-
Risk Management Objectives
-
Risk Appetite
-
Risk Culture
-
Overview of the Risk Management Process
-
Risk Assessment and Treatment
-
Monitoring and Review
-
Consultation and Reporting
-
Integration of Risk Management
The Group's ERM Framework aims to enhance the ability to achieve our vision and mission, and fulfil the five core values. In support of this, the Group has established a robust ERM framework with the following risk management objectives:
- to fulfil our commitment to integrity, ethics and compliance as an integral part of our corporate governance
- to build agility and resilience amid uncertainty in dynamic business environment
- to facilitate risk-informed decisions and align the Group’s objectives, strategy and operations with the risk appetite
- to strengthen our capacity for seizing opportunities and safeguarding our assets to support our sustainable growth and create shared value
Risk appetite is defined to establish the extent and nature of risks the Group is willing to take in achieving our vision and mission. The Group’s risk appetite statement is disseminated across the Group and incorporated into our risk assessment criteria in order to align with our business objectives, core values, strategy, as well as risk management activities. The risk appetite statement is reviewed by the Board periodically to keep abreast of the ever-changing business environment and the latest development of the Group. The Group’s risk appetite is as follows:
- The Group upholds the highest standards of integrity, compliance, and ethics and has no tolerance for any material breaches of laws and regulations.
- The Group has no compromise on any threats which may significantly impact the health and safety of our people or any third parties.
- The Group has strong interest in protecting the environment and upholding social sustainability and does not engage in activities which will significantly damage the environment and society.
- The Group does not expose ourselves to any potential material damage to our reputation or brand.
- The Group endeavours to minimize any business interruptions and significant operational impacts to business continuity.
- The Group is prudent to make decisions which may threaten our long term financial viability and liquidity to meet our financial commitments.
- The Group balances risks and opportunities whilst implementing a strategy to minimize failure in business decisions and optimize the Group’s value.
The Group embraces a risk-aware culture and believes that an ingrained risk culture is the key to effective risk management, while training is a useful tool to promote and engage management and employees in ERM implementation. The Group promotes the risk culture with the following key themes:
- Effective ERM is beyond processes and forms – it is a change of culture in terms of mindset and behaviour.
- ERM is not a standalone programme – it should be tailored and embedded in the Group’s business processes.
- ERM deals with both risks and opportunities – appropriate risk-based treatments can control risks and even seize further opportunities of value creation.
The overall risk management process is overseen by the Board. With the emphasis on value creation and protection, the Group adopts the Three Lines Model as its risk governance structure. The model clearly defines the responsibilities for enhancing collaboration and communication among different roles, which facilitates alignment of risk management activities and provides assurance to the Board.
.webp)
- Hold the ultimate responsibility for risk oversight including setting and reviewing the risk appetite
- Ensure the Group maintains appropriate and effective risk management and internal control systems
- Empower and delegate the ERM oversight responsibility to the Audit Committee
- Oversee the risk management and internal control systems and review their adequacy and effectiveness
- Review the risk profile of the Group and advise the Board on the current and potential risk exposures and their corresponding risk treatment plans
- Determine and allocate sufficient resources to effectively implement the ERM system
- Review and prioritize the Group’s key risks and endorse the risk treatment plans
- Ascertain the effectiveness of the risk management and internal control systems
- Lead and supervise the ERM implementation
- Advise the Audit Committee and the Executive Committee on all ERM-related matters
- Improve risk awareness and promote risk-aware culture across the Group
- Act as risk owners to perform risk assessments to identify, analyze, and evaluate risks in daily operations and in areas of accountability
- Design, prioritize and implement risk treatment plans and report in the Risk Register
- Conduct periodic self-assessment on the effectiveness of risk treatment plans
- Act as risk owners and perform ERM responsibilities for respective departments
- Remain current with best practices and provide recommendations to the ERM Steering Group
- Assist management in the design and development of ERM processes and risk controls
- Facilitate the risk management process, including the identification and monitoring of the known and emerging risks, aggregation and prioritization of the key risks identified by the Group as well as reporting to senior management and committees
- Promote risk-aware culture across the Group
- Review the implementation of risk treatment plans
- Evaluate the adequacy, effectiveness and efficiency of the risk management and internal control systems
- Consider the key and emerging risks upon formulating the annual audit plan and planning for each audit
- Perform risk-based validation of the risk treatment plans
- Provide independent observations and recommendations on the Group’s processes and controls over financial reporting
- Advise on best practice and/or assure compliance, if necessary
- Execute regulatory oversight on relevant entities, areas or activities
- Provide an independent and confidential channel for stakeholders to directly report to GARA for any serious concerns about suspected or actual fraud, corruption, breach, malpractice, misconduct or irregularity of the Group and/or its staff member. Please refer to the Corporate Governance Report of the annual report for details
Risk management process starts from the establishment of context, by taking into the consideration of the external environment and megatrends, as well as risk universe of the Group. Risks are then identified, analyzed, evaluated and treated with measures. With constant review, monitoring, reporting and consultation, the risk management process integrates with various business processes and activities in optimizing the risk and return.
To facilitate a comprehensive and robust risk management process, top-down and bottom-up approaches are employed to gather risk insights as well as to monitor and manage risks from the perspectives of both sides, together with “ERM Policy” and “ERM Procedure” to provide proper guidance. Also, interactive communication between the risk owners and the GRM Team is in place to enable both parties to keep abreast of risk updates.
Risk Management Process
1. Establishment of Context
The Group defines the internal and external contexts (e.g. such as corporate objectives, core values, organizational structure, stakeholders, business segments, operating regions, regulatory environment) as well as the parameters for risk assessment criteria.
2. Risk Identification
The Group adopts both top-down and bottom-up approaches, complemented with outside-in and spread-out mechanisms to facilitate a comprehensive risk identification process.
 1.webp)
3. Risk Analysis
The Group adopts a two-phased methodology where business units and corporate office departments need to conduct a preliminary risk assessment to sort out key risks for undergoing comprehensive risk analysis, and a diverse spectrum of risk assessment criteria is applied throughout the process covering likelihood, impact, risk velocity, forecast risk movement, inherent risk level and residual risk level.
4. Risk Evaluation
The risk analysis results are compared with the risk appetite and tolerance level. This allows management to determine the risk response strategy for each risk and prioritize risk treatment plans.
5. Risk Treatment
Risk treatment plans for implementing risk mitigation measures are developed by respective business units and corporate office departments, based on the priority and nature of risks.
Continual tracking, review and validation of the implementation of our ERM framework have been in place to monitor various risks, change in risk exposure, their residual risk levels, as well as to ensure and increase the effectiveness and quality of ERM framework and outcomes.
Risk Register
Business units and corporate office departments perform self-assessment of the effectiveness of the risk treatment plans upon the submission of the Risk Register every half year.
Key Risk Indicator
KRIs are set by risk owners to measure and monitor changes in risk exposure of key risks. If there is any KRI value exceeding the pre-defined threshold, risk alerts to management will be mandated so that they can timely administer corresponding responses, and proper reporting to Executive Directors will be made.
Risk Treatment Validation
The GRM Team reviews the implementation of risk mitigation measures stated in the Risk Register. The Group Audit Team also performs risk-based validation to test risk mitigation measures of key risks during the internal audit process.
Early Flagging Mechanism
An early risk flagging mechanism is applied across the Group, to proactively identify and assess emerging risks and risks with high velocity, such as quality, health and safety, disaster and media events. When a potential risk is perceived with significant impact, the risk should be flagged and reported to line manager and risk oversight parties.
Whistleblowing Mechanism
The Group has established a whistleblowing policy and provided reporting channels for internal and external stakeholders. Whistleblowing cases are reported to the Executive Committee and the Audit Committee. For details, please refer to the Corporate Governance Report of the annual report.
Review on the Effectiveness of Risk Management and Internal Control Systems
The Board, with the assistance from the Audit Committee and ESG Committee, reviewed and evaluated the effectiveness of the Group’s risk management and internal control systems (including ESG risks and climate-related risks), including the consideration of the following factors:
- The scope of work performed by both internal and external auditors and any significant findings identified in their audit reports during the year, as well as the extent of any potential or actual impact derived from those findings on financial performance or conditions of the Group
- The scope and quality of our ongoing monitoring of risks (including ESG risks and climate-related risks) and internal controls (including financial, operational and compliance controls) as well as the communication mechanism for results of the ongoing monitoring systems including but not limited to KRIs and internal control reviews
- The adequacy of the resources, as well as staff experience, qualifications and training, of the Group’s risk management, internal audit, finance, and ESG functions
- The opportunities and progress of continuous improvement of risk management and internal control systems
- The design and implementation of the Group’s ERM framework, and outcomes of the risk management process
- The changes in the nature and extent of significant risks (including ESG risks and climate-related risks) and the Group’s risk profile since the last review, and the capacity and response strategies of the Group for changes in business, external environment and megatrends
- The effectiveness of financial reporting and regulatory compliance processes
In addition to the above, the Integrated Internal Control Self-Assessment Certificate is applied across the Group to evaluate the effectiveness of its risk management and internal control systems semi-annually by business units and corporate office departments, with reference to the COSO framework. Regarding the review of the effectiveness of the risk management and internal control systems and its results, please refer to the Corporate Governance Report of the annual report for details.
Regular reporting, regarding identified risks and the status of risk management activities, is provided to management, the ERM Steering Group, the Executive Committee and the Audit Committee to facilitate the risk management process and decision-making. The ERM Steering Group Meeting is held every half year to discuss key risk matters and updates.
ERM is embedded into decision-making and business processes, including but not limited to the following key organizational processes:
Business Planning
Potential risks, which may impact the achievement of business objectives, are identified and considered in strategic planning, and project and operational plans. This could better align business strategy and process with the risk appetite set at the early stage.
Investment
Investment proposals are reviewed with the consideration of risks (including ESG risks and climate-related risks) before decision-making. Feasibility study and/ or due diligence are conducted to identify and assess potential risks and relevant costs for risk treatment. Review and reporting processes are in place to analyze and monitor the change of risks throughout the investment management cycle. Response strategy is formulated and executed timely to address any material changes of risk exposure of an investment project.
Day-to-day Operations
The Group establishes a framework for business units and corporate office departments to understand and evaluate their risk profiles and exposures (including ESG risks and climate-related risks) systematically.
Risk treatment plans designed during the ERM process have been incorporated with their operational plans and implemented with regular monitoring. KRI mechanism is applied to detect abnormal changes to risk exposures for timely escalation and treatment.
The Group invests and operates a wide range of businesses predominantly in Hong Kong and the Mainland. Our businesses include toll roads, financial services, logistics, construction, and facilities management.
Through the comprehensive risk management process mentioned in the previous section, the Group identified major risks which may affect the achievement of the Group’s business objectives. However, risk evolves from the interactions of many dynamic forces and factors in the business environment. Some risks are not significant now but could become key ones in the future; certain risks exist but we are not aware of; and/or new risks come to light. Therefore, our risk portfolio would be reviewed and updated to react and respond to the changing risk landscape.
Over the past year, the global business landscape has continued to be shaped by heightened macroeconomic and geopolitical uncertainties. While Hong Kong’s economy remains on a recovery path, the momentum is uneven and fragile. In the Mainland, despite a targeted growth rate of around 5%, the economy may also face challenges in domestic demand recovery, particularly due to weakened consumer confidence and adjustments in the real estate market.
Escalating geopolitical tensions, prolonged trade disputes, and the uncertain trajectory of U.S. monetary policy, especially interest rate movements, have contributed to increased market volatility. In response, our Group remains vigilant, continuously assessing the macroeconomic environment to recalibrate financial strategies and optimize capital allocation to preserve long-term resilience. We have maintained robust liquidity and established a strong foundation of funding resources and will continue to expand our funding sources.
Despite fierce market competition and cautious consumer sentiment, the Group remains committed to delivering value through innovation, operational excellence, and leveraging synergies within the CTF Group’s diverse business network. Particularly, the emergence of evolving technology continues to reshape the business landscape across different industries at an unprecedented pace. Recognizing this fundamental shift, we have established dedicated teams or focus groups to actively explore opportunities to capitalize on these technological advancements, particularly in AI and related innovations, to maintain our competitive edge. Notable examples include the integration of AI into daily operations to enhance operational efficiency and early fraud detection capability in our insurance business, as well as the adoption of AI-backed Internet of Things (“IoT”) systems and robotics to improve workplace safety standards and cost effectiveness in our construction business.
While AI enhances our operational efficiency and performance, it also introduces new vulnerabilities, such as more sophisticated cyberattacks and data protection concerns related to the use of generative AI tools. Meanwhile, ethical considerations, such as the potential for AI to exacerbate societal inequalities require careful oversight. To address these issues, the Group is strengthening its cybersecurity posture through advanced threat detection systems, regular penetration testing, and employee training programs to foster a culture of cybersecurity awareness. In parallel, we are exploring responsible governance structure to ensure ethical deployment of AI technologies and safeguard data privacy.
Climate-related risks remain a pressing concern. The increasing frequency and severity of extreme weather events, such as typhoons, heavy rainfalls, and heat waves, continue to disrupt operations and pose health and safety risks. The Group is enhancing its Business Continuity Management framework and investing in climate scenario analysis to provide insight for our formulation of climate adaptation strategies. These efforts will contribute to strengthening our climate resilience and creating a healthier and safer working environment for our workforce.
Looking ahead, we will remain vigilant in monitoring the evolving risk landscape and cultivate agility to adapt and innovate while strengthening resilience to ensure long-term success in this dynamic environment. Please refer to the following table for the major risks identified by the Group and the corresponding mitigation measures. This table is neither intended to be exhaustive nor comprehensive.
Macroeconomic Risk
Risk Description
Global economic uncertainties and slow recovery affecting business growth and financial performance
Risk Trend
Mitigation Measures
- Evaluate the potential impacts from the economy by analyzing the financial performance and monitoring business and economic data continuously
- Optimize business / customer portfolios to reduce impact from economic fluctuation and diversify the risk
- Identify opportunities for business collaboration and partnership to leverage the synergies within the CTF Group's diverse business network
- Perform sensitivity assessment on potential impacts in relation to economic conditions leading to lower valuation
- Explore new business opportunities or new sources of income for new growth drivers
- Closely monitor movement of foreign currency exchange rates and consider to arrange currency hedging contracts should the need arises
Competition Risk 
Risk Description
Intense competition arising from existing competitors and/or new entrants to the market regarding the industries the Group is operating
Risk Trend
Mitigation Measures
- Expand and maintain the market share by effective customer incentive programs and sound customer relationship management
- Analyze competitors and the market for effective monitoring on the competitive situation and formulate corresponding strategic plans
- Utilize technology to enhance customer experience and to increase operational efficiency and effectiveness
- Leverage CTFS Group synergies to strengthen competitive advantage
Government Policy and Intervention
Risk 
Risk Description
Imposition of government policies, intervention, laws or regulations, exposing the Group to legal or regulatory liabilities, business disruption, reputational and/or financial losses
Risk Trend
Mitigation Measures
- Implement close monitoring of the change of applicable government policies, laws and regulations (including ESG or climate-related agenda)
- Formulate responsive strategy and plans for anticipated and upcoming changes
- Provide updates and/or training to staff to cope with the new government policies and practices
- Proactively communicate with external parties (e.g. the relevant council or association) to understand the changes and express opinions collectively
- Partner with consultants, scholars and university to get the advice on adapting changes in government policy
Geopolitical risk
Risk Description
Conflicts between nations, political issues towards individual business, political instability and etc., impacting the Group’s ability to sustain its profitability
Risk Trend
Mitigation Measures
- Pay close attention to the latest development of geopolitical issues and assess impact of the issues
- Seek professional advice on any regulatory changes due to political factors such as sanctions
- Widen investment universe by considering investors and assets from different background (e.g. industry, nationality, source of funds, etc.)
- Delay spending of capital expenditure in concerned regions based on the situation
- Diversify the impact of geopolitical issues by investing in business opportunities across different regions and markets
Credit/ Default Risk
Risk Description
Default or any other failure to fulfil their current or future obligation by an obligator (e.g. debtor, client, tenant) with which the company conducts business
Risk Trend
Mitigation Measures
- Perform comprehensive credit assessments and background checks on clients, subcontractors, and suppliers before engagement
- Impose limits or require deposit or retention money from counterparties and maintain a diversified client portfolio to mitigate risk
- Continuously monitor receivables and generate regular reports to flag overdue balances for recovery actions
- Implement robust debt collection procedures and use technology to automate alerts and reminders for overdue payments
- Ensure compliance with credit control procedures and maintain regular communication with clients
Cybersecurity Risk
Risk Description
Cybersecurity issues compromising data integrity, confidentiality and system availability, which may lead to adverse impacts on reputation, financial conditions, and operational performance
Risk Trend
Mitigation Measures
- Establish comprehensive information security protection with well-defined policies and security controls such as authorization and authentication mechanisms, firewalls with advanced threat controls, network immune system
- Provide periodic training and conduct phishing drill exercises to promote cyber security awareness
- Purchase cybersecurity insurance to cover losses arising from cyber incidents or data loss events
- Engage information security specialists to assess cyber security vulnerabilities and controls
- Ensure compliance with regulations and standards. Regularly update security protocols to maintain high standards and address emerging threats
Quality, Health and Safety Risk
Risk Description
Sub-standard or unsafe product, service or business activities impacting the achievement of the Group’s quality, health and safety goals
Risk Trend
Mitigation Measures
- Implement quality assurance program and review performance data to ensure consistent performance and service quality
- Develop procedures and guidelines to set standards for quality, health and safety and deliver regular training to employees to enhance their safety awareness as well as service performance
- Arrange customer satisfaction surveys to collect voice of the customers
- Perform evaluation of each accident or complaint to identify improvement areas and take follow-up actions
- Establish designated committee to enhance the governance on complaint handling
- Establish comprehensive safety management system and conduct regular safety inspection and audit
- Utilize advanced technologies to improve quality, health, and safety standards
Natural Disaster Risk
Risk Description
Major natural disaster and extreme weather events (e.g. typhoon, earthquake, tsunami, heavy rainstorm, etc.), interrupting the operations, production and service delivery, which may impact the company’s ability to sustain the operation
Risk Trend
Mitigation Measures
- Establish necessary procedures including business continuity and recovery plans to respond to various natural disaster
- Conduct regular drill exercises and periodic training
- Leverage on technology to strengthen inspection and perform enhancement work on physical assets and facilities that are vulnerable to natural disaster and extreme weather
- Conduct climate scenario analysis to evaluate the financial impact of climate-related risk to provide insight for prioritization and formulation of climate adaptation strategies
- Assess and ensure adequate insurance coverage to minimize potential financial loss
Talent Attraction and Retention Risk 
Risk Description
Failure to attract and/or retain qualified staff to support operations impacting the achievement of business objectives
Risk Trend
Mitigation Measures
- Review the existing remuneration packages and compare with industry benchmark periodically
- Provide development and training programs to improve staff’s competency and promote career progression
- Foster the caring culture by offering variety of wellness programs, employee engagement activities and channels to enhance cohesion between the Group and its employees, and to obtain voice of employees and address their needs
- Expand channels for reaching talents and promote the Group’s employer branding to increase the competitiveness in the talent market
Legal/Regulatory Compliance Risk
Risk Description
Violation to legal/regulatory requirements of the jurisdiction/ supervisory agency, exposing the company to legal/regulatory action, reputational and financial loss
Risk Trend
Mitigation Measures
- Closely monitor changes/updates on relevant legal and regulatory requirement, including ESG or climate-related regulations, and make timely action plans for adapting to the changes
- Develop detailed policies and procedures to provide guidance on executing compliance controls
- Perform regular monitoring of compliance status
- Seek external expertise to provide advice on implementing changes to comply with regulatory updates or to conduct independent reviews, offering recommendations for strengthening compliance
- Provide regular trainings to employees to ensure awareness and understanding of the latest legal and regulatory requirements
ESG issues and climate change are widely recognized as key topics that all sectors need to address, as it could bring multi-faceted impacts to sustainable business growth and community development. The Group emphasizes the importance of ESG risks and climate-related risks, and therefore has integrated those risks into our ERM framework in order to facilitate the achievement of the CTFS sustainability targets and develop resilience for both physical and transition impacts under climate change.
The Board takes ultimate responsibility for ESG and sustainability of the Group, which oversees the Group’s ESG strategy and progress against respective goals and targets. With the delegation from the Board, the Audit Committee oversees risks including ESG risks and climate-related risks and evaluates the effectiveness of mitigations to manage the risks.
The Group applies the aforementioned risk management process, ranging from risk assessment and treatment to consultation and reporting, to the management of ESG risks and climate-related risks which have been incorporated into the Group’s risk profile, such as talent attraction and retention, regulatory compliance, environmental, sustainability governance, which are also integrated into the regular reporting to the ERM Steering Group, Executive Committee, Audit Committee and ESG Committee.
Embedding ESG in our Risk Management Process
| Risk Identification | Associated material ESG issues and factors, including physical and transitional climate change elements, are integrated into the CTFS Risk Bank to facilitate the identi cation of ESG risks, which aligns with the strategic focus of the Group’s ESG Framework. GRM team works closely with Group ESG to obtain their risk insights regarding ESG issues and discuss corresponding ESG risk factors with risk owners during the risk identi cation stage. |
| Risk Assessment | The Group is committed to minimizing the impact on environment and society. It has integrated ESG-related impact assessment criteria (e.g. environmental, stakeholder reaction, health and safety, compliance) into its risk assessment process. Also, the Group adopts different time horizons in the assessment criteria for better evaluation of climate-related risks, considering the long-term effect of climate change may not be adequately re flected in the standard assessment criteria. To strengthen our assessment of the financial implications arising from both physical and transition risks associated with climate change, we have engaged external consultants to conduct climate scenario analyses for our business units on a phased basis, aiming to provide critical insights for better risk prioritization and formulation of robust climate adaptation strategies. |
| Risk Treatment & Monitoring | Similar to other risks, key risk indicators and risk mitigation measures are developed by respective business units and corporate offi ce departments. ESG risks are based on their risk nature and priorities. The GRM team will also share the ESG risk profi le to our Group ESG to drive better synergy in both the management of ESG risks and formulation of ESG initiatives. For the details on ESG-related matters, please refer to the Corporate Governance Report of the annual report and our separate Environmental, Social and Governance Report (“ESG Report”). |
| Risk Awareness Building | Periodic training sessions are conducted to share our approach to managing ESG-related risk, as well as information and knowledge about emerging trends and popular ESG and climate-related topics to our management, risk owners and relevant individuals. Dedicated sections regarding the ESG and climate factors consideration have also been incorporated in our regular risk induction training, refresher training and deep-dive workshop on risk assessment. We also actively engage Group ESG and external experts to share their insights and best practices on management of ESG risks. |
