OUR BUSINESS

ESG risk management

Effective risk management is key to ensuring the long-term viability of the Group. It is embedded within all our operating companies. It is essential that every Swire Pacific employee works together to address the risks to which our Group is exposed.

The Board has ultimate responsibility for risk management, overseeing its design and implementation. The Board is supported by the Audit Committee. The Board has adopted the three lines of defence model of risk governance. The model is designed to minimise conflicts of interest and ensure independent oversight of risk management.

In the first line, the Board is supported by the management of each division and by the functional committees. They are responsible for identifying, analysing and managing the risks we face in pursuing our business objectives, including those relating to sustainability.

The functional committees include representatives from our divisions. The Swire Group Environmental Committee, Diversity and Inclusion Steering Committee (DISC), and the Health and Safety Committee are tasked with the management and oversight of sustainability risks relevant to SwireTHRIVE. The members of the functional committees and working groups include specialists in their respective areas. Each committee is chaired by an individual with relevant experience.

The functional committees are responsible for identifying and managing specific areas of risk, proposing policies and reporting performance. Part of the role of the functional committees and working groups is to identify risks and opportunities which fall within their respective areas and to draw up policy recommendations for review and approval by the Group Risk Management Committee (GRMC).

The policies approved by the GRMC apply to all companies in which Swire Pacific has a controlling interest. The boards of these operating companies are required to adopt these policies and to establish procedures to ensure compliance. Joint venture and associated companies are encouraged to adopt Group policies.

The role of the second line is to support the first line and provide assurance to the Board that risk is being managed effectively. The second line includes two management committees: the Group Risk Management Committee (GRMC), which focuses on Group-wide risks, and the Swire Pacific Risk Management Committee (SPACRMC), which oversees risks to the Company itself.

The GRMC includes divisional chief executives, is chaired by the Finance Director and reports to the Board via the Audit Committee. It oversees the management of non-financial risks at both Group and Operating Company levels. The GRMC:

  • Reviews the Group’s risk profile and Group and divisional risk registers
  • Oversees the management of major risks at Group and operating company levels
  • Identifies emerging risks and potential sources of future risk including ESG risks
  • Analyses risk events which materialise, with a view to their resolution and to learning from them

In relation to risks having a Group dimension, the GRMC is supported by four risk forums covering, respectively, environmental, human, technology and legal risks. In relation to those not having a Group dimension, the GRMC is supported by the second line infrastructure within each Operating Company.

The SPACRMC identifies risks which have a Group dimension and proposes approaches to the management of such risks to the GRMC.

The third line of defence is the internal audit function of the Group and the audit functions in our Operating Companies.

The Group ERM process is both top down and bottom up. It accommodates both operating company-specific risks and risks that are material at the Group level.

The Board gives guidance on its risk priorities, the operating companies assess their own risks and the SPACRMC manages Group risks. All of these are reported to the GRMC and are consolidated into the Group risk register which is then presented to the Audit Committee and the Board.

The operating companies have adopted a common approach to ERM based on the development and management of their risk registers. Operating companies are responsible for the identification, assessment, mitigation, and monitoring of these risks in their respective businesses.

Risks considered to have a Group dimension are discussed by the GRMC, and potentially by the Audit Committee and the Board. Key risk focus areas for the Group that relate to SwireTHRIVE include Climate change and Recruitment and retention. Details of our mitigation measures are provided in the Risk management section of the Annual Report, and in the Climate, People and Talent management sections of this report.

We use an enterprise risk management (ERM) process to identify, assess, monitor and manage risks. The ERM process is aimed at ensuring robust and effective risk management by the Group and at fostering a risk aware culture. The implementation and execution of the ERM process follows our Enterprise Risk Management Policy. Each division and major operating company is required to implement the ERM process.

As part of this policy, operating companies must regularly submit corporate risk registers and changes in risk profiles to Swire Pacific. To ensure consistency of approach, these registers are prepared using a standard methodology and format and standard risk ranking criteria.

In 2022, our key risk management focus areas included: evolution of Hong Kong, regulatory changes, political – international tensions, climate change, crisis management, protection and use of data, portfolio discipline, people and culture. More details of our ERM process and our risk mitigation measures can be found in our Annual Report.

Swire Pacific has, and monitors compliance with, a cybersecurity and information security policy, and conducts regular cybersecurity maturity assessments based on the recognised US National Institute of Standards and Technology (NIST) Cybersecurity Framework. Several major operating companies also reference the ISO 27001 standard.

Our group-level Cybersecurity Centre of Excellence (CCoE), led by our Chief Information Security Officer (CISO), provides leadership, best practices, research and innovation, support and training to our operating companies. This central team is developing the Group cybersecurity strategy, managing cybersecurity programmes and projects, and establishing Group cybersecurity service lines. These service lines include Threat and Vulnerability Management, Managed Security Operation Centre, Incident Response Retainer, and Red Teaming whereby we test and strengthen our defences by identifying vulnerabilities and simulating attacks.

The Swire Pacific CISO is the Chair of the Cyber Security Working Group (CSWG) and is a member of the IT Committee (ITC). The CISO has responsibility for presenting cybersecurity topics to the GRMC and Audit Committee.

Under Swire Pacific’s enhanced Risk Governance Structure, an IT, Data & Technology (IDT) Risk Forum has been established as one of the second line risk forums. The Swire Pacific CISO presents at the IDT Risk Forum to provide oversight of the cybersecurity risk landscape from a Group perspective.

Regular cybersecurity reports are provided to the ITC, GRMC and to the Audit Committee. Our ITC oversees the cybersecurity programmes for our operating companies. A working group of cybersecurity professionals, which reports to the committee, meets regularly to promote the sharing of cybersecurity studies and best practices, and to enhance cybersecurity awareness across the Group.

Our operating companies complete a Control Self-Assessment from a cybersecurity perspective on an annual basis based on GIAD requests.

We have dedicated governance related to cybersecurity, including a GRMC risk forum to oversee IT, data and technology risks and to recommend best practice.

In 2021, we appointed a Chief Information Security Officer. We are building a dedicated team at group level to provide leadership, best practices, research and support to our operating companies. The central team is developing a Group cybersecurity strategy, managing cybersecurity programmes and projects, and establishing Group cybersecurity lines of service. These lines of service include threat and vulnerability management, a managed security operation centre, endpoint detection and response, and web application firewalls among others.

TCFD