Corporate Governance Officer
In the 11th meeting of the 7th session of the Board of Directors held on March 23, 2012, Mrs. Mian-Yuan Zhan, Assistant Manager of the Finance and Accounting Department, was appointed as the corporate governance officer responsible for corporate governance implementation and related reporting operations. The officer also set up a stock affairs unit to provide directors with the information required for business, assist directors in law compliance and a continuous learning program, take minutes of the Board and shareholder meetings per the regulations, handle company registration or file amendments to enhance the functions of the Board, safeguard the equal treatment of stakeholders/shareholders, and protect their rights and interests.
2023 Continuous learning program:
Organization | Course | Hours |
---|---|---|
Securities & Futures Institute | Mergers and acquisitions: Board of Directors responsibilities | 3 hours |
Securities & Futures Institute | The latest practices and analysis of trade secrets and the management risk for directors and supervisors | 3 hours |
Accounting Research and Development Foundation | Continuous learning courses for principal accounting officers of issuers, securities firms, and securities exchanges – Corporate governance | 3 hours |
Accounting Research and Development Foundation | Continuous learning courses for principal accounting officers of issuers, securities firms, and securities exchanges – Finance | 3 hours |
Accounting Research and Development Foundation | Continuous learning courses for principal accounting officers of issuers, securities firms, and securities exchanges – Professional ethics and legal responsibilities | 3 hours |
Accounting Research and Development Foundation | Continuous learning courses for principal accounting officers of issuers, securities firms, and securities exchanges – Audit | 3 hours |
Business Integrity and Legal Compliance
Adhering to the spirit of business integrity to conduct various internal management and external activities while following corporate governance procedures & codes and business integrity and complying with laws and regulations, AMAZING has established the “Sustainable Development Policy and Code of Conduct,” “Code of Ethics,” “Ethical Corporate Management Best Practice Principles,” and “Procedures for Ethical Management and Guidelines for Conduct” approved by the Board. The management policy is committed to pursuing competitiveness, profitability, and steady growth to give back to shareholders and customers and take care of employees. Keeping our corporate social responsibility in mind, we observe the laws and regulations and respect all policies associated with people, communities, and the environment to prevent unethical behaviors.
All workplace behaviors among employees and management must comply with the provisions of the relevant systems to shape the company’s ethics. In addition, our official website provides a communication email service in the “Corporate Sustainable Development” zone. A grievance email service and hotline are available through the reporting channel for internal or external personnel to submit complaints. We have also set up multiple reporting channels on the company intranet to ensure that all inappropriate conduct is reported and addressed, and we are committed to responding to feedback from stakeholders promptly.
01 Legal Compliance
AMAZING is committed to running its business with integrity and adhering to the laws and ethical standards of the countries where it operates while enforcing compliance as an essential corporate policy. Furthermore, we implement regulatory identification by optimizing the management system, and we conduct education and training as an execution policy to continuously improve regulatory compliance. Regular monitoring is performed to detect any amendments in domestic and international regulations that may significantly impact our operations to ensure that all operating activities truly comply with the laws and standards in each country.
02 Business Integrity and Anti-corruption
AMAZING requires that none of its employees, supervisors, managers, or directors commit, or incite someone else to commit, illegal or unethical conduct for any reason. Employees must comply with integrity disciplines. The employee code of conduct is clearly defined and covers work ethics, adherence to laws, interactions with colleagues, acceptance of gifts and entertainment, customer privacy, intellectual property rights, discrimination, bribery, conflicts of interest, protection of corporate assets and the company’s reputation, and other matters that employees should follow. Adhering to the laws and regulations and strictly abiding by these disciplines during business activities, product design, sourcing and procurement, and other related operations, we firmly prohibit active and passive bribery, illegal political contributions or donations, charitable giving and sponsorships intended for improper or non-charitable purposes, unreasonable gifts, entertainment, hospitality, or other illegitimate benefits or advantages, intellectual property infringement, and unfair competition, as specified in the “Procedures for Ethical Management and Guidelines for Conduct.” We have developed prevention plans and procedures to keep products or services from impairing stakeholder rights, in order to protect customer interests and avoid corporate asset losses, fines, and damage to goodwill.
In 2023, we held training courses, including the “Code of Business Integrity,” “Code of Ethics,” “Protection of Trade Secrets,” “Reporting Systems,” etc., to promote business integrity and ethical standards. A total of 128 personnel were trained, with a 100% completion rate.
03 Education and Training
We conduct education and training from time to time every year and disseminate the policy to all employees at least once or twice a year to maintain the company’s reputation and legal and ethical standards.
Number and Results of Litigation Involving Antitrust
As of today, we have not had any litigation involving fair dealing or antitrust violations.
Amount of Significant Fines Imposed for Violations of Laws and Regulations and the Number of Sanctions Other Than Fines Received
As of today, we have not suffered any significant fines due to violations of laws and regulations, and there have been no grievances involving integrity violations through the reporting channels.
Risk Management
Corporate organizations usually face many potential and unpredictable risks during their operations. In order to facilitate the Board’s supervision of the company’s risk management, we established the Risk Management Policies and Procedures in 2022 as the fundamental principles of risk management. To implement sustainable operations and improve corporate governance effectiveness while understanding the economic, environmental, social, and other internal and external risks that the company may face, we also created a risk management program that requires the relevant departments to identify operational risks, conduct risk monitoring, and implement preventive measures to enhance response capacity, which in turn protects shareholder rights and interests and boosts our competitiveness.
Meanwhile, to ensure that AMAZING is able to take immediate and effective response measures when an emergency occurs and keep the incident from expanding, we have developed the “Emergency Response Procedures” and “Manufacturing Emergency Response Procedures” to ensure personnel safety and normal operations in response to emergencies.
Through relevant risk management mechanisms, AMAZING may quickly control the situation in the face of risks and disasters, put response measures in place, and minimize the impact of risks on the company’s operations and related stakeholders. By continuously reviewing and adjusting, we optimize our risk management capabilities to achieve the goal of corporate sustainability.
Organizational Structure in Risk Management and Responsibilities
- Board of Directors: The highest governance body for risk management in the company. It is responsible for approving risk management policies and structures to ensure their effectiveness.
- Audit Committee: Assists the Board of Directors in supervising its risk management responsibilities, reviewing risk management policies, and overseeing major risk management strategies.
- Senior Management: Responsible for developing risk management policies, planning for matters related to major risk management, and improving risk control. It regularly reports the operation status and risk management performance to the Board of Directors.
- Planning Unit: Responsible for the implementation, promotion, and coordination of risk management activities, including calling risk management meetings, assisting senior management in establishing risk management policies, and carrying out risk communication with each operating unit.
- Operating Units: Responsible for the practical implementation of the risk program in each department, including risk identification, risk analysis and evaluation, risk response and control, and self-monitoring. Each operating unit reports the status of risk management in the various risk categories to senior management on a regular basis or when requested by senior management.
- Auditing Office: An independent unit affiliated with the Board of Directors. It is responsible for internal audits and for inspecting the implementation status of risk response and control at each operating unit. It provides timely information and suggestions for improvement to ensure proper Board supervision of the risk management mechanism and its implementation.
Current Status of Risk Management
We actively promote the risk management mechanism by regularly running risk management meetings and reporting the current status to the Board of Directors once a year. The operations in 2023 were as follows:
- Two courses related to risk management were carried out in August 2023. A total of 25 people received training.
- The risk assessment, risk issues, and risk response measures adopted were reported to the Board of Directors on December 14, 2023, including:
  - Production shifts in the supply chain – cost, inventory, production line
  - Changing demand in sales markets – changes in market demand
  - Trade control and risks – the control list
  - Talent recruitment and development management – changes in labor force ecology
  - Exchange rate risk – shifts in global political and economic conditions
  - Interest rate fluctuations and tax changes – changes in interest rates
  - Accounts receivable, capital flow – late payment, bad debts
  - Pandemic and infectious diseases – current status
We identified, evaluated, treated, and monitored potential risks that may affect the company’s achievement of its objectives. Risk tracking is performed periodically and is included in the daily operations of each department to keep risks arising from business activities within an acceptable range. In addition, we formulated the “Supervision and Management over Subsidiaries” measure to establish a risk control system with affiliated companies.
Scope of Risk Management
Risk Type | Risk Issue | Response Measures |
---|---|---|
Operational Management Risk | Production shifts in supply chain | Based on changes in supply chain technology, productivity, and costs, the supply chain and resource integration department conducts supplier assessments quarterly, sets production strategies, and tiers suppliers according to their assessment results so that each tier can be handled separately. Inventory risk management sets production limits for different product categories and immediately adjusts production progress and inventory levels based on sales forecasts. When an emergency or disaster occurs at an outsourcing factory, the relevant departments report and take response measures in accordance with the “Manufacturing Emergency Response Measures”: understand the situation immediately, report to the company, and adjust production lines and shipments by identifying the disaster level, collecting damage status data, determining the impact on production and shipment, and taking response and follow-up actions until the problem is solved or production returns to normal. |
Operational Management Risk | Changing demand in sales markets | In response to changes in market demand, the marketing department tracks customer orders, monitors the achievement indicators, and provides real-time feedback on changes in market demand to avoid the risk of inaccurate sales forecasts resulting in material shortages or stagnant inventory. |
Operational Management Risk | Trade control and risks | Record and monitor the control lists announced by the competent authorities in Taiwan or other countries, or by interested parties, to avoid the risk of violating international trade regulations. |
Operational Management Risk | Talent recruitment and development management | As global environmental changes and trends cause shifts in the labor force ecology, the administration department regularly conducts workforce inventories and inspections. Through employee training and talent development programs, a well-designed and competitive salary structure and employee welfare measures are created. |
Financial operations and risks | Exchange rate risks | Collect real-time exchange rate information based on developments in global political and economic conditions and by maintaining close contact with financial institutions. The evaluation results are reported to top management every month. Natural hedging and pre-selling with FX forward rates are the main instruments used to manage this risk. |
Financial operations and risks | Interest rate fluctuations and tax changes | Closely observe the interest rate decisions made by the Central Bank of the Republic of China (Taiwan) and collect information on interest rate changes. If a short-term loan is needed, verify whether there is a sufficient supply of funds and comprehensively consider any other factors before submitting a loan application for approval by top management. |
Financial operations and risks | Accounts receivable, capital flow | Avoid delays in customer payments or bad debt events that would result in unstable operating cash flow. Conduct credit investigations on customers based on their payment terms and customer categories, collect collateral security, and insure accounts receivable (trade credit insurance) to reduce and transfer risks. |
Hazardous events and risks | Pandemic and infectious diseases | Develop and implement relevant pandemic prevention measures in accordance with the guidelines issued by government units to protect employee safety and health, and offer support, such as a pandemic supplies kit, as appropriate. |
Information Security Management
Structure of Information Security Management
- In 2021, the company created an information security organization consisting of the information security unit and the information security audit unit, which are responsible for establishing information security protection and the implementation & review of information security policies, respectively. The information security unit serves as the emergency response team in charge of information security-related incident response, reporting, damage isolation & control, system and service recovery, and the after-action review and improvement of response measures following an emergency event.
- Staffing of the information security organization: a Chief Information Security Officer (CISO), who is in charge of managing and promoting the overall information security policies and resource scheduling; one dedicated information security supervisor in the second line of defense, who is responsible for planning information security protection and the related system; and two members in the information security execution unit, the first line of defense, who are responsible for daily information security operations and anomaly monitoring. Between 2021 and 2023, the members of the information security organization obtained a total of 5 professional information security certificates approved by the Administration for Cyber Security, MODA.
Our information security organizational chart is shown below:
- For the information security systems such as antivirus, disaster prevention, hacking prevention, and data leakage prevention, the information security organization shall regularly submit a comprehensive report to the CISO. By performing an information security inspection every six months and holding an audit & review meeting, information security management will be continuously tracked and improved.
- We have established information security-related measures in accordance with ISO 27001:2013 to comply with international certification standards. By addressing anomalous activities and deviation corrections, we will achieve the objectives of information security management and control.
Information Security Policy
In order to enhance information security management, AMAZING integrates and strengthens its information security management system, establishes the institutionalized, documented, and systematic management practices, and continuously supervises and reviews management performance to implement the concepts of information security management and business continuity through the following measures:
- Establishment and implementation of information security management policies
- Comprehensive introduction of the Information Security Management System (ISMS)
- Information unit training to build professional capabilities in the field of information security
- Improvement of overall information security environment and information security incident response capabilities
- Measuring indicator fulfillment of information security management policy
With these measures, we expect to protect corporate information assets, prevent unauthorized access, use, control, leakage, damage, tampering, destruction, or other information security incidents, ensure normal operations, maintain the confidentiality, integrity, and availability of data, systems, equipment, and network environments to safeguard the rights and interests of the company’s stakeholders.
Current Status of Information Security Protection Implementation
1. Information risk management
   - Establishment of information security policies and specifications
   - Evaluation of information security risks and development of control mechanisms
   - Investigation and identification of information security incidents
2. Information security management
   - Information security structure and project execution
   - Evaluation and introduction of information security solutions
3. Information security audit
   - Creation and implementation of information audit and handling procedures
4. Losses from significant information security incidents:
   - As of today, we have not suffered any losses caused by information security incidents.
Information Security Work Items
- 13 information security-related specifications have been created and will be adjusted based on practical operations.
- 100% of new employees have been included in the information security education program and will complete their information security awareness training upon onboarding.
- In 2023, a total of 73 employees completed the information security training program.
- Four information security reports and promotions were made in 2023 to be in line with real-time information security incidents and relevant intelligence. They are used as references for all staff to respond to relevant incidents and enhance staff information security awareness.
- In 2023, an information security self-inspection program was conducted for all staff to verify the protection of confidential data and information security effectiveness.
- Investment for information security in 2023: hardware equipment - NT$113,000 / security control software - NT$4,800,000.
- An ISMS internal audit was conducted in October 2023. The ISMS review and improvement meeting was held in early January 2024, and the meeting minutes were submitted to the CISO and the management team.
- ISO/IEC 27001:2013 ISMS certification was obtained in February 2022.
- AMAZING became a TWCERT/CSIRT Alliance member in August 2021 for information sharing and joint defense.
Information Security Risks and Controls
Information Security Controls | Risk Description | Response Measures |
---|---|---|
Information security policy and training | Whether the information security policy has been approved by management and announced to all employees to ensure its appropriateness and effectiveness. | Management and the information security organization hold an information security management and review meeting every year to review the implementation status of the information security policy and the appropriateness and effectiveness of the related control measures. The policy is re-disseminated through employee information security training, and information security reports are used to enhance staff information security awareness. |
Information classification and protection | Information is classified according to the consequences of unauthorized disclosure or to legal requirements, and corresponding measures protect its value, importance, or confidentiality according to the classification. | Block USB access and control data flow through an approval request; encrypt all data and files during editing and require a decryption request before data is provided outside the company; apply dynamic watermarking as screen protection; secure office data and information systems with backups. |
System and application access control | Whether access to data and to application and system functions is restricted, and whether access to systems and applications is controlled by a secure login procedure in accordance with the access control policies. | Grant user permissions approved by the responsible supervisor based on the principle of least privilege; review permissions regularly to prevent improper privilege assignments. |
Network security management | Whether the network is appropriately managed and controlled to protect the information security of systems and applications. | A firewall separates the internal networks from the public Internet. Data flow is controlled in key data areas, and firewall rules are reviewed regularly. |
Computer virus protection | Whether control measures for malicious code protection, detection, prevention, and recovery are in place, together with appropriate user awareness. | Operate an intrusion prevention system for cloud and endpoint hosts that immediately blocks suspicious traffic and malicious activity and provides the information management unit with real-time data for decision-making; information security education includes standard case analysis and anomaly reports, together with the required backup measures, to ensure information security. |
Information security incident management | Whether management responsibilities and response procedures are established to ensure a proper response to information security incidents. | Establish handling procedures based on the information security incident management procedures so that the necessary response measures can be taken quickly and the impact of incidents on organizational operations is lowered. |
Operational continuity management | When an emergency affects operational continuity, whether relevant response measures have been established to ensure information services and security. | Develop corresponding handling measures according to the operational continuity management procedure to maintain the minimum operation of the information system and restore normal operations in the shortest possible time, minimizing the impact on operational continuity. |