Corporate Governance Risk Management

Risk Culture
Risk Management Objectives
Risk Appetite

Overview of the Risk Management Process
Risk Assessment and Treatment
Monitoring and Review
Consultation and Reporting
Integration of Risk Management

Overview of the ERM Framework

With reference to the international standards published by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) and the International Organization for Standardization (“ISO”), the Group establishes its own tailor-made ERM framework, which fits in with the business nature, structure, sustainable growth and development of the Group. The ERM framework consists of three components:

Risk Culture

The Group embraces a risk-aware culture and believes that an ingrained risk culture is the key to effective risk management, while training is a useful tool to promote and engage management and employees in ERM implementation. The Group promotes the risk culture with the following key themes:

Effective ERM is beyond processes and forms – it is a change of culture in terms of mindset and behaviour.
ERM is not a standalone programme – it should be tailored and embedded in the Group’s business processes.
ERM deals with both risks and opportunities – appropriate risk-based treatments can control risks and even seize further opportunities of value creation.

Risk Management Objectives

The Group's ERM Framework aims to enhance the ability to achieve our vision and mission, and fulfil the five core values. In support of this, the Group has established a robust ERM framework with the following risk management objectives:

to fulfil our commitment to integrity, ethics and compliance as an integral part of our corporate governance
to build agility and resilience amid uncertainty in dynamic business environment
to facilitate risk-informed decisions and align the Group’s objectives, strategy and operations with the risk appetite
to strengthen our capacity for seizing opportunities and safeguarding our assets to support our sustainable growth and create shared value

Risk Appetite

Risk appetite is defined to establish the extent and nature of risks the Group is willing to take in achieving our vision and mission. The Group’s risk appetite statement is disseminated across the Group and incorporated into our risk assessment criteria in order to align with our business objectives, core values, strategy, as well as risk management activities. The risk appetite statement is reviewed by the Board periodically to keep abreast of the ever-changing business environment and the latest development of the Group. The Group’s risk appetite is as follows:

The Group upholds the highest standards of integrity, compliance, and ethics and has no tolerance for any material breaches of laws and regulations.
The Group has no compromise on any threats which may significantly impact the health and safety of our people.
The Group has strong interest in protecting the environment and upholding social sustainability and does not engage in activities which will significantly damage the environment and society.
The Group does not expose ourselves to material damage to our reputation or brand.
The Group endeavours to minimize any business interruptions and significant operational impacts to business continuity.
The Group is prudent to make decisions which may threaten our long term financial viability and liquidity to meet our financial commitments.
The Group balances risks and opportunities whilst implementing a strategy to minimize failure in business decisions and optimize the Group’s value.

ERM Governance

The overall risk management process is overseen by the Board. With the emphasis on value creation and protection, the Group adopts the Three Lines Model as its risk governance structure. The model clearly defines the responsibilities with enhancing collaboration and communication among different roles, which facilitates alignment of risk management activities and provides assurance to the Board.

Governing Body

Board of Directors

Hold the ultimate responsibility for risk oversight including setting and reviewing the risk appetite
Ensure the Group maintains appropriate and effective risk management and internal control systems
Empower and delegate the ERM oversight responsibility to the Audit Committee

Audit Committee

Oversee the risk management and internal control systems and review their adequacy and effectiveness
Review the risk profile of the Group and advise the Board on the current and potential risk exposures and their corresponding risk treatment plans

Executive Committee

Lead and supervise the ERM implementation
Advise the Audit Committee and the Executive Committee on all ERM-related matters
Improve risk awareness and promote risk-aware culture across the Group

ERM Steering Group

Determine and allocate sufficient resources to effectively implement the ERM system
Review and prioritize the Group’s key risks and endorse the risk treatment plans
Ascertain the effectiveness of the risk management and internal control systems

First Line

Business and Functional Units and Individuals (Frontline Staff and Operational Management)

Act as risk owners to perform risk assessments to identify, analyze, and evaluate risks in daily operations and in areas of accountability
Design, prioritize and implement risk treatment plans and report in the Risk Register
Conduct periodic self-assessment on the effectiveness of risk treatment plans

Second Line

Corporate Office Departments (including the Executive Office)

Act as risk owners and perform ERM responsibilities for respective departments
Remain current with best practices and provide recommendations to the ERM Steering Group

ERM Team

Assist management in the design and development of ERM processes and risk controls
Facilitate the risk management process, including the identification and monitoring of the known and emerging risks, aggregation and prioritization of the key risks identified by the Group as well as reporting to senior management and committees
Promote risk-aware culture across the Group
Review the implementation of risk treatment plans

Third Line

Internal Audit

Provide independent assurance on the adequacy, effectiveness and efficiency of the risk management and internal control systems
Consider the key and emerging risks upon formulating the annual audit plan and planning for each audit
Perform risk-based validation of the risk treatment plans

External Assurance

External Auditor

Provide independent assurance on the Group’s processes and controls over financial reporting

Independent Experts from Respective Professions

Advise on best practice and/or assure compliance, when applicable

Regulatory Authorities

Execute regulatory oversight on relevant entities, areas or activities

Whistleblowing System

Whistleblowing

Provide an independent and confidential channel for stakeholders to directly report to GARA for any serious concerns about suspected or actual fraud, corruption, breach, malpractice, misconduct or irregularity of the Group and/or its staff member. Please refer to the Corporate Governance Report of the annual report for details

Overview of the Risk Management Process

Risk management process starts from the establishment of context, by taking into the consideration of the external environment and megatrends, as well as risk universe of the Group. Risks are then identified, analyzed, evaluated and treated with measures. With constant review, monitoring, reporting and consultation, the risk management process integrates with various business processes and activities in optimizing the risk and return.

To facilitate a comprehensive and robust risk management process, top-down and bottom-up approaches are employed to gather risk insights as well as to monitor and manage risks from the perspectives of both sides, together with “ERM Policy” and “ERM Manual” to provide proper guidance. Also, interactive communication between the risk owners and the ERM Team is in place to enable both parties to keep abreast of risk updates.

Risk Management Process

Risk Assessment and Treatment

1. Establishment of Context

The Group defines the internal and external contexts as well as the parameters for risk assessment criteria.

2. Risk Identification

The Group adopts both Top-down and Bottom-up approaches, complemented with Outside-in and Spread-out mechanisms to facilitate a comprehensive risk identification process.

CG report website graphics 2_EN ZH SC_Risk Identification_EN

3. Risk Analysis

Business and functional units and corporate office departments assess the likelihood, impact, risk velocity, inherent risk level and residual risk level of the key risks identified.

4. Risk Evaluation

The risk analysis results are compared with the risk appetite and tolerance level. This allows management to determine the risk response strategy for each risk and prioritize risk treatment plans.

5. Risk Treatment

Risk treatment plans for implementing risk mitigation measures are developed by respective business and functional units and corporate office departments, based on the priority and nature of risks.

Monitoring and Review

Continual tracking, review and validation of the implementation of our ERM framework have been in place to monitor various risks, change in risk exposure, their residual risk levels, as well as to ensure and increase the effectiveness and quality of ERM framework and outcomes.

Risk Register

Business and functional units and corporate office departments perform self-assessment of the effectiveness of the risk treatment plans upon the submission of the Risk Register every half year.

Key Risk Indicator

KRIs are set by risk owners to measure and monitor changes in risk exposure of key risks. If there is any KRI value exceeding the pre-defined threshold, risk alerts to management will be mandated so that they can timely administer corresponding responses, and proper reporting to Executive Directors will be made.

Risk Treatment Validation

The ERM Team reviews the implementation and effectiveness of risk mitigation measures stated in the Risk Register. The Internal Audit Team also performs risk-based validation to test risk mitigation measures of key risks during the internal audit process.

Early Risk Flagging Mechanism

An early risk flagging mechanism is applied across the Group, to proactively identify and assess emerging risks and risks with high velocity, such as quality, health and safety, disaster and media events. When a potential risk is perceived with significant impact, the risk should be flagged and reported to line manager and risk oversight parties.

Whistleblowing Mechanism

The Group has established a whistleblowing policy and provided reporting channels for internal and external stakeholders. Whistleblowing cases are reported to the Executive Committee and the Audit Committee. For details, please refer to the Corporate Governance Report of the annual report.

Review on the Effectiveness of Risk Management and Internal Control Systems

The Board, with the assistance from the Audit Committee, Corporate Governance Committee and Sustainability Committee, reviewed and evaluated the effectiveness of the Group’s risk management and internal control systems (including ESG risks and climate-related risks), including the consideration of the following factors:

The scope of work performed by both internal and external auditors and any significant findings identified in their audit reports during the year, as well as the extent of any potential or actual impact derived from those findings on financial performance or conditions of the Group
The scope and quality of our ongoing monitoring of risks (including ESG risks and climate-related risks) and internal controls (including financial, operational and compliance controls) as well as the communication mechanism for results of the ongoing monitoring systems including but not limited to KRIs and internal control reviews
The adequacy of the resources, as well as staff experience, qualifications and training, of the Group’s risk management, internal audit, finance, and sustainability functions
The opportunities and progress of continuous improvement of risk management and internal control systems
The design and implementation of the Group’s ERM framework, and outcomes of the risk management process
The changes in the nature and extent of significant risks (including ESG risks and climate-related risks) and the Group’s risk profile since the last review, and the capacity and response strategies of the Group for changes in business, external environment and megatrends
The effectiveness of financial reporting and regulatory compliance processes

In addition to the above, the Integrated Internal Control Self-Assessment Certificate is applied across the Group to evaluate the effectiveness of its risk management and internal control systems semi-annually by business and functional units and corporate office departments, with reference to the COSO framework. Regarding the review of the effectiveness of the risk management and internal control systems and its results, please refer to the Corporate Governance Report for details.

Consultation and Reporting

Regular reporting, regarding identified risks and the status of risk management activities, is provided to management, the ERM Steering Group, the Executive Committee and the Audit Committee to facilitate the risk management process and decision-making. The ERM Steering Group Meeting is held every half year to discuss key risk matters and updates.

Integration of Risk Management

ERM is embedded into decision-making and business processes, including but not limited to the following key organizational processes:

Business Planning

Potential risks, which may impact the achievement of business objectives, are identified and considered in strategic planning, and project and operational plans. This could better align business strategy and process with the risk appetite set at the early stage.

Investment

Investment proposals are reviewed with the consideration of risks (including ESG risks and climate-related risks) before decision-making. Feasibility study and/ or due diligence are conducted to identify and assess potential risks and relevant costs for risk treatment. Review and reporting processes are in place to analyze and monitor the change of risks throughout the investment management cycle. Response strategy is formulated and executed timely to address any material changes of risk exposure of an investment project.

Day-to-day Operations

The Group establishes a framework for business and functional units and corporate office departments to understand and evaluate their risk profiles and exposures (including ESG risks and climate-related risks) systematically. Risk treatment plans designed during the ERM process have been incorporated in their operational plans and implemented with regular monitoring. KRI mechanism is applied to detect abnormal changes to risk exposures for timely escalation and treatment.

Risk Focus

The Group invests and operates a wide range of businesses predominantly in Hong Kong and the Mainland. Our businesses include toll roads, construction, insurance, logistics, and facilities management.

Through the comprehensive risk management process mentioned in the previous section, the Group identified major risks which may affect the achievement of the Group’s business objectives. However, risk evolves from the interactions of many dynamic forces and factors in the business environment. Some risks are not significant now but could become key ones in the future; certain risks exist but we are not aware of; and/or new risks come to light. Therefore, our risk portfolio would be reviewed and updated to react and respond to the changing risk landscape.

Overall Risk Trend

As the pandemic gradually recedes, its impact on our operation has been much less significant and the business has transitioned back to normalcy. While it no longer remains our primary concern, we stay attentive to any potential hazards that could unexpectedly arise and develop into immediate challenges.

In the post-pandemic era, market competition has become intense as businesses strive to regain lost ground. We pay close attention to the competition and remain committed to refining strategies, optimizing efficiency, and fostering innovation to maintain a competitive edge.

Corporations does not only compete for customers, but talents. Talent competition has been a hot topic as economic activities steadily recover together with the shrinking talent pool. This trend has become particularly evident following the implementation of enhanced talent attraction policies in different cities and countries. Therefore, effective talent attraction and retention strategies have been our top priority so as to support business development.

During the year, the macroeconomic environment remains relatively unstable due to concerns about surging inflation and interest rates, fluctuating exchange rates, and economic downturn. Throughout the years, we have been vigilant in navigating these conditions and capitalizing on emerging opportunities by implementing strategic and financial initiatives such as the disposal of commercial aircraft leasing platform and issuance of Panda Bonds to strengthen our financial position.

Meanwhile, geopolitical risk has been an increasing attention to the Group due to the geopolitical conflicts including the China-United States tensions, cross-Strait relations, and Russo-Ukrainian War during the year. Since the shock arising from those conflicts could be tremendous, we keep a close eye on the development of various geopolitical issues including but not limited to new restrictive policies, sanctions, tariffs and military conflicts for the purpose of timely and appropriate reaction and mitigation measures.

Aside from geopolitical risk, climate change and sustainability risks continue to be major concerns for our business, as it has been amplifying the breadth and depth of the impact such as more frequent extreme weather events and tightening regulatory requirements. Consequently, we have continually increased our attention and efforts in managing these impacts on our business, the community and the planet.

The Group will keep monitoring and managing the uncertainties in achieving the business objectives.

Please refer to the following table of the major risks identified by the Group and the corresponding mitigation measures for the Group’s efforts in managing the major risk profile. The table below is neither intended to be exhaustive nor comprehensive.

Risk Description

Risk Trend

Mitigation Measures

Global economic uncertainties and slow recovery affecting business growth and financial performance

Evaluate the potential impacts from the economy by analyzing the financial performance and monitoring business and economic data continuously
Optimize business / customer portfolios to reduce impact from economic fluctuation and diversify the risk
Identify opportunities for business collaboration and partnership to leverage the synergies within the Group ecosystem
Perform sensitivity assessment on potential impacts in relation to economic conditions leading to lower valuation
Explore new business opportunities or new sources of income for new growth drivers

Imposition of government policies, intervention, laws or regulations, exposing the Group to legal or regulatory liabilities, business disruption, reputational and/or financial losses

Implement close monitoring of the change of applicable government policies, laws and regulations
Formulate responsive strategy and plans for anticipated and upcoming changes
Provide updates and/or training to staff to cope with the new government policies and practices
Proactively communicate with external parties (e.g. the relevant council or association) to understand the changes and express opinions collectively
Partner with consultants, scholars and university to get the advice on adapting changes of government

Conflicts between nations, political issues towards individual business, political instability and etc., impacting the Group’s ability to sustain its profitability

Pay close attention to the latest development of geopolitical issues and assess impact of the issues
Develop and maintain response and contingency plan for handling the situation arising from political issues
Seek professional advice on any regulatory changes due to political factors such as sanctions

Intense competition arising from existing competitors and/or new entrants to the market regarding the businesses the Group is operating

Expand and maintain the market share by effective customer incentive programs and sound customer relationship management
Analyze competitors and the market for effective monitoring on the competitive situation and formulate corresponding strategic plans
Utilize technology to enhance customer experience and to increase operational efficiency and effectiveness

Poor corporate image, depreciating reputation and brand value, impacting the stakeholder confidence towards the company

Uphold quality controls on our services and products, and collect voice of customers
Engage service vendors to monitor and address negative comments on social media platforms and negative media coverage
Develop communication plan for designating a spokesperson and responding to the news or media enquiries especially during a crisis
Actively promote our brands through promotional materials, marketing and branding campaigns with proper reviews and controls
Maintain good relationship and communication with the press and stakeholders

Lack of effective sustainability strategy and related governance structure to execute proper measures and monitoring, exposing the company to weak growth, reputation issue and financial loss

Establish a comprehensive sustainability governance structure, in which the Sustainability Committee facilitates the oversight and management of the Group’s sustainability matters
Establish the ESG Management Task Force to monitor sustainability performance, target progress and action plans across business units so as to ensure the alignment with the Group’s strategy and vision
Liaise with key stakeholders regularly and conduct stakeholder engagement to understand their expectations and align their views to our strategy and focuses
Engage subject matter experts and advisors to help develop sustainability strategy and compliance with disclosure requirements
Develop and update sustainability-related policies and guides to address the latest trends and regulatory requirements
Organize training and maintain adequate communication with business units and employees to communicate the latest ESG trends and requirements

Adverse change in exchange rate of foreign currency, exposing the company to higher cost of business or financial loss

Closely monitor movement of foreign currency rates and consider to arrange currency hedging contracts should the need arises
Periodically review foreign currency assets, cashflow forecast and funding needs, and convert surplus foreign currency to domestic currency
Set up a RMB cash pool in Mainland China to enhance the flexibility of intercompany RMB transactions
Adjust the loan portfolio based on the Group’s assets and liabilities exposure to foreign exchange rates

Failure to attract and/or retain qualified staff to support operations impacting the achievement of business objectives

Review the existing remuneration packages and compare with industry benchmark periodically
Provide development and training programs to improve staff’s competency and promote career progression
Foster the caring culture by employee engagement activities and channels to enhance cohesion between the Group and its employees, and to obtain voice of employees and address their needs
Expand channels of reaching talents and promote the Group’s employer branding to increase the competitiveness in the talent market

Cyber security issues compromising data integrity, confidentiality and system availability, which may lead to adverse impacts on reputation, financial conditions, and operational performance

Establish comprehensive information security protection with well-defined policies and security controls such as authorization and authentication mechanisms, firewalls with advanced threat controls, network immune system, etc.
Provide periodic training and conduct phishing drill exercises to promote cyber security awareness
Purchase cyber security insurance to cover losses arising from cyber incidents or data loss events
Engage information security specialists to assess cyber security vulnerabilities and controls

Major non-natural disasters, crises or incidents, interrupting the operations, production and service delivery, which may impact the company’s ability to sustain the operation

Establish contingency plan and disaster recovery procedures in response to emergency events systematically and effectively
Apply technologies to reduce occurrence of accidents and detect accidents timely for remediation
Conduct drill exercises and provide periodic training on handling incidents and emergency events
Assess and ensure sufficient insurance coverage
Implement precautionary measures such as regular facility maintenance and safety inspection

Risk Level increased during the financial year

Risk level decreased during the financial year

Risk level remained similar to previous year

Involve Environmental, Social, and Governance Risk

Involve Climate-related Transition Risk

Risk Description

Risk Trend

Mitigation Measures

Risk Description

Risk Trend

Mitigation Measures

Risk Description

Risk Trend

Mitigation Measures

Risk Description

Risk Trend

Mitigation Measures

Risk Description

Risk Trend

Mitigation Measures

Risk Description

Risk Trend

Mitigation Measures

Risk Description

Risk Trend

Mitigation Measures

Risk Description

Risk Trend

Mitigation Measures

Risk Description

Risk Trend

Mitigation Measures

Risk Description

Risk Trend

Mitigation Measures

Risk Level increased during the financial year

Risk level decreased during the financial year

Risk level remained similar to previous year

Involve Environmental, Social, and Governance Risk

Involve Climate-related Transition Risk

Managing ESG Risks And Climate-Related Risks

ESG issues and climate change are widely recognized as key topics that all sectors need to address, as it could bring multi-faceted impacts to sustainable business growth and community development. The Group emphasizes the importance of ESG risks and climate-related risks, and therefore has integrated those risks into our ERM framework in order to facilitate the achievement of the NWS Sustainability Target 2030 and develop resilience for both physical and transition impacts under climate change.

The Board takes ultimate responsibility for ESG and sustainability of the Group, which oversees the Group’s ESG strategy and progress against respective goals and targets. With the delegation from the Board, the Audit Committee oversees ESG risks and climate-related risks, monitors uncertainty affecting the achievement of ESG goals and targets, and evaluates effectiveness of mitigations to manage the risks.

The Group applies the aforementioned risk management process, ranging from risk assessment and treatment to consultation and reporting, to the management of ESG risks and climate-related risks which have been incorporated with the Group’s risk profile, such as talent attraction and retention, regulatory compliance, environmental, sustainability governance, etc. Other than ordinary risks, ESG and climate-related topics are also our discussion focus during the risk identification exercise to obtain insights and form the basis of the Group’s risk profile, which is part of the regular reporting to the ERM Steering Group, Executive Committee and Audit Committee.

In considering the characteristics of ESG risks and climate-related risks, the Group has made some appropriate adjustments during the integration of those risks into the ERM framework. For instance, different time horizons have been used in the assessment criteria of climate-related risks. Since FY2019, the Group has undertaken multiple climate-related risk assessments and disclosure reviews with external consultants. For example, a few major assets have been selected for a physical risk assessment and the assessment approach serves as a blueprint for replicating and scaling similar initiatives across our business units. Furthermore, for systematic climate-related risk management and integration, a technical guide has been established to articulate the procedures for identification, assessment and management of climate-related transition risks. To stay abreast of the future uncertainties of climate change, the Group has also developed a net zero roadmap in preparation for the upcoming transition to net zero. For the details on ESG and climate-related risk management initiatives, please refer to the Corporate Governance Report and the Sustainability Report.

Additionally, to enhance the awareness and understanding of ESG risks and climate-related risks, we have organized webinars and training sessions periodically to share information and knowledge about emerging trends and popular ESG and climate-related topics with management, risk owners and relevant individuals. For example, during the year, we organized cyber security risk training webinar and workshop for our staff, management and the Board to enhance their cyber security awareness. Moreover, in the refresher training this year, climate-related risk trend and assessment approach were explained to the risk owners and reporting persons.

Risk Management

Risk Culture

Risk Management Objectives

Risk Appetite

Overview of the Risk Management Process

Risk Assessment and Treatment

Monitoring and Review

Consultation and Reporting

Integration of Risk Management

ERM Framework

ERM Principles

Risk Culture

Risk Management Objectives

Risk Appetite

ERM Governance

Risk Management Process

Overview of the Risk Management Process

Risk Assessment and Treatment

Monitoring and Review

Consultation and Reporting

Integration of Risk Management

Risk Focus

Managing ESG Risks And Climate-Related Risks

Risk Management Process