The Board of Directors plays a key role in helping TSMC identify and manage risks. According to the Audit Committee’s charter, approved by the Board of Directors, the Audit Committee is authorized to review TSMC’s enterprise risk management (ERM), including the business continuity management policy and plans, ERM procedures, and their implementation status. The risk management organization annually briefs the Audit Committee on TSMC’s ever-changing risk environment, the key points of TSMC’s ERM, and risk assessment and mitigation efforts. The Audit Committee’s Chairperson also reports to the Board of Directors on the risk environment and the risk mitigation measures to be taken.
TSMC operates an ERM program based on its corporate vision and its long-term, sustainable responsibility to both industry and society, integrating and managing potential sustainability risks including strategic, operational, financial and hazardous risks. ERM seeks to provide the appropriate management of risks on behalf of all stakeholders. TSMC applies a risk management framework (including risk identification and assessment, risk control and mitigation, risk response, risk monitoring and reporting) and a risk map to assess the risk levels by defining likelihood and impact severity of events on TSMC’s operations, and to prioritize controls and implement corresponding mitigation measures.
Scope of Risk Management
- Changes in technology and industry
- Decrease in demand and average selling price
- Changes in the government policies and regulatory environment
- IT security
- Capacity expansion
- Sales concentration
- Purchasing concentration
- Intellectual property rights
- Litigious and non-litigious matters
- Mergers and acquisitions
- Recruiting quality personnel
- Future R&D plans and expected R&D spending
- Corporate reputation
- Change in management
- Interest rate fluctuation, foreign exchange volatility, amendments to tax regulations or implementation of new tax laws
- External financing
- High-risk/highly leveraged investments; lending, endorsements, and guarantees for other
- Impairment charges
Hazardous Event Perspective
- Earthquakes and natural hazards
- Fire or chemical spills
- Climate change
- Utility supply disruption
Risk Management Organization
RM Steering Committee
- Consists of functional heads, with internal audit head sitting in as an observer
- Reports to the Audit Committee of the Board of Directors
- Reviews and approves risk control prioritization
- Reviews and approves continuous improvement for risk management
RM Executive Council
- Consists of director-level representatives from each function
- Identifies and implements risk controls
- Continuously improves risk management practices and effectiveness
- Consolidates ERM reports and updates the RM Steering Committee
- Coordinates and facilitates the RM Executive Council’s risk management activities
- Supports RM task forces to enhance the effectiveness of risk controls
RM Task Force
- Identifies potential scenarios and business impacts
- Plans and executes risk prevention and mitigation actions in accordance with various scenarios
- Establishes crisis management procedures and conducts exercises
Enterprise Risk Management Framework and Procedure
Implementation in 2021
Systemic Risk Management Enhancement
- Current RM task forces perform risk identification and assessment, while the RM program conducts compliance checks, captures lessons learned from major internal and external incidents, and benchmarks against world-class practices. In addition, a series of risk interviews is conducted to identify any unknown systemic risks. Through this cross-functional collaboration, systemic risks are identified and mitigating actions are taken.
New Site Risk Management Enhancement
- Risk assessment is conducted for global capacity expansion projects, and mitigation measures are implemented to address any identified risks.
Third-Party Risk Management Enhancement
- Risk assessment is conducted for key third parties, and mitigation measures are taken to address any identified risks.
Continue Existing ERM Organization’s Activities
- All RM task forces conduct enterprise risk assessment periodically to identify potential risk scenarios and plan prevention, mitigation, crisis management procedures and corresponding exercises.
- The RM executive council meets quarterly to review and follow up on the progress of RM task force activities, including addressing systemic and emerging risks, acting on improvement opportunities identified from compliance checks, and sharing best practices.
- The RM steering committee meets semi-annually to direct and approve the prioritization of risk controls and review the continuous improvement in managing systemic risks.
- The Audit Committee is briefed annually on TSMC’s ever-changing risk environment, the key points of TSMC’s ERM, and risk assessment and mitigation efforts. The Audit Committee’s Chairperson also reports to the Board of Directors on the risk environment and risk mitigation actions to be taken.