Risk Governance
The Board of Directors has overall responsibility for the governance of risks. The Audit and Risk Committee (ARC) assists the Board of Directors in its oversight of the risk management system, including the review of TSMC’s enterprise risk management (ERM) framework and process for the identification and management of risks, and reports to the Board of Directors on material matters, findings and recommendations pertaining to risk management.
The Risk Management Policy approved by the Board of Directors affirms TSMC’s commitment to a mature and effective risk management system and culture. It assists management in making informed business decisions by integrating and managing all potential risks, providing assurance that TSMC’s risks are known and within its risk appetite and tolerance.

Risk Management Policy
The Audit and Risk Committee supports the Board of Directors in its oversight of risk management.
At the management level, risk management is supported by various committees: the Risk Management Steering Committee, chaired by the Senior Vice President and Chief Financial Officer; the Risk Management Executive Council, chaired by the Director of the Risk Management Division; and Risk Management Taskforces led by risk management champions, all supported by the Risk Management Division.
As part of the annual review of the risk management system, the key risks and mitigation efforts are reviewed by the Audit and Risk Committee at least twice a year in February and August.

Risk Management Organizations
Adhering closely to the International Organization for Standardization (ISO) 31000:2018 Risk Management System and the Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s Enterprise Risk Management – Integrated Framework, TSMC’s enterprise risk management (ERM) framework is a systematic approach that enables the Company to respond to the changing dynamics of the business environment, as well as to capitalize on business opportunities.
The ERM framework specifies the risk governance structure, the management process that integrates business operations, and the tools that facilitate the identification, assessment and monitoring of risks. A formalized training and communication program to build risk competency and foster a risk-aware culture helps management in making informed risk-based decisions while implementing corporate strategies.

Enterprise Risk Management Framework & Procedure
TSMC adopts the Three-Lines of Defense Model to ensure the adequacy and effectiveness of TSMC’s risk management system.
- Under the First Line, management is supported by its respective line functions and committees such as the Risk Management Council, comprising risk management champions, which is responsible for the identification and mitigation of risks (including strategic, financial, operational, and compliance risks) facing the Company. Risk Management Taskforces are formed to manage specific risk areas. Guided by TSMC’s Enterprise Risk Management Framework, appropriate policies and procedures are implemented and operationalized in line with TSMC’s risk appetite to address such risks. Adoption of the 5-step risk management process ensures that risk management is integrated into business operations.
- Under the Second Line, TSMC’s Risk Management Policy is established to enable oversight and governance over the operations and activities undertaken by management under the First Line. The Risk Management Steering Committee supports the Board in its oversight of the effectiveness of the risk management framework. The Risk Management Division works alongside functions and business management to ensure that relevant policies and processes are effectively designed and implemented, so that risks are effectively managed and supported by a risk-aware culture.
- The Third Line comprises independent assurance, including internal and external audit. TSMC conducts internal and external audits of the risk management framework and process periodically, to identify opportunities to improve the effectiveness of risk management and its processes. The Internal Audit Division reports quarterly to the Audit and Risk Committee.

Three-Lines of Defense Model
Business Continuity Management and Crisis Management (BCM & CM)
TSMC is committed to maintaining operational resilience and business continuity by following standards that enable the Company to respond effectively to business disruption. The Company is cognizant of the major threats of natural and man-made disasters, including earthquakes, floods, typhoons, droughts, tsunamis, sandstorms, wildfires, volcanic eruptions, fire, gas/chemical leaks, pandemics, cyber-attacks, supply chain disruption, geopolitical tension, sabotage, failure of critical facilities and equipment, and shortages in utilities such as water, electricity and natural gas – any or all of which could disrupt operations.
To mitigate the operational impact of incidents, the Risk Management Division implements pre-incident risk assessment, response procedures and recovery plans. Exercises and drills are also conducted to validate emergency responses, communication protocols, business continuity plans, and crisis management, enhancing operational preparedness. In a crisis, the crisis management guidelines are followed. The central crisis command center (C4), headed by the Chairman and CEO and composed of senior executives across key functions, provides guidance and decision-making to maintain response readiness, including timely communication to key stakeholders.
Business Continuity Management and Crisis Management (BCM & CM) Framework
TSMC's BCM & CM framework guides the Company in responding effectively and swiftly to business disruptions, thereby safeguarding the interests of the Company and its stakeholders. The framework outlines the governance structure, the processes across the incident lifecycle and the key risk aspects, together with the core capabilities, all supported by a resilient culture.

Risk Appetite and Risk Management Scope
TSMC has defined its risk appetite in statements that outline the nature and extent of risks it is willing to take in pursuit of its business goals:
- The risk taken should be carefully evaluated, commensurate with rewards and in line with the Company’s strategic, investment, financial and corporate & sustainability objectives.
- Risk considerations, including ESG factors, are an integral part of business operations and managed within the risk tolerance of the divisions, of relevant functional units and of the Company itself.
- The Company will not invest or participate in any business activities that exceed its risk tolerance or that conflict with our commitment to ESG principles.
- The Company does not tolerate safety-related breaches or lapses, non-compliance with laws and regulations, or illegal acts such as fraud, bribery and corruption, and extends this zero-tolerance policy to environmental violations, human rights abuses and governance failures.
Following a five-step risk management process – identification, assessment, response, monitoring and review – risk assessments are performed by key functional units to form an enterprise-level risk map and mitigation plans, which are presented to the Audit and Risk Committee. This process is supported by ongoing education and awareness efforts to foster a risk-aware culture and build risk competencies. TSMC recognizes that its systems and processes provide reasonable but not absolute assurance and hence continually strives to improve its ability to manage and respond to risks and to capitalize on opportunities.
Emerging Risks
Effective risk management is dynamic and encompasses the evaluation of both risks and opportunities. TSMC’s risk management framework and processes ensure that these evaluations stay effective and relevant. In a dynamic business environment, the Company recognizes the impact of global and emerging risks on corporate strategy. TSMC continues to scan its environment for risks that could impact its business or operations. Where relevant, these risks are examined and discussed at various forums and by the Risk Management Steering Committee to determine whether any further actions or responses are warranted. TSMC is committed to evaluating all significant risks in a balanced and holistic manner with the objective of delivering sustainable long-term value to all stakeholders.
TSMC’s top emerging risks have been identified as:
- Evolving Complexity in the Cyber Landscape: Advancements in AI, quantum computing, and cloud technologies, alongside geopolitical tensions, have amplified cybersecurity risks. Critical industries tied to TSMC, like semiconductor ecosystems and infrastructure (electricity and telecommunications), face growing vulnerabilities. Cyber incidents could disrupt supply chains, operations, and reputations, causing interruptions, legal scrutiny, and financial losses. Impacts include operational disruptions, confidence erosion, compliance breaches, reputational harm, and costs from recovery efforts and legal issues. Mitigating actions involve regular oversight via the Audit and Risk Committee, multi-layered defenses, simulation exercises, zero-trust systems, boundary shields, external intelligence collaboration, and audits with awareness initiatives.
- De-Globalization and Fragmentation of the High-Tech Industry: Rising national security concerns have accelerated semiconductor self-sufficiency efforts, spurring export restrictions, tariffs, and protectionist policies in major economies like the U.S., China, EU, and Japan. Measures such as onshoring and friend-shoring disrupt supply chains, raise production costs, and undermine globalization by restricting trade, technology flow, and market access. TSMC faces challenges like elevated costs, operational risks, compliance complexities, supply chain inefficiencies, and lost business opportunities. Mitigating actions include developing localized supply chains, strengthening business continuity frameworks, monitoring regulations, diversifying operations, and securing subsidies to adapt to geo-economic shifts.
- Challenges in ESG Transition by 2050: TSMC aims to achieve net-zero emissions by 2050 to meet global standards, and customer demands for sustainable practices. Taiwan's limited renewable energy infrastructure, where most facilities are located, hinders progress and impacts operations, reputation, and customer alignment. Failing to meet net-zero goals risks reputational damage, operational delays, customer loss, revenue impacts, and non-compliance with sustainability regulations. Mitigating actions include forming a Renewable Energy Task Force, low-carbon supply chain management, optimizing energy use, deploying advanced GHG technologies, acquiring carbon credits, building green-certified fabs, innovating carbon capture, and partnering with governments for renewable energy expansion.
Risk Review
TSMC conducts internal and external audits of the risk management framework and process periodically, to identify opportunities to improve the effectiveness of risk management and its processes.
Information Security Risk Management
Information Security and Proprietary Information Protection are TSMC’s commitments to customers, shareholders, and business partners. TSMC has established information security requirements, standards, and practices to continuously enhance the Company’s management system and technology, setting up multi-layer defenses for information security. TSMC regularly performs risk assessments and implements comprehensive risk controls to achieve its information security management goals.
Risk Management in Research & Development
TSMC adopts a proactive, risk-informed approach in its product development lifecycle. Risk considerations are embedded in the research and development process, ensuring that TSMC continues to deliver advanced, competitive semiconductor technologies to its customers.
Financial Risks:
- Investment Optimization: Product development priorities are aligned with strategic investment goals, ensuring that R&D expenditures correspond with projected returns on investment and market demand. TSMC tracks R&D return ratios and product yield improvements to evaluate the effectiveness of investments, ensuring optimized resource utilization and reduced waste.
Regulatory & Compliance Risks:
- Compliance Standards: TSMC monitors regulatory requirements across regions, including environmental laws, export controls, intellectual property protections, and industry standards. Compliance checkpoints are embedded into the design process to guarantee adherence to both global and local regulations.
- ESG Compliance: TSMC performs life cycle assessments (LCAs) during early-stage design to assess environmental risks and ensure energy-efficient and low-carbon innovations. TSMC develops low-power process technologies (FinFET, GAAFET) to help clients meet climate targets. These innovations reduced energy consumption by 30% and water usage by 20%, contributing to measurable sustainability outcomes. New technologies must pass safety, ethics, and environmental assessments before full development or commercialization. This includes minimizing hazardous chemicals, reducing energy and water usage, and improving wafer yield rates to reduce waste. By embedding compliance checkpoints into all stages of development, TSMC ensures adherence to global standards while mitigating regulatory risks.
Operational Risks:
- Supply Chain Sustainability: Technology development is planned with consideration of supply chain sovereignty and U.S.–China tensions. R&D involves vetting the availability and sustainability of critical raw materials like rare earths, gallium, and cobalt. TSMC collaborates with suppliers to ensure ethical and sustainable sourcing, achieving a 90% supplier sustainability compliance rate.
- Environmental Health and Safety: During the research and development phase and prior to any changes in chemical use, TSMC implements a rigorous chemical review and control process, to meet environmental protection, occupational safety and health standards. In 2022, this process achieved a 15% reduction in hazardous chemical consumption, demonstrating measurable progress in environmental safety.
- Emerging Risks: R&D includes developing chips that are more resilient to extreme heat and electrical stress—a growing concern under physical climate risks. Cybersecurity and data privacy risks are also addressed through robust stress testing, reducing vulnerability to breaches by 25%.
Risk Management Academy
The TSMC Risk Management Academy was established to raise risk awareness and competency across the Company. In addition to training on regulatory changes, a series of tailored risk management programs such as trainings, exercises, conferences, and workshops are rolled out on a regular and ongoing basis to equip employees at all levels with risk management knowledge and to foster a risk-aware mindset, enabling them to manage risks in a timely and effective manner.
2025 Accomplishments and Key Enhancements in 2026
Risk Management Initiatives implemented in 2025 & key enhancements in 2026 are summarized below: