PCSC’s ability to respond to and deal with risks has been an important key to its continued growth and stable operations. Our risk management covers the entire group and all its subsidiaries. To strengthen the management and control of cyber security and control risks in a more comprehensive manner, the “Risk & Information Security Management Office” was divided into the “Cybersecurity Committee” and “Risk Management Committee” at the end of 2022. The “Risk Management Committee” integrates and manages all potential risks associated with strategies, operations and finances that may have an impact on the operations and profits. The person in charge of risk issues is Head of Group Lua, Wen-Ji, and the unit in charge is the Sustainable Development Committee. The Audit Committee is responsible for conducting audits with Chief Auditor Lee, Kun-Feng as the person in charge.
In October 2022, a total of 5 risks were compiled and identified for the year. From 2023 onwards, all departments will monitor and give feedback every month ,and the Risk Management Committee will collect the risk identification data of all departments every six months and report to the Sustainable Development Committee once a year. The responsible units corresponding to each risk can feedback the risk response measures through the form designed by the committee, so as to achieve risk identification, measurement and reporting For the purpose to achieve risk identification, measurement, and reporting, the responsible units corresponding to each risk can provide feedback on the risk response measures through the form created by the committee. For the five categories of risks identified by the Company in 2022, the units evaluate the risk scores based on the level of impact of the risks on the Company and rank them according to the result of evaluation from the highest(Cybersecurity Risks) to the lowest(Franchisee Risks) . Currently, the units have countermeasures for the following risks.
Risk Identification
“The Company adopts a 6-level system from 1 to 6 to investigate various financial, food safety, franchising, regulatory and other risks, as well as sorting them according to the level of impact and results to highlight the level of impact and importance of each risk on the Company. Relevant units will take preventive and improvement measures for each level of risk. As personal injuries and negative news are included in level 3 with more evident damage to the Company’s operations, this should be adopted as the threshold of the risk appetite. If a risk above this level occurs, the relevant units should respond to and improve in a timely manner.”
| Type |
Risk Management Measures |
Dedicated Unit |
| Cybersecurity Risks |
PCSC takes stock of information and communication systems and services, assesses their management and technical vulnerabilities, as well as the types of threats they may face, the degree of impact and the probability of occurrence to invest in protection resources for risk management and control in line with the value and impact they bring to the Company’s operations. It continues to strengthen the cybersecurity risk management and control mechanism to reduce the threat of external hackers and internal human error, as well as building a cybersecurity management system that complies with laws and regulations to protect consumers’ personal information and the Company’s business secrets. |
Cybersecurity Committee |
| Food Safety Risks |
PCSC attaches a great deal of importance to consumer health and safety and has made food safety its top priority while continuing to invest each year to ensure rigorous quality control. Food safety risks can have a serious impact on the Company’s image as well as income and profits. To this end, a product safety process control mechanism has been set up to enhance management of the supply chain as a long-term effort on the part of the Company. The countermeasures are listed as follows:
- Establishing the Merchandise Safety Committee and holding regular meetings to discuss topics such as government laws and regulations, contract manufacturers and supplier assessment deficiencies, product safety information, food safety testing programs and implementation progress.
- Establishing the Product Safety Information Collection and Inventory Tracking Operational Standards, collecting private-label product safety information and setting up inventory and tracking procedures to ensure the safety of our products.
- With measures such as contractual cooperation, production site management, ingredient tracing mechanisms and systems, supplier grading, management and on-site assessment system, distribution centers and periodic store checks, as well as occasional sampling of raw materials and finished products, we continue to stay on top of the entire supply chain from production to store in order to set up a food safety net for our consumers.
|
Operations Group/Marketing Group |
| Compliance Risks |
Based on the functions, all departments and business units analyze and assess major policy, law and technological changes and adopt appropriate countermeasures to reduce potential operational risks in the future. Moreover, PCSC also has an inter-division Regulation Identification Committee that regularly holds “Regulation Identification Meetings” to keep abreast of the latest changes to laws and regulations so as to be able to adopt appropriate countermeasures. Additionally, each unit’s supervisor also sets up a “Crisis Management Task Force” to effectively control and manage any potential or current market risks or crisis. |
Various business units/Regulation Identification Committee/Crisis Management Task Force |
| Finance Risks |
PCSC’s Finance Office takes laws, policy and market changes into consideration when formulating various strategies, processes and indicators, regularly analyzing and assessing changes of relevant risk and taking appropriate countermeasures to reduce the Company’s overall potential risks. PCSC also continuously reviews and updates the cash flow forecast in order to adjust the cash level in a timely manner following the pandemic situation to ensure liquidity. |
Finance Office |
| Franchisee Risks |
To keep individual stores growing and the overall operations of the Company stable, PCSC continues to optimize its franchising mechanism, improving the remuneration to franchisees, and keeping franchises in good order as countermeasures |
Operations Group/Marketing Group |
| Potential risk |
Sensitivity analysis and stress testing |
| Non-financial:Cybersecurity risk |
In order to ensure the stability and safety of major IT&C operating systems, including consumer apps, official websites and shopping websites, load stress tests are conducted for information security risk sensitivity analysis in various extreme scenarios. By regularly performing information security health checks such as vulnerability scanning, penetration testing, mobile app information security inspection label verification, and red team exercises to simulate various emergency response to combined disaster scenarios, such as sensitive data leaks, computer room power outages, and large-scale network interruptions to confirm the resilience of the IT&C system. The evaluation shows that disaster backup and constant monitoring of communication security maintains the availability of major operating systems at 99.9999% to support the Company’s round-the-clock business model. Network interruption affects the operating time by about 0.5 hours with a financial impact on daily turnover at a single store of no more than 5%. |
| Non-financial:Food Safety Risks、Compliance Risks |
PCSC is a retail industry that relies heavily on the products provided by suppliers in the overall service system. To ensure the effectiveness of food product risk management, we implement regular and random sensitivity stress tests for food hazard factor inspections and supplier management. In addition to providing qualified inspection reports (food safety, packaging and packaging material regulations) before the product goes on the market, we implement market monitoring and commodity sampling inspections. The total number of products in 2022 reached 6,942, of which food products were sampled 5,411 times . For random testing, we have strengthened microbiological testing (such as Enterobacter and pathogenic bacteria) for important products such as ready-to-eat fresh food products with the passing rate of 100%. Important products must be pulled from the shelves if they fail random testing. If a product is pulled from the shelves and cannot be sold that year, it is estimated to cause a financial impact on about 1% of revenue. We can ensure the effectiveness of food safety management, reduce concerns about food safety and violations of food safety regulations in products sold in stores that might have an impact on consumer rights and company operations through testing. |
Emerging Risks
In order to stand firm in this fast-changing food retail industry, PCSC places great importance on significant social, economic, and environmental trends to better control risks that might affect the Company’s profits and sustainable operations.
PCSC has integrated the way we identify and respond to emerging risks into our risk management structure. Emerging risks that have been identified are as follows:
| Type |
Emerging Risk |
Future Impact |
Countermeasures |
| Social - employment and life crisis |
Changes in the demographic structure |
PCSC refers to the population estimation released by the National Development Council, and the information provided by government agencies such as the aging society and utilization of human resources to conduct scenario analysis, predict future population changes, and estimate the impact on the human resources and customer base of the stores in the medium and long term.
Convenience stores and logistics which is vital to their operations, require high labor input. In addition, an aging society will also lead to changes in the main consumer group. Therefore, PCSC may experience the impacts listed below as a result of this risk:
- Impact on talent recruitment and personnel costs
- The impact of different product structures and services required by the elderly consumer group
|
- 1-1.
- Plan to collaborate with schools to develop diverse employment channels, and establish a human resources recruitment platform to integrate resources for human recruitment
- 1-2.
- Create a local recruitment mechanism to increase the recruitment of middle-aged and elderly partners, and propose flexible work arrangements to rearrange the work processes for middle-aged and elderly partners
- 1-3.
- Plan to introduce various AI intelligence and labor-saving tools in stores, such as self-checkout machines and self-service coffee machines, to achieve the goal of saving labor and personal costs as well as meeting the needs for the workforce
- 2-1.
- Focus on developing products for the elderly and introduce the veggie selection lifestyle store
- 2-2.
- Evaluate the age-friendly store design to provide a friendly environment for consumption
|
| According to the statistics published by the Ministry of Interior, only 139,000 babies were born, making it the third consecutive year where there were more deaths than births. The low birth rate and an aging population are expected to lead to a reduction in the working age population and an aging consumer group in the next few years. |
| Economic - Inflation |
Recession |
Due to the impact of extreme weather events in recent years, the production and quality of raw materials for agricultural products have been unstable. The phenomenon is now coupled with geopolitical risks, making oil and energy prices skyrocket, which in turn has increased production and transportation costs and fluctuations in bulk staples. These two uncertainties have led the overall price to continue to increase and result in inflation.
The commodity structure of convenience stores focus on food, daily necessities and services. The potential risks associated with inflation are as follows:
- The rising price for raw materials leads to increased operating costs and reduced profits.
- The impact of recession reduces the consumer spending power.
- The energy price increase leads to the increase in operating costs and decrease in store profits.
|
- Engage with multiple suppliers to improve bargaining power and reduce the risk of shortage risk.
- Integrate companies in the Group for joint purchases that will lower the costs to maintain price competitiveness.
- Replace energy-saving equipment in the stores, such as energy-saving light bulbs, refrigerators, etc., to cope with the risk of electricity price hikes.
- Continue to develop innovative products and new brands, such as Star Rated Cuisine that launch new fresh food products with 5-star hotels/restaurants to enhance the sense of value and reduce price sensitivity.
|
Geopolitics and extreme weather events lead to unpredictable inflation. Tthe 2023 WEF Global Risks Report also pointed out that Taiwan will face rapid or continuous inflation and commodity price shocks, resulting in a great impact on the economic aspect of the food retail industry.
According to the Taiwan Institute of Economic Research, the annual growth rate of consumer price index was 2.95% in 2022, and the annual growth rate of the wholesale price index was 12.43%. Among them, the growth rate of the consumer price index has hit a new high since 2009. According to the latest forecast released by the Directorate General of Budget, Accounting and Statistics in February 2023, the annual growth rate of the consumer price index in 2023 will be 2.16%. |
Information Security and Privacy Protection
PCSC takes advantage of the power of digital technology to make consumers’ lives more convenient. To this end, it provides customers with cash flow, logistics and information flow services with digital tools such as the 7-ELEVEN online shopping site, ibon, OPEN Wallet, icash Pay, icash 2.0, OPENPOINT App (including iGroup-buying and i-Preorder) and MyShip. This allows consumers to make the most of PCSC as the base and service center for everything in life.
Cybersecurity Committee
The “Cybersecurity Committee” is the highest decision-making unit for PCSC’s information security management. It was turned into an independent unit from the “Risk & Information Security Management Office” originally under the “Sustainable Development Committee” in 2022, with the Chief Information Security Officer as the convener. The “Cybersecurity Action Team,” “Emergency Handling Team” and “Internal Audit Team” under the committee hold at least one review meeting a year, with the convener regularly reporting the implementation and results of cybersecurity implementation to the Sustainable Development Committee (Note).
Note: The policies, specific management plans and resources invested by the Cybersecurity Committee can be obtained from the Company website.
Personal Data Protection Task Force
Digital technologies involve a lot of customers’ personal data. PCSC set up a special task force, reporting mechanism, as well as conducting training and internal audits to ensure the protection of consumers’ personal data.
The “Personal Data Protection Task Force” is an cross-departmental task force that regularly performs personal data inventory, risk analysis, internal system review, revision of notification, data destruction, education and training. Education and training is systemized with online courses for new employees to pass tests and senior employees to finish courses online with a 100% completion rate for internal training. In addition to integrating personal data risk management into the overall risk management and audit mechanism of the Company, personal data protection management reports are formulated for each department, as well as adding personal data protection clauses to contracts when working with external suppliers to ensure that all operating units and suppliers comply with the Company’s personal data protection policy. PCSC’s internal evaluation plan and external verification system can effectively supervise and assist various departments in formulating corrective, preventive or improvement measures for non-conformities discovered during internal evaluations or audits. Records of improvement are equally made and kept. Corresponding penalties are also formulated for employees who violate the Company’s personal data management rules.
When the Company uses customer data for non-primary collection purposes, it refers to marketing or message pushes for customers under the premise of compliance with laws and regulations as well as customer consent. We comply with the laws and regulations, as well as information management principles from the government to ensure that the acquisition and use of data is done within the scope of data authorization stipulated by the Company, with appropriate technological and organizational security measures. All data is strictly kept in a data storage system with high security and stability, fulfilling the obligation of confidentially regarding the customers’ and investors’ personal data. In 2022, a total of 99% of the customers’ personal data was used by the Company for marketing and message pushes.
Organizational Structure of the PCSC Personal Data Protection Task Force
Adjustments will be made to the aforementioned task force by making the head of the Supportive Service Group the convener and the head of the Department of Legal Affairs the personal data management representative.