
Corporate Governance Practice

Corporate governance unit

The Company’s board approved by resolution the appointment of the Finance Department Manager as the corporate governance officer, to protect shareholders’ equity and strengthen the board’s functions. The Financial Division Manager is a manager of the Company and has at least three years of experience as a financial officer in a publicly listed company. The corporate governance officer is mainly responsible for handling matters related to board meetings and shareholders’ meetings in accordance with the law, preparing minutes of the board meetings and shareholders’ meetings, assisting directors in taking office and taking continuing education courses, providing directors with the materials needed to perform their duties, and assisting directors in complying with laws. The duties performed are as follows:

  1. Assisted independent directors and general directors in performing their duties, provided necessary materials they needed, and arranged for directors’ continuing education courses:
    • Submitted the latest amendments and developments of laws and regulations related to the Company’s business field and corporate governance to board members when they took office and updated them regularly.
    • Reviewed the confidentiality level of relevant information and provided the Company information required by directors to maintain smooth communication between directors and business managers.
    • Arranged for relevant meetings between the chief internal auditor and the CPAs when there was a need for them to meet in person, to understand the Company’s financial business in accordance with the Corporate Governance Best-Practice Principles.
    • Assisted independent directors and general directors in formulating annual training plans and arranged for courses based on the Company’s industry characteristics and directors’ education and experience.

  2. Assisted in handling the procedures of board meetings and shareholders’ meetings and ensuring legal compliance for resolutions adopted:

    • Reported the Company’s corporate governance situation to the board, independent directors, and the audit committee, and confirmed if the Company’s shareholders’ meetings and board meetings were in compliance with applicable laws and the Corporate Governance Best-Practice Principles.
    • Assisted and reminded directors of the laws and regulations that should be followed when performing duties or formally adopting resolutions at board meetings, and provided advice when the board was about to pass a resolution illegally.
    • Was responsible for reviewing the release of material information on important resolutions passed by the board after a board meeting, to ensure the legality and accuracy of the content of the material information and information transparency for investors.

3. Notified directors of a board meeting no later than seven days before the board agenda was drafted, convened meetings, and provided meeting materials, reminded, in advance, directors of recusal from a proposal, in which personal interest was involved, if any, and completed board meeting minutes within 20 days after the meeting.


4. Registered, in advance, the date of a shareholders’ meeting in accordance with the law, prepared a meeting notice, meeting handbook, and minutes before a deadline as required by law, and registered any changes in the case of amendment to the articles of incorporation or an election of directors.

 

Corporate governance manager education
Date of the course | Organizer | Course name | Hours of education | Total hours of education of the current year
2023.03.27 | Chinese National Association of Industry and Commerce | Workshop for directors and supervisors: “Corporate Resilience; Taiwan’s Competitiveness” | 3.0 | 3.0
2023.06.02 | Chinese National Association of Industry and Commerce | Workshop for directors and supervisors: “2023 Taishin Net-Zero Electricity Summit Forum” | 3.0 | 6.0
2023.07.13 | Taiwan Stock Exchange Corporation | Sustainable Development Action Plan Advocacy Meeting for TWSE/TPEx-listed Companies | 3.0 | 9.0
2023.08.07 | Taipei Foundation of Finance | Sustainable Development and Sustainable Governance Trends | 3.0 | 12.0
2023.08.17-18 | Taiwan Corporate Governance Association | Net Zero Sustainability Talent Education Course – Enterprises’ Low-carbon Transformation Strategy | 9.0 | 21.0
2024.07.03 | Taiwan Stock Exchange Corporation | 2024 Cathay Sustainable finance and climate change summit | 6.0 | 27.0
Corporate governance structure
Succession plan and its operation of important management team
  1. Employees at the level of Assistant Vice President and above are considered part of the important management team, in charge of operating management in the organization. Substitutes are available on all management levels.
  2. The Company has a strict selection and evaluation system for the succession plan of top management (including the President). Internal corporate talents are evaluated fairly, justly and objectively to select potential candidates for succession. The Company cultivates internal talents with high potential; cultivation covers leadership potential, personality, professional knowledge and management function.
  3. Members of the important management team shall possess the necessary professional skills, experience and background. By executing different project tasks in normal times, three skills are cultivated: management knowledge, management skill and management leadership. The values and operating philosophy of each member must be consistent with our concept of “Ethical Company, Order Market, Responsible Work” and our corporate culture of “Integrity, Professionalism, Determination, Innovation.”
  4. As the key element of the internal training plan for the top management team, the Company provides supporting resources and designs or adjusts functions for our diverse medium- and senior-level human resources. The top management team joins the monthly management meeting, and supervisors are arranged to share and interact with each other on management issues through project tasks. An online course learning platform covering leadership, management, technology, innovation and industry trends is available for members of the management team to learn on their own and build comprehensive operational competence.
  5. Meanwhile, through the quarterly review and annual employee performance evaluation system, critical talents are rotated to different departments based on our development strategy to cultivate diverse talents, which is beneficial to talent succession. Through observation and performance evaluation, the Company understands the areas that require improvement, personal development needs and company expectations. The evaluation result is used as the reference for the further succession plan. The overall training lasts one to two years.
    Risk management policies

    The Regulations Governing the Risk Control Procedures were approved at the board of directors’ meeting on November 4, 2020. The Company evaluates risk once a year, sets up risk management policies for all kinds of risks, and covers and implements the management goal, risk evaluation, risk response and risk control. The Company aims to identify, measure and control all kinds of risks effectively and to keep the risks incurred from business activities within an acceptable scope.

    To ensure stable business operation and sustainable development, all kinds of risks are defined based on our operating strategy and goals. This aims to prevent possible losses, keep them within the bearable risk level, and build an overall risk management organization structure and risk management system.

    In anticipation of economic, environmental, and social risks associated with our industry, we proactively manage various uncertainties. Moving forward, we will further strengthen our corporate risk management systems and continue to enhance our employees’ awareness of risk management. This will enable us to effectively identify, manage, and mitigate risks and their associated uncertainties.

    Organization name / Scope of authority and responsibility

    Board of Directors/Audit Committee
    1. Approve the risk management policy and structure.
    2. Ensure the effectiveness of the risk control system and allocate resources.

    Top management team (CEO, Executive Vice-Presidents, Vice-Presidents)
    1. Carry out the risk control decisions.
    2. Coordinate the interaction and communication on risk control across departments.

    Managers on all levels
    1. Gather the results of the implementation of risk control activities.
    2. Assist in and supervise all kinds of risk control activities in the department.
    3. Adjust the identified risk types and suggest ways to take on risks depending on the external environment and internal strategy.
    4. Evaluate the performance and carry out coordination after risk adjustment.

    Managers on all levels under each department
    1. Carry out the daily risk control activities.
    2. Perform self-evaluation on risk control activities.


    Risk Control Architectural Diagram

    The company reports to the board of directors once a year the risk map and response measures after risk assessment analysis (as shown in the table below).

    Information security policy
    I. Foreword

    Due to the characteristics of the business of Senao International Co., Ltd. (hereinafter referred to as the Company), in order to protect the rights and interests of its customers, shareholders and the Company, the Company and all employees have the responsibility and obligation to jointly establish and maintain a safe information and communication operating environment, and to make information security a part of the corporate culture. The information security policy is formulated to clearly define security goals and requirements for compliance.

    II. Scope of application
        1. All employees of the Company
        2. The Company’s related information systems
        3. Manufacturers and visitors
        4. Other personnel or organizations to whom the policy applies according to regulations or contracts

      III. Purpose

      The purpose of the Company's information security policy is to provide a corporate information security guideline and direction that can be followed, to clearly define the Company's information security management goals, and to serve as a guiding principle for the Company's business units to regulate their business security responsibilities. It strengthens information security management to ensure the security of information data, systems, equipment and network communications, so as to effectively protect information assets from theft, improper use, leakage, tampering, damage or system interruption caused by human negligence, vandalism, equipment failure or natural disasters. In addition, the Company complies with the information security management system (ISMS) requirements to ensure the confidentiality, integrity and availability of information assets:
        1. Confidentiality: Only authorized personnel can reasonably use the information, to prevent improper disclosure.
        2. Integrity: Ensure that the information is not falsified without authorization and that the information processing methods and results are correct.
        3. Availability: Ensure that authorized users can obtain information and use relevant assets when needed.

        IV. Information security organization

        Organization / Scope of authority and responsibility
        Information Security Management Committee
        1. Serve as the verification representative for the information security management system.
        2. Supervise the implementation of the information security management system.
        3. Review the objective and implementation scope of the information security management system.
        4. Review the implementation and effectiveness of improvement for information security management-related operations.
        5. Review information security related policies and regulations, and coordinate the allocation and use of resources.
        6. Supervise the implementation of business continuity drills.
        7. Review the resources required for the implementation of corrective measures, including manpower, time and funds.
        8. Review the effectiveness of corrective measures.
        9. At least one management review meeting shall be convened each year. Extraordinary meetings may be convened if necessary.
        Executive Secretary

         Responsible for various tasks of coordination of information security

        Information Security Team
        1. Responsible for the implementation of information security services within the unit and the promotion of related technologies.
        2. Collect and provide information security related information, such as protection, anti-virus and anti-hack, etc., and release announcements in a timely manner.
        3. Establish information security measures, implement information security monitoring and other safety precautions.
        4. Participate in external information security seminars, subscribe to information security related e-newsletters, or keep in touch with information security experts from time to time to obtain information security updates.
        5. Organize crisis handling procedures, check the causes of crisis events, determine the scope of impact and assess losses, implement contingency measures, handle information security reporting, and implement resolution measures and other crisis handling matters.
        6. Execute the disaster recovery work in accordance with the relevant business continuity plan and information security incident notification management procedure.
        7. Identify the time the corrective measures were initiated, and regularly track and check the implementation results.
        8. Other information security services.
        Asset Inventory and Risk Assessment Team
        1. Conduct asset inventory and risk assessment.
        2. Participate in asset inventory and risk evaluation and discussion.
        3. Compile the data on asset inventory and risk assessment.
        4. Suggest risk control measures.
        5. Assist in the formulation of risk management plans.
        6. Assist in risk management.
        7. Confirm the risk treatment results.
        8. Update and review the information asset list and execute risk assessment at least once a year.
        Document Control Unit
        1. Issuance, recovery, safekeeping, borrowing and destruction, and version management of information security management system documents.
        2. Electronic document announcement and update management of the information security management system.
        3. Recycling, storage and management of paper records.
        4. Assist in information security education and training.
        5. Report the implementation result of the annual corrective measures at the management review meeting.
        Audit Team
        1. Formulate the relevant audit plans and execute the audit operations.
        2. Review information security operations.
        3. Present audit reports and relevant suggestions.
        4. Review the corrective measures for non-conformities in the review report.
        5. Conduct an information security audit (including internal) once a year.
        6. Keep the information security audit report for future reference.

        V. Information security policy of the company

        The information security policy includes the following:

          (1) Each business unit of the Company must comply with the relevant government laws and regulations (such as the Patent Act, the Copyright Act, the Personal Information Protection Act, the Enforcement Rules of the Personal Information Protection Act, etc.) when conducting business.
          (2) Establish the Information Security Management Committee, which is responsible for the establishment and promotion of the Company's information security management system.
          (3) Establish the organizational landscape evaluation mechanism to define the information security policy and the scope of implementation of the information security management system, and to understand the needs and expectations of the organizational landscape and concerned parties.
          (4) Establish the document control operation rules to define the management principles for establishment, modification, coding, and issuance of documents related to the information security system.
          (5) Establish an information asset management mechanism to coordinate the allocation and effective use of limited resources to solve critical security issues.
          (6) Establish risk assessment management measures and identify the risks of various types of assets in order to take appropriate risk treatment measures to control and reduce risks to an acceptable level.
          (7) Regularly implement business-related information security education and training, and promote information security policies and related implementation regulations.
          (8) Establish physical and environmental safety protection measures for the computer room, and perform relevant maintenance on a regular basis.
          (9) Clearly regulate the permissions of information systems, network services, and sensitive information, and prevent unauthorized access.
          (10) Establish procedures for information system acquisition, development, and maintenance, and clearly regulate the basis for system development and outsourcing. Before the establishment or launch of an information system or service, information security-related issues should be addressed to prevent endangering the security of the system.
          (11) Formulate and execute internal audit activities for information security to implement the information security management system and corrective measures for non-compliance issues.
          (12) Establish a business continuity plan for information security and practice it to ensure the continuous operation of the Company's business in case of an emergency.
          (13) All personnel of the Company are responsible for maintaining information security, shall understand and comply with relevant information security management regulations, and shall implement these in their duties.

          VI. Information security measures

          Besides building a relevant information security management system and continuously responding to and monitoring possible risks arising from the internal and external environment, the Company also reinforces the detection and protection capabilities of the existing internal information security systems and builds a mechanism for continuous business operation, to reduce corporate information security and operational risk and further prevent risk.

          Item Internal External

          Risk and trend monitoring

          • Perform risk audits regularly and make improvements based on the identified problems.
          • Use the intrusion detection monitoring platform, the centralized antivirus management platform and the integrated centralized log platform to analyze threat traces and scan for potential incidents automatically.
          • After an information security attack occurs, the relevant agencies investigate and analyze the incident.
          • Always keep track of trends in international standards and regulations.
          • Subscribe to information security threat intelligence and technical news, and keep track of and handle information security information.
          • Periodically participate in international information security conferences to obtain the latest technology and threat information.
          • Join the Taiwan CERT/CSIRT Alliance to share information security information.

          Mechanism and protection

          • Implement log centralization, carry out automated correlation analysis and set up a real-time information security alerting mechanism.
          • Introduce a malicious package monitoring system and a host endpoint protection system.
          • Intensify the protection of applications, introduce an application firewall and reduce the risk of applications coming under attack.
          • Strengthen database system auditing, introduce the database system and retain the activity trail of the database.
          • Collaborate with information security suppliers to immediately analyze internal usage.
          • Regularly arrange for externally facing information systems to undergo third-party testing, such as penetration tests and red team assessments.
          • Comply with international inspection standards such as OWASP and OSSTMM, and discover information security risks through professional white-hat hackers so that remediation can be carried out and tracked.

          Continuous operation of business

          • Refer to ISO 22301:2012 and establish and migrate to a hybrid cloud structure.
          • Create the business continuity plan for critical business systems and perform a drill every year.
          • Implement the national information security policy, update and confirm compliance in real time, and carry out information security education, training and tests periodically.
          • Carry out PDCA, strengthen preventive measures, surveillance during an event and post-incident response, and reduce corporate information security risk.

           VII. Establishment and execution of information security

              1. In 2023, a total of NTD 13 million was invested in information security-related systems. In the second quarter, numerous information security systems were implemented to continuously observe equipment and network behavior, update protection against the latest Internet threats in real time, cooperate with information security vendors to analyze various information, and take immediate action in accordance with the established information security policy.

              2. In Q3 2023, ISO 27001:2013 certification was obtained to meet the international standard for information security management. It is expected to be updated to the latest ISO 27001:2022 certification in 2024 in order to comply with the relevant information and communication security guidelines and specifications of the competent authority.

              3. In 2023, the Information Security Management Committee was established. The existing unit responsible for information security, the “Information Security Section”, was upgraded to the “Information Security Division”, with a dedicated information security supervisor and two dedicated information security staff members. This year, five information security reports were delivered at board meetings and one information security management review meeting was held to meet the needs of concerned parties and of different departments.

          VIII. Assessment of the impact of two information security incidents based on past data

          Referring to past data, the impact of the two information security incidents is assessed as follows:

              1. Senao’s systems encounter a DDoS attack and cannot be accessed or used. Emergency response and the emergency service transfer plan are carried out. Senaonline’s service is affected for about two days, losing approximately NTD 172 million of turnover.

              2. The main office of Senao is affected by an earthquake, and power supply and network are affected accordingly. It is estimated that employees cannot work and some services will be affected for two weeks. The service is transferred to the cloud host and operation continues. About NTD 0.1 billion is lost for relevant services, manufacturing and equipment.

          Obtain relevant certifications

          The Company’s actual governance



