Risk Governance

The Board of Directors has overall responsibility for the governance of risks. The Audit and Risk Committee (ARC) assists the Board of Directors in its oversight of the risk management system, including the review of TSMC’s enterprise risk management (ERM) framework and process for the identification and management of risks, and reports to the Board of Directors on material matters, findings and recommendations pertaining to risk management.

The Risk Management Policy approved by the Board of Directors affirms TSMC’s commitment to a mature and effective risk management system and culture that assists management in making informed business decisions, by integrating and managing all potential risks to provide assurance that TSMC’s risks are known and within risk appetite and tolerance.

Figure: Risk Management Policy

The Audit and Risk Committee supports the Board of Directors in its oversight of risk management.

At the management level, it is supported by various committees, including the Risk Management Steering Committee chaired by the Senior Vice President of Information Technology, Materials Management and Risk Management, the Risk Management Executive Council chaired by the Director of the Risk Management Division, and risk management taskforces led by risk management champions, all supported by the Risk Management Division.

As part of the annual review of the risk management system, the key risks and mitigation efforts are reviewed by the Audit and Risk Committee at least twice a year in February and August.

Figure: Risk Management Organizations

Adhering closely to the International Organization for Standardization (ISO) 31000:2018 Risk Management System and the Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s Enterprise Risk Management – Integrated Framework, TSMC’s enterprise risk management (ERM) framework is a systematic approach that enables the Company to respond to the changing dynamics of the business environment, as well as to capitalize on business opportunities.

The ERM framework specifies the risk governance structure, the management process that integrates with business operations, and the tools that facilitate the identification, assessment and monitoring of risks. A formalized training and communication program to build risk competency and foster a risk-aware culture helps management make informed, risk-based decisions while implementing corporate strategies.

Figure: Enterprise Risk Management Framework & Procedure

TSMC adopts the Three Lines of Defense Model to ensure the adequacy and effectiveness of TSMC’s risk management system.

  • Under the First Line, management is supported by their respective line functions and committees such as the Risk Management Council, comprising risk management champions, which is responsible for the identification and mitigation of risks (including strategic, financial, operational and compliance risks) facing the Company. Risk Management Taskforces are formed to manage specific risk areas. Guided by TSMC’s Enterprise Risk Management Framework, appropriate policies and procedures are implemented and operationalized in line with TSMC’s risk appetite to address such risks. Adoption of the 5-step risk management process ensures that risk management is integrated into business operations.
  • Under the Second Line, TSMC’s Risk Management Policy is established to enable oversight and governance over the operations and activities undertaken by management under the First Line. The Risk Management Steering Committee supports the Board in its oversight of the effectiveness of the risk management framework. The Risk Management Division works alongside functions and business management to ensure that relevant policies and processes are effectively designed and implemented, so that risks are effectively managed and a risk-aware culture is fostered.
  • The Third Line comprises independent assurance, including internal and external audit. TSMC conducts internal and external audits of the risk management framework and process periodically to identify opportunities to improve the effectiveness of risk management and its processes. The Internal Audit Division reports quarterly to the Audit and Risk Committee.
Figure: Three Lines of Defense Model

Crisis Management and Business Continuity Management

TSMC is committed to maintaining operational resilience and business continuity by following standards that enable the Company to respond effectively to business disruption. The Company is cognizant of the major risks of natural and man-made disasters, including earthquakes, floods, typhoons, droughts, tsunamis, sandstorms, wildfires, volcanic eruptions, fire, gas/chemical leaks or spills, pandemics, cyber-attacks, supply chain disruption, geopolitical tension, sabotage, failure of critical facilities and equipment, and shortages in utilities such as water, electricity and natural gas – any or all of which could disrupt operations. 

To mitigate the operational impact of crisis events, the Risk Management Division implements pre-crisis risk assessment, response procedures and recovery plans. Exercises and drills are also conducted to validate emergency response, crisis management and business continuity plans and to enhance operational preparedness. In major incidents or crisis events, the crisis management guidelines are followed. The central crisis command center (C4), headed by the Chairman and CEO and comprising senior executives across key functions, provides guidance and decision-making to maintain response readiness, including timely communication to key stakeholders.

Figure: Business Continuity Management (BCM) Framework and Procedure

Risk Appetite and Risk Management Scope

TSMC has defined its risk appetite in statements that outline the nature and extent of risks it is willing to take in pursuit of its business goals: 

  • The risk taken should be carefully evaluated, commensurate with rewards and in line with the Company’s strategic, investment, financial and corporate objectives.
  • Risk considerations are an integral part of business operations and managed within the risk tolerance of the divisions, of relevant functional units and of the Company itself.
  • The Company will not invest or participate in any business activities that exceed its risk tolerance.  
  • The Company does not tolerate safety related breaches or lapses, non-compliance with laws and regulations, or illegal acts such as fraud, bribery and corruption.

Following a five-step risk management process – identification, assessment, response, monitoring and review – risk assessments are performed by key functional units to form an enterprise-level risk map and mitigation plans, which are presented to the Audit and Risk Committee. This process is supported by ongoing education and awareness efforts that foster a risk-aware culture and build risk competencies. TSMC recognizes that its systems and processes provide reasonable but not absolute assurance, and hence continually strives to improve its ability to manage and respond to risks and to capitalize on opportunities.

Emerging Risk

Effective risk management is dynamic and encompasses the evaluation of both risks and opportunities. TSMC’s risk management framework and processes ensure that these evaluations stay effective and relevant. In a dynamic business environment, the Company recognizes the impact of global and emerging risks on corporate strategy. TSMC continues to scan its environment for risks that could impact its business or operations. Where relevant, these risks are examined and discussed at various forums and by the Risk Management Steering Committee to determine whether any further actions or responses are warranted. TSMC is committed to evaluating all significant risks in a balanced and holistic manner with the objective of delivering sustainable long-term value to all stakeholders.

TSMC’s top emerging risks have been identified as:

  • Complexity in the cyber landscape giving rise to sophisticated cyber threats: The adoption of new technologies, such as AI and quantum computing, increases cybersecurity risks, which are further exacerbated by cyber espionage. The semiconductor ecosystem, including suppliers and customers, is also at risk from cyberattacks, which could have a major impact on the supply chain, resulting in business disruption, loss of business opportunities, reputational impact, etc. Mitigating actions include but are not limited to multi-layered defenses, continuous simulation exercises, and supply chain security management.
  • De-globalization leading to the polarization of the high-tech industry: National security is expected to be a growing concern and top priority of major countries, which in turn have deployed strategic actions to secure semiconductor self-sufficiency and localization of supply chains. The multi-polarization of the high-tech industry is weakening globalization and restricting the free flow of goods and technology for geopolitical gain. TSMC’s business might face adverse impacts arising from weakened operational efficiency and resilience, elevated costs, loss of business opportunities, etc. Mitigating actions include but are not limited to risk-based strategic investment planning, localization and optimization of key operational resources, and enhancement of business continuity plans.
  • Climate transition action failure: Climate inaction is one of the major threats to the world. Ineffective responses to the changes needed to achieve a net-zero world pose risks to TSMC’s operations, value chain and markets, notwithstanding measures taken by others to address climate risks and opportunities. Mitigating actions include implementing plans targeting RE100 / net-zero emissions and collaborating with external parties and authorities.

Risk Review

TSMC conducts internal and external audits of the risk management framework and process periodically to identify opportunities to improve the effectiveness of risk management and its processes.

 

Information Security Risk Management

Information Security and Proprietary Information Protection are TSMC’s commitments to customers, shareholders, and business partners. TSMC has established information security requirements, standards, and practices to continuously enhance the Company’s management system and technology, setting up multi-layer defenses for information security. TSMC regularly performs risk assessments and implements comprehensive risk controls to achieve TSMC’s information security management goals.


Risk Management Academy

The TSMC Risk Management Academy was established to raise risk awareness and competency across the Company. A series of tailored risk management programs, such as training, exercises, conferences and workshops, is rolled out on a regular and ongoing basis to equip employees at all levels with risk management knowledge and to foster a risk-aware mindset, so that risks are managed effectively and in a timely manner.

Figure: Risk Management Academy

2024 Accomplishments and Key Enhancements in 2025

Risk Management initiatives implemented in 2024 and key enhancements in 2025, reported to the Audit and Risk Committee, are summarized below:

Figure: 2025 RM Focus