The Company’s ability to respond to and deal with risks has been an important key to its continued growth and stable operations. President Chain Store Corporation is committed to maintaining a comprehensive risk management system that includes the Group’s organization and subsidiaries in the scope of risk management. To further ensure the effectiveness of enterprise risk management and align with international standards, the Company adopted the ISO 31000:2018 Risk Management System in 2024. In accordance with the internal audit system, the Audit Office conducted an internal audit of the overall risk management process in May 2025, reviewing procedures such as risk identification and exposure assessment, and issued an audit report. The 2024 audit results indicated that relevant processes were well executed in accordance with established procedures, with no major deficiencies identified. Looking ahead, internal audits are scheduled to be conducted regularly (at least once every two years) to ensure the continued effectiveness of risk control. Depending on the progress of system implementation, the Company will also consider appointing a third party to perform external audits of the risk management system.

 

 

Risk Management Structure

The Company’s Board of Directors is the highest risk management unit that is responsible for approving risk management policies and structures to ensure the effectiveness of risk management. the Integrity, Risk and Cybersecurity Management Committee is affiliated to the Board of Directors with the “Risk Management Execution Office” underneath that is a cross-departmental risk management decision-making. It exercises its powers independently of other business functions and operating activities, with the Executive Vice President of the Supportive Service Group serving as the convener. Task forces have been set up under the execution office for overall risk monitoring, assessment and measurement for President Chain Store Corporation, integrating and managing various strategic, operational, financial and other potential risks that may have an impact on the operations and profits, as well as regularly reporting to the Risk Management Execution Office. Annual plans and implementation results are submitted to the Board of Directors after discussion by the Integrity, Risk and Cybersecurity Management Committee.

 

Three Lines of Defense Model for Risk Management

Note: On July 30, 2025, the company renamed the "the Risk and Cybersecurity Management Committee" to the "Integrity, Risk and Cybersecurity Management Committee," which oversees the Risk Management Execution Office, the Cybersecurity Execution Office, and the Ethical Corporate Management Practice Team.

Risk Management Processes

The Risk Management Execution Office identifies, analyzes, measures, monitors, responds to, reports risks based on the risk characteristics and impact levels compiled by each task force, as well as improving response measures. The processes are as follows:

Process 1 Risk Identification	Each unit should identify risks associated with their tasks based on risk management policies and procedures, including strategic risks, operational risks, financial risks, information risks, legal compliance risks, integrity risks and other emerging risks (such as climate change or infectious diseases).
Process 2: Risk Analysis and Measuremen	All risks that have been identified should be assessed based on the “Table of Impact Degree Judgment Criteria” to analyze the cause and negative impact on the Company, as a reference for formulating subsequent corresponding measures.
Process 3: Risk Monitoring and Response	Based on the result of risk analysis, relevant personnel of each unit plan and implement risk response measures requiring prioritization, as well as serving as a reference for each operating unit to formulate and select improvement measures in the future.
Process 4: Risk Report	Regularly summarizing the status quo of risk management and control to report to the Integrity, Risk and Cybersecurity Management Committee and the Board of Directors.

Risk Identification and Ranking

President Chain Store Corporation’s scope of risk management includes but is not limited to operational risks, market risks, financial risks, compliance risks, climate risks and other risks that may cause significant losses to the Company. When identifying risks, each business unit analyzes the sources of risks (such as disasters/infectious diseases, contracts/laws, financial conditions, personnel behavior, asset losses, quality, supplier operating conditions, etc.) and their potential impacts (such as finance, production/products and services, personnel, reputation and image, etc.) to understand all potential types of risks.

 

Risk identification and prioritization are conducted using a dual-axis risk matrix. The X-axis represents the impact level (I) of the risk, rated on a scale from 1 to 5; the Y-axis represents the likelihood of occurrence (L), also rated from 1 to 5. The risk level (R) is calculated by multiplying the two scores. This serves as the standard for assessment. Scores are assigned to various risks, such as financial, food safety, franchising, and regulatory risks, and ranked according to the potential impact and consequences they may have, thereby highlighting the severity, likelihood, and significance of each risk to the Company.

For each level of risk, the divisions in charge implement preventive and improvement measures accordingly. When the risk level (R) exceeds 14 points, it may cause a significant impact on the Company’s operations. Therefore, this score is set as the risk appetite threshold. If any risk surpasses this level, the divisions in charge must respond and implement improvements promptly. In the current year, none of the assessed risks exceeded the risk appetite threshold. Therefore, after review and adjustment by the Risk Management Execution Office, the top three risks identified for 2024 are labor shortage, operational risk, and food safety risks (Note).

(Note) For the mitigation and response measures related to the 2024 risk identification results, please refer to the 2024 Sustainability Report.

 

Sensitivity Analysis and Stress Testing

Potential Risk	Description of Sensitivity Analysis and Stress Testing
Financial Risk	The Group’s exposure to foreign currency market risk due to significant exchange rate fluctuations is analyzed as follows: Exchange rate risk between USD and TWD primarily arises from USD-denominated cash and cash equivalents, accounts receivable, and accounts payable, resulting in foreign exchange gains or losses during currency conversion. Assuming a 5% appreciation or depreciation of USD against TWD, with all other variables held constant, net income for 2024 and 2023 would increase or decrease by $877 and $6,497, respectively. Exchange rate risk between JPY and TWD arises mainly from JPY-denominated cash, non-current financial assets measured at fair value through other comprehensive income, and accounts payable, also generating foreign exchange gains or losses during conversion. Assuming a 5% appreciation or depreciation of JPY against TWD, with other factors remaining unchanged, comprehensive income for 2024 and 2023 would increase or decrease by $25,917 and $10,843, respectively.   Price Risk: A. The Group is exposed to price risk through its equity investments classified as financial assets measured at fair value through profit or loss, and at fair value through other comprehensive income. To manage price risk, the Group diversifies its investment portfolio in accordance with internal policy guidelines. B. The Group primarily invests in equity securities issued by domestic companies and mutual funds. The prices of these equity instruments are affected by the uncertainty of the investees’ future value. Assuming a 5% increase or decrease in equity prices and a 0.25% fluctuation in mutual fund prices, with all other factors unchanged, post-tax profit for 2024 and 2023 would increase or decrease by $8,180 and $6,632, respectively, due to gains or losses on equity and fund investments measured through profit or loss. For other comprehensive income, profits or losses on equity investments classified through other comprehensive income would increase or decrease by $64,106 and $50,971, respectively.   Cash Flow and Fair Value Interest Rate Risk: A. The Group is exposed to interest rate risk from both short-term and long-term borrowings. Borrowings issued at floating interest rates expose the Group to cash flow interest rate risk. This is partially offset by cash and cash equivalents also held at floating rates. Fixed-rate borrowings, on the other hand, expose the Group to fair value interest rate risk. In 2024 and 2023, the Group’s floating-rate borrowings were primarily denominated in TWD and PHP.   B. Assuming interest rates increase or decrease by 0.25%, with all other factors unchanged, post-tax profit for 2024 and 2023 would decrease or increase by $37,226 and $16,396, respectively, mainly due to changes in interest expense from floating-rate borrowings.
Non-Financial: Operational Risk	Operational risks: If the logistics system does not expand in line with store growth, delivery delays may occur. Continuous store expansion increases the number of stores served by each logistics center, resulting in insufficient warehouse and sorting space. During new product launches or large promotional shipments, this can lead to delivery delays and customer complaints, as well as increased idle time for staff or missed sales opportunities. In recent years, the Company has planned to expand logistics parks to increase capacity and has diversified recruitment and cooperation channels to add more logistics personnel and delivery options. The Company estimates that the average annual impact from delivery delays will remain under 10%.

 

Incorporation of risk criteria in the development of products and services

President Chain Store Corporation places great importance on the safety and integrity of its products and services by incorporating risk standards into the product development and review process. Specific measures include conducting risk assessments using Hazard Analysis and Critical Control Point (HACCP) methods, offering training and guidance to suppliers on risk awareness and control, and, for food safety risks, performing regular and ad-hoc product sensitivity stress testing, food hazard factor inspections, and supplier capability assessments.

(Note: For results of food hazard factor inspections and supplier capability assessments, please refer to the Raw Material Management section.)

 

Financial incentives which incorporate risk management metrics

In 2025, President Chain Store Corporation incorporate sustainability performance into the compensation evaluation of senior executives. Given that food safety is one of the Company’s top three risks, the “Major Food Safety Violation Rate”(Note) has been designated as a key performance indicator, with a target of 0% for the 2025 fiscal year. This indicator will account for 2% of the performance evaluation for the President, Executive Vice Presidents, and Division Heads (including Deputy Division Heads), and will be scored based on the level of achievement.

(Note: The Major Food Safety Violation Rate is calculated as the number of stores and logistics centers with major food safety incidents divided by the number of stores and logistics centers inspected by the competent authority on food safety issues.)

 

Focused training throughout the organization on risk management principles

To foster a culture in which all employees actively participate in risk management, President Chain Store Corporation organizes regular annual training sessions for board members on risk management and internal controls to strengthen their professional judgment and capabilities in handling risk-related matters. In 2024, all board members completed two sessions of risk management training. Additionally, to ensure that every employee can identify, understand, and proactively manage risks, the company launched a corporate risk management awareness training in May 2024, with 60 participants attending a 3-hour session. In March 2025, a follow-up in-person training session (1.5 hours) was held, covering general knowledge, principles, identification, and assessment processes of risk management, with a total of 29 participants. This in-person training was also recorded and developed into a mandatory e-learning course for employees who could not attend the live session. As of 2024, the completion rate for company-wide risk management training reached 100%, demonstrating the Company’s strong commitment to embedding a culture of risk ownership throughout the organization.

(Note: Completion rate is based on all employees as of December 31, 2024, including both head office and store staff, excluding those who have resigned, who are on unpaid leave, or on long-term medical leave.)

Information Security and Privacy Protection

President Chain Store Corporation takes advantage of the power of digital technology to make consumers’ lives more convenient. To this end, it provides customers with cash flow, logistics and information flow services with digital tools such as the 7-ELEVEN online shopping site, ibon, OPEN Wallet, icash Pay, icash 2.0, OPENPOINT app (including iGroupbuying® and iPre-order) and MyShip. This allows consumers to make the most of President Chain Store Corporation as the base and service center for everything in life.

 

Cybersecurity Execution Office

The “Cybersecurity Execution Office” is the highest decision-making unit for President Chain Store Corporation’s information security management. It was originally under the “Sustainable Development Committee,” and moved under “the Integrity, Risk and Cybersecurity Management Committee” in 2023 with the Chief of Information Security as the convener.

Previously known as the Cybersecurity Committee, it was renamed as the Cybersecurity Execution Office in December 2024. The “Information Security Implementation Team,” “Emergency Response Team” and “Inspection Team” under the committee hold at least one review meeting a year, with e convener regularly reporting the implementation and results of information security implementation to the Integrity, Risk and Cybersecurity Management Committee (Note). There were no breaches of customer privacy data in 2024.

(Note) The policies, specific management plans and resources invested by the Cybersecurity Execution Office can be obtained from the Company website.

Note: On July 30, 2025, the company renamed the "the Risk and Cybersecurity Management Committee" to the "Integrity, Risk and Cybersecurity Management Committee," which oversees the Risk Management Execution Office, the Cybersecurity Execution Office, and the Ethical Corporate Management Practice Team.

 

Personal Data Protection Task Force

President Chain Store Corporation uses customer data for non-primary collection purposes, which include marketing or communications with customers in compliance with laws and with the consent of customers. We comply with relevant government regulations and information management principles to ensure that the acquisition and use of data must be within the scope of authorized data established by the Company, adopt appropriate technical and organizational security measures, and preserve data strictly in highly secure and stable data storage systems to fulfill the confidentiality obligations of personal data of customers and investors. In 2024, the proportion of customer personal data used by the Company for marketing and communications totaled at 99.5%. Digital technologies involve a lot of customers’ personal data. President Chain Store Corporation set up a special task force, reporting mechanism, as well as conducting training and internal audits to ensure the protection of consumers’ personal data.

 

The “Personal Data Protection Task Force” is an cross-departmental task force that regularly performs personal data inventory, risk analysis, internal system review, notification and revision, data destruction, education and training. The task force presents the final results of the previous month in the monthly report. Education and training are systemized with courses and forums for new employees to pass tests and senior employees to finish courses online with a 100% completion rate for internal training. In order to enhance the awareness and expertise of all employees regarding cybersecurity, we regularly publish cybersecurity e-newsletters to share the latest trends in cybersecurity, information on threat and protective measures. In addition to integrating personal data risk management into the overall risk management and audit mechanism of the Company, personal data protection management reports are formulated for each department, as well as adding personal data protection clauses to contracts when working with external suppliers to ensure that all operating units and suppliers comply with the Company’s personal data protection policy. President Chain Store Corporation’s internal evaluation plan and external verification system can effectively supervise and assist various departments in formulating corrective, preventive or improvement measures for non-conformities discovered during internal evaluations or audits. Records of improvement are equally made and kept. Corresponding penalties are also formulated for employees who violate the Company’s personal data management rules. Any violation will be reported to the supervisor and included in the employee’s personal performance evaluation and records.