U Ming Marine Transport : Risk Management Policies and Regulations

U-Ming Marine Transport Corporation

Risk management policies and regulations

Formulated by the board of directors on March 17, 2011

Article 1 (Purpose of risk management policies and regulations)

These policies and regulations have been formulated to strengthen corporate governance and implement sound risk management operations in order to guarantee the achievement of goals in a reasonable manner.

Article 2 (Application scope)

These policies and regulations shall be applicable to risk management operations of all levels of this Corporation.

Article 3 (Definition of event, opportunity, and risk)

The term "event" shall refer to events affecting goal achievement of this Corporation.

The term "opportunity" shall refer to favorable events affecting goal achievement.

The term "risk" shall refer to unfavorable events affecting goal achievement.

Article 4 (Definition of risk management)

Risk management serves the purpose of strategy formulation and identification and management of risk events to ensure a containment of risks within tolerable limits in order to guarantee the achievement of goals in a reasonable manner. Risk appetite shall refer to the amount of risk this Corporation is willing to accept during the pursuit of goals. The operational framework for risk management is shown in Fig.1, while the risk management process is illustrated in Fig.2.

Article 5 (Risk management operations)

These policies and regulations include the following nine operation types:

1. Establishment of awareness
2. Goal setting
3. Event identification
4. Risk analysis

1

	5.	Risk assessment
	6.	Responses to risks
	7.	Control operations
	8.	Information and communication
	9.	Risk monitoring
Article 6	(Risk management implementation)
		Competencies in the field of risk management are shown in Fig.3. Corporate operations shall be added to Article 5 of these
	regulations and recorded and tracked in accordance with practical needs.
Article 7	(Establishment of awareness)
		This Corporation shall actively establish risk management awareness and make dynamic adjustments in response to environmental
	changes.
		This Corporation shall organize educational training, seminars, and information meetings on risk management on a regular basis to
	strengthen the understanding of risk management policies and processes of this Corporation and risk identification among executives
	and personnel of all units of this Corporation.
Article 8	(Goal setting)
		Goal setting is a key prerequisite of event identification, risk assessment, and risk responses. This Corporation shall conduct
	strategic planning activities in all departments. During the setting of goals it shall be determined whether or not goals support the
	achievement of missions and visions and it shall be ensured that the risks sustained during goal achievement are within tolerable limits.
Article 9	(Event identification)
		Event identification shall refer to the process pertaining to an analysis of the business environment of this Corporation and
	determination of which events may occur and why and how they occur.
		Event identification shall include opportunities and risks. The identification of opportunities shall be redirected to the process of the
	formulation of strategies and KPIs in each department. All departments of this Corporation shall identify potential risk sources in their
	management operations. Relevant information shall be entered into the Control-Self Assessment System via risk identification items
	based on actual conditions. Sudden risks shall be reported in a prompt manner to make sure no risk events are overlooked.
	1.	External environment variables:

2

1. Politics and laws
2. Economic environment
3. Society and culture
4. Technology
5. Industry and market trends
6. Customers
7. Supply chain
8. Competitive environment
9. Alternative/complementary products and services
10. Creditor needs
11. Natural disasters
12. Other

2. Internal environment variables:

1. Strategy
2. Organization
3. Business activities
4. Adequacy of goals and resource allocation
5. Internal controls and audits
6. Implementation deviations
7. Other

Article 10 (Risk analysis)

Risk analysis shall refer to the determination of the likelihood of occurrence of risk events by utilizing different types of information and an assessment of the impact of the results on this Corporation. During the analysis of risks, it shall also be taken into account whether or not the current internal control system can prevent the incidence of risk events.

3

Upon conclusion of the risk analysis the risk level (high/medium/low) shall be determined and entered into the CSA system. In addition, necessary information shall be provided as a reference basis for risk assessments and risk responses.

All departments of this Corporation shall analyze identified risk events (KRI) in accordance with actual conditions and provide a clear description of the analysis results based on CSA statistical analysis reports

Article 11 (Risk assessment)

Risk assessment shall refer to a comparison of the risk level which was determined based on the results of the risk analysis with the risk appetite or risk acceptance threshold set by this Corporation as well as risk prioritizing.

Risk appetite is directly related to strategy formulation and affects resource allocation. Risk appetite for individual risk events is referred to as risk acceptance threshold. Risk appetites and risk acceptance thresholds shall be determined by individual departments of this Corporation based on actual circumstances and shall be approved by the General Manager upon countersignature by each department. They shall also be reported to the self-inspection committee for deliberation and approval.

The results of risk assessments shall serve as a reference for the follow-up adoption of risk responses (see Table 1)

If the determined risk level is lower than the risk appetite or risk acceptance threshold, continued monitoring and review shall suffice. If the determined risk level is higher than the risk appetite or risk acceptance threshold, the risk response plans specified in Article 12 shall be adopted.

Article 12 (Risk responses)

Risks response shall refer to the search for and assessment of risk response plans and the formulation of action plans for risk response programs and implementation hereof (this process is shown in Fig.4).

Risks response plans shall include risk avoidance, reduction of the incidence and incurred losses, risk transfer, and residual risk. Assessments of risk response plans shall take into consideration the cost effectiveness of each plan. Multiple risk response plans may be adopted simultaneously.

When formulating risk response programs and action plans, the selected risk response plans and implementation contents shall be specified. This shall include departments and personnel in charge of the implementation of risk response plans, resource demands, execution schedules, and monitoring and review mechanisms for risk response plans to facilitate the development of risk management measures at different operational levels.

4

Article 13 (Control operations)

Control operations shall refer to policies and procedures that ensure the implementation of risk responses.

Article 14 (Information and communication)

This Corporation shall convey information pertaining to risk events and risk response programs to internal and external stakeholders who are involved in said incident in a timely manner.

Material risk events and related risk response programs and action plans shall be reported to the self-inspection committee.

Risk management operations of this Corporation shall be handled in accordance with relevant policies and procedures prescribed in the Office Emergency Response Measures of this Corporation and the ISM Onboard Emergency Program unless stipulated otherwise in these regulations.

Article 15 (Risk monitoring)

Risk assessment operations shall be conducted regularly on an annual basis. Each department shall fill out the corresponding questionnaires in the CSA system. The Auditing Division compiles and organizes these data and reports them to the self- inspection (risk assessment) committee (attended by top executives, department-level executives, and relevant personnel) where risk levels and response measures for risk events are ratified. In case of a sudden emergence of new material risks which are unpredictable (changes that have a major impact on this Corporation such as newly released general accepted accounting principles, non-routine transactions, new information systems, or direct impacts generated by rapid corporate development, new products, new suppliers, new competitors, new overseas operations, or organizational readjustments) meetings shall be convened in a timely manner to conduct risk assessments and discuss response programs. Relevant forms and meeting minutes shall be preserved and archived as supporting evidence.

Major risks, risk response programs, and risk response plans shall be constantly monitored, tracked, and reviewed in business meetings in response to changes of the external environment.

Article 16 (Approval and amendment)

These regulations and all amendments hereof shall be implemented upon approval by the board of directors

5