Risk Management

We follow the Implementation Rules of the Internal Audit and Internal Control System to ensure strong business development, capital adequacy, and a reasonable risk return rate. The Risk Management Standards and Internal Operation Control Procedures serve as the key reference for risk management.

Risk Management Mechanism

To manage risks, we have set up a "three lines of defense" mechanism. The first line is guarded by the operations unit and business management unit, who are in charge of identifying, assessing, and controlling risks within the scope of their function and responsibility. The second line is held by Risk Management Units, Compliance Units and Business Management Units, who assess risk management regulations, assist and supervise according to each scope of the first line of defense with identification and control of risks, and current risk status, and make proper adjustments to countermeasures when necessary. The second line of defense also acts on abnormalities and reports to them to their superiors. The third line is the Audit Unit, which works independently and executes audits to ensure the implementation and completeness of risk management regulations and internal control procedure.

Unit	Responsibilities
Board of Directors	The highest decision-making unit for risk management responsible for approving all BOT risk management policies in accordance with overall operational strategies and environments. The Board also monitors the effective implementation of risk management mechanisms and ensures sufficient capital is reserved to meet all risks.
Risk Management Committee	Convenes quarterly to coordinate cross-departmental risk management matters based on Board-approved risk management decisions.
Department of Risk Management	Responsible for the independent and dedicated control of BOT risk management matters, monitoring and tracking of subsequent implementation by relevant units based on risk management decisions and instructions provided by the Board and the Risk Management Committee, and submitting risk management reports. Issues quarterly BOT risk monitoring reports, formulated 10 major business risks and 21 risk monitoring indicators, and regularly monitors, assesses, and classifies risks. Adopts appropriate measures and reports to the Board upon discovery of major incidents that could endanger financial, business, or legal compliance conditions.
HQ Departments	Identify, assess, and effectively control risks related to all business matters, new businesses, or new products, formulate various risk management regulations to serve as the basis for implementation and review, supervise management of related risks by all units, and ensure management of all risks in collaboration with the Department of Risk Management.
All business units	Implement risk management procedures in accordance with BOT's regulations when conducting business.

Risk Management Policy and Notification Mechanism

Under the Board, the Risk Management Committee follows "Risk Management Policy", and includes all risks on and off-balance sheet items under its remit. In response to emerging risks around the world, we also adopt mechanisms to regulate identification, evaluations, and countermeasures, ensuring effective response and management of applicable risks. We have adopted 10 business risk monitoring items and 21 monitoring indicators that reflect Article 2 and 3 of the "Regulations for Management of Detecting Major Business Risks".

In addition, to enhance our capacity to manage crises and emergencies, our regulations address crisis and disaster contingency plans, reporting procedures, and continuity of operations, ranging from internal control to significant events such as security maintenance, disasters, business issues, brand reputation, liquidity, information security, money laundering related transactions, strikes, and notifiable communicable diseases. When deemed necessary, we form a Crisis Management Task Force, Disaster and Emergency Task Force, and/or Emergency Task Force, and determine countermeasures in meetings to mitigate impact and redirect operations.

Risk Management and Identification

Business managing units	Stay aware of important business information, operation oversight, changes to the financial environment, and detection results of monitoring indicators. Upon discovering numbers exceeding limits, the unit shall conduct an analysis and form countermeasures, and disclose such information in the report.
Department of Risk Management	Coordinates and business managing units includes quarterly submissions into the risk monitoring report for review by the Risk Management Committee and the board.

Promotion measures	Content
Adoption of high climate risk sector monitoring mechanisms	1.To make emerging risks part of our risk management framework, and provide preliminary identification for the development of ESG, in 2023 we established 10 high transition risks of climate change sectors (electronics, power supply, oil refining, chemical materials manufacturing, cement, steel, aluminum, construction, automobile and motorcycle manufacturing, and aviation) based on BOT's TCFD Project. This list serves as an adjustment factor for the quota of each sector in 2024, and is disclosed in the "Climate Change Risk" chapter in the Risk Monitoring Report. 2.To establish high climate risk sector monitor mechanisms, at year-end 2022, we included "High Climate Transition Risk (HCTR) Sector Loan Risk Exposure Lookup" in the control parameters of the internal business management system/credit holder limit, which allows us to identify and evaluate HCTR sectors.
Reinforcement of the management mechanism for overseas high-risk businesses	In light of the escalation of the US-CN Trade War, global supply chain adjustments, and the US banning chips to cut off key technologies to China, all of which have caused extensive impact, we determined the risk assessment factors and the descriptions that reflect the importance of funding key industries, local compliance, increasing rates and recession, the development of strategic industry, high-end gear manufacturers, trade sanctions and disputes, and geopolitical risks. The results are incorporated when running credit checks, credit cases, and investment evaluations to reinforce control mechanisms.

Promotion measures

Content

Adoption of high climate risk sector monitoring mechanisms

1.To make emerging risks part of our risk management framework, and provide preliminary identification for the development of ESG, in 2023 we established 10 high transition risks of climate change sectors (electronics, power supply, oil refining, chemical materials manufacturing, cement, steel, aluminum, construction, automobile and motorcycle manufacturing, and aviation) based on BOT's TCFD Project. This list serves as an adjustment factor for the quota of each sector in 2024, and is disclosed in the "Climate Change Risk" chapter in the Risk Monitoring Report.

2.To establish high climate risk sector monitor mechanisms, at year-end 2022, we included "High Climate Transition Risk (HCTR) Sector Loan Risk Exposure Lookup" in the control parameters of the internal business management system/credit holder limit, which allows us to identify and evaluate HCTR sectors.

Reinforcement of the management mechanism for overseas high-risk businesses

In light of the escalation of the US-CN Trade War, global supply chain adjustments, and the US banning chips to cut off key technologies to China, all of which have caused extensive impact, we determined the risk assessment factors and the descriptions that reflect the importance of funding key industries, local compliance, increasing rates and recession, the development of strategic industry, high-end gear manufacturers, trade sanctions and disputes, and geopolitical risks. The results are incorporated when running credit checks, credit cases, and investment evaluations to reinforce control mechanisms.

Stress Tests

In recent years, the drastic progression of ESG has added uncertainties to business operations. Our "Regulations for Management of Stress Test" request voluntary stress tests quarterly to assess our risk assuming capacity against domestic/international economic development, COVID-19, inflation and rate increases, geopolitical risks, extreme climate events, and regionalized supply chains in a global economy. If test results do not meet standards, the Department of Risk Management may gather the heads of departments to determine countermeasures and improvement plans, and submit the proposals to the Risk Management Committee for approval. All four of the voluntary stress tests run in 2023 passed the minor scenario and severe scenario standard settings.

Voluntary stress tests

Description	Achievements in 2023
Frequency: Quarterly. Stress tests contain one or multiple risks and include one conducted in response to compliance with capital adequacy supervision and review principles to submit information as instructed by the central authority. Scenario: Stress settings are based on recent risk factors and BOT's risk characteristics. Results: Stress tests results are reported to the Risk Management Committee and the Board (or in meetings of the managing directors) and are submitted for future reference according to competent authority.	Voluntary stress tests passed the minor scenario and severe scenario settings (10.5% Total Capital Adequacy Ratio, 8.5% Tier 1 Capital Ratio, 7.0% Common Equity Tier 1 Ratio, and 3.0% Leverage Ratio, per FSC standards).

Description

Achievements in 2023

Frequency: Quarterly. Stress tests contain one or multiple risks and include one conducted in response to compliance with capital adequacy supervision and review principles to submit information as instructed by the central authority.

Scenario: Stress settings are based on recent risk factors and BOT's risk characteristics.

Results: Stress tests results are reported to the Risk Management Committee and the Board (or in meetings of the managing directors) and are submitted for future reference according to competent authority.

Voluntary stress tests passed the minor scenario and severe scenario settings (10.5% Total Capital Adequacy Ratio, 8.5% Tier 1 Capital Ratio, 7.0% Common Equity Tier 1 Ratio, and 3.0% Leverage Ratio, per FSC standards).

Stress tests reflect our progress in ESG execution and expected loss. We joined the Climate Change Stress Test Task Force under the Bank Association and completed a climate change scenario analysis for all banks in Taiwan per the FSC's instruction. The scenario analysis was concluded in May 2023, showed insights into BOT's climate risk strategies, our resilience and adaptability, and allowed us to make strategic adjustments accordingly. The task force will follow in the FSC's steps to determine the parameters to improve the scenario analysis approach. Please see 4.1 Climate-related Financial Disclosure for more information.

Raising Risk Awareness in our Culture

We integrate risk management into daily operations and transactions. The key is to establish awareness among all employee levels and form a strong business culture. In light of this, we initiated transparent, comprehensive risk communication mechanisms to guide risk information to upper and lower levels, as well as between departments. The information is disclosed to the public as a legal requirement.

Measure	Description
Risk management trainings	Cultivated professional risk management personnel and organized risk management training for general employees. Organized annual risk management seminars and began incorporating climate change issues into manager training from 2021.
Risk reporting measures	Established risk indicators and advance warning mechanisms, adopted appropriate risk monitoring mechanisms, and compiled quarterly reports submitted to the Risk Management Committee.
Measures for strengthening risk culture	E-newsletter to raise awareness of risk management. In 2023, a total of 51 "Risk Management Reports" were delivered. Trainings and seminars to communicate risk information. Assessed risks before developing new business areas or products, amending operational processes, establishing or launching information systems, and preparing appropriate documentation procedures and control measures.