Effective risk management is key to ensuring that the Group achieves its strategic objectives and protects its reputation, market position and financial strength. The Company itself and its operating companies follow the Group’s Enterprise Risk Management (ERM) policy. The ERM policy requires identification, assessment, management, monitoring and reporting of current and emerging risks.
Effective risk management is key to ensuring that the Group achieves its strategic objectives and protects its reputation, market position and financial strength. The Company itself and its operating companies follow the Group’s Enterprise Risk Management (ERM) policy. The ERM policy requires identification, assessment, management, monitoring and reporting of current and emerging risks.
The Board has ultimate responsibility for risk management, overseeing its design and implementation. The Board is supported by the Audit Committee.
The Group has adopted the three lines of defence model of risk governance. The model is designed to minimise conflicts of interest and ensure independent oversight of risk management by the Board. The Group’s enterprise risk management framework is aligned with international standards such as ISO 31000.
In the first line, the management of each operating company identifies, analyses and reports on the risks for which it is responsible. Risks are mitigated and, where practicable and economically viable, eliminated. Where risks cannot be eliminated, the related economic returns are required to reflect the risk.
The first line is supported by a number of Group functional committees. For financial risks, the Finance Committee determines the parameters within which financial risks are managed and oversees the management by the operating companies of financial risks within those parameters. For non‑financial risks, functional committees such as IT, Legal, HR, Sustainability and Government Affairs Committees oversee operating company activities including risk mitigation. Senior Group and divisional management are members of these functional committees.
The second line supports the first line and provides assurance to the Board that all key risks are being managed effectively. There are two second line risk management committees at the Group level: they are the Group Risk Management Committee (GRMC) and the Swire Pacific Risk Management Committee (SPACRMC).
GRMC oversees the management of non‑financial risks at Group and operating company levels. It reports to the Audit Committee. GRMC comprises the Finance Director, an Executive Director, the Staff Director, the Group General Counsel, the Chief Risk Officer and heads of operating businesses. GRMC (i) regularly reviews the Group’s risk profile, (ii) oversees the management of major risks at Group and operating company levels, (iii) identifies emerging risks and potential sources of future risk and (iv) analyses risk events which materialise, with a view to their resolution and to learning from them.
In relation to risks having a Group dimension, GRMC is supported by risk forums in areas of human resources, health and safety, IT, data and technology, government, regulatory and legal as well as environment and sustainable development. In relation to risks not having a Group dimension, GRMC is supported by second line bodies in the operating companies.
SPACRMC oversees risks specific to the Company itself, identifies risks which have a Group dimension and proposes approaches to the management of such risks to GRMC.
The Finance Committee, GRMC and SPACRMC are chaired by the Finance Director, who is supported by the Chief Risk Officer.
The third line is supported by the Group Internal Audit Department. The Group’s Internal Audit provides independent and objective assurance that the risk management processes are implemented properly and operating effectively and that the risks which could impact our ability to achieve our business objectives are being properly identified, assessed and mitigated.
The boards and management of the operating companies are responsible for the management of risk at those companies. Risk management governance varies between operating companies with some having dedicated board and executive risk committees, while others manage risks through their respective audit or executive management committees.
The risk structure is shown below:
The Board has ultimate responsibility for risk management, overseeing its design and implementation. The Board is supported by the Audit Committee.
The Group has adopted the three lines of defence model of risk governance. The model is designed to minimise conflicts of interest and ensure independent oversight of risk management by the Board. The Group’s enterprise risk management framework is aligned with international standards such as ISO 31000.
In the first line, the management of each operating company identifies, analyses and reports on the risks for which it is responsible. Risks are mitigated and, where practicable and economically viable, eliminated. Where risks cannot be eliminated, the related economic returns are required to reflect the risk.
The first line is supported by a number of Group functional committees. For financial risks, the Finance Committee determines the parameters within which financial risks are managed and oversees the management by the operating companies of financial risks within those parameters. For non‑financial risks, functional committees such as IT, Legal, HR, Sustainability and Government Affairs Committees oversee operating company activities including risk mitigation. Senior Group and divisional management are members of these functional committees.
The second line supports the first line and provides assurance to the Board that all key risks are being managed effectively. There are two second line risk management committees at the Group level: they are the Group Risk Management Committee (GRMC) and the Swire Pacific Risk Management Committee (SPACRMC).
GRMC oversees the management of non‑financial risks at Group and operating company levels. It reports to the Audit Committee. GRMC comprises the Finance Director, an Executive Director, the Staff Director, the Group General Counsel, the Chief Risk Officer and heads of operating businesses. GRMC (i) regularly reviews the Group’s risk profile, (ii) oversees the management of major risks at Group and operating company levels, (iii) identifies emerging risks and potential sources of future risk and (iv) analyses risk events which materialise, with a view to their resolution and to learning from them.
In relation to risks having a Group dimension, GRMC is supported by risk forums in areas of human resources, health and safety, IT, data and technology, government, regulatory and legal as well as environment and sustainable development. In relation to risks not having a Group dimension, GRMC is supported by second line bodies in the operating companies.
SPACRMC oversees risks specific to the Company itself, identifies risks which have a Group dimension and proposes approaches to the management of such risks to GRMC.
The Finance Committee, GRMC and SPACRMC are chaired by the Finance Director, who is supported by the Chief Risk Officer.
The third line is supported by the Group Internal Audit Department. The Group’s Internal Audit provides independent and objective assurance that the risk management processes are implemented properly and operating effectively and that the risks which could impact our ability to achieve our business objectives are being properly identified, assessed and mitigated.
The boards and management of the operating companies are responsible for the management of risk at those companies. Risk management governance varies between operating companies with some having dedicated board and executive risk committees, while others manage risks through their respective audit or executive management committees.
The risk structure is shown below:
The operating companies have a common approach to ERM. It involves:
• Identification: Risks are identified and categorised by reference to a common risk classification.
• Assessment: The identified risks are regularly assessed by senior executives based on their potential financial and non‑financial impact (including reputation, regulatory, environmental etc.), and on the vulnerabilities associated with them. The assessment has regard to effectiveness of internal controls, readiness to respond, and the extent to which the risks can be mitigated.
• Mitigation: Designated risk owners are responsible for mitigating the risk and implementing agreed action plans.
Risks considered to have a Group dimension will be discussed by GRMC, and, where appropriate, by the Audit Committee and the Board. Operating companies mitigate and monitor these risks in their own businesses.
The risk forums oversee the risks within their remit that are considered material to the Group. They advise GRMC on emerging risks which may affect the Group, analyse risk events that have materialised and develop best practices for managing those risks.
GRMC reviews Group and divisional risk registers and considers how effectively risks are being managed. It issues policies to the operating companies and promotes risk culture in the Group. The Board may also identify risks relevant to the Group’s businesses, which will be passed to GRMC and the relevant operating companies for incorporation into their risk registers and further handling.
The ERM process involves a “top down and bottom up” approach. The Board provides guidance on its risk priorities and the operating companies assess their own risks. All of this is reported to GRMC and consolidated into a Group risk register, which is reviewed by the Audit Committee and the Board.
Risk management is an integral part of business management:
• Strategic planning is informed by the risk identification process
• Improving the risk profile is part of budgeting and planning
• Action plans are included in performance management
• Changes in risk profile are included in management reporting
• A risk assessment is performed during due diligence on major investments.
The operating companies have a common approach to ERM. It involves:
• Identification: Risks are identified and categorised by reference to a common risk classification.
• Assessment: The identified risks are regularly assessed by senior executives based on their potential financial and non‑financial impact (including reputation, regulatory, environmental etc.), and on the vulnerabilities associated with them. The assessment has regard to effectiveness of internal controls, readiness to respond, and the extent to which the risks can be mitigated.
• Mitigation: Designated risk owners are responsible for mitigating the risk and implementing agreed action plans.
Risks considered to have a Group dimension will be discussed by GRMC, and, where appropriate, by the Audit Committee and the Board. Operating companies mitigate and monitor these risks in their own businesses.
The risk forums oversee the risks within their remit that are considered material to the Group. They advise GRMC on emerging risks which may affect the Group, analyse risk events that have materialised and develop best practices for managing those risks.
GRMC reviews Group and divisional risk registers and considers how effectively risks are being managed. It issues policies to the operating companies and promotes risk culture in the Group. The Board may also identify risks relevant to the Group’s businesses, which will be passed to GRMC and the relevant operating companies for incorporation into their risk registers and further handling.
The ERM process involves a “top down and bottom up” approach. The Board provides guidance on its risk priorities and the operating companies assess their own risks. All of this is reported to GRMC and consolidated into a Group risk register, which is reviewed by the Audit Committee and the Board.
Risk management is an integral part of business management:
• Strategic planning is informed by the risk identification process
• Improving the risk profile is part of budgeting and planning
• Action plans are included in performance management
• Changes in risk profile are included in management reporting
• A risk assessment is performed during due diligence on major investments.
The Group is exposed to a broad range of risks. The following table deals with the current key areas of focus. Significant risks specific to the operating companies are included in their respective risk registers.
The Group is exposed to a broad range of risks. The following table deals with the current key areas of focus. Significant risks specific to the operating companies are included in their respective risk registers.