Risk management system

Chapter I General Provisions Article 1 is the risk management of the company, establishing a standardized and effective risk control system, improving the risk prevention capability, ensuring the safe and steady operation of the company and improving the management level. According to the relevant provisions of laws, regulations and normative documents such as the Company Law of the People's Republic of China, the Basic Rules for Internal Control of Enterprises, and in combination with the company's Article 2 The purpose of this system is to provide reasonable guarantee for the company to achieve the following objectives: (1) Control the risks within an acceptable range that is compatible with the overall objectives; (2) Realizing the truthfulness and reliability of internal and external information communication of the company; (three) to ensure compliance with laws and regulations; (four) to improve the efficiency and efficiency of the company's operation; (5) Ensure that the company establishes a crisis handling plan for all major risks, so that it will not suffer heavy losses due to catastrophic risks or human errors. Article 3 Company risk refers to the influence of future uncertainty on the company's realization of its business objectives. Article 4 Risks are classified according to different company objectives. Company risks are divided into strategic risks, operational risks, financial risks and legal risks. (1) Strategic risk: the negative factors that affect the realization of strategic objectives due to incorrect strategic decisions that have not been formulated or formulated. (2) Business risks: improper business decisions, factors that hinder or affect the realization of business objectives. (3) Financial risks: including the risk of financial report distortion, the risk of asset security being threatened and the risk of fraud. 1. Risk of financial report distortion. Failing to organize accounting and prepare financial accounting reports in full accordance with relevant accounting standards, and failing to disclose relevant information as required, resulting in incomplete, inaccurate and untimely financial accounting reports and information disclosure. 2. Asset security is threatened. The failure to establish or implement the relevant asset management system leads to the decrease or disappearance of the use value and liquidity of the company's assets such as equipment, inventory, securities and other assets. 3. Risk of fraud. Obtaining unfair or improper benefits by intentional behavior. (4) Legal risk: factors that affect the realization of compliance objectives due to the failure to fully and conscientiously implement the national laws, regulations and policies and the provisions of relevant documents of Shenzhen Stock Exchange (hereinafter referred to as "Shenzhen Stock Exchange"). Article 5 Risks can be divided into pure risks and opportunity risks according to whether they can bring profit opportunities to the company. Article 6 According to the influence degree of risks, risks can be divided into general risks and important risks. Article 7 This system is applicable to companies and their holding subsidiaries. Chapter II Risk Management and Division of Responsibilities Article 8 All departments of the company are the first line of defense for risk management; The Audit Department and the Audit Committee under the Board of Directors are the second line of defense for risk management; The board of directors and shareholders' meeting are the third line of defense for risk management. Article 9 The main responsibilities of each department of the company in risk and control management: (1) Each department of the company shall identify and analyze the risks of relevant business processes according to the overall risk assessment plan formulated by the internal control department of the company and the business division, and determine the risk response plan with the cooperation of the internal control project team. (2) According to the identified risks and the determined risk response plan, design and record relevant controls according to the control design methods and description tools determined by the company, and modify and improve the control design according to the requirements of risk management. Including: establishing control management system, describing business process according to specified methods and tools, and compiling risk control documents and program files. (three) to organize the implementation of the control system, supervise the implementation of the control system, find, collect and analyze the control defects, and put forward suggestions for improving the control defects and implement them. For major defects and substantive loopholes, in addition to reporting to the department in charge, feedback should also be given to the company's board of directors, so that the company can monitor the operation of the internal control system. (four) to cooperate with the audit department and other departments to investigate and deal with the events that caused great losses or adverse effects due to control failure. Article 1 The risk management and division of responsibilities of holding subsidiaries shall be formulated with reference to the provisions of Articles 8 and 9 above respectively. Chapter III Collection of Initial Information of Risk Management Article 11 Collect the internal and external initial information related to the company's risk and risk management extensively and continuously, including historical data and future forecast, and implement the division of responsibilities for collecting the initial information to all departments and holding subsidiaries. Article 12 In terms of strategic risks, we shall extensively collect domestic and foreign cases of loss caused by out-of-control strategic risks of companies, and collect important information related to the company's macroeconomic policies, technical environment, market demand, competition situation, etc., focusing on the company's development strategy and planning, investment and financing plans, annual business objectives, business strategies, and the relevant basis for compiling these strategies, plans, plans and objectives. Article 13 In terms of financial risks, we shall extensively collect cases of crisis caused by out-of-control financial risks of domestic and foreign companies, collect important information related to the company's profitability, asset operation ability, solvency and development ability, and focus on business processes or links that have occurred or are prone to errors in cost accounting, fund settlement and cash management. Article 14 In terms of operational risks, we shall collect extensively the cases in which domestic and foreign companies neglected market risks and lacked countermeasures, and collect important information about the company's product structure, market demand, competitors, major customers and suppliers, supervise, evaluate and continuously improve the operation of existing business processes and information systems, and analyze the current situation and capabilities of the company's risk management. Article 15 In terms of legal risks, we shall extensively collect the cases in which domestic and foreign companies neglected the risks of laws and regulations and lacked countermeasures, which led to the company's losses, and collect information on the company's legal environment, employee ethics, major agreements and contracts, and major legal disputes. Article 16 The Company shall screen, refine, compare, classify and combine the collected initial information in order to carry out risk assessment. Chapter IV Risk Assessment Article 17 A company's risk assessment is mainly carried out through five basic procedures, namely, establishing risk management concept and risk acceptance, setting targets, risk identification, risk analysis and risk countermeasures. Article 18 Establishing the company's risk management concept and risk acceptance degree is the basis of the company's risk assessment. (1) The company's risk management concept is the belief and attitude of the company * * * which is characterized by how the company recognizes the risks in the whole business process (from strategy formulation and implementation to the company's daily activities). The company implements a sound risk management concept and takes a cautious approach to high-risk investment projects. (2) The degree of risk acceptance refers to the degree of risk that the company is willing to accept in the process of pursuing the goal. Generally speaking, companies can classify risk acceptance into three categories: "high", "medium" or "low". The company considers the degree of risk acceptance from a qualitative point of view. On the whole, the company defines the degree of risk acceptance as "low", that is, the company can accept a lower degree of risk occurrence by adopting a cautious risk management attitude in the process of operation and management. The company's risk acceptance degree is also consistent with the company's risk management philosophy. Article 19 Goal setting is the premise of risk identification, risk analysis and risk countermeasures. Companies must first set goals, after which, they can identify and evaluate the risks that affect the realization of goals and take necessary actions to control these risks. Company objectives include strategic objectives, business objectives, compliance objectives and financial reporting objectives. Target determination must comply with national laws and regulations and industry development plans, with the company's strategic development plan, and with the provisions of Shenzhen Stock Exchange and regulatory agencies. Article 2 Risk identification is to identify the factors that may hinder the realization of the company's goals, prevent the company from creating value or erode the existing value. Companies can identify risks by questionnaire survey, group discussion, expert consultation, scenario analysis, policy analysis, industry benchmarking comparison, interviews, etc. The company should accurately identify the internal risks and external risks related to the realization of control objectives, so as to determine the corresponding risk tolerance. (1) When identifying internal risks, the company should pay attention to the following factors: 1. The professional ethics of directors, supervisors, managers and other senior management personnel, professional competence of employees and other four human resources factors. 2. Management factors such as organization, operation mode, asset management and business process. 3, research and development, technology investment, information technology application and other independent innovation factors. 4. Financial factors such as financial status, operating results and cash flow. 5. Safety and environmental protection factors such as operational safety, employee health and environmental protection. 6. Other internal risk factors. (II) When identifying external risks, companies should pay attention to the following factors: 1. Economic factors such as economic situation, industrial policy, financing environment, market competition and resource supply. 2, laws and regulations, regulatory requirements and other legal factors. 3. Social factors such as security and stability, cultural tradition, social credit, education level and consumer behavior. 4, technological progress, process improvement and other scientific and technological factors. 5, natural disasters, environmental conditions and other natural environmental factors. 6. Other external risk factors. Article 21 Risk analysis mainly analyzes and ranks the identified risks from two angles: the possibility of risk occurrence and the degree of influence on the company's objectives, and determines the focus and priority control risks. Risk analysis methods are generally a combination of qualitative and quantitative methods. In the case that quantitative analysis is not suitable for risk analysis, or when reliable enough data for quantitative analysis is not available, or the acquisition cost is high, companies usually use qualitative analysis. The company analyzes the risks to confirm which risks should be paid attention to and which risks should be paid general attention to, and further divides the risks that need attention into "important risks" and "general risks" respectively, thus laying the foundation for risk countermeasures. The judgment of the importance of the risk is mainly based on the possibility and influence of the risk: (1) If the possibility of the risk is "extremely unlikely", the risk can be ignored; (2) If the probability of occurrence of a risk is higher than or equal to "possible occurrence" and the impact of the risk is small, this kind of risk is determined as general risk; (3) If the possibility of a risk is equal to or higher than "the risk may occur" and the impact of the risk is great, this kind of risk is determined as an important risk. When conducting risk analysis, the company should fully absorb professionals, form a risk analysis team, and carry out work according to strict and standardized procedures to ensure the accuracy of risk analysis results. Article 22 Risk countermeasures. According to the results of risk analysis, combined with the causes and tolerance of risks, the company should weigh the risks and benefits, and choose the risk response plan: avoiding risks, accepting risks, reducing risks or sharing risks. 5 (1) Risk Avoidance: refers to the company's countermeasures to avoid and mitigate losses by giving up or stopping business activities related to risks that exceed the risk tolerance. For example, stop expanding business to a new geographical market or sell a branch of the company. (2) Risk reduction: refers to the countermeasures that the company is prepared to take appropriate control measures to reduce risks or losses and control risks within the risk tolerance after weighing the cost and benefit. (III) Risk sharing: refers to the countermeasures that the company is prepared to control the risk within the risk tolerance by means of subcontracting, purchasing insurance and other appropriate control measures with the help of others. (4) Accepting risks: refers to the strategy that the company is not prepared to take control measures to reduce risks or losses after weighing costs and benefits. When determining the specific risk response plan, the company should consider the following factors: 1. The impact of the risk response plan on the possibility and degree of risk, and whether the risk response plan is consistent with the company's risk tolerance; 2. Compare the cost and benefit of the scheme; 3. Compare the possible opportunities and related risks in the scheme; 4. Fully consider the combination of various risk response schemes; 5. Reasonably analyze and accurately grasp the risk preferences of directors, managers, other senior managers and employees in key positions, and take appropriate control measures to avoid serious losses caused by personal risk preferences to enterprise operations; 6. In combination with different development stages and business expansion, continuously collect information related to risk changes, conduct risk identification and risk analysis, and adjust risk response strategies in a timely manner. Chapter V Risk Management Solutions Article 23 The company shall formulate risk management solutions for various risks or each major risk according to the risk response strategy. Generally, the plan should include the specific objectives of risk resolution, the required organization and leadership, the management and business processes involved, the required conditions, means and other resources, the specific response measures taken before, during and after the risk event, and the risk management tools. Article 24 Based on the principle that the business strategy is consistent with the risk strategy and the risk control is balanced with the operational efficiency and effect, the company formulates the internal control plan for risk resolution, and formulates the whole process control measures covering all links for all management and business processes involved in major risks; For the business processes involved in other risks, we should take key links as control points and take corresponding control measures. Article 25 The Company shall formulate reasonable and effective internal control measures, including the following contents: (1) Establish an authorization system for internal control posts. Clearly stipulate the authorized object, conditions, scope and amount of each post involved in internal control, and no organization or individual may make risky decisions beyond authorization; (2) Establish an internal control reporting system. Clearly define the reporter and the receiver, the time, content, frequency, transmission route, departments and personnel responsible for handling the report, etc.; (3) Establish an internal control approval system. For important matters involved in internal control, clearly stipulate the approval procedures, conditions, scope and quota, necessary documents, departments and personnel with the right to approve and their corresponding responsibilities; (4) Establish an internal control responsibility system. In accordance with the principle of the unity of rights, obligations and responsibilities, clearly define the responsibilities and reward and punishment systems of all relevant departments and business units, posts and personnel; (V) Establish an internal control audit inspection system. In combination with the relevant requirements, methods, standards and processes of internal control, clearly define the objects, contents, methods and departments responsible for audit inspection; (six) the establishment of internal control evaluation system. Conditional companies should link the implementation of risk management of each business unit with performance pay; (seven) the establishment of major risk early warning system and emergency response mechanism. Clear risk early warning standards, formulate emergency plans, clarify responsible personnel and standardize disposal procedures for possible major risks or emergencies to ensure that emergencies are properly handled in a timely manner; (VIII) Establish and improve the company's legal adviser system. Vigorously strengthen the construction of the company's legal risk prevention mechanism, and form a legal risk responsibility system led by the company's decision-making level, provided by the company's legal counsel, and participated by all employees. Improve the filing management system of major legal disputes in the company; (nine) to establish a system of checks and balances of power in important positions, and clearly stipulate the separation of incompatible responsibilities. It mainly includes: authorization and approval, business handling, accounting records, property custody and audit inspection. The important positions involved in internal control can be set up with one post, two people, two jobs and two responsibilities, which restrict each other; Clarify the supervisory measures and responsibilities that the superior departments or personnel of this position should take; Take this position as the focus of internal audit, etc. Article 26 the company shall, in accordance with the division of responsibilities of all relevant departments and business units, carefully organize and implement