Risk Management
Safety is the core value of China Airlines and our absolute commitment to customers.
In early 2023, CAL re-examined its risk management governance structure, risk management components and operations, and risk management processes, including a three-lines-of-defense model consisting of an operational risk ownership unit (first line of defense), a risk management and compliance oversight unit (second line of defense), and an independent audit unit (third line of defense). The first line of defense is responsible for managing and controlling risks in day-to-day operations, the second line of defense is responsible for setting control standards and monitoring compliance, and the third line of defense is responsible for auditing and providing recommendations to ensure that the policy compliance and implementation process is in line with the management's chosen performance objectives and risk tolerance. Through these three lines of defense, the responsibilities for risk management are clearly defined to ensure that risk management is promoted in a more systematic and structured manner.
CAL has established a Risk Management Committee under the Board of Directors, which meets regularly. The Auditor General, as the highest risk auditor, assists the Board of Directors in reviewing the Company's risk management strategies, implementation results, and countermeasures, and requires each unit to be responsible for the control of each major type of risk; the independent audit unit (third line of defense) closely monitors, or even assists in advising on, all the processes of risk management. Audits of the main risks are carried out annually, depending on their significance and the status of the response. The Risk Management Team, established in 2023, is independent of the business units and is responsible for promoting risk management processes and for the quarterly review of risk tracking implementation status. The responsible supervisor prepares the risk response measures and carries out the actual implementation of risk items. The senior vice president of flight operations, who heads the Risk Management Team, is the highest person responsible for risk management (second line of defense); this person integrates and supervises all business units in promoting and implementing the risk management policy in all its aspects, and regularly reports to the Corporate Sustainability Committee (chaired by the President) on the results of the controls of the different operational risk ownership units (first line of defense).
The Board of Directors is the highest governance unit for risk management, and the Risk Management Committee consists of independent or non-executive directors. In addition to directly overseeing traditional risks (including safety, business, financial, information security and personal data, etc.) and mid-term / long-term strategic risks through the Risk Management Committee, the Board also oversees the mid-term / long-term strategic risks (including environmental risks and emerging risks) through the Corporate Sustainability Committee - Risk Management Team.
Some of CAL's non-executive directors have experience in risk management related industries (including operational risk and financial risk). Meanwhile, the Board of Directors invites experts or scholars from outside organizations to provide 6 hours of related training courses for directors every year. In May and August 2023, a total of 12 directors attended the lectures on "Emerging Risks for Enterprises: Climate Change" and "Artificial Intelligence Explosion: Technological Development and Application Opportunities of ChatGPT" respectively, with a training rate of 92%.
Risk Governance and Structure of CAL
Enterprise Risk Management Model and Procedure
CAL's risk management framework mainly makes reference to Enterprise Risk Management (ERM) in order to establish risk management mechanisms that identify, accurately measure, effectively supervise and strictly control risks, and also makes reference to the guidelines and spirit of ISO 31000 risk management. CAL continues to manage and control the Company's overall risks through a multi-level organization, and emphasizes possible correlations among risks in order to reduce impacts and seek sustainable operations. CAL's enterprise risk management is based on the principle of materiality, and identifies traditional risks and mid-term / long-term strategic risks. CAL analyzes and evaluates the impact of risk events on the Company and develops contingency plans in accordance with the four major steps of "event identification, risk analysis, risk assessment, and risk control", and follows up on and reviews them on a regular basis through the quarterly meetings of the Board of Directors' Risk Management Committee and the Corporate Sustainability Committee. CAL integrates the results of materiality analysis with its risk management mechanism, and considers the relationship between traditional risks, mid-term / long-term strategic risks, and the results of materiality analysis on sustainability issues to ensure that the impacts and potential risks to the economy, environment and people (including human rights) are included in the corporate risk management and identification process. In 2023, two sustainability issues were identified: climate change mitigation and adaptation, and data security. Both will be rigorously monitored through management objectives, action plans, and related mitigation measures.
Traditional Risks
Traditional risks refer to short-term risk incidents that have an impact on business operations for less than one year and can be solved in a short period of time. Traditional risks are divided into safety, operational, financial, personal information, and information security, and are managed with the goals of mitigating risks, strengthening resilience to crises, protecting stakeholders' interests, and enhancing corporate sustainability.
Safety and Security Risk Management
Safety is the foundation of the aviation industry. Customer trust can only be earned by having an outstanding record of flight safety. Based on the Safety Management System (SMS) and the procedures for safety risk management, the Corporate Safety Office reviews and evaluates internal and external operational risks with respect to flight operations, maintenance, cabin services, and ground operations, then proposes corrective measures.
Business Operational Risk Management
The aviation industry faces an ever-changing business environment. Apart from major political and economic turmoil, unexpected incidents internal and external to our organization can also have a considerable impact on the Company's business operations. The Corporate Development Office analyzes potential risk incidents that may have an impact on business operations, and develops concrete countermeasures based on the analysis results in order to reduce the impact of risks on the Business Strategies and the Annual Business Plan. For example, when China Airlines prepares for a new operating station, the relevant departments must adhere to operational procedures, perform risk assessments, and incorporate risk criteria in the development of products and services to ensure that the operations of new stations comply with the CAA regulations and CAL requirements.
Financial Risk Management
An unexpected turn of events in the economic and financial world, both at home and abroad, can affect a company's operating results. In particular, interest rates, exchange rates, inflation, and fuel represent the principal costs for airlines; these costs are very sensitive to external factors and can become quite volatile. Therefore, the Finance Division employs financial hedging instruments to confine the major costs listed above to preset limits and to monitor financial risks on a regular basis. The Division is also responsible for developing relevant strategies and measures to fulfill the objectives of finance-related risk management.
Information Security and Personal Data Risk Management
CAL's Data Security and Personal Information Management Division is a dedicated management unit for information security and personal information protection. It is headed by the Data Protection Officer (DPO) and the Chief Information Security Officer (CISO), who are in charge of the promotion of information security policies and resource allocation, and who lead the independent information security and personal information teams in adopting management measures that meet international standards in order to implement information security and personal information protection. To strengthen information security framework planning and the management system, we continue to improve multi-level defense in depth, staff education and training, social engineering drills, and emergency response drills, to enhance employees' awareness of information security, and to ensure compliance with laws, regulations, and international information security standards, thereby reducing the overall information security risk.
Mid-term / Long-term Strategic Risks
Mid-term / long-term strategic risks refer to risk incidents that have a strategic or structural impact on business operations for more than one year, and which cannot be solved in a short period of time. CAL reviews and analyzes its market position and collects industry information, such as internal and external forecasts on market trends and competitor dynamics, every three to five years, then conducts SWOT analysis, and accordingly develops the company vision, mission, and mid-term / long-term strategies.
Environmental Risk Management
CAL recognizes the direct impact and importance of the climate issue on the aviation industry. In addition to supporting and responding to the initiatives of the International Civil Aviation Organization (ICAO), the International Air Transport Association (IATA), and the Civil Aviation Administration to promote voluntary carbon reduction by setting up three major milestones for corporate flight and ground operations, we established an inter-unit working group for the TCFD in 2019, and managed climate-related risks and opportunities through our Corporate Sustainability Committee and Environmental Committee. In 2022, we formulated and published the "Forest and Biodiversity Conservation Commitment" signed by the Chairman and the President, and in 2023, we further utilized tools such as the Biodiversity Risk Analysis Tool, the TNFD, the Natural Capital Protocol, and the Natural Target Network based on Science, to identify the impacts, dependencies, risks, and opportunities on biodiversity of our own and upstream and downstream operations, and to develop a response strategy and corresponding management targets and indicators. In addition, we have set two additional objectives for the sustainable development of biodiversity conservation. In 2024, we will further integrate the consideration of natural and climate-related issues into the scope of TCFD, and the key results will be submitted to the Board of Directors annually for monitoring and management, so as to achieve the goal of proactive management actions, such as taking early action to address risks and opportunities, and to deepen our carbon management practices and climate resilience.
Emerging Risk Management
The Global Risks Report published by the World Economic Forum (WEF) every January divides risks into five categories of critical risks, namely economic, environmental, geopolitical, social, and technological risks. New risk categories arising from the rapid development of emerging technologies, climate, demographic changes, information security, and cyber attacks have increased, along with gradually increasing likelihoods of such risk incidents. Therefore, CAL has incorporated these identified emerging risks within the scope of risk management, reviews emerging risks on a regular basis, and develops countermeasures.
Regulatory Compliance
Internal regulations and code of conduct
In order to establish a comprehensive corporate governance system and to build a corporate culture that values integrity, CAL has established the CAL Corporate Governance Principles, Board Directors' Code of Ethical Conduct, Executives Code of Ethical Conduct, China Airlines Ltd. Procedure for Handling Material Inside Information, Ethical Corporate Management Best Practices Principles, and Procedures for Ethical Management and Guidelines for Conduct.
- CAL Code of Corporate Governance
- CAL Ethical Corporate Management Best Practice Principles
- CAL Procedures for Ethical Management and Guidelines for Conduct
- CAL Procedures for Handling Material Inside Information
- CAL Board Directors' Code of Ethical Conduct
- CAL Executives Code of Ethical Conduct
- CAL Group Code of Conduct
- CAL Employee Workplace Code of Conduct
- CAL Supplier Code of Conduct