Effective risk management is key to ensuring the long-term viability of the Group. It is embedded within all our operating companies. It is essential that every Swire Pacific employee works together to address the risks to which our Group is exposed.
The Board and the management of each division are responsible for identifying, analysing and managing the risks to us associated with achieving our business objectives, including those relating to sustainability.
Two key management committees monitor the risks affecting the Group: the Group Risk Management Committee (GRMC) and the Finance Committee.
In 2021, the Group’s risk governance structure was reviewed and a three-lines-of-defence model was adopted.
The first line of defence manages risk and comprises executive management committees at Group and operating company level, as well as functional committees.
The second line of defence consists of the GRMC, supported by four new risk forums that provide specialist oversight and support to operating companies in implementing the enterprise risk management process, advise the GRMC on emerging risks, analyse risk events that have materialised and develop best practices for managing risks.
In addition, a new Swire Pacific Risk Management Committee (SPACRMC) has been established to oversee risks specific to Swire Pacific itself. It identifies risks that have a Group dimension and proposes approaches to the management of such risks to the GRMC.
The third line of defence is the internal audit function.
The GRMC provides oversight on all the risks to which the Group is exposed, except for those expressly covered by the Finance Committee. It includes divisional chief executives, is chaired by the Finance Director and reports to the Board via the Audit Committee.
The GRMC:
- Reviews divisional risk registers which set out current and emerging risks, including ESG risks
- Sets group risk management policies and strategies
- Oversees functional committees and working groups
The members of the functional committees and working groups are specialists in their respective areas. Each committee is chaired by an individual with relevant experience. Part of the role of the functional committees and working groups is to identify risks and opportunities which fall within their respective areas and to draw up policy recommendations for GRMC review and approval.
The policies approved by the GRMC apply to all companies in which Swire Pacific has a controlling interest. The boards of these operating companies are required to adopt these policies and to establish procedures to ensure compliance. Joint venture and associated companies are encouraged to adopt Group policies.
We use an enterprise risk management (ERM) process to identify, assess, monitor and manage risks. The ERM process is aimed at ensuring robust and effective risk management by the Group and at fostering a risk aware culture. The implementation and execution of the ERM process follows our Enterprise Risk Management Policy. Each division and major operating company is required to implement the ERM process.
As part of this policy, operating companies must regularly submit corporate risk registers and changes in risk profiles to Swire Pacific. To ensure consistency of approach, these registers are prepared using a standard methodology and format and standard risk ranking criteria.
In 2021, our key risk management focus areas included: evolution of Hong Kong, regulatory changes, political – international tensions, climate change, crisis management, protection and use of data, portfolio discipline, people and culture. More details of our ERM process and our risk mitigation measures can be found in our Annual Report.
Swire Pacific has, and monitors compliance with, a cybersecurity and information security policy, and conducts regular cybersecurity maturity assessments based on the recognised US National Institute of Standards and Technology (NIST) Cybersecurity Framework. Several major operating companies also reference the ISO 27001 standard.
We have dedicated governance related to cybersecurity, including a GRMC risk forum to oversee IT, data and technology risks and to recommend best practice. Regular cybersecurity reports are provided to the IT Committee, GRMC and to the Audit Committee. Our IT Committee oversees the cybersecurity programmes of our operating companies. A working group of cybersecurity professionals, which reports to the committee, meets regularly to promote the sharing of cybersecurity studies and best practices, and to enhance cybersecurity awareness across the Group.
In 2021, we appointed a Chief Information Security Officer. We are building a dedicated team at group level to provide leadership, best practices, research and support to our operating companies. The central team is developing a Group cybersecurity strategy, managing cybersecurity programmes and projects, and establishing Group cybersecurity lines of service. These lines of service include threat and vulnerability management, a managed security operation centre, endpoint detection and response, and web application firewalls among others.