Effective risk management is critical in ensuring that the Group achieves its strategic objectives and protects its reputation, market position and financial strength. The Company and its operating companies adhere to the Group’s Enterprise Risk Management (ERM) policy. The ERM policy requires the identification, assessment, management, monitoring and reporting of current and emerging risks that are material to the Group.
The Board has ultimate responsibility for establishing, implementing, and overseeing an effective ERM framework, including its design and implementation. The Board is supported by the Audit Committee in this regard.
The Group has adopted the three lines of defence model of risk governance, which is designed to minimise conflicts of interest and establish independent oversight of risk management. The Group’s enterprise risk management framework is aligned with international standards.
In the first line, the management of each operating company identifies, analyses and reports on the risks for which it is responsible. Risks are mitigated to the extent practical through management actions and controls implemented by the first line. Where risks cannot be eliminated, the related economic returns are required to reflect the risk. When risks originating within an operating company become material to the Group, the first line within the operating company is responsible for escalating these risks to the Group for further management.
The first line’s risk management responsibilities are supported by a number of Group functional committees. For financial risks, the Finance Committee sets the parameters for managing financial risks and has oversight of how the operating companies manage these risks within those parameters. For non-financial risks, functional committees such as IT, Legal, and People Committees have oversight of operating company activities including risk mitigation. Sustainability-related risks are overseen by the Swire Group Sustainability Committee (SGSC) which ensures that the Group operates sustainably and effectively manages the Group’s sustainability-related risks, as well as the Swire Group Environmental Committee (SGEC) which oversees the effective management of climate and environmental risks. Senior Group and divisional management are members of these functional committees.
The second line refers to the internal processes and functions that help manage risk within the Company by supporting the first line and providing assurance to the Board that key risks are being managed effectively. Two second line risk management committees at the Group level – the Group Risk Management Committee (GRMC) and the Swire Pacific Risk Management Committee (SPACRMC) – served as risk oversight bodies throughout the year. Within the Company, the second line is supported by the Group Risk Management function.
Reporting to the Audit Committee, the GRMC oversees the management of non-financial risks at Group and operating company levels. Membership of the GRMC includes the Finance Director of the Group and heads of the Group’s major operating businesses. The GRMC is mandated to (i) regularly review the Group’s risk profile, (ii) oversee the management of major risks at Group and operating company levels, (iii) identify emerging risks and potential sources of future risk and (iv) analyse risk events which materialise, with a view to resolving and learning from them.
In relation to risks with a Group dimension, the GRMC was supported during the year by risk forums in areas of human resources, health and safety; IT, data and technology; environment and sustainable development; as well as Chinese Mainland operations. For risks specific to operating companies not material or relevant to the Group, the GRMC was supported by second line bodies in the operating companies.
During the year the SPACRMC had oversight of risks specific to the Company itself, identified risks which had a Group dimension and proposed approaches to the management of such risks to the GRMC.
The GRMC and SPACRMC meetings were chaired by the Finance Director and supported by Group Risk Management.
The third line encompasses the independent assurance functions that evaluate the effectiveness of the Company’s risk management, control, and governance processes. It is primarily represented by the group internal audit department, which provides objective assessments over the adequacy and effectiveness of both the first and second lines of defence.
Group Internal Audit validates whether risk management processes are implemented properly and operating effectively, and whether the risks which could impact our ability to achieve our business objectives are being properly identified, assessed and mitigated.
The boards and management of the operating companies are responsible for the management of risks at their respective businesses. Risk management governance practices vary between operating companies – commensurate with their nature, size, and operating and regulatory environments – with some having dedicated board and executive risk committees, while others manage risks through their respective audit or executive management committees.
Risks with a Group dimension are considered by the GRMC, and, where appropriate, by the Audit Committee and the Board. Operating companies mitigate and monitor these risks in their respective businesses.
The risk forums oversee risks within their remit that are considered material to the Group. They advise the GRMC on emerging risks which may affect the Group, analyse risk events that have materialised and develop best practices for managing those risks.
The GRMC reviews Group and divisional risk registers and considers how effectively risks are being managed. It establishes policies applicable to operating companies and promotes risk culture in the Group. On occasion, the Board or Audit Committee also identifies risks relevant to the Group’s businesses, which are cascaded to the GRMC and relevant operating companies for consideration within their risk registers and further handling.
Following the year-end, the GRMC approved enhancements to the Group’s governance arrangements for risk management and sustainability to further improve coordination, reduce duplication, and deepen integration with existing governance bodies. In doing so, certain committees, risk forums, and working groups were concluded as their responsibilities have become well established within other governance structures and in the operations of the Group’s operating companies. The revised governance structure maintains strong oversight across the Group while supporting more effective and coherent governance.
The chart below shows the risk governance structure for the year.
The Company and the operating companies across the Group have adopted a common ERM approach, involving the following key steps:
• Identification: Risks are identified through a variety of sources and categorised by reference to a common risk classification.
• Evaluation: The identified risks are assessed on their potential financial and non-financial impacts, and on the vulnerabilities associated with them. Non-financial impacts include dimensions such as reputation, regulatory compliance, potential for significant business interruption, and strategy, while vulnerabilities pay regard to the effectiveness of related internal controls, the Group's readiness to respond, and the degree of externality associated with the risk amongst other factors. The combined assessment of impact and vulnerability allows more significant risks to be prioritised for management attention.
• Mitigation: Designated risk owners are responsible for devising mitigation strategies aimed at reducing exposure to key risks and executing the agreed action plans.
• Reporting and Monitoring: Continuous tracking of key risks, progress and effectiveness of related mitigating actions, and escalation of material exposures and incidents to the appropriate governance bodies to ensure timely management and mitigation.
The ERM process incorporates both a “top down” and “bottom up” approach. The Board provides guidance from the top on its risk priorities, and the operating companies assess their risks from their respective perspectives. Material risks are reported to the GRMC and consolidated into a Group risk register, which is reviewed by the Audit Committee and the Board on a regular basis.
There were no significant changes to the Group ERM process during the year.
Integration of the ERM Framework into Business Processes
Risk management is an integral part of business management, with the ERM framework seamlessly integrated into fundamental business decision-making processes. This comprehensive approach ensures that potential risks are identified, assessed, and mitigated throughout the business life cycle:
• Key risks are identified and analysed at the Board level during strategic planning.
• The budgeting and planning cycle includes a focus on improving the Group’s risk profile.
• Satisfactory delivery of action plans to mitigate key risks is considered in performance management.
• Significant changes in risk profile are included in regular management reporting.
• Risk assessments are performed as part of due diligence on major investments.
The Group is exposed to a broad range of risks. Current key risks and uncertainties faced by the Company are highlighted below. Key risks specific to our operating companies are specified in their respective risk registers.