Risk and Information Security Management

Risk Management Mechanisms

Our perspective on risk management is threefold: to protect and increase company value, to structurally and systematically assess existing and potential risks the company may face, and to respond with decisions that align with the company’s operational goals and strategies. We believe this view provides more opportunities for promoting continuous improvement. As an international leader in our industry, we continue to pay attention to and improve upon a range of risk management topics.

In preparation for emerging risks and any other possible risks that may interrupt our business operations or damage our reputation, we established the company’s Risk Management Policy in 2008 and Business Continuity Plan in 2009. By regulating how operations are managed when a risk is identified, we are not only able to minimize any possible impacts and influences when a risk actually occurs, but we are also in a position to respond accordingly and adapt as necessary. Furthermore, whenever we face risk, we strive to provide transparent, immediate communication with any and all stakeholders who might be affected.

Improvement plan

The year 2020 saw sweeping changes occur in many industries worldwide. Changes in international trade, the subsequent wave of digitalization following the impact of the COVID-19 pandemic, and cybersecurity incidents were major risks that Advantech has faced in the past year. We therefore believe it essential to reinforce existing organizational structures and procedures pertaining to risk management. In late 2020, we held several meetings to discuss how to improve the company’s risk management. In addition to reviewing our risk management governance framework, the operation of the risk management committee and our SOP for risk management, we plan to complete updating relevant guidelines in 2021 Q1. In the future, we also plan to promote risk management in a more systematic and structured manner. At the beginning of each year, we will review both existing and emerging risks in our operations and quantitatively confirm any major risks. The Risk Management Committee will then review and follow up on the assessment each quarter, and any major risks that are identified will be presented to the Board of Directors and the Auditing Committee to be discussed and traced. The plan will then be adjusted quarterly based on actual risks and impacts.

Emerging risk

In 2020, Advantech identified two new emerging risks: (1) violation of the United States’ prohibited transaction list, and (2) information security risk. Information security risk is explained here.

Risk management of violating the United States’ prohibited transaction list.

Background

The Bureau of Industry and Security (BIS) of the United States Department of Commerce announced compliance risks related to the export control list.

During the US–China trade war, the United States made a prohibition list, banning US companies and global products involving US technologies from trading with companies on the prohibition list. For Advantech, only a small number of products were sourced from companies on the list. Currently, we have complied and have ceased trading with those companies. This has had only a minor influence on our operations. We will continue to observe the situation with the US–China trade war to decide whether we will resume trading. Violation of the US prohibition of trading may, in the most severe case, result in products being prohibited from sale in the US and criminal charges being pressed.

Preliminary response measures

Legal affairs personnel to monitor the BIS prohibition list and provide timely information on compliance

Advantech’s Legal Department cooperates with the company’s internal forwarding departments for imports and exports in order to monitor relevant trades

Risk Assessment, Management, and Control

Category

Risk

Management strategy

Material procurement risks

Risk

Management strategy

Shortage risk

Supplier management
When Advantech takes on a new supplier, we require them to sign a procurement contract to ensure that delivery times, product quality, and warranty regulations are all met. In particular, suppliers are required to immediately report any delivery delays resulting from either natural or human-made disasters.

Safety stock
For common electronic components, we have mechanisms in place to establish and manage secondary sources. For major materials, we have safety stock to avoid the risk of material shortages or quality issues.

Centralized procurement
Advantech’s approach to material procurement management is diverse. Specific procurement personnel are designated to monitor the market, and weekly and monthly meetings are held to examine market dynamics. We adopt a centralized procurement strategy and have built up a preferred vendor list of outstanding suppliers. Through convergence and concentration, we achieve high-efficiency cooperation with suppliers, thereby ensuring high-quality materials and stable delivery.

Financial risk

Risk

Management strategy

Exchange rate risk

Advantech’s operational activities and the net investment of foreign operating organizations are primarily conducted in foreign currencies. To avoid losses on foreign currency assets and fluctuations in future cash flow due to changes in exchange rates, we leverage the pre-sale of foreign currency hedging contracts to reduce risk. The hedge rate for 2020 was 0%–75%.

Interest rate risk

Advantech holds bank savings under floating interest rates. We regularly monitor the interest rate risk, which is reviewed by management. When needed, we consider taking essential hedging measures on significant interest rate risks.

Other price risks

Advantech holds listed and OTC equity securities investments as well as beneficial certificates of open-end funds. The risk is controlled by holding portfolios of varying risk. Also, because the price risks for Advantech primarily center on equity instruments and beneficial certificates of open-end funds in Taiwan, the risk is relatively low.

Credit risk

To reduce financial losses due to trading partners delaying the fulfillment of contractual obligations, Advantech has a designated team responsible for determining credit limits, approving credit, and other monitoring procedures to ensure that appropriate action is taken on overdue receivables. In addition, on daily balance sheets, we review the amount of money that can be retrieved to ensure that receivables that are not received will be recorded as an impairment loss.

Liquidity risk

Through effective management and by maintaining sufficient cash and cash equivalents, Advantech can support operations and reduce the impact of cash flow fluctuations. Management supervises the bank financing limits and ensures that the company complies with any and all loan contract terms. The ultimate responsibility for liquidity risk management lies with the Board of Directors. Advantech has established an adequate liquidity risk management framework to respond to short-, mid-, and long-term demands in financing and liquidity management.

Information security risk

Risk

Management strategy

Cybersecurity threats

On the basis of information security policies and the ISO/IEC 27001:2013 standard, the Information Security Governance Taskforce establishes, implements, maintains, and continues to improve the information security management system.

Climate change risk

Risk

Management strategy

Transformation risk

situation on greenhouse gas emissions and energy use. Carbon reduction goals are then based on the inventory results. Consider government policies on using renewable energy when planning the purchase of renewable energies and obtaining licenses and carbon credits. Ensure service quality and provide green and low-carbon products and services.

Physical risk

Establish risk management procedures and build disaster prevention and response capabilities. Consolidate supplier assessment mechanisms to strengthen supplier quality and environmental management ability. Increase the number of approved backup suppliers. Each year, regularly conduct supplier audit management.

Information security management

Information security policy guidelines

Advantech strives to offer reliable and secure solutions for customer projects. In the face of emerging and evolving cybersecurity threats, we have proposed the following information security policy guidelines:

Establish a designated information security organization and management procedure to ensure the confidentiality, integrity, and availability of Advantech’s information assets. Value and protect the data privacy of all users and clients. Offer comprehensive security measures and improve system availability and reliability.

Incorporate IT backup mechanisms as well as reliable and secure backup solutions. Regularly host disaster drills to help control any potential damage the company may experience from interruptions.

For critical operating systems and operating activities, obtain third-party information security certification. Regularly conduct external inspections, especially for production and assembly plants and critical e-commerce platform websites.

Information security governance organization

Information security governance operation

Advantech establishes, implements, maintains, and continuously improves its information security management system in accordance with the ISO/IEC 27001:2013 standard. The processes involved in the Information Security Management System (ISMS) are based on the following PDCA model.

Information security reinforcement

In response to the emerging Ransomware-as-a-Service (RaaS) cybersecurity threat, we are reinforcing the following four aspects: