
Risk Management

Management Approach

Bora Pharmaceuticals adopts a top-down risk governance and management structure supervised by the Board of Directors and the Sustainability Committee, and coordinated by the Risk Management Team, integrating risk awareness into day-to-day decision-making and all operating units. Addressing strategic risk, operational risk, financial risk, information risk, compliance risk, integrity risk, and other emerging risks, we implement standardized procedures for risk identification, risk analysis, risk evaluation, risk response, and oversight and examination based on the established Risk Appetite. Through regular oversight and a dynamic management mechanism, we proactively respond to changes in the internal and external environment, optimizing the effective allocation of resources to minimize potential impacts, ensuring the accomplishment of objectives and strengthening long-term resilience. 

Risk Management Policy and Procedures

To establish a risk management system, ensure steady business operations, and advance toward sustainable corporate development goals, the Company has formulated the “Risk Management Policy and Procedures” applicable to the Company and its subsidiaries. This Policy references international standards such as the COSO ERM Framework, ISO 31000, ICH Q9 (Quality Risk Management), and the “Risk Management Best Practice Principles for TWSE Listed Companies.”

In accordance with Article 20 (Implementation and Amendment) of the Policy, this document was passed by resolution of the Sustainable Development Committee and approved by the Board of Directors on November 13, 2025, and serves as the highest guiding principle for the Group’s risk management.

Implementation Status of Risk Management in 2025

The Company initiated Enterprise Risk Management (ERM) in 2025. The year’s operations focused on establishing a governance foundation and shaping a risk-aware culture. The key execution results are as follows:

A. Establishment of Risk Management Organizational Structure 

Following the recommendations of the “Risk Management Best Practice Principles for TWSE Listed Companies,” the Company has established a comprehensive risk governance and management framework tailored to its operational scale, business characteristics, risk nature, and operational activities. The risk management organizational structure and responsibilities are clearly defined to ensure the implementation of risk management across all business areas through communication, coordination, and liaison among units. 

The structure and responsibilities, summarized from Article 13 (Risk Management Organizational Structure) of the Policy, are as follows: 

  1. Board of Directors: As the highest governance body for risk management, the Board aims to ensure legal compliance and promote the implementation of group-wide risk management. It holds ultimate responsibility for risk management, ensuring a clear understanding of operational risks and the effectiveness of risk management practices. 
  2. Sustainable Development Committee: A functional committee established under the Board, responsible for handling risk control-related issues and supervising the overall execution and coordination of risk management operations. 
  3. Risk Management Team: With the General Manager serving as the convener (or a representative appointed by the General Manager), the team convenes regular annual meetings to plan, execute, and supervise risk management-related affairs. 
  4. Internal Audit Office: Responsible for internal audits and periodically reporting audit results to the Sustainable Development Committee and the Board of Directors. 
  5. Risk Category Responsible Units: The primary units responsible for specific risk categories, charged with managing the various risks within their respective domains. 
  6. Operational Units: Heads of operational units are responsible for managing day-to-day risks. 


B. Formulation and Approval of Risk Management Policy and Procedures 

Taking into account the specific characteristics of the pharmaceutical industry and integrating the ICH Q9 Quality Risk Management concepts, the Company drafted a Group-level risk management policy referencing international standards (COSO ERM Framework, ISO 31000) and the “Risk Management Best Practice Principles for TWSE Listed Companies” to establish a unified risk language. 

Through the involvement of the Board of Directors, the Sustainable Development Committee, and senior management, risk management is aligned with the Company’s strategies and objectives. Major risk items were defined to enhance the comprehensiveness, foresight, and integrity of risk identification results. These were then cascaded down to promote corresponding risk controls and response measures, thereby reasonably ensuring the achievement of the Company’s strategic goals. 

The Risk Management Policy was submitted to the Sustainable Development Committee for resolution and implemented following approval by the Board of Directors. It serves as the highest guiding principle for the Group’s risk management and has been published on the Company’s official website. 


C. Operational Status for 2025 

Following the approval of the Risk Management Policy and Procedures by the Board of Directors on November 13, the Company held the “Enterprise Risk Management Project Kick-off Meeting and Risk Management Training” on December 23. This session educated senior executives and departmental representatives on the risk management policy, outlined the enterprise risk management framework, and explained the implementation plan for 2026. The objective was to enhance colleagues’ capabilities in risk identification and assessment, thereby embedding a culture of risk management throughout the entire workforce. 

Risk Identification and Response Measures

Each risk category below is presented with its risk impact and the corresponding response measures.

Risk Category: Network Information Security
Risk Impact: Cyberattacks could lead to data leaks, transaction impersonation, or network paralysis, causing operational interruptions, significant financial losses, and reputational damage, potentially leading to legal issues. Bora Group expanded its attack surface with mergers in 2023, necessitating attention to acquired companies’ potential cybersecurity risks.
Response Measures:
  • Replace old firewalls with new-generation ones. Implement strict firewall policies, block unsafe domains, and have cybersecurity personnel monitor, analyze, and manage daily anomalies.
  • Conduct continuous education and training to enhance employee cybersecurity awareness.
  • Execute vulnerability scans and update or replace outdated systems and equipment to improve security.
  • Filter spam emails to reduce the risk of phishing attacks.
  • Conduct social engineering drills to raise awareness and reduce the risk of falling into traps.
  • Implement new backup systems to back up all systems and databases daily, and establish an off-site backup mechanism.
  • Enforce identity verification to reduce the risk of system account misuse.
  • Conduct relevant cybersecurity checks and controls before and after mergers.

Risk Category: Product Responsibility and Safety
Risk Impact: During GMP-related regulatory changes, the plant must immediately assess whether corresponding measures are needed to avoid non-compliance. Risks related to product manufacturing quality are evaluated according to PIC/S GMP regulations. If the process encounters abnormalities or test results do not meet standards, products are deemed non-compliant and not shipped, ensuring no risk to customers.
Response Measures:
  • Regularly assess the impact of domestic and international regulatory trends on the Company and design corresponding measures.
  • Conduct comprehensive investigations based on events to identify root causes, perform risk assessments when necessary, and implement corrective and preventive measures. If a recall is needed, immediately notify the regulatory authority (TFDA) to comply with PIC/S GMP requirements.

Risk Category: Process Safety
Risk Impact: The production environment for pharmaceutical manufacturing is primarily based on PIC/S GMP and Good Manufacturing Practice standards. The operating environment temperature is maintained at 23±4°C, and humidity is controlled below 60% RH. With global warming and climate change, maintaining operating environment temperature and humidity becomes increasingly challenging.
Response Measures:
  • Improve air conditioning systems, use energy-saving variable frequency air conditioning equipment, and adjust shift schedules to reduce the frequency of air conditioning startups and shutdowns, maintaining the stability of the operating environment and reducing the impact of external environmental changes.

Risk Category: Regulatory Compliance
Risk Impact: Pharmaceutical, food, cosmetics, and medical device regulations are becoming increasingly stringent. Products that do not meet regulatory standards cannot undergo inspection and registration or must be discontinued.
Response Measures:
  • Product labeling and advertising materials are controlled through the printing confirmation process and reviewed by the Pharmaceutical Regulatory Group. Non-compliant materials are returned to the marketing department for modification, reducing the risk of violations.
  • Actively participate in regulatory training and meetings held by authorities or associations and communicate the information to relevant departments through internal training sessions.

Risk Category: Supply Chain
Risk Impact: Some raw materials are produced only in specific regions, making the supply chain vulnerable to regional natural disasters or political risks, leading to supply shortages or delays that affect product production and sales.
Response Measures:
  • Establish a diversified supply chain to reduce dependence on a single region or supplier. Regularly conduct risk assessments and supplier evaluations to ensure supply chain stability and sustainability.
  • Enhance supplier evaluation and supervision to ensure product quality and compliance. Improve communication and training with suppliers to increase their understanding of and adherence to quality and compliance requirements.