The Board has ultimate responsibility for risk management, overseeing its design and implementation. The Board is supported by the Audit Committee. The Board has adopted the three lines of defence model of risk governance. The model is designed to minimise conflicts of interest and ensure independent oversight of risk management.
The First Line
In the first line, the Board is supported by the management of each division and functional committees. They are responsible for identifying, analysing, and managing the risks to us associated with achieving our business objectives, including those relating to sustainability.
The functional committees include representatives from our divisions. The Swire Group Environmental Committee (SGEC), the Diversity and Inclusion Steering Committee (DISC), and the Health and Safety Committee are tasked with the management and oversight of sustainability risks relevant to SwireTHRIVE. The members of the functional committees and working groups include specialists in their respective areas. Each committee is chaired by an individual with relevant experience.
They are responsible for identifying and managing specific areas of risk, proposing policies and reporting performance. Part of the role of the functional committees and working groups is to identify risks and opportunities which fall within their respective areas and to draw up policy recommendations for GRMC review and approval.
The policies approved by the GRMC apply to all companies in which Swire Pacific has a controlling interest. The boards of these operating companies are required to adopt these policies and to establish procedures to ensure compliance. Joint venture and associated companies are encouraged to adopt Group policies.
The Second Line
The role of the Second Line is to support the First Line and provide assurance to the Board that risk is being effectively managed. The Second Line includes two management committees: the Group Risk Management Committee (GRMC), which focuses on group-wide risks, and the Swire Pacific Risk Management Committee (SPACRMC), which oversees risks to the Company itself.
The GRMC includes divisional heads, is chaired by the Finance Director and reports to the Board via the Audit Committee. It oversees the management of non-financial risks at both Group and operating company levels. The GRMC:
- Reviews the Group’s risk profile and Group and divisional risk registers
- Oversees the management of major risks at Group and operating company levels
- Identifies emerging risks and potential sources of future risk including ESG risks
- Analyses risk events which materialise, with a view to their resolution and to learning from them.
In relation to risks having a Group dimension the GRMC is supported by four risk forums covering, respectively: environmental, human, technology, and legal risks. In relation to those not having a Group dimension the GRMC is supported by the Second Line infrastructure within each operating company.
The SPACRMC identifies risks which have a Group dimension and proposes approaches to the management of such risks to the GRMC. The GRMC and the SPACRMC are chaired by the Finance Director, who is supported by the Chief Risk Officer.
The Third Line
The third line is supported by the Group Internal Audit Department. The Group’s Internal Audit provides independent and objective assurance that the risk management processes are implemented properly and operating effectively and that the risks which could impact our ability to achieve our business objectives are being properly identified, assessed, and mitigated.
The boards and management of operating companies are responsible for the management of risk at those companies.
The Group’s ERM framework is aligned with international standards such as ISO 31000. Our ERM process is both top down and bottom up. It accommodates both operating-company-specific risks and risks that are material at the Group level.
The Board gives guidance on its risk priorities, the operating companies assess their own risks, and the SPACRMC manages Group risks. All of these are reported to the GRMC and are consolidated into the Group risk register which is then presented to the Audit Committee and the Board.
The operating companies have adopted a common approach to ERM based on the development and management of their risk registers. Operating companies are responsible for the identification, assessment, mitigation, and monitoring of these risks in their respective businesses.
Risks considered to have a Group dimension are discussed by the GRMC, and potentially by the Audit Committee and the Board. Key risk focus areas for the Group that relate to SwireTHRIVE include climate change, greenwashing, and people and culture. Regulatory and policy change related to ESG has been identified as an emerging risk. Descriptions of these risks and details of our mitigation measures are provided in the Risk management section of the Annual Report, and in the Climate, People, and Talent management sections of this report.
We use an enterprise risk management (ERM) process to identify, assess, monitor, and manage risks. The ERM process is aimed at ensuring robust and effective risk management by the Group and at fostering a risk-aware culture. The implementation and execution of the ERM process follows our Enterprise Risk Management Policy. Each division and major operating company is required to implement the ERM process.
As part of this policy, operating companies must regularly submit corporate risk registers and changes in risk profiles to Swire Pacific. To ensure consistency of approach, these registers are prepared using a standard methodology and format and standard risk ranking criteria.
In 2023, our key risk management focus areas included: economic slowdown, evolution of Hong Kong, geopolitical risk, cybersecurity and data protection, greenwashing, people and culture, crisis management, portfolio discipline, and climate change. More details of our ERM process and our risk mitigation measures can be found in our Annual Report.
Risk management is an integral part of business management and is included in due diligence on major investments. In 2024, we are building on our current approach, which focuses on compliance with laws and regulations related to ESG, by layering in geospatial physical climate risk assessments for the assets of potential new investments. As part of our Internal Carbon Pricing pilot, our three largest operating companies are considering the operational emissions associated with key projects by applying a shadow carbon price which is then reviewed by the operating company or Group investment committee.
Swire Pacific has, and monitors compliance with, a cybersecurity and information security policy, and conducts regular cybersecurity maturity assessments based on the recognised US National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF). Several major operating companies also reference the ISO 27001 standard for information security management.
Swire Pacific has appointed a Group Chief Information Security Officer (CISO) and established a central Cybersecurity Centre of Excellence (CCoE) under the CISO’s direction. The CCoE team is dedicated to providing guidance, sharing best practices, conducting research, driving innovation, offering support, and delivering training to our operating companies. The central team is responsible for developing the Group cybersecurity strategy and creating and maintaining security policies and standards. The central team also manages cybersecurity programmes and projects, and establishes cybersecurity service lines which include, but are not limited to, Cybersecurity Maturity Assessment, Threat and Vulnerability Management, Managed Security Operation Centre, Incident Response Retainer, Attack Surface Management, and Red Teaming exercises.
The Swire Pacific CISO chairs the Cyber Security Working Group (CSWG), which is composed of cybersecurity professionals across the Group. The CSWG members meet regularly to facilitate the exchange of best cybersecurity practices and to bolster cybersecurity awareness throughout the Group. The CISO is a member of the IT Committee (ITC) which oversees the cybersecurity programs for the operating companies.
The CISO presents cybersecurity topics and reports significant cybersecurity risks to the GRMC and Audit Committee. Under Swire Pacific’s enhanced Risk Governance Structure, an IT, Data & Technology (IDT) Risk Forum has been established as part of the second line risk forums. The CISO provides oversight of the cybersecurity risk landscape from a Group perspective during the risk forum meetings.
Operating companies undertake a Control Self-Assessment from a cybersecurity perspective annually in response to requests from the Group Internal Audit Department.
Cybersecurity measures

| CCoE service line | Policy / programme |
| --- | --- |
| Cybersecurity Maturity Assessment (CMA) Service Line | Group Information Security Policy (GISP) |
| Threat and Vulnerability Management (TVM) Service Line | Threat and Vulnerability Management Policy (TVMP) |
| Managed Security Operation Centre (MSOC) Service Line | Cyber and Technology Risk Management Policy (CTRMP) |
| Incident Response Retainer (IRR) Service Line | Cybersecurity Incident Management Policy (CIMP) |
| Attack Surface Management (ASM) Service Line | Regular Phishing Simulation |
| Red Team Attack Simulation (RTAS) Service Line | Security Awareness & Training |