Risk Management | Swire Pacific Limited

Risk Management

Extracted from Swire Pacific Limited 2024 Annual Report

Effective risk management is critical in ensuring that the Group achieves its strategic objectives and protects its reputation, market position and financial strength. The Company and its operating companies adhere to the Group’s Enterprise Risk Management (ERM) policy. The ERM policy requires the identification, assessment, management, monitoring and reporting of current and emerging risks that are material to the Group.

Group Risk Governance Structure

The Board has ultimate responsibility for establishing, implementing, and overseeing an effective ERM framework, including its design and implementation. The Board is supported by the Audit Committee in this regard.

The Group has adopted the three lines of defence model of risk governance, which is designed to minimise conflicts of interest and establish independent oversight of risk management. The Group’s enterprise risk management framework is aligned with international standards.

In the first line, the management of each operating company identifies, analyses and reports on the risks for which it is responsible. Risks are mitigated to the extent practical through management actions and controls implemented by the first line. Where risks cannot be eliminated, the related economic returns are required to reflect the risk. When risks originating within an operating company become material to the Group, the first line within the operating company is responsible for escalating these risks to the Group for further management.

The first line’s risk management responsibilities are supported by a number of Group functional committees. For financial risks, the Finance Committee sets the parameters for managing financial risks and oversees how the operating companies manage these risks within those parameters. For non-financial risks, functional committees such as IT, Legal, HR, Sustainability and Government Affairs Committees oversee operating company activities including risk mitigation. Senior Group and divisional management are members of these functional committees.

The second line refers to the internal processes and functions that help manage risk within the Company by supporting the first line and providing assurance to the Board that key risks are being managed effectively. There are two second line risk management committees at the Group level: the Group Risk Management Committee (GRMC) and the Swire Pacific Risk Management Committee (SPACRMC). Within the Company, the second line is supported by the Group Risk Management function led by the Chief Risk Officer.

Reporting to the Audit Committee, the GRMC oversees the management of non-financial risks at Group and operating company levels. The GRMC comprises the Finance Director of the Group, the Director, People, the Group General Counsel, the Chief Risk Officer and heads of the Group’s major operating businesses. The GRMC is mandated to (i) regularly review the Group’s risk profile, (ii) oversee the management of major risks at Group and operating company levels, (iii) identify emerging risks and potential sources of future risk and (iv) analyse risk events which materialise, with a view to resolving and learning from them.

In relation to risks with a Group dimension, the GRMC is supported by risk forums in areas of human resources, health and safety; IT, data and technology; government, regulatory and legal; as well as environment and sustainable development. For risks specific to operating companies not material or relevant to the Group, the GRMC is supported by second line bodies in the operating companies.

The SPACRMC oversees risks specific to the Company itself, identifies risks which have a Group dimension and proposes approaches to the management of such risks to the GRMC.

The GRMC and SPACRMC are chaired by the Finance Director, who is supported by the Chief Risk Officer.

The third line encompasses the independent assurance functions that evaluate the effectiveness of the Company’s risk management, control, and governance processes. It is primarily represented by the Group Internal Audit Department, which provides objective assessments over the adequacy and effectiveness of both the first and second lines of defence.

Group Internal Audit validates whether risk management processes are implemented properly and operating effectively, and whether the risks which could impact our ability to achieve our business objectives are being properly identified, assessed and mitigated.

The boards and management of the operating companies are responsible for the management of risks at their respective businesses. Risk management governance practices vary between operating companies – commensurate with their nature, size, and operating and regulatory environments – with some having dedicated board and executive risk committees, while others manage risks through their respective audit or executive management committees.

Risks that have a Group dimension will be considered by the GRMC, and, where appropriate, by the Audit Committee and the Board. Operating companies mitigate and monitor these risks in their respective businesses.

The risk forums oversee risks within their remit that are considered material to the Group. They advise the GRMC on emerging risks which may affect the Group, analyse risk events that have materialised and develop best practices for managing those risks.

The GRMC reviews Group and divisional risk registers and considers how effectively risks are being managed. It establishes policies applicable to operating companies and promotes risk culture in the Group. On occasion, the Board or Audit Committee may also identify risks relevant to the Group’s businesses, which will be cascaded to the GRMC and relevant operating companies for consideration within their risk registers and further handling.

The risk governance structure of the Company is established as follows.

[Figure: Group Risk Governance Structure]

Group ERM Process

The Company and the operating companies across the Group have adopted a common ERM approach, involving the following key steps:

• Identification: Risks are identified through a variety of sources and categorised by reference to a common risk classification.
• Evaluation: The identified risks are assessed on their potential financial and non-financial impacts, and on the vulnerabilities associated with them. Non-financial impacts include dimensions such as reputation, regulatory compliance, and potential for significant business interruption, while vulnerabilities pay regard to the effectiveness of related internal controls, the Company’s readiness to respond, and the degree of externality associated with the risk, amongst other factors. The combined assessment of impact and vulnerability allows more significant risks to be prioritised for management attention.
• Mitigation: Designated risk owners are responsible for devising mitigation strategies aimed at reducing exposure to key risks and executing the agreed action plans.
• Reporting and Monitoring: Continuous tracking of key risks, progress and effectiveness of related mitigating actions, and escalation of material exposures and incidents to the appropriate governance bodies to ensure timely management and mitigation.

The ERM process incorporates both a “top down” and “bottom up” approach. The Board provides guidance from the top on its risk priorities, and the operating companies assess their risks from their respective perspectives. Material risks are reported to the GRMC and consolidated into a Group risk register, which is reviewed by the Audit Committee and the Board on a regular basis.

Integration of the ERM Framework into Business Processes

Risk management is an integral part of business management, with the ERM framework seamlessly integrated into fundamental business decision-making processes. This comprehensive approach ensures that potential risks are identified, assessed, and mitigated throughout the business life cycle:

• Key risks are identified and analysed at the Board level during strategic planning.
• The budgeting and planning cycle includes a focus on improving the Company’s risk profile.
• Satisfactory delivery of action plans to mitigate key risks is considered in performance management.
• Significant changes in risk profile are included in regular management reporting.
• Risk assessments are performed as part of due diligence on major investments.

[Figure: Group ERM Process]

Key Risk Management Focus Areas

The Group is exposed to a broad range of risks. Current key risks and uncertainties faced by the Company are highlighted below. Key risks specific to our operating companies are specified in their respective risk registers.

[Figure: Key Risk Management Focus Areas]