The purpose of risk management is to protect and enhance the value of the company, to have a structured and systematic assessment of the existing and potential risks that may be faced, and to make timely corresponding decisions in line with the company's operating goals and strategies, thereby contributing to continuous improvement. As a global industry leader, Advantech has always paid attention to and promoted major strategies and operational risk management.

Advantech has formulated risk management policy and business continuity plan to prepare for possible business interruption risks, goodwill or various emerging risks, to define operation procedures when risks occur to minimize the possible impact and impact when risks occur, and to achieve follow-up correction and management.

In addition, in response to various related risks, Advantech strives to provide transparent and timely message delivery and communication to stakeholders who may be affected.

At end of 2020 Advantech re-examined risk management governance structure, risk management team composition and functions, risk management processes, to ensure risk management to be proceeded in a more systematic and structured manner. Board of directors is the highest governance entity for risk management, and directly supervise pan-strategic risks other risks like cyber security risk, Sustainable Development Committee and Compensation also supervise dedicated strategic risks, while Audit Committee is mainly responsible for supervising pan-operational risks.

Risk management team is responsible for implementing risk management processes and monitoring of risk mitigation actions quarterly, while function managers are responsible for formulating risk mitigation actions and actual execution. Internal Audit closely monitors and even assists to implement all risk management processes and provide suggestions, and performs audit on major risk subjects according to materiality and mitigation status each year.

Advantech launches risk identification and assessment process in 4th quarter of each year, and will conclude risk management and mitigation plan in early next year. In light of quick changes of overall business environment, Risk Management Team and all management team will agilely observe and highlight changes of major risks, to add or adjust mitigation approach, and will include such agenda in quarterly risk management meeting and routine management meeting.

Timing	Organization	Reporting and Discussion Agenda
2022.2.9	Risk Mgt Team	Annual risk assessment and review plan Enhancement action needed for DJSI requirement Proposed revision of risk management policy
2022.2.25	Board of Directors	Reported 2022 annual risk management plan Approved revision of risk management policy
2022.2.26	Board of Directors (extended)	Talent cultivation and succession rotation
2022.4.15	Risk Mgt Team	Material shortage and inventory increase
2022.4.29	Audit Committee Board of Directors	Material shortage and inventory increase
2022.7.11 2022.7.15	Risk Mgt Team	TCFD financial impact quantitative report Low carbon requirement, green product design
2022.7.29	Audit Committee	Climate change risks and low carbon product enhancement
2022.10.14	Risk Mgt Team	Cyber Security taskforce report Energy saving KPI and goal Proposed revision of risk management policy
2022.10.18 2022.10.19	Sustainable Development Committee	Climate transformation projects (RE100, green energy) Global investment structure & tax impact
2022.10.28	Board of Directors	Annual risk management scope and implementation Cyber security projects progress and plan Approved revision of risk management policy

Risk Item	Paradigm Shift related to Industrial IoT Platform Click for more	Talents Shortage for IoT Industry and Advantech's transformation Click for more
Description of the Risk	Emerging risk derived from IoT industry paradigm shift: The future of IoT industry opportunities are in application, consulting and services Customer shift focus from IoT platforms to IoT-enabled applications	Advantech businesses are transforming to phase II/III AIoT solutions and services selling model. Hence, the talents we need will be more diverse. There is risk that talent shortage and acquisition competition between companies are getting more serious.
Impact to Advantech	Advantech launched IoT platform called WISE-PaaS, which has gradually gained market awareness, however the risk still bring the following impacts: Competition is more intense Falling short of customer expectations Not fast enough to catch up market changes	Hardware engineer shortage owing to unbalanced supply and demand Innovative talents shortage in Phase II & III businesses such as AI and cloud experts, SW engineers, go-to-market veteran, B2B e-commerce experts, etc. Talent development is needed to shorten the gap
Mitigation actions	Formation of solution BUs Encouraging close partnerships Investment in IoT solution providers IoT solution ready systems Recruit talent for IoT services Building and growing an online sales business Establishment of Advantech Service+	Establishing SDC (Sustainability & Development Committee) and TA&C team (Talent Acquisition & Cultivation) Talent acquisition program: campus hiring, Elite Champion, referral, headhunter, social media, etc. Talent development program: Elite LEAP Workout, Elite mentoring Program, training & certification, etc. Establishing digital HR: Achieve global talent database integration and global talent mobility.

• Information Security Policy

• A cross-departmental Information Security Governance Team is directed by the general manager of the company, which is promoted by the quality control and information security team, and coordinated information security issues of information technology, physical environment, product information, supply chain, and regulatory compliance.
• The Information Security Governance Meet is held every six months and regularly reports the progress to the Risk Management Committee.

Organization Chart of the Information Security Governance Team

• Information Security Team
• • Planning the security strategy and guidelines for the company's overall information architecture.
  • Establish and maintain the information security protection mechanism of the IT environment of the company.
  • Notification and handling of IT information security incidents.
• Factory Security Team
• • Plan and implement information security management procedures in the factory.
  • Establish and maintain the company's OT environment information security protection mechanism.
  • Notification and handling of OT information security incidents.
• Product Security Team
• • Plan and implement various control measures in the product safety development life cycle.
  • Respond to information security issues related to processing products.
• Supply Chain Security Team
• • Identify information security risks in the production supply chain.
  • Plan and implement various control measures for related risks.
• Supply Chain Security Team
• • Identify information security risks in the production supply chain.
  • Plan and implement various control measures for related risks.
• Compliance Team
• • Assist and ensure that the company's operations and products meet the requirements of information security and privacy protection laws and regulations.