Risk Management Policy and Procedure
The "Risk Management Best-Practice Principles" was established and approved by the Board of Directors on July 29, 2025. We combined the "Risk Management Best-Practice Principles" with the "New Drug Research and Development Risk Management Strategy" as the highest guiding principles of our risk management. We shall conduct risk factor identification periodically to identify relevant risks that potentially affect sustainable business development, identify the scope of risk management, and monitor potential risks and implement precaution measures in accordance with the development and guidance requirement of the latest internal audit, to strengthen risk management.
Each department shall conduct risk assessment and implement relevant risk management based on all kinds of actual and potential risk situations. The management team shall report on the implementation of our business strategy and risk control at least once a year in board meetings. The Board of Directors will examine, discuss and supervise the implementation of business strategy and the implementation of risk control of the managing department during the quarterly meetings.
The Board of Directors shall periodically review the overall external economic environment at least once a year, identify the risks to assess their impact on medium and long-term operations and strategies, implement risk management procedures and other mechanisms, and control each risk arising from business activities within an acceptable range.
Each department shall conduct risk assessment and implement relevant risk management based on all kinds of actual and potential risk situations. The management team shall report on the implementation of our business strategy and risk control at least once a year in board meetings. The Board of Directors will examine, discuss and supervise the implementation of business strategy and the implementation of risk control of the managing department during the quarterly meetings.
The Board of Directors shall periodically review the overall external economic environment at least once a year, identify the risks to assess their impact on medium and long-term operations and strategies, implement risk management procedures and other mechanisms, and control each risk arising from business activities within an acceptable range.
Risk Management Scope
We promise to integrate and manage all strategies, operations, finances, hazards and other potential risks that may affect operations and profits in a proactive and cost-effective way through risk management and to take corresponding risk management strategy based on risk levels. Our risk management includes management of "new drug research and development risk", "climate change, accident, disaster, political and social risk", "regulation compliance risk", "operation risk", "cyber security risk", "corporate governance risk", "financial/taxation risk", "human resources risk", "business management risk", and "other risk".
Risk Management Framework
PharmanEngine's risk management framework and risk management responsibilities by department as follow:
| Department | Risk Management Responsibility |
| Audit Committee | Review risk management policies and their implementation. |
| President & CEO Office | Risk management of business decision-making, intellectual property rights, and product quality. |
| Audit Office | Risk management of internal control and internal audit related. |
| Clinical & Regulatory Affairs | Risk management of research and development of clinical trials, pharmaceutical compliance, and product registration. |
| Corporate Development | Risk evaluation of new drugs research from competitors and new project introduction, and risk management of sales market after product launch |
| Finance & Administration | Risk evaluation management of financial matters, response strategy implementation, operations, and information security evaluation |
| Research & Development | Risk management of pre-clinical animal pharmacology, toxicology, pharmacokinetics and clinical trials related research, external research and development management and project planning, implementing, controlling related matters, new drugs research and development, manufacturing, and analysis. |
| Marketing & Sales | Risk evaluation management of products related supply, marketing or sales and account related matters. |
Risk Evaluation
| Major Themes | Risk Evaluation Items | Risk Management Policy and Strategy |
| Environment |
|
|
| Social |
|
|
| Governance |
|
|
Implementation
1. Implementation of risk management policy and risk assessment standard
(1) New drug research and development risk management
The management for research and development risks in PharmaEngine includes the evaluation and introduction for new projects, project management execution, quality management, process development control, pharmacology and toxicology research management, clinical research management, regulatory inspection and registration management, project outcome management, promotion of new product outcomes, and document maintenance and preservation operation.
(2) Climate change, accident, disaster, political and social risk management
Systemic risks normally significantly affect company operations and require a special taskforce. For example, in response to the global spread of the new coronavirus (COVID-19), the President & CEO of the Company called each department head to set up an epidemic prevention group to discuss the risk environment, risk management priorities, risk assessment, response measures and operational conditions we faced, and to formulate guidance on emergency response operations and related control measures for the COVID-19 Pandemic.
(3) Regulation compliance risk management
1. Protect subjects in clinical trials to ensure their rights, safety, and wellbeing
The Company conducts clinical trials in accordance with the "Guidelines for Good Clinical Practice (GCP)" of ICH and upholds the ethical principles of medical research in the Declaration of Helsinki to ensure the rights, safety and well-being of subjects. Each participant in the human clinical trials will be fully informed and protected. In addition, the Company provides relevant insurance for the clinical trials. If there is any physical harm due to participation in the trial, there will be clinical trial insurance to compensate the subject for damage.
2. Quality policy
The Company upholds the spirit of innovation, manages new drug research and development projects, adheres to quality and focuses on total quality management. The Company also complies with GMP, GDP, GLP, GCP and international regulations, and achieves new drug development research that meets the goals of safety, effectiveness, and consistent quality to enhance the development level of new drugs, promote the development of medicine and continuously improve the quality of medicines.
3. Notification for adverse drug reaction in clinical trials
For the Company's clinical trials, if there is any serious adverse reactions caused to the subjects due to the drugs, regardless of the location in Taiwan or other regions, the Company will notify Ministry of Health and Welfare or Taiwan National Adverse Drug Reaction Reporting System of Taiwan Drug Relief Foundation in accordance with the regulations.
4. Drug safety monitoring management
The Company's post-market risk management of drugs is targeted at drug safety, and a drug safety reporting system is established to ensure the monitoring and tracking of adverse reactions after new drugs are launched to avoid serious adverse drug reactions. The risk management methods are conducted to reduce or avoid medication risks. The Company pays attention to and monitors possible adverse reactions caused by drugs, provides relevant drug information, and informs possible risks and possible adverse reactions in great detail during the medication process.
(4) Operation (Drug Inventory Risk Management)
Our product is a pancreatic cancer drug. The focus of inventory risk management is to control the inventory cost, expiration date and avoid short supply. To control related inventory risks, we formulate a reasonable mechanism for safety stock, early warning, and inventory information circulation among different departments, and to ensure drug supply, inventory stability, and notification, the management methods for notification of drug supply shortages. By implementing drug inventory risk management and control to ensure the effective operation and management of drug procurement, drug safety stock and drug supply shortage notification. In addition, in response to the impact of COVID-19, we coordinated with suppliers to increase the flexibility of the supply schedule. We also appropriately and timely increase the safety stock level, and uses the inventory buffer, adjust and balance the inventory to ensure supply of medicines to domestic medical institutions normally during the product supply fluctuation.
(5) Cyber Security
To implement the Company’s cyber security policy and build a continuously improving secure cyber environment to ensure the cyber security management system is effective, the Company adopted the ISO27001 Information Security measures in 2022 and obtained the certificate in January 2023. Moreover, we completed the annual audit based on the updated version of IS027001:2022 (Information security, cybersecurity and privacy protection — Information security management systems).
(6) Corporate Governance
The Company established important internal policies and mechanisms such as “Corporate Governance Best Practice Principles”, “Codes of Ethical Conduct”, and “Insider Trading Prevention and Management Measures” with methodical implementation.
(7) Finance and Taxation
1. Finance: The finance personnel communicates closely with the bank to regularly monitor the Company's capital, interest rates, and foreign exchange rate trends.
2. Taxation: The accounting personnel communicates closely with the accountant to regularly monitor the international taxation trends to reduce tax-related risks.
(8) Human Resources
The Company deeply values humanized method of management and provides full respect and care to employees including group insurance, regular health check up , on-the-job training and other benefits. The Company implements these benefits and strengthens dynamic employee care to provide a quality work environment.
(9) Business Management
The Company entrusts professional stock affairs agencies for all stock-related matters and established the spokesperson system, investor relations personnel, and company website to build and strengthen communication channels with external stakeholders and the Company public image.
(10) Others
Each department evaluates their specific risk management duties and measures.
The management for research and development risks in PharmaEngine includes the evaluation and introduction for new projects, project management execution, quality management, process development control, pharmacology and toxicology research management, clinical research management, regulatory inspection and registration management, project outcome management, promotion of new product outcomes, and document maintenance and preservation operation.
(2) Climate change, accident, disaster, political and social risk management
Systemic risks normally significantly affect company operations and require a special taskforce. For example, in response to the global spread of the new coronavirus (COVID-19), the President & CEO of the Company called each department head to set up an epidemic prevention group to discuss the risk environment, risk management priorities, risk assessment, response measures and operational conditions we faced, and to formulate guidance on emergency response operations and related control measures for the COVID-19 Pandemic.
(3) Regulation compliance risk management
1. Protect subjects in clinical trials to ensure their rights, safety, and wellbeing
The Company conducts clinical trials in accordance with the "Guidelines for Good Clinical Practice (GCP)" of ICH and upholds the ethical principles of medical research in the Declaration of Helsinki to ensure the rights, safety and well-being of subjects. Each participant in the human clinical trials will be fully informed and protected. In addition, the Company provides relevant insurance for the clinical trials. If there is any physical harm due to participation in the trial, there will be clinical trial insurance to compensate the subject for damage.
2. Quality policy
The Company upholds the spirit of innovation, manages new drug research and development projects, adheres to quality and focuses on total quality management. The Company also complies with GMP, GDP, GLP, GCP and international regulations, and achieves new drug development research that meets the goals of safety, effectiveness, and consistent quality to enhance the development level of new drugs, promote the development of medicine and continuously improve the quality of medicines.
3. Notification for adverse drug reaction in clinical trials
For the Company's clinical trials, if there is any serious adverse reactions caused to the subjects due to the drugs, regardless of the location in Taiwan or other regions, the Company will notify Ministry of Health and Welfare or Taiwan National Adverse Drug Reaction Reporting System of Taiwan Drug Relief Foundation in accordance with the regulations.
4. Drug safety monitoring management
The Company's post-market risk management of drugs is targeted at drug safety, and a drug safety reporting system is established to ensure the monitoring and tracking of adverse reactions after new drugs are launched to avoid serious adverse drug reactions. The risk management methods are conducted to reduce or avoid medication risks. The Company pays attention to and monitors possible adverse reactions caused by drugs, provides relevant drug information, and informs possible risks and possible adverse reactions in great detail during the medication process.
(4) Operation (Drug Inventory Risk Management)
Our product is a pancreatic cancer drug. The focus of inventory risk management is to control the inventory cost, expiration date and avoid short supply. To control related inventory risks, we formulate a reasonable mechanism for safety stock, early warning, and inventory information circulation among different departments, and to ensure drug supply, inventory stability, and notification, the management methods for notification of drug supply shortages. By implementing drug inventory risk management and control to ensure the effective operation and management of drug procurement, drug safety stock and drug supply shortage notification. In addition, in response to the impact of COVID-19, we coordinated with suppliers to increase the flexibility of the supply schedule. We also appropriately and timely increase the safety stock level, and uses the inventory buffer, adjust and balance the inventory to ensure supply of medicines to domestic medical institutions normally during the product supply fluctuation.
(5) Cyber Security
To implement the Company’s cyber security policy and build a continuously improving secure cyber environment to ensure the cyber security management system is effective, the Company adopted the ISO27001 Information Security measures in 2022 and obtained the certificate in January 2023. Moreover, we completed the annual audit based on the updated version of IS027001:2022 (Information security, cybersecurity and privacy protection — Information security management systems).
(6) Corporate Governance
The Company established important internal policies and mechanisms such as “Corporate Governance Best Practice Principles”, “Codes of Ethical Conduct”, and “Insider Trading Prevention and Management Measures” with methodical implementation.
(7) Finance and Taxation
1. Finance: The finance personnel communicates closely with the bank to regularly monitor the Company's capital, interest rates, and foreign exchange rate trends.
2. Taxation: The accounting personnel communicates closely with the accountant to regularly monitor the international taxation trends to reduce tax-related risks.
(8) Human Resources
The Company deeply values humanized method of management and provides full respect and care to employees including group insurance, regular health check up , on-the-job training and other benefits. The Company implements these benefits and strengthens dynamic employee care to provide a quality work environment.
(9) Business Management
The Company entrusts professional stock affairs agencies for all stock-related matters and established the spokesperson system, investor relations personnel, and company website to build and strengthen communication channels with external stakeholders and the Company public image.
(10) Others
Each department evaluates their specific risk management duties and measures.
4. Implementation Results
(1) The result of risk management policy and procedure, scope, organization structure, and implementation for 2025 (including cyber security risk management) were reported to the board of directors on October 30, 2025.
(2) In 2025, in addition to continuing general risk management operations, we will continue to implement several risk management projects, including flu vaccination, information security, and regulatory compliance management. We also expect to complete the ongoing certification of our information security management system (ISO/IEC ISO27001:2022) by the end of 2025, confirming that our information security management activities, such as drug sales processes, new drug research and development processes, and data center maintenance and management, comply with the ISO27001:2022 standards.
(3) Major events and risk management implementations in 2025:
1. Company website outage incident
1. On September 11, 2025, at approximately 5:55 PM, the server of the company's official website hosting provider, JD Digital Tech Co., Ltd. (hereinafter referred to as JDDT), suffered a DDoS attack, causing the company's official website to shut down.
2. Upon discovering that our company website had been hacked, the Company immediately activated its cybersecurity defense review mechanism, collaborated with technical experts from an external cybersecurity company, and immediately conducted cybersecurity scans on all of the Company's systems to ensure information security. Additionally, the company requested JDDT to restart the host and restore the backup data. The Company's official website was restored to normal operation at approximately 2:20 PM on September 12 of the same year.
3. Given that this incident demonstrates the continued risk of hacker attacks on the Company's official website, cybersecurity experts recommend that JDDT and our company should evaluate whether to implement a Content Delivery Network (CDN) protection plan. This plan would use a geographically distributed set of servers to distribute traffic, hide website sources, strengthen caching and filtering mechanisms, prevent service interruptions, and improve security.
2. Currency fluctuations
1. At the end of 2024, the USD-NTD currency rate was at 32.785, the highest exchange rate in 25 years. After examining global geopolitical and financial shifts, plus USD forecasts presented by financial institutions, the Company predicts the depreciation of USD in 2025. Therefore, if we continued to hold a large quantity of assets in USD, there will be a significant evaluation loss risks of the exchange rate. The Company held a Exchange Rate Response Project Meeting and resolved to keep a certain level of assets in USD to support our pipeline projects for the next 3-5 years, the execution team should actively reduce USD-based assets within a certain range of exchange rates. The team exchanged US$56 million of assets to NTD at the average exchange rate of 32.97 in the first quarter of 2025 and recognized NT$10.58 million in realized exchange gain.
2. However, starting in second-quarter 2025 to mid-2025, due to global trade uncertainties caused by US tariff policies, the global USD weakened, coupled with the general strengthening of Asian currencies, many Taiwanese exporters actively "sold off" their foreign exchange reserves, and foreign capital inflows into the Taiwanese stock market, leading to a sharp rise in NTD against USD The highest daily closing price in second-quarter 2025 reached 29.10, and in third-quarter 2025, it reached a higher daily closing price of 28.93, demonstrating significant fluctuations in the USD exchange rate. As of the end of September, the USD to NTD exchange rate was 30.455, and the Company's total foreign currency assets amounted to US$27.13 million (including US$22.63 million in cash assets and US$4.5 million in foreign currency receivables), with a recognized exchange loss of NT$36.55 million.
3. Due to the Company's forecasts, discussions, and implementation of exchange rate conditions at the beginning of 2025, the company's US dollar assets decreased significantly. As a result, the impact of large fluctuations in the US dollar exchange rate on the financial statement profit and loss was effectively reduced in the first three quarters of 2025. In the future, the Company will continue to monitor the dynamics of the financial market in order to reduce the financial risks of exchange rate fluctuations.
(2) In 2025, in addition to continuing general risk management operations, we will continue to implement several risk management projects, including flu vaccination, information security, and regulatory compliance management. We also expect to complete the ongoing certification of our information security management system (ISO/IEC ISO27001:2022) by the end of 2025, confirming that our information security management activities, such as drug sales processes, new drug research and development processes, and data center maintenance and management, comply with the ISO27001:2022 standards.
(3) Major events and risk management implementations in 2025:
1. Company website outage incident
1. On September 11, 2025, at approximately 5:55 PM, the server of the company's official website hosting provider, JD Digital Tech Co., Ltd. (hereinafter referred to as JDDT), suffered a DDoS attack, causing the company's official website to shut down.
2. Upon discovering that our company website had been hacked, the Company immediately activated its cybersecurity defense review mechanism, collaborated with technical experts from an external cybersecurity company, and immediately conducted cybersecurity scans on all of the Company's systems to ensure information security. Additionally, the company requested JDDT to restart the host and restore the backup data. The Company's official website was restored to normal operation at approximately 2:20 PM on September 12 of the same year.
3. Given that this incident demonstrates the continued risk of hacker attacks on the Company's official website, cybersecurity experts recommend that JDDT and our company should evaluate whether to implement a Content Delivery Network (CDN) protection plan. This plan would use a geographically distributed set of servers to distribute traffic, hide website sources, strengthen caching and filtering mechanisms, prevent service interruptions, and improve security.
2. Currency fluctuations
1. At the end of 2024, the USD-NTD currency rate was at 32.785, the highest exchange rate in 25 years. After examining global geopolitical and financial shifts, plus USD forecasts presented by financial institutions, the Company predicts the depreciation of USD in 2025. Therefore, if we continued to hold a large quantity of assets in USD, there will be a significant evaluation loss risks of the exchange rate. The Company held a Exchange Rate Response Project Meeting and resolved to keep a certain level of assets in USD to support our pipeline projects for the next 3-5 years, the execution team should actively reduce USD-based assets within a certain range of exchange rates. The team exchanged US$56 million of assets to NTD at the average exchange rate of 32.97 in the first quarter of 2025 and recognized NT$10.58 million in realized exchange gain.
2. However, starting in second-quarter 2025 to mid-2025, due to global trade uncertainties caused by US tariff policies, the global USD weakened, coupled with the general strengthening of Asian currencies, many Taiwanese exporters actively "sold off" their foreign exchange reserves, and foreign capital inflows into the Taiwanese stock market, leading to a sharp rise in NTD against USD The highest daily closing price in second-quarter 2025 reached 29.10, and in third-quarter 2025, it reached a higher daily closing price of 28.93, demonstrating significant fluctuations in the USD exchange rate. As of the end of September, the USD to NTD exchange rate was 30.455, and the Company's total foreign currency assets amounted to US$27.13 million (including US$22.63 million in cash assets and US$4.5 million in foreign currency receivables), with a recognized exchange loss of NT$36.55 million.
3. Due to the Company's forecasts, discussions, and implementation of exchange rate conditions at the beginning of 2025, the company's US dollar assets decreased significantly. As a result, the impact of large fluctuations in the US dollar exchange rate on the financial statement profit and loss was effectively reduced in the first three quarters of 2025. In the future, the Company will continue to monitor the dynamics of the financial market in order to reduce the financial risks of exchange rate fluctuations.
Risk Management Documents