Page 72 - BAM ONE REPORT 2564 (ENGLISH VERSION)
Part 1
Business Operation and Performance
(E) Reputation Risk
Reputation risk is the risk of damage to the Company arising from a tarnished reputation due to the negative
perception of customers, trade partners, shareholders and/or regulatory agencies towards the Company.
Tools for managing reputation risk
• A customer satisfaction survey is conducted.
• The Company has in place a system for both internal and external persons to lodge complaints through
channels such as submitting them to the Company’s Customer Relations Division, executives
or directors, whether in writing, by telephone, via the Company’s website, or through other channels of the
government agencies.
• The Company assigns a department to always keep abreast of news and information about the Company
in order to prevent or reduce the impact of reputation risk on the Company.
(F) Information Technology Risk (IT Risk)
IT risk refers to risk potentially arising from the use of IT that will affect
the Company’s systems or operations, including risk from cyber threats. The framework and guidelines on IT risk
management have been formulated.
Tools for managing IT risk
• The Company requires all units concerned with the IT system to perform a risk assessment and
control self-assessment (CSA) on a yearly basis, and to devise plans for corrective actions and follow-up.
• The Company determines the IT key risk indicators so that the concerned departments can track IT risk
at the group level through departments under the group; this serves as an early risk warning to prevent
it from becoming an enterprise-level risk in the future.
The Company has set up the Corporate Governance and Compliance Department, whose role and duty is to monitor
and ensure that other units comply with the relevant regulations applicable to the transactions and act in line with
the corporate governance principles, and to coordinate with both the external regulatory agencies and internal units
in establishing measures, rules, orders and manuals that align with the requirements of the regulatory agencies, the
anti-money laundering policy, the policy on countering the financing of terrorism and the proliferation of weapons of mass destruction
under the guidelines of the Anti-Money Laundering Office (AMLO), and the Company’s rules and regulations.
The Company also emphasizes business continuity management and the management of external risks that
are beyond the Company’s ability to control, such as natural disasters, flood, fire, terrorism, riot, strike, epidemic, etc.
For this purpose, the Company appoints the Business Continuity Management Committee, with the responsibility of preparing
the business continuity management policies and plans. The Company also creates a backup data center, for use in case of
disasters, and a secondary operation center, and it tests its business continuity plan (BCP) regularly, at least once
a year.

