Risk Management Mechanism

The purpose of risk management is to protect and enhance the value of the company, to have a structured and systematic assessment of the existing and potential risks that may be faced, and to make timely corresponding decisions in line with the company's operating goals and strategies, thereby contributing to continuous improvement. As a global industry leader, Advantech has always paid attention to and promoted major strategies and operational risk management.

Advantech has formulated a risk management policy and a business continuity plan to prepare for possible business interruption, reputational, and various emerging risks, to define the operating procedures to follow when a risk materializes so that its impact is minimized, and to carry out follow-up correction and management.

In addition, in response to various related risks, Advantech strives to provide transparent and timely message delivery and communication to stakeholders who may be affected.

Recent Enhancement

In view of the rapid changes in the global industry, the international situation, and the wave of digitization, as well as the impact of the COVID epidemic and information security incidents, Advantech believes that it is necessary to strengthen the existing risk management mechanism. Therefore, at the end of 2020, we re-examined the risk management governance structure, the composition and operation of the risk management team, and the risk management processes, so that risk management could be promoted in a more systematic and structured manner from 2021.

The board of directors and the audit committee are the highest governance bodies for risk management; the risk management team is responsible for implementing the risk management processes and for monitoring the execution of risk mitigation quarterly; and the accountable managers are responsible for formulating response measures and for the actual implementation of the risk mitigation approach.

The major processes of Advantech risk management are summarized below:

2021 Risk Map

2021 Risk Management Scope and Operation Update

Time       | Forum            | Report/Discussion Agenda
2021.1.20  | Risk Mgt Team    | Risk items count and summary
2021.3.5   | Board Meeting    | Risk mgt. mechanism enhancement proposal
2021.4.15  | Risk Mgt Team    | Risk Mgt Policy and Procedures, single production site risk, etc.
2021.4.29  | Board Meeting    | Approval of Risk Mgt Policy and Procedures
2021.4.29  | Audit Committee  | Single production site risk
2021.7.30  | Audit Committee  | Material shortage and related mitigation, cyber security calendar
2021.10.15 | Risk Mgt Team    | Cyber security risk management, Business Continuity Plan revision, etc.
2021.10.29 | Board Meeting    | Risk mgt scope and operation update
Cyber security risk management
Information Security Risk Structure
  • A cross-departmental Information Security Governance Team is directed by the general manager of the company and driven by the quality control and information security team; it coordinates information security issues across information technology, the physical environment, product information, the supply chain, and regulatory compliance.
  • The Information Security Governance Meeting is held every six months and regularly reports progress to the Risk Management Committee.

Organization Chart of the Information Security Governance Team

  • Information Security Team
    • Planning the security strategy and guidelines for the company's overall information architecture.
    • Establish and maintain the information security protection mechanism of the IT environment of the company.
    • Notification and handling of IT information security incidents.
  • Factory Security Team
    • Plan and implement information security management procedures in the factory.
    • Establish and maintain the company's OT environment information security protection mechanism.
    • Notification and handling of OT information security incidents.
  • Product Security Team
    • Plan and implement various control measures in the product security development life cycle.
    • Respond to and handle product-related information security issues.
  • Supply Chain Security Team
    • Identify information security risks in the production supply chain.
    • Plan and implement various control measures for related risks.
  • Compliance Team
    • Assist and ensure that the company's operations and products meet the requirements of information security and privacy protection laws and regulations.
Information security control measures
  • Annual information security risk inspection and related risk improvement.
  • Regularly conduct social engineering drills and information security education and training.
  • The company’s employment contract contains confidentiality clauses. All employees have the responsibility and obligation to protect the company’s information assets that they obtain or use, to prevent unauthorized access, tampering, destruction or improper disclosure.
  • Critical information systems and equipment have built-in fault tolerance and load balancing mechanisms, and disaster recovery is exercised regularly to maintain their availability.
  • Important system data are backed up and checked regularly.
  • Anti-virus and protection software is installed on personal computers, its virus definitions are regularly confirmed to be up to date, and the use of unauthorized software is prohibited.
  • A multi-factor authentication mechanism has been established to strengthen identity verification for remote users and important system administrators.
  • Systems are continuously patched and updated to reduce the risk of system weaknesses being exploited by cyberattacks.
  • Information security protection equipment such as application firewalls and privileged account management is continuously deployed and updated to strengthen protection against network attacks.
  • Employee account passwords are managed in accordance with the password policy, and account permissions are regularly reviewed.
  • A monitoring mechanism for information security incidents is in place, and incidents are responded to and handled according to established procedures to prevent the damage from spreading.
  • The company has implemented the ISO/IEC 27001:2013 international information security management system and maintains it continuously; its scope will be expanded to include the backbone network and computer room management.