Risk Management - EVA Air - Flying Toward Sustainability

Home Management & Governance Risk Management

Risk Management

Enterprise Risk Management

In order to improve and implement the risk management mechanism, the Company has established the “Risk Management Policy and Procedures” to carry out risk management aimed at uncertain factors that may threaten the Company's operations, improve the efficiency in division of labor in risk management, and ensure the achievement of the Company's operational goals.

Risk Management Framework

The Corporate Sustainability Committee is responsible for carrying out risk management-related tasks; their quarterly meetings oversee all departments’ implementation of risk management policies and controls. The Board of Directors is the highest supervisory body for EVA Air’s risk management, responsible for approving risk management policies. Under the Board of Directors, the Sustainability Committee reviews risk management policies and oversight their implementation. The Corporate Sustainability Committee reports on overall performance to both the Sustainability Committee and the Board of Directors annually. EVA Air ensures the compliance and effectiveness of our risk management processes through annual internal control self-assessment audits, and through external audits conducted every two years by a third-party verification body. Our most recent external audit for risk management process compliance and operating performance was completed by Bureau Veritas Certification (BVC) on May 14, 2024.

Enterprise Risk Management Process

Step 1 Risk Identification

Sub-committees of the CSC identify the risks that may be faced during business operation

Step 2 Risk Assessment

Assess the impact, likelihood, vulnerability and speed of onset of the identified risk factors to prioritize the identified risks

Step 3 Risk Management

Each responsible departments shall assess their risk appetite/tolerance level, propose the mitigation and response plan, and report to the CSC for regular tracking

Step 4 Disclosure and Communication

The CSC reports the Company's overall risk management results to the Sustainability Committee and Board of Directors every year, and disclose information in accordance with regulatory requirements.

We reference the ISO 31000 Risk Management, and the Risk Assessment in Practice methodology published by the Committee of Sponsoring Organizations (COSO). Based on materiality principles, we identify, assess, manage, and disclose risks related to economic (including corporate governance), environmental, social, and other key topics that may arise in our operating processes. Risk assessment involves evaluating its impact, likelihood, vulnerability, and speed of onset (magnitude). Risk categories include strategic, operational, financial, environmental, and medium-to-long-term emerging risks.

Sensitivity analysis of non-financial risks

Strategic Risk

This includes risks to EVA’s operations presented by changes in the external environment, such as the international political/ economic situation, industry development trends, market competition, branding, intellectual capital, etc.

Operational Risk

This includes risks that may create negative impacts on EVA’s operations, such as market changes, flight safety, information security, privacy protections, labor relations, legal compliance, supply chain management, and other risks that might potentially create negative operational impacts.

Financial Risk

Foreign exchange risk, investment risk, capital risk, liquidity risk, credit risk, hedging operations, etc., that may cause possible losses.

Environmental Risk

This includes risks arising from actions in response to climate change, natural disasters, and other such issues. Specific issues include greenhouse gas emissions management, carbon credit management, energy management, biodiversity, natural resources, and other such issues, as well as risks arising from requirements to comply with international and local environmental laws or environmental assessments.

Mid- and Long-term Emerging Risk

Emerging risks that may result in a certain level of impact on EVA’s management, operations, strategy, etc. over the next three to five years.

Emerging Risk Identification

With the increasing regulatory requirements of global aviation authorities, climate change, information security, political influence, the rapid development of emerging technologies, etc., the risks faced by enterprises are accompanied by uncertainties. Furthermore, “emerging risks” are undoubtedly one of the important issues that require airlines to be cautious with the assessment, which needs further identification, analysis, and formulation of response measures in order to respond to new forms of potential risks as soon as possible as well as to reduce the impact on operations. With reference to the “The Global Risks Report” published by the World Economic Forum (WEF) at the beginning of each year, the sub-committee of Corporate Sustainability Committee (CSC) identify possible emerging risks in accordance with their business area and conduct assessment on risk factors. After integrating risk mitigating actions formulated by related departments, the CSC regularly reports the risk mitigations and recommendations to the Sustainability Committee and Board of Directors.

Step 1 Initiate emerging risk assessment procedures

Step 2 Identify emerging risks by each sub-committee

Step 3 Identify and analyze emerging risks by CSC and develop mitigating actions

Step 4 Report the status of implementation to the Sustainability Committee and Board of Directors

Emerging Risk Identification Results

01 AI technology and misinformation / Technology Generative AI technology emerged as a hot topic in the IT landscape of 2023, and was rapidly applied due to its convenience. However, as AI capabilities advance, improper use of this technology could also lead to significant ramifications for businesses. Deepfakes, in particular, present a looming threat. A proliferation of AI used to create misinformation in videos, images, and URLs will reduce individual and corporate abilities to identify and fight that misinformation.
Impact on Our Operations	Due to the widespread adoption of AI technology, over-reliance and improper use may lead to errors in the Company’s decision-making. Moreover, malicious individuals leveraging AI to spread false information could have a negative impact on the Company’s brand image. Additionally, if our employees lack sufficient knowledge of such technologies or we don’t have sufficient endpoint detection and response (EDR) systems in place, this could result in other operational risks or financial losses.
Mitigating Actions	Continuously monitor evolving trends in AI usage. Enhance employees’ information security awareness; strengthen vigilance against AI-generated false information through education, training, and regular awareness campaigns. This will enable employees to recognize potential fraud patterns, verify message sources, and cross-reference information to prevent business losses and sensitive data leaks. Enhance management of data access permissions to strengthen authentication, and regularly monitor or upgrade company information security systems to prevent unauthorized remote access resulting from stolen credentials. Establish real-time information verification mechanisms, to promptly confirm and clarify any false information from the internet and media. This helps prevent any negative impact on the Company’s brand image and disruption to business operations. By disseminating accurate information through official channels, stakeholders are reminded to be wary of phishing websites and emails, and to refrain from clicking on links or opening attachments from unknown sources. Improve information security incident reporting procedures, and establish effective cross-departmental communication channels. Conduct regular simulations of information security incidents to make sure that response measures are promptly initiated, and to minimize potential losses resulting from risks.

01 AI technology and misinformation / Technology

Generative AI technology emerged as a hot topic in the IT landscape of 2023, and was rapidly applied due to its convenience. However, as AI capabilities advance, improper use of this technology could also lead to significant ramifications for businesses. Deepfakes, in particular, present a looming threat. A proliferation of AI used to create misinformation in videos, images, and URLs will reduce individual and corporate abilities to identify and fight that misinformation.

Impact on Our Operations

Due to the widespread adoption of AI technology, over-reliance and improper use may lead to errors in the Company’s decision-making. Moreover, malicious individuals leveraging AI to spread false information could have a negative impact on the Company’s brand image. Additionally, if our employees lack sufficient knowledge of such technologies or we don’t have sufficient endpoint detection and response (EDR) systems in place, this could result in other operational risks or financial losses.

Mitigating Actions

Continuously monitor evolving trends in AI usage. Enhance employees’ information security awareness; strengthen vigilance against AI-generated false information through education, training, and regular awareness campaigns. This will enable employees to recognize potential fraud patterns, verify message sources, and cross-reference information to prevent business losses and sensitive data leaks.
Enhance management of data access permissions to strengthen authentication, and regularly monitor or upgrade company information security systems to prevent unauthorized remote access resulting from stolen credentials.
Establish real-time information verification mechanisms, to promptly confirm and clarify any false information from the internet and media. This helps prevent any negative impact on the Company’s brand image and disruption to business operations. By disseminating accurate information through official channels, stakeholders are reminded to be wary of phishing websites and emails, and to refrain from clicking on links or opening attachments from unknown sources.
Improve information security incident reporting procedures, and establish effective cross-departmental communication channels. Conduct regular simulations of information security incidents to make sure that response measures are promptly initiated, and to minimize potential losses resulting from risks.

02 Insufficient airport infrastructure capacity / Other Due to increasing air traffic volumes, there may be air traffic control issues arising from insufficient aircraft stands and apron areas. The current hourly takeoff and landing standards and routine maintenance requirements at Taoyuan International Airport may also cause constraints on flight schedules, increased holding times, or diversions to other airports. Airlines may even need to reduce flights to cope with these challenges, impacting both company operations and passenger rights.
Impact on Our Operations	Flight schedules could be affected, potentially leading to flight reductions or even the need to cancel flights, thus impacting company revenue, increasing labor costs, and affecting passenger rights and interests. Flight delays could increase, adding difficulties for ground operations, increasing risks of aircraft damage, and impacting both flight on-time performance and aircraft utilization.
Mitigating Actions	Proactively work with airport authorities to add more aircraft stands and maximize available apron areas. If needed, seek support from the Airline Operators Committee to press the airport company for improvements. Compile flight delay data for reference by airport authorities. Discuss reducing separations between aircraft to optimize air traffic control operations and decrease the likelihood of taxiway congestion. Enhance communication between all operating units to ensure that information is accurately conveyed to decision-making departments. This will improve the accuracy of ground handling operations and enable better advance planning, thus preventing subsequent flight delays caused by incomplete preparatory work. By increasing the turnover rate of available apron areas, we can mitigate the impact of limited aircraft stands on the Company’s flight operations, thus ensuring smooth flight operations while maintaining ground handling safety. Keep in constant communication with airport authorities. Preemptively negotiate and carefully plan schedules for runway closures due to maintenance needs. Adjust flights in advance and optimize ground handling operations accordingly. Notify passengers and provide appropriate assistance. Assess the extent and severity of event impacts on flight operations. Inform impacted passengers in advance to minimize potential compensation liabilities arising from delayed notifications of flight disruptions. Handle situations appropriately to mitigate impacts on Company revenue, and address any subsequent issues stemming from customer complaints.

02 Insufficient airport infrastructure capacity / Other

Due to increasing air traffic volumes, there may be air traffic control issues arising from insufficient aircraft stands and apron areas. The current hourly takeoff and landing standards and routine maintenance requirements at Taoyuan International Airport may also cause constraints on flight schedules, increased holding times, or diversions to other airports. Airlines may even need to reduce flights to cope with these challenges, impacting both company operations and passenger rights.

Impact on Our Operations

Flight schedules could be affected, potentially leading to flight reductions or even the need to cancel flights, thus impacting company revenue, increasing labor costs, and affecting passenger rights and interests.
Flight delays could increase, adding difficulties for ground operations, increasing risks of aircraft damage, and impacting both flight on-time performance and aircraft utilization.

Mitigating Actions

Proactively work with airport authorities to add more aircraft stands and maximize available apron areas. If needed, seek support from the Airline Operators Committee to press the airport company for improvements.
Compile flight delay data for reference by airport authorities. Discuss reducing separations between aircraft to optimize air traffic control operations and decrease the likelihood of taxiway congestion.
Enhance communication between all operating units to ensure that information is accurately conveyed to decision-making departments. This will improve the accuracy of ground handling operations and enable better advance planning, thus preventing subsequent flight delays caused by incomplete preparatory work.
By increasing the turnover rate of available apron areas, we can mitigate the impact of limited aircraft stands on the Company’s flight operations, thus ensuring smooth flight operations while maintaining ground handling safety.
Keep in constant communication with airport authorities. Preemptively negotiate and carefully plan schedules for runway closures due to maintenance needs. Adjust flights in advance and optimize ground handling operations accordingly. Notify passengers and provide appropriate assistance.
Assess the extent and severity of event impacts on flight operations. Inform impacted passengers in advance to minimize potential compensation liabilities arising from delayed notifications of flight disruptions. Handle situations appropriately to mitigate impacts on Company revenue, and address any subsequent issues stemming from customer complaints.

Risk Education and Training

EVA Air values both “top-down” and “bottom-up” risk management approaches. Each year, external experts are invited to conduct six-hour training courses for our directors. Directors’ professional backgrounds and needs are assessed as a basis for course arrangements. In 2023, a July session was held on “Risks and Opportunities of Climate Change and Net-Zero Emissions Policy to Corporate Operation”; in October, a session was held on “The Application of AI in Law and Auditing”. Additionally, to ensure all employees understand the importance of risk management, departments responsible for operations conduct diverse educational training courses on operational risks annually. Regular reminders are also communicated to employees to deeply engrain a safety mindset for all EVA Air staff. In 2023, there were 22,641 trainees and 47,646 hours of training.

Risk Management Incentive Mechanism

EVA Air comprehensively evaluates employees’ individual performance, project implementation efficiency, and risk management capabilities in different job categories as reference criteria for awarding incentive bonuses. This system helps motivate employees to strive for excellence in risk management.

Increasing Risk Awareness

EVA Air has held annual Safety Week activities since 1996. It is hoped that through the promotion of different activities such as education competitions, safety/life lectures, Safety Symposium and Safety Workshop, the mindset of safety will be deeply rooted in the mind of every employee. The theme of the 2023 Safety Week is “Protecting Safety Starts with the Heart; Passenger Safety, Doing My Part”, emphasizing that each employee is a guardian of passenger safety. Whether they’re in-flight, providing cabin service, conducting maintenance, managing flight dispatch, overseeing airport operations, or performing administrative tasks, every employee gains a deep commitment to flight safety and implements standard operating procedures (SOP) in their work to prevent errors. Each departure signifies more than just a journey; it embodies passengers’ expectations and trust in EVA Air to provide comfortable and safe flights. Training videos are also produced for Safety Week, providing clear guidance and enabling all flight and ground crew members, as well as supervisors at all levels, to consistently remind themselves that safety starts with the heart, and to become a Worthy Guardian of Safety. EVA Air has held our Safety Week activities for 28 years now, and ten consecutive safety culture surveys have shown an increase in employees’ identification with EVA Air’s safety culture.