Overview of the ERM Framework
With reference to the international standards published by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) and the International Organization for Standardization (“ISO”), the Group has established its own tailor-made ERM framework, which fits the business nature, structure, and sustainable growth and development of the Group. The ERM framework consists of three components:
Risk Culture

The Group embraces a risk-aware culture and believes that an ingrained risk culture is the key to effective risk management, while training is a useful tool to promote and engage management and employees in ERM implementation. The Group promotes the risk culture with the following key themes:

  • Effective ERM is beyond processes and forms – it is a change of culture in terms of mindset and behaviour.
  • ERM is not a standalone programme – it should be tailored and embedded in the Group’s business processes.
  • ERM deals with both risks and opportunities – appropriate risk-based treatments can control risks and even seize further opportunities of value creation.
Risk Management Objectives

The Group's ERM Framework aims to enhance the ability to achieve our vision and mission, and fulfil the five core values. In support of this, the Group has established a robust ERM framework with the following risk management objectives:

  • to fulfil our commitment to integrity, ethics and compliance as an integral part of our corporate governance
  • to build agility and resilience amid uncertainty in dynamic business environment
  • to facilitate risk-informed decisions and align the Group’s objectives, strategy and operations with the risk appetite
  • to strengthen our capacity for seizing opportunities and safeguarding our assets to support our sustainable growth and create shared value
Risk Appetite

Risk appetite is defined to establish the extent and nature of risks the Group is willing to take in achieving our vision and mission. The Group’s risk appetite statement is disseminated across the Group and incorporated into our risk assessment criteria in order to align with our business objectives, core values, strategy, as well as risk management activities. The risk appetite statement is reviewed by the Board periodically to keep abreast of the ever-changing business environment and the latest development of the Group. The Group’s risk appetite is as follows:

  • The Group upholds the highest standards of integrity, compliance, and ethics and has no tolerance for any material breaches of laws and regulations.
  • The Group has no compromise on any threats which may significantly impact the health and safety of our people.
  • The Group has strong interest in protecting the environment and upholding social sustainability and does not engage in activities which will significantly damage the environment and society.
  • The Group does not expose ourselves to material damage to our reputation or brand.
  • The Group endeavours to minimize any business interruptions and significant operational impacts to business continuity.
  • The Group is prudent in making decisions which may threaten our long-term financial viability and liquidity to meet our financial commitments.
  • The Group balances risks and opportunities whilst implementing a strategy to minimize failure in business decisions and optimize the Group’s value.
Risk Governance Structure

The overall risk management process is overseen by the Board. With the emphasis on value creation and protection, the Group adopts the Three Lines Model as its risk governance structure. The model clearly defines responsibilities while enhancing collaboration and communication among the different roles, which facilitates the alignment of risk management activities and provides assurance to the Board.

Governing Body
Board of Directors
  • Hold the ultimate responsibility for risk oversight including setting and reviewing the risk appetite
  • Ensure the Group maintains appropriate and effective risk management and internal control systems
  • Empower and delegate the ERM oversight responsibility to the Audit Committee
Audit Committee
  • Oversee the risk management and internal control systems and review their adequacy and effectiveness
  • Review the risk profile of the Group and advise the Board on the current and potential risk exposures and their corresponding risk treatment plans
Executive Committee
  • Determine and allocate sufficient resources to effectively implement the ERM system
  • Review and prioritize the Group’s key risks and endorse the risk treatment plans
  • Ascertain the effectiveness of the risk management and internal control
ERM Steering Group
  • Lead and supervise the ERM implementation
  • Advise the Audit Committee and the Executive Committee on all ERM-related matters
  • Improve risk awareness and promote risk-aware culture across the Group
First Line
Business and Functional Units and Individuals (Frontline Staff and Operational Management)
  • Act as risk owners to perform risk assessments to identify, analyze, and evaluate risks in daily operations and in areas of accountability
  • Design, prioritize and implement risk treatment plans and report in the Risk Register
  • Conduct periodic self-assessment on the effectiveness of risk treatment plans
Second Line
Corporate Office Departments
  • Act as risk owners and perform ERM responsibilities for respective departments
  • Remain current with best practices and provide recommendations to the ERM Steering Group
Group Risk Management Team
  • Assist management in the design and development of ERM processes and risk controls
  • Facilitate the risk management process, including the identification and monitoring of the known and emerging risks, aggregation and prioritization of the key risks identified by the Group as well as reporting to senior management and committees
  • Promote risk-aware culture across the Group
  • Review the implementation of risk treatment plans
Third Line
Group Audit Team
  • Evaluate the adequacy, effectiveness and efficiency of the risk management and internal control systems
  • Consider the key and emerging risks upon formulating the annual audit plan and planning for each audit
  • Perform risk-based validation of the risk treatment plans
External Assurance
External Auditor
  • Provide independent observations and recommendations on the Group’s processes and controls over financial reporting
Independent Experts from Respective Professions
  • Advise on best practice and/or assure compliance, if necessary
Regulatory Authorities
  • Execute regulatory oversight on relevant entities, areas or activities
Whistleblowing System
Whistleblowing
  • Provide an independent and confidential channel for stakeholders to report directly to GARA any serious concerns about suspected or actual fraud, corruption, breach, malpractice, misconduct or irregularity of the Group and/or its staff members. Please refer to the Corporate Governance Report of the annual report for details
Overview of the Risk Management Process

The risk management process starts from the establishment of context, taking into consideration the external environment and megatrends, as well as the risk universe of the Group. Risks are then identified, analyzed, evaluated and treated with measures. With constant review, monitoring, reporting and consultation, the risk management process integrates with various business processes and activities in optimizing risk and return.

To facilitate a comprehensive and robust risk management process, top-down and bottom-up approaches are employed to gather risk insights as well as to monitor and manage risks from the perspectives of both sides, together with “ERM Policy” and “ERM Manual” to provide proper guidance. Also, interactive communication between the risk owners and the GRM Team is in place to enable both parties to keep abreast of risk updates.

Risk Management Process

Risk Assessment and Treatment

1. Establishment of Context

The Group defines the internal and external contexts, such as corporate objectives, core values, organizational structure, stakeholders, business segments, operating regions, regulatory environment, etc., as well as the parameters for risk assessment criteria.

2. Risk Identification

The Group adopts both Top-down and Bottom-up approaches, complemented with Outside-in and Spread-out mechanisms to facilitate a comprehensive risk identification process.

3. Risk Analysis

Business and functional units and corporate office departments assess the likelihood, impact, risk velocity, inherent risk level and residual risk level of the key risks identified.

4. Risk Evaluation

The risk analysis results are compared with the risk appetite and tolerance level. This allows management to determine the risk response strategy for each risk and prioritize risk treatment plans.

5. Risk Treatment

Risk treatment plans for implementing risk mitigation measures are developed by respective business and functional units and corporate office departments, based on the priority and nature of risks.

Monitoring and Review

Continual tracking, review and validation of the implementation of our ERM framework are in place to monitor the various risks, changes in risk exposure and their residual risk levels, and to ensure and improve the effectiveness and quality of the ERM framework and its outcomes.

Risk Register

Business and functional units and corporate office departments perform self-assessment of the effectiveness of the risk treatment plans upon the submission of the Risk Register every half year.

Key Risk Indicator

KRIs are set by risk owners to measure and monitor changes in the risk exposure of key risks. If any KRI value exceeds its pre-defined threshold, a risk alert to management is mandated so that management can administer the corresponding response in a timely manner, and proper reporting to the Executive Directors is made.

Risk Treatment Validation

The GRM Team reviews the implementation and effectiveness of risk mitigation measures stated in the Risk Register. The Internal Audit Team also performs risk-based validation to test risk mitigation measures of key risks during the internal audit process.

Early Flagging Mechanism

An early risk flagging mechanism is applied across the Group to proactively identify and assess emerging risks and risks with high velocity, such as quality, health and safety, disaster and media events. When a potential risk is perceived to have a significant impact, the risk should be flagged and reported to the line manager and the risk oversight parties.

Whistleblowing Mechanism

The Group has established a whistleblowing policy and provided reporting channels for internal and external stakeholders. Whistleblowing cases are reported to the Executive Committee and the Audit Committee. For details, please refer to the Corporate Governance Report of the annual report.

Review on the Effectiveness of Risk Management and Internal Control Systems

The Board, with the assistance from the Audit Committee, Corporate Governance Committee and Sustainability Committee, reviewed and evaluated the effectiveness of the Group’s risk management and internal control systems (including ESG risks and climate-related risks), including the consideration of the following factors:

  • The scope of work performed by both internal and external auditors and any significant findings identified in their audit reports during the year, as well as the extent of any potential or actual impact derived from those findings on financial performance or conditions of the Group

  • The scope and quality of our ongoing monitoring of risks (including ESG risks and climate-related risks) and internal controls (including financial, operational and compliance controls) as well as the communication mechanism for results of the ongoing monitoring systems including but not limited to KRIs and internal control reviews

  • The adequacy of the resources, as well as staff experience, qualifications and training, of the Group’s risk management, internal audit, finance, and ESG functions

  • The opportunities and progress of continuous improvement of risk management and internal control systems

  • The design and implementation of the Group’s ERM framework, and outcomes of the risk management process

  • The changes in the nature and extent of significant risks (including ESG risks and climate-related risks) and the Group’s risk profile since the last review, and the capacity and response strategies of the Group for changes in business, external environment and megatrends

  • The effectiveness of financial reporting and regulatory compliance processes

In addition to the above, the Integrated Internal Control Self-Assessment Certificate is applied across the Group to evaluate the effectiveness of its risk management and internal control systems semi-annually by business and functional units and corporate office departments, with reference to the COSO framework. Regarding the review of the effectiveness of the risk management and internal control systems and its results, please refer to the Corporate Governance Report for details.

Consultation and Reporting

Regular reporting, regarding identified risks and the status of risk management activities, is provided to management, the ERM Steering Group, the Executive Committee and the Audit Committee to facilitate the risk management process and decision-making. The ERM Steering Group Meeting is held every half year to discuss key risk matters and updates.

Integration of Risk Management

ERM is embedded into decision-making and business processes, including but not limited to the following key organizational processes:

Business Planning

Potential risks which may impact the achievement of business objectives are identified and considered in strategic planning, as well as in project and operational plans. This better aligns business strategy and processes with the risk appetite at an early stage.

Investment

Investment proposals are reviewed with consideration of risks (including ESG risks and climate-related risks) before decision-making. Feasibility studies and/or due diligence are conducted to identify and assess potential risks and the relevant costs of risk treatment. Review and reporting processes are in place to analyze and monitor changes in risks throughout the investment management cycle. A response strategy is formulated and executed in a timely manner to address any material change in the risk exposure of an investment project.

Day-to-day Operations

The Group establishes a framework for business and functional units and corporate office departments to understand and evaluate their risk profiles and exposures (including ESG risks and climate-related risks) systematically. Risk treatment plans designed during the ERM process are incorporated into their operational plans and implemented with regular monitoring. The KRI mechanism is applied to detect abnormal changes in risk exposures for timely escalation and treatment.

Risk Focus

The Group invests and operates a wide range of businesses predominantly in Hong Kong and the Mainland. Our businesses include toll roads, construction, insurance, logistics, and facilities management.

Through the comprehensive risk management process described in the previous section, the Group identified major risks which may affect the achievement of the Group’s business objectives. However, risk evolves from the interactions of many dynamic forces and factors in the business environment. Some risks are not significant now but could become key ones in the future; certain risks exist that we are not yet aware of; and/or new risks come to light. Therefore, our risk portfolio is reviewed and updated to react and respond to the changing risk landscape.

Overall Risk Trend

Despite the gradual recovery of the Mainland and Hong Kong economies over the past year, the rebound has been slower than anticipated and performance across various sectors has been uneven. Ongoing uncertainties stemming from geopolitical tensions, trade disputes, the direction of US interest rates and currency fluctuations, particularly the impact of the weakening RMB, present unexpected challenges. The Group will stay alert and continuously monitor the business environment to adjust our business and financial strategies and optimize capital expenditure to sustain a robust financial standing. Throughout the years, we have been vigilant in navigating these conditions by implementing financial initiatives such as issuing Panda Bonds.

Under the uncertain macroeconomic condition, geopolitical dynamics, and higher-interest rate environment, market competition remains fierce as customers are exercising greater caution in their spending and competitors adopt more aggressive strategies to capture market share. To sustain our competitive advantage, we are focusing on enhancing the value of our products and services through innovation, optimizing operational efficiencies, and leveraging the diverse conglomerate of the Chow Tai Fook Group.

Meanwhile, the threat from climate change has become increasingly apparent to businesses, as we are witnessing more frequent and severe natural disasters such as extreme rainstorms, typhoons, and snowstorms, which cause significant disruptions to transportation and business operations. To enhance our business resilience, we have been revamping our business continuity management framework to adopt a more systematic approach to contingency planning. In addition to the impact of natural disasters, extreme heat poses health and safety risks, particularly for outdoor workers. Health and safety are among our top priorities in business operations, and we have spared no effort in enhancing our standards to create a healthier and safer working environment for our people.

Last but not least, cybersecurity remains a critical concern. While technological advancements, such as the rise of artificial intelligence, offer numerous benefits in terms of efficiency and innovation, they also introduce new vulnerabilities and risks. Cyber threats are becoming increasingly sophisticated, with malicious actors leveraging artificial intelligence to conduct more targeted and effective attacks. Protecting sensitive data and maintaining robust security protocols are essential to safeguarding our operations and reputation. To counter these evolving threats, we are committed to investing in robust cybersecurity technology, conducting regular security reviews, and fostering a culture of awareness and vigilance among our employees.

The Group will continue to monitor and manage uncertainties in pursuit of our business objectives. Please refer to the following table for the major risks identified by the Group and the corresponding mitigation measures. This table is not intended to be exhaustive or comprehensive.

[Table of major risks: Risk Description | Risk Trend | Mitigation Measures]

Legend for the Risk Trend column:

  • Risk level increased during the financial year
  • Risk level decreased during the financial year
  • Risk level remained similar to previous year
  • Involves Environmental, Social, and Governance Risk
  • Involves Climate-related Risk
Integration of ESG Risks And Climate-Related Risks

ESG issues and climate change are widely recognized as key topics that all sectors need to address, as they could bring multi-faceted impacts to sustainable business growth and community development. The Group emphasizes the importance of ESG risks and climate-related risks, and has therefore integrated those risks into our ERM framework in order to facilitate the achievement of the NWS Sustainability Target 2030 and to develop resilience to both the physical and transition impacts of climate change.

The Board takes ultimate responsibility for the ESG and sustainability of the Group, and oversees the Group’s ESG strategy and its progress against the respective goals and targets. Under delegation from the Board, the Audit Committee oversees ESG risks and climate-related risks, monitors uncertainties affecting the achievement of ESG goals and targets, and evaluates the effectiveness of the mitigations used to manage those risks.

The Group applies the aforementioned risk management process, ranging from risk assessment and treatment to consultation and reporting, to the management of ESG risks and climate-related risks, which have been incorporated into the Group’s risk profile, such as talent attraction and retention, regulatory compliance, environmental and sustainability governance, etc. In addition to ordinary risks, ESG and climate-related topics are also a focus of discussion during the risk identification exercise, to obtain insights and form the basis of the Group’s risk profile, which is part of the regular reporting to the ERM Steering Group, Executive Committee and Audit Committee.

In considering the characteristics of ESG risks and climate-related risks, the Group has made some appropriate adjustments during the integration of those risks into the ERM framework. For instance, different time horizons have been used in the assessment criteria of climate-related risks. Since FY2019, the Group has undertaken multiple climate-related risk assessments and disclosure reviews with external consultants. For example, a few major assets have been selected for a physical risk assessment and the assessment approach serves as a blueprint for replicating and scaling similar initiatives across our business units. Furthermore, for systematic climate-related risk management and integration, a technical guide has been established to articulate the procedures for identification, assessment and management of climate-related transition risks. To stay abreast of the future uncertainties of climate change, the Group has also developed a net zero roadmap in preparation for the upcoming transition to net zero. For the details on ESG and climate-related risk management initiatives, please refer to the Corporate Governance Report and the Sustainability Report.

Additionally, to enhance awareness and understanding of ESG risks and climate-related risks, we organize webinars and training sessions periodically to share information and knowledge about emerging trends and topical ESG and climate-related subjects with management, risk owners and relevant individuals. For example, during the year, we organized a cyber security risk training webinar and workshop for our staff, management and the Board to enhance their cyber security awareness. Moreover, in this year’s refresher training, the climate-related risk trend and assessment approach were explained to the risk owners and reporting persons.