Emerging RisksDescriptionImpactMitigating Actions
Geopolitical Risk

The U.S.-China rivalry and Taiwan Strait tensions have posed challenges to Taiwan's semiconductor industry. As trade friction and technological competition between the U.S. and China escalate, Taiwan has become a focal point for both countries. Security issues in the Taiwan Strait are also a concern for global companies, who worry about the stability of Taiwan's supply chain amid political uncertainty, which could impact semiconductor production.


To mitigate their dependence on Taiwan, global companies are urging Taiwanese semiconductor firms to establish production bases in other regions. This strategy aims to diversify risks, ensure the stability of the global supply chain, and shield businesses from potential disruptions due to changes in Taiwan's political situation.
 

In conclusion, Winbond should weigh the high investment costs of globalization in the current volatile global environment and enhance its risk management and contingency planning to stay competitive in the future market.
 

  1. Mainland China is actively supporting the localized semiconductor industry, which will increase the pressure of competition in the market. 
  2. The U.S., Japan, and the European Union are inviting companies to set up factories in their countries, which will increase competition in the market.
  3. The supply of raw materials for semiconductors may be interrupted due to global or Taiwan Strait geopolitical or military actions, which may pose a challenge to operational stability.
  4. Winbond Group's semiconductor business has its main production base in Taiwan. In 2023, approximately 53% of the consolidated turnover will be generated from its own wafer fabrication facilities in Taiwan. The remaining 47% is produced by foundries, with a portion also coming from their Taiwan-based facilities. In the event of a conflict in the Taiwan Strait, operations could be severely impacted.
     
  1. Find out the feasibility of transferring the production of foundry and packaging and testing companies to non-Taiwanese factories and reduce the proportion of manufacturing in Taiwan.
  2. Monitoring the policy direction and implementing localization strategy by paying attention to the policy direction of each country. This includes the localization of product development and manufacturing. 
  3. Establish a second warehousing and shipping center in Southeast Asia to diversify the risk of concentrating the logistics center in Taiwan in the past, and at the same time, provide customers with more response time.
  4. Develop service-oriented business to increase added value and reduce dependence on manufacturing resources.
Risks of AI Applications

In the era of rapid development of AI technology, AI is expected to bring many growth opportunities for enterprises in terms of productivity enhancement, business modeling, and innovation. However, before the technology enters the maturity stage, AI application will also bring multiple and complex risks to enterprises, such as the security and reliability of the AI model itself, AI governance, ethics, privacy, and regulatory completeness, and so on.


In the face of the global development trend led by AI, Winbond has been actively investing in various AI developments and applications. In addition to achieving concrete results in R&D, marketing, production and management, Winbond has also been considering the operational risks brought by AI and taking countermeasures. Overall, Winbond believes that through proactive risk analysis and management, we can accelerate and magnify the benefits of AI on business performance and minimize the negative impacts.

  1. At the stage of rapid development of technology and algorithms, technical issues such as insufficient data and defective models may lead to inaccurate analysis of data and decision-making suggestions, which in turn may lead to wrong business decisions and cause losses.
  2. More and more hackers are targeting the operation of AI, and competitors may use data contamination and parameter tampering to engage in negative business competition.
  3. The application of AI in decision-making may simultaneously create risks in terms of operation supervision, responsibility attribution, and legal compliance.
  4. AI is currently in a stage of accelerated growth, and if the application of AI lags its competitors, it may completely lose its original competitive advantage or even fall behind its competitors in a very short period of time.
  1. Winbond is actively enhancing talent recruitment, training, and algorithm development, while fostering partnerships with the AI industry and academia to improve AI tool quality used within Winbond. 
  2. Winbond is strengthening network security against hackers, besides traditional network security, we focus on AI-specific protections and reinforce measures to prevent and verify hacking in algorithms and program codes, ensuring smooth data and algorithm operations. 
  3. Winbond has established a hierarchical management system where supervisors and operators are accountable for their tasks while leveraging AI to boost productivity. Besides, Winbond continuously optimizing AI interfaces and ensuring legal data use.
    Through our AI strategy of mass trials, rapid screening, and optimized promotion,
  4. Winbond maintains a competitive edge. Dedicated AI teams swiftly assess and implement external tools or algorithms, continuously optimizing and enhancing AI applications as new solutions emerge.