
Risk Management

     It is commonly known that every enterprise will confront numerous potential risks in its operations. To pursue sustainable management, performing risk management (RM) well is a prerequisite for reducing the impact of those risks. Taipower's RM system not only integrates the existing relevant emergency countermeasure mechanisms but also divides RM tasks into four levels: RM policy promotion, RM implementation, RM control and RM inspection.

1. RM Policy Promotion
     In view of the importance of RM, the company decided to include RM policies in its corporate strategies. This enables the units of the company to take uniform action on potential risks while implementing their business plans. Thus, in drawing up the company's Long-term Corporate Strategic Plan, in addition to RM strategies and operational risk analysis, analyses of the scope, evaluation and measures for the major risk items are also included: power supply, fuel supply, finance, information security, anti-terrorism, public resistance to power construction projects, etc. The guidelines for risk management were specified in the relevant implementation plans.

2. RM Implementation
     A "Risk Evaluation Criteria" was formulated according to the probability of risk incidents and their possible impacts. The following risk scenarios were listed as major control items: failure of large power plants, failure of the North and South EHV Transmission Lines, power outages in science parks, insufficiency or interruption of fuel supply, terrorist attacks on major power facilities and dams, etc. A Risk Profile Organization was established. The Departments of System Operations, Nuclear Generation, Business, Fuels and Civil Service Ethics were responsible for implementation based on a "Risk Management Plan" they drafted.

3. RM Control
     Before the start of a new year, the aforementioned departments drafted their own "Risk Management Plan" according to the above scenarios, including control mechanisms, countermeasures, simulation drills, education of employees on risk awareness, etc. The Department of Planning will undertake periodic follow-ups on RM control, drills, emergency response, improvement, etc. The final report was submitted to the president and the vice presidents who supervised the said departments. It was expected that the probability of risks could be effectively reduced and their impact avoided or mitigated.

4. RM Inspection
     In order to raise employees' awareness of RM and to substantiate RM tasks, the Internal Inspection Office performed on-the-spot checks on the status of execution and the improvement of RM tasks. The results were reported to the president and the relevant vice presidents. A deadline was set for required improvements.


     Through the above four levels, the company repeatedly checks the impact caused by risks and controls the major risk scenarios. The aim is to take preventive measures in advance so as to rid the company of impacts on its management.

     Meanwhile, in order to upgrade service quality and to establish a safe, stable IT environment, the company continued promoting the Information Security Management System. At the end of 2006, 5 A-class units passed the certification for the Information Security Management System. The accomplishments were:

1. Formulated Information Security Management Measures

(1) Established control measures including Information Security Policy, Information Security Promotion System, Information Security Operation Standards, Information Security Internal Auditing Standards, Information Security Event Reporting Guidelines, Information Assets Grading Guidelines, Information Security Awarding Guidelines, etc.

(2) Revised the Information Security Policy and the Information Security Internal Auditing Standards.

2. Handled ISO 27001 Certification for A-Class and B-Class Units

(1) Five A-class units passed the BS 7799-2 certification in 2004 and 2005. The First Nuclear Power Plant passed the ISO 27001 certification in 2006. It is expected that the other A-class units will pass the certification by June 2007.

(2) Five B-class units established the Information Security Management System in 2006. It is expected that they will all pass the ISO 27001 certification by the end of 2007.

Address: No.242, Sec. 3, Roosevelt Rd., Zhongzheng District, Taipei City 100, Taiwan (R.O.C.) Zip: 10016 Tel: 02-23651234
