Risk Management
CAL regularly reviews its risk management governance, structure, and processes, adopting a three lines of defense model: the first line (operational units) manages day-to-day risks; the second line (risk management and compliance units) sets standards and monitors compliance; and the third line (independent audit unit) audits and provides recommendations to ensure alignment with the Company’s risk appetite and objectives. This structure clearly defines responsibilities and ensures systematic and structured risk management.
CAL has established a Sustainability & Risk Management Committee under the Board of Directors, which meets regularly. On November 8, 2024, the Board approved updated risk management policies and procedures. The Committee assists the Board in quarterly reviews of risk strategies, implementation outcomes, and response measures, and ensures responsible units manage major risks accordingly. The Auditor General, as the highest risk audit authority, supports the Board in reviewing the formulation and implementation of risk strategies, and ensures responsible units manage their assigned risks. The independent audit unit (third line of defense) closely monitors all aspects of risk management and provides advice. Major risks are audited annually based on their materiality and the effectiveness of response measures. Established in 2023, the Risk Management Team operates independently from business units. It promotes the risk management framework and conducts quarterly reviews of risk tracking progress. Designated supervisors are responsible for formulating and implementing risk response plans. The Senior Vice President of Flight Operations, as head of the Risk Management Team, serves as the chief risk officer (second line of defense), overseeing the implementation of risk management policies across all business units. Results from each operational risk owner (first line of defense) are regularly reported to the Corporate Sustainability Committee, chaired by the President.
The Board of Directors serves as the highest governing body for risk management. The Sustainability & Risk Management Committee, composed of independent and non-executive directors, directly oversees both traditional risks (e.g., safety, business, financial, information security, and personal data) and mid- to long-term strategic risks. Environmental and emerging risks are managed through the Corporate Sustainability Committee and its Risk Management Team.
Some of the non-executive directors of the Company have experience in industries related to risk management, including operational and financial risks. Additionally, the Board of Directors annually invites experts or scholars from external organizations to provide directors with 6 hours of relevant training courses. In June and August 2024, courses titled "Establishing a Friendly Workplace under the Labor Standards Act - Latest and Unlawful Infringement Cases" and "Corporate Cybersecurity Posture under Digital Resilience" were respectively delivered to the directors. A total of 12 directors participated, with a training completion rate of 92%.
Non-executive director | Risk management related experience (including operational and financial risk) |
---|---|
Chen, Chih-Yuan | Since the late 1990s, he has held several prominent positions, including Director of Wan Hai Lines, Chairman of Yi Chun Express, President of Wan Hai Japan, Director of Wan Hai Shipping Singapore, Chief Executive Officer of New Sincere Transportation, and General Manager of New Speed Transportation. Additionally, he has served as Vice Chairman of TACT for an extended period and is the longest-serving Director of CAL. He has the extensive experience in land, sea, and air transportation necessary to direct all essential operations of the Company in accordance with the Group's risk and crisis management policies. He has served as chairman, vice chairman, and director for several publicly listed companies in Taiwan and Singapore in industries such as property insurance, semiconductors, optoelectronics, paper, venture capital, and tourism hotels. He has also been invited to serve as one of the few foreign independent directors for a Singaporean government-owned enterprise. He has extensive involvement across various industries and possesses comprehensive capabilities and experience in risk management. |
Ting, Kwang-Hung | He is currently the Chairman of Phu Yung An Corporation and the President of Phu My Hung Holdings Group. He has accumulated 27 years of industrial operation and risk management practice and experience, including industrial strategy, operation (including data security), finance (including climate change), market (including finance) and legal affairs. In 2017, on behalf of Taiwan enterprises, he shared with the international community his successful experience in building infrastructure, power plants, processing and export zones, and townships in Vietnam at APEC. He was also appointed as a visiting professor at the College of Management of National Taiwan Normal University to cultivate industrial elites. |
Chen, Maun-Jen | Everpar Enterprise Corp., which he founded, is one of the nation's leading companies in environmental protection, mobility pollution prevention management, planning, and legislation, consistently ranking first in the industry in terms of scale and reputation. Particularly, the company has established a high-quality corporate culture characterized by internal harmony and external integrity, ensuring quality control for government administration. It directly supervises and manages business development, market planning, and channel management. At the same time, it is also responsible for overseeing risk assessment, hedging action planning, and execution in the aforementioned operational areas. The Company operates steadily and has invested in the largest domestic vehicle testing centers to conduct quality testing for domestic automobile manufacturers and import car dealers. It is the most authoritative certification for testing quality in the country and is also the largest vehicle testing company domestically. |
Risk Governance and Structure of CAL
Enterprise Risk Management Model and Procedure
CAL’s risk management framework is primarily based on Enterprise Risk Management (ERM) principles, with reference to ISO 31000 guidelines, to ensure the accurate identification, measurement, supervision, and control of risks. CAL adopts a multi-level structure to manage overall risks while emphasizing inter-risk correlations to reduce potential impacts and support sustainable operations. Risk management follows the principle of materiality, identifying both traditional and mid- to long-term strategic risks. CAL assesses the potential impact of risk events and formulates contingency plans through four key steps: event identification, risk analysis, risk assessment, and risk control. These are regularly reviewed at quarterly meetings of the Board’s Sustainability & Risk Management Committee and the Corporate Sustainability Committee.
Materiality analysis results are integrated into the risk management mechanism, ensuring that the interconnections between traditional risks, strategic risks, and sustainability issues are addressed. This process helps incorporate potential impacts on the economy, environment, and people (including human rights) into enterprise risk identification and control. In 2024, CAL identified two key sustainability risks: the aging of fleet aircraft and the leakage of confidential information. These issues are being closely monitored through defined management objectives, action plans, and mitigation measures.
Traditional Risks
Traditional risks refer to short-term risk incidents that have an impact on business operations for less than one year and can be solved in a short period of time. Traditional risks are divided into safety, operational, financial, personal information, and information security, and are managed with the goals of mitigating risks, strengthening resilience to crises, protecting stakeholders' interests, and enhancing corporate sustainability.
Safety and Security Risk Management
Safety is the foundation of the aviation industry. Customer trust can only be earned by having an outstanding record of flight safety. Based on the Safety Management System (SMS) and the procedures for safety risk management, the Corporate Safety Office reviews and evaluates internal and external operational risks with respect to flight operations, maintenance, cabin services, and ground operations, then proposes corrective measures.
Business Operational Risk Management
Operating in a dynamic environment, CAL is exposed to political, economic, and organizational shifts. The Corporate Development Office evaluates potential disruptions and formulates contingency strategies to align with strategic goals and annual plans. For example, during preparations for a new terminal, departments follow risk assessment protocols and integrate risk standards into service development to ensure compliance with civil aviation and Company regulations.
Financial Risk Management
An unexpected turn of events in the economic and financial world, both at home and abroad, can affect a company’s operating results. In particular, interest rates, exchange rates, inflation, and fuel represent the principal costs for airlines; these costs are very sensitive to trends in the international economy and can become quite volatile. Therefore, the Finance Division employs financial hedging instruments to confine the major costs listed above to preset limits and to monitor financial risks on a regular basis. The Division is also responsible for developing relevant strategies and measures to fulfill the objectives of finance-related risk management.
Information Security and Personal Data Risk Management
CAL's Information Security & Personal Data Protection Division is a dedicated management unit for information security and personal information protection. It is headed by the Data Protection Officer (DPO) and the Chief Information Security Officer (CISO), who are in charge of the promotion of information security policies and resource allocation, and who lead the independent information security and personal information teams to adopt management measures that meet the international standards in order to implement information security and personal information protection. In order to strengthen the information security framework planning and management system, we continue to improve the multi-level defense depth, staff education and training, social engineering drills, and emergency response drills, to enhance the awareness of employees on information security, and to establish compliance with laws, regulations, and international information security standards to reduce the overall risk of information security.
Mid-term / Long-term Strategic Risks
Mid-term / long-term strategic risks refer to risk incidents that have a strategic or structural impact on business operations for more than one year, and which cannot be solved in a short period of time. CAL reviews and analyzes its market position and collects industry information, such as internal and external forecasts on market trends and competitor dynamics, every three to five years, then conducts SWOT analysis, and accordingly develops the company vision, mission, and mid-term / long-term strategies.
Environmental Risk Management
CAL recognizes the direct impact and importance of the climate issue on the aviation industry. In addition to supporting and responding to the initiatives of the International Civil Aviation Organization (ICAO), the International Air Transport Association (IATA), and the Civil Aviation Administration to promote voluntary carbon reduction by setting up three major milestones for corporate flight and ground operations, we established an inter-unit working group for the TCFD in 2019, and managed climate-related risks and opportunities through our Corporate Sustainability Committee and Environmental Committee. In 2022, we formulated and published the "Forest and Biodiversity Conservation Commitment" signed by the Chairman and the President, and in 2023, we further utilized tools such as the Biodiversity Risk Analysis Tool, the TNFD, the Natural Capital Protocol, and the Natural Target Network based on Science, to identify the impacts, dependencies, risks, and opportunities on biodiversity of our own and upstream and downstream operations, and to develop a response strategy and corresponding management targets and indicators. In addition, we have set two additional objectives for the sustainable development of biodiversity conservation. In 2024, we will further integrate the consideration of natural and climate-related issues into the scope of TCFD, and the key results will be submitted to the Board of Directors annually for monitoring and management, so as to achieve the goal of proactive management actions, such as taking early action to address risks and opportunities, and to deepen our carbon management practices and climate resilience.
Emerging Risk Management
Emerging risks are those not yet fully realized or widely recognized, characterized by high uncertainty and evolving due to technological, regulatory, social, or environmental changes. These risks can significantly impact CAL’s operations, finances, or reputation. Although not fully manifested, their potential effects may already be present and long-term. Therefore, CAL must regularly assess, monitor, and address emerging risks to avoid threats to operations and safety. Key characteristics of emerging risks are: (1) new or rapidly increasing in significance, (2) long-term potential impact, possibly already affecting CAL, (3) potential to cause significant impact that could severely disrupt operations, (4) external origin, arising from outside the Company, (5) specific to CAL, not uniformly affecting the entire industry, (6) require public disclosure.
The World Economic Forum (WEF) publishes the Global Risks Report every January, outlining key global risks across five categories: economic, environmental, geopolitical, societal, and technological. In response to the rapid advancement of emerging technologies—such as misleading results caused by AI hallucinations—and growing protectionism and trade tensions driven by new government policies (including sanctions, tariffs, and investment reviews), the potential impact on businesses is rising. CAL has incorporated these identified emerging risks into its group-wide risk management framework, conducting regular reviews and establishing appropriate countermeasures.
Risk Identification | Analysis and Evaluation | Risk Management | Risk Report |
---|---|---|---|
Identify potential risks that may impact the organization's objectives, which are the responsibility of the operational risk management unit (first line of defense). Identify emerging or previously unaddressed risks that are growing in significance but lack sufficient knowledge or preparedness. | Assess the likelihood and impact of risks, and determine their priority, to be monitored and evaluated by Risk Management and Compliance Oversight (the second line of defense). The potential impact of risk analysis is significant and could severely affect the operations of CAL. The risk is classified as external, caused by events outside the Company. The assessment of the risk's impact is specific to CAL, rather than applicable to the entire industry. | Develop and implement strategies to reduce or eliminate the impact of risks. This process is executed by the operational risk responsibility unit (first line of defense) and supervised by risk management and compliance oversight (second line of defense). | Regularly report on risk management activities and results, and disclose them publicly to ensure transparency and continuous improvement. This process is overseen by an independent audit unit (the third line of defense) and is supervised by the Corporate Sustainability Committee - Risk Management Group for medium- and long-term strategic risks. |
Regulatory Compliance
Internal regulations and code of conduct
In order to establish a comprehensive corporate governance system and to build a corporate culture that values integrity, CAL has established the CAL Corporate Governance Principles, Board Directors' Code of Ethical Conduct, Executives Code of Ethical Conduct, China Airlines Ltd. Procedure for Handling Material Inside Information, Ethical Corporate Management Best Practices Principles, and Procedures for Ethical Management and Guidelines for Conduct.
- CAL Code of Corporate Governance
- CAL Ethical Corporate Management Best Practice Principles
- CAL Procedures for Ethical Management and Guidelines for Conduct
- CAL Procedures for Handling Material Inside Information
- CAL Board Directors' Code of Ethical Conduct
- CAL Executives Code of Ethical Conduct
- CAL Group Code of Conduct
- CAL Employee Workplace Code of Conduct
- CAL Supplier Code of Conduct