Risk management

Risk Management Policy and Procedures

To manage the various risks that may be encountered in operations and to cultivate a strategy and organizational culture that emphasizes risk management, the “Risk Management Policies and Procedures” serve as the Company’s highest guiding principles for risk management. The Board of Directors, the “Sustainable Development and Nominating Committee,” the “Sustainable Development and Risk Management Task Force,” and employees all participate in promoting and implementing these principles. The “Sustainable Development and Risk Management Task Force” reports on risk management operations to the “Sustainable Development and Nominating Committee” and the Board of Directors at least once a year.

Risk Governance

The Board of Directors is the highest decision-making body for risk management. It is responsible for approving, reviewing, and supervising the Company’s risk management policies to ensure their effectiveness and bears ultimate responsibility. The Board has established the “Sustainable Development and Nominating Committee” as a functional committee to regularly receive reports from the Company’s Sustainable Development and Risk Management Task Force, supervise the implementation of risk management by the Company and its key subsidiaries, and provide suggestions for improvement regarding the design of risk management policies and procedures. The “Sustainable Development and Nominating Committee” currently comprises five members, including three independent directors, with an independent director serving as the convener and chairperson of the meetings.

The “Sustainable Development and Risk Management Task Force” is the authority responsible for executing risk management. It is mainly in charge of executing tasks such as monitoring, measuring, and assessing the Company’s risks. It shall exercise its powers independently from business units and operational activities. The task force is organized under the Office of the President and reports to the “Sustainable Development and Nominating Committee” and the Board of Directors.

Supervisors of each functional department or business handlers are the first-line responsible units as risk owners for their respective areas. They must carry out their duties in accordance with internal control systems and internal regulations relevant to their businesses and serve as the direct units for initial risk identification, measurement, and monitoring. As second-line responsible parties, departmental supervisors shall be responsible for the risk management of related business operations, and based on the actual operations, review, revise, or supplement internal regulations accordingly.

The relevant risk factors are identified from a company-wide operational perspective by the responsible department heads, who assess and analyze the impact of these risks on the company’s operations. Response measures are then developed to ensure that the various risks the company may face in its operations are controlled within an acceptable range.

Establishment of a Risk Culture

Risk management principles are integrated into the company’s operational strategies, emphasizing that risk management is not confined to specific departments but is a shared responsibility across all employees.

  1. Training Programs
    The company provides training for directors and employees, covering topics such as risk management, information security, and social engineering exercises, to embed a risk management culture.
  2. Investment Risk Decision-Making
    The company has established the “Investment Risk Control Measures,” regulating decision-making processes and post-investment management, including approval authority, stop-loss and take-profit thresholds, and risk evaluations. Employees follow these measures to identify, measure, and analyze potential risks, thereby mitigating investment losses.
  3. Incorporating Risk Assessment into the Development Process for New Funds, M&A, or Licensing-In
    When the company establishes a new fund, pursues M&A, or undertakes licensing-in, the associated risks must be incorporated into a comprehensive assessment. Using a risk matrix (Likelihood × Impact), the company evaluates risks across financial, compliance, operational, and reputational dimensions, and compares them against the established Risk Appetite:
    • Low Risk (Acceptable) → May proceed directly.
    • Medium Risk (To be shared or monitored) → Mitigation measures must be implemented, or ongoing monitoring is required.
    • High Risk (Not acceptable) → Must be avoided, or only pursued after the risk has been reduced to an acceptable level.
  4. Incentive Measures
    The company has implemented a reward system to encourage employees to proactively identify potential risks. For example, employees who identify potential causes of errors and obstacles in work processes may be recognized. In cases of fraud or incidents that could harm the company’s interests, employees who report or prevent such issues in advance, thereby protecting the company from harm or mitigating damages, may be rewarded with minor merits. These contributions are directly integrated into performance evaluations, influencing promotions, salary adjustments, and bonuses.

Recent Risk Management Assessments and Operations

  • 2023 Risk Assessment: The 2023 annual risk assessment was completed and approved by the Board of Directors on February 29, 2024.
  • Revision of Risk Management Policies: On December 23, 2024, the “Sustainable Development and Risk Management Task Force” submitted amendments to certain articles of the Company’s Risk Management Policies and Procedures. The amendments were reviewed and approved by the “Sustainable Development and Nominating Committee” and subsequently by the Board of Directors.
  • 2024 Risk Assessment: In the fourth quarter of 2024, each department conducted its respective risk assessment, which was then consolidated. On January 13, 2025, the consolidated results were discussed in the meeting of the “Sustainable Development and Risk Management Task Force,” chaired by the President. The Task Force quantified and identified material risk factors based on the risks and events recognized by relevant units, confirmed the accountable departments and the corresponding mitigation measures, and submitted the 2024 Risk Assessment Report to the “Sustainable Development and Nominating Committee”; the report was approved by the Board of Directors on February 25, 2025.
  • 2025 Risk Assessment Mitigation Measures Implementation:
    On December 22, 2025, the Company submitted a report to the Sustainable Development and Nominating Committee and the Board of Directors on the implementation results of the mitigation measures addressing the significant risk factors identified in the 2024 risk assessment process.

Risk Identification

In identifying risk factors, the company considers a wide range of risks that may affect its business objectives or cause operational disruptions. Sustainability-related aspects, including emerging ESG issues, are also incorporated into the risk identification process. The assessment takes into account the complexity of each issue, relevant scenarios and assumptions, and, where necessary, third-party data sources. Key risk events are identified, and response plans are established to enhance operational resilience. In 2024, a total of 31 risks were identified and assessed.

Risk Assessment

The likelihood of occurrence and the degree of impact of risk events are used as factors to quantify the risks.

| Rating | Likelihood Description | Definition |
| --- | --- | --- |
| 1 | Extremely Unlikely | Expected to occur less than once in 10 years |
| 2 | Unlikely | Expected to occur about once in 10 years |
| 3 | Probably | Expected to occur about once in 5 years |
| 4 | Likely | Expected to occur about once in 3 years |
| 5 | Almost Certainly | Expected to occur about once in 1 year |

| Rating | Description of Impact Severity | Financial Impact | Operational Impact | Personnel Impact (Including Employees) | Human Resources Impact |
| --- | --- | --- | --- | --- | --- |
| 1 | Negligible | Loss or additional expenditure amounting to 0.01% or less (inclusive) of capital (NTD 850,000 or less) | No damage to buildings or equipment; operations unaffected | Causes temporary discomfort or no impact | Replacement manpower accounts for less than 10% of total personnel or recruitment cycle time is less than 1 month |
| 2 | Minor | Loss or additional expenditure amounting to 0.01%–0.05% of paid-in capital (NT$850,000–NT$4.25 million) | Partial damage to buildings or equipment; operations can resume within one day | Causes temporary injury, no follow-up medical treatment or surgery required | Replacement labor accounts for 10%–20% of total workforce or staff recruitment cycle time exceeds one month |
| 3 | Moderate | Loss or additional expenditure amounting to 0.05%–0.5% of paid-in capital (NT$4.25 million to NT$42.5 million) | Partial damage to buildings or equipment; operations can resume within three days | Causes temporary injury, requiring follow-up medical treatment or surgery | Replacement labor accounts for 20%–30% of total workforce or staff recruitment cycle time exceeds two months |
| 4 | Major | Loss or additional expenditure amounting to 0.5%–1% of paid-in capital (NT$42.5 million to NT$85 million) | Partial damage to buildings or equipment; operations can resume within one week | Causes permanent or irreversible injury | Replacement labor accounts for 30%–50% of total workforce or staff recruitment cycle time exceeds three months |
| 5 | Substantial | Loss or additional expenditure amounting to more than 1% of paid-in capital (Over NT$85 million) | Severe damage to buildings or equipment; operations interrupted for more than one week | Causes death | Replacement labor accounts for over 50% of total workforce or staff recruitment cycle time exceeds six months |

Risk Monitoring and Reporting

A company-level risk matrix is compiled based on risk management practices, with each department formulating corresponding control measures. The “Sustainable Development and Risk Management Task Force” reports the implementation results of risk management operations at least once a year to the “Sustainable Development and Nominating Committee” and the Board of Directors. Ongoing training programs are conducted to strengthen a mindset and culture with heightened risk awareness.

Risk Assessment Results:

The results of the post-control risk matrix comply with the following criteria:

  • For Low risk level: The control measures are highly effective, and the company accepts this level of risk.
  • For Medium risk level: The control measures are effective, but continuous enhancement should be considered. The company can still accept this level of risk.
  • For High risk level: The control measures are not sufficiently effective and must be immediately strengthened. The company does not accept this level of risk.

| Score | Risk Level | Risk Response |
| --- | --- | --- |
| 13~25 | High | Risk Avoidance and/or Risk Mitigation |
| 6~12 | Medium | Risk Sharing |
| 1~5 | Low | Risk Acceptance |

Example

| Risk Factor | Risk Event | Likelihood of Occurrence | Impact Severity | Risk Rating | Risk Level |
| --- | --- | --- | --- | --- | --- |
| Market Concentration Risk | The investment targets are concentrated in a single market; if that market contracts or experiences high volatility, it may result in losses. | 4 | 5 | 20 | High |
| Intellectual Property Management | Improper management of intellectual property (including trade secrets and trademarks) may affect the company’s operations or business interests. | 2 | 4 | 8 | Medium |

Risk Response

Significant Risk Factors and Corresponding Mitigation Measures/Strategies Identified in the 2024 Risk Assessment

Significant Risk Factors Mitigation Measures / Strategies
Investment Risk
  • Establishment and implementation of the “Investment Operations Procedure,” “Investment Risk Control Procedure,” and “Investment Target Valuation Procedures.”
  • Maintain close communication with senior executives of current investment projects to stay informed of the latest developments.
  • Incorporate broader perspectives into the evaluation and valuation of new investment projects, carefully selecting sources with clear capital market opportunities and considering contingency measures for international political and economic impacts.
  • Regularly track global economic indicators and capital market trends to promptly grasp market dynamics and adjust operational plans jointly with investment targets in response to market conditions.
Responsible Investment
  • Strengthen the “Responsible Investment Policy” by requiring that both the company’s proprietary fund investments and externally raised or managed private equity funds comply with and implement the “Responsible Investment Policy.”
  • Incorporate ESG and other sustainability factors into all stages of the investment process, including project sourcing and selection, evaluation, investment decision-making, and post-investment management.
  • Require investment targets to sign an “ESG Declaration,” committing to comply with ESG review items. Based on the items in the “ESG Declaration,” conduct an annual review.
Talent Recruitment, Development, and Retention
  • Establish diverse recruitment channels and strengthen industry-academia collaboration; attract top international talent with global experience through professional agencies or active participation in international forums.
  • Show care for employees and emphasize two-way communication to foster a positive work environment and a workplace culture that values gender equality, thereby enhancing employee cohesion and retention.
  • Develop comprehensive employee development programs and implement on-the-job training systems to continuously improve employee performance.
  • Offer competitive compensation and benefits, and uphold the principle of sharing achievements with employees, while actively developing and motivating talent.
Cybersecurity
  • Introduced the ISO 27001 Information Security Management System and obtained third-party certification.
  • Joined the TWCERT/CC Cybersecurity Alliance to broaden the scope of cybersecurity defense.
  • Established a dedicated cybersecurity unit and completed training for designated cybersecurity personnel.
  • Regularly conduct cybersecurity awareness education and training, as well as cybersecurity incident response drills.
  • Implement software and hardware mechanisms for cybersecurity defense, along with comprehensive backup drill plans.
  • Set up a remote access cybersecurity detection platform.
Policy Risk
  • Established and complied with the “Sustainable Development Best Practice Principles” and the “Sustainability Information Management Guidelines”.
  • Conduct greenhouse gas (GHG) inventory and verification in accordance with ISO 14064, and disclose governance, strategy, risk management, and metrics in line with the TCFD framework.
  • Responded to government policies by setting sustainability goals and actively promoting “energy conservation and carbon reduction,” “water conservation,” and “resource recycling and reuse” to minimize environmental impact.

Emerging Risk Management

To strengthen the control and response to future risks, in addition to forecasting the aforementioned risks based on past experience, the company also refers to literature published by domestic and international institutions to conduct emerging risk assessments, in order to understand potential impacts and formulate corresponding mitigation measures.

Emerging Risk Assessment in 2024

Emerging Risk Factor: Geopolitical Conflicts
Risk Description: Investment targets may be affected by geopolitical factors, such as the U.S. Biosecure Act, which reduces opportunities for cross-border investment cooperation.
Risk Response:
  • Strengthen the analysis and collection of international political and economic intelligence to reduce the concentration of investments in a single region.
  • During periods of medium to high risk, allocate idle funds to other markets or seek emerging markets less affected by geopolitical conflicts as potential sources of growth.

Emerging Risk Factor: Climate Strategies and Actions
Risk Description: Under the impact of global climate change, physical risks such as droughts and typhoons are intensifying, thereby increasing operating costs.
Risk Response:
  • Conduct disaster prevention awareness campaigns from time to time to reduce the severity of disaster impacts.
  • Set sustainability goals and promote “energy saving and carbon reduction,” “water conservation,” and “resource recycling and reuse” to slow the pace of climate change.

Emerging Risk Factor: Declining Birthrate and Talent Gap
Risk Description: Facing a declining birth rate and the strong talent attraction of Taiwan’s technology industry, the company is at risk of a talent gap that could potentially impact operations. For example, a shortage of cybersecurity professionals may expose the company to information security risks, while a lack of skilled investment personnel could directly hinder the development and post-investment management of investment projects, ultimately affecting revenue.
Risk Response:
  • Enhance the talent development system and regularly conduct employee competency assessments aligned with the company’s strategic direction. Annual training programs are implemented to bridge identified skill gaps.
  • Promote digital transformation to optimize operational processes, and improve labor efficiency by breaking down and analyzing job tasks, thereby easing the burden on workers and addressing shortages in front-line labor.

Internal Audit Status

The Audit Office, in accordance with the Company’s “Risk Management Policies and Procedures” and other relevant regulations, conducted the 2024 risk management audit for Diamond Biofund and its subsidiaries. Through sampling audits of risk assessment reports, forms, records, and operating procedures, it was confirmed that the identification, assessment, monitoring, reporting, and response of risk evaluation were all implemented in accordance with the risk management process, and no major violations were found.