Risk Management and Internal Controls

GRI 2-12, 201, 403
The Board is responsible for determining the Risk Appetite and maintaining the Risk Governance Structure that facilitate the Risk Management Process to identify and analyse the Risk Profile underlying for the achievement of business objectives of the Company, and to determine how such risks should be managed and mitigated. The Board oversees management in the design, implementation and monitoring of the risk management and internal control systems, and management provides confirmations to the Board on the effectiveness of these systems.
The effectiveness of the risk management process and internal control systems is subject to audit by internal audit, with support from external specialists where necessary.
Further discussion of risk management is set out in the sections of the Corporate Governance Report headed “Accountability and Audit – Risk Management and Internal Control”, “Audit Committee – Assessing the Effectiveness of Risk Management and Internal Control Systems” and “Internal Audit Department – Scope of Work” in Annual Report 2023 respectively.
Risk Appetite
The Board acknowledges its responsibility to determine the nature and extent of the risks the Company is willing to take in achieving the Company’s strategic objectives whilst not exposing the Company to excessive risk of financial losses, business disruption, negative reputation, regulatory incompliance and people’s health and safety. The Company has established and maintains an appropriate and effective risk management process and internal control systems to retain only risks that are manageable and at a reasonable level. In alignment with our risk appetite, the Company has established a risk assessment matrix and corporate risk register to evaluate and prioritise the key risks by taking into account of both financial and non-financial impact, as well as impact to our Sustainability Development 2030 (“SD 2030”) strategy. Moreover, the Company’s vulnerability and exposure to the key risks are assessed regularly to ensure that the appropriate internal controls and mitigating measures are in place for preventing and responding to any major incidents.

Risk Governance Structure

The Board has ultimate responsibility for risk management, overseeing its design and implementation. The Board is supported by the Audit Committee.
The Company has implemented the three lines of defence model of risk governance. The model is designed to minimise conflicts of interest and ensure independent oversight of risk management.
In the first line of defence, the management of each business and operating unit identifies, analyses and reports on the risks for which it is responsible. Risks are mitigated, minimised and eliminated, where practicable and economically viable. Where risk cannot be eliminated, the related economic returns are required to reflect the level of risk retained. The first line of defence is supervised by the functional heads and portfolio directors.
The second line of defence led by the Executive Committee ("EXCOM") supports the first line and provides assurance to the Board that risk is being managed effectively. The EXCOM chaired by the Chief Executive (also acting in the capacity of Executive Director) comprises two other Executive Directors and seven senior executives. It oversees all the risks to which the Company is subject and is responsible for the design, implementation and monitoring of the relevant risk management processes and internal control systems of the Company. Among the EXCOM meetings, review of the corporate risk register will be periodically conducted to evaluate the Company’s risk profile and exposure, to oversee the management of major risks, to identify emerging risks and to analyse risk events which materialise, with a view to their resolution and to learning from them. Sensitivity analysis or deep dive sessions on contemporary risk area such as geopolitical issues are conducted by EXCOM as appropriate. Matters of significance that arise are reported as appropriate to the Audit Committee and ultimately to the Board of Directors.
EXCOM is supported by committees with specialisation in respective corporate and operating functions across the Company including investment appraisal, joint venture management, health and safety, crisis management, information security and data protection. EXCOM is also supported by the risk management team headed by the Finance Director. In relation to the Company’s SD 2030 Strategy, the Environmental, Social and Governance (“ESG”) Steering Committee has been set up and reports to the Board. ESG Steering Committee is supported by working groups to manage the ESG risks with respect to the five SD pillars: places, people, partners, environmental and economic performances; and the SD Communication & Engagement Committee to oversee the implementation of communication and engagement initiatives. The Chairman of the Audit Committee, who is also an independent non-executive director of the Company and reports to the Board, is a member of the ESG Steering Committee. Details of the responsibilities of each SD 2030 Working Groups are documented in the SD Governance section.
The third line of defence is provided by the Swire Group Internal Audit Department to assist the Audit Committee in carrying out analysis and independent assessment of the adequacy and effectiveness of the risk management and the internal control systems through a systematic review of the processes and internal control. Details of the scope of work is set out in Annual Report 2023.

Risk Management Process

The following diagram illustrates the key risk management processes of the Company.
Risk Identification
Risks that impact the achievement of business objectives are identified by management and categorised with reference to a risk taxonomy.
Risk Analysis
Risk assessment matrix is established in accordance with the Company’s Risk Appetite to evaluate and prioritise the risks in terms of impact and vulnerability, and documented in corporate risk register.
Risk Mitigation
Internal control procedures and response protocols are designed, documented and implemented to manage the risks and mitigate their impact.
Risk Reporting
Risks are regularly reviewed and reported to the Audit Committee and other relevant governing parties.
Risk Monitoring
Adequacy and effectiveness of risk management and internal controls are closely monitored by management through regular review exercise.
Risk Identification
Risks that impact the achievement of business objectives are identified by management and categorised with reference to a risk taxonomy.
Risk Analysis
Risk assessment matrix is established in accordance with the Company’s Risk Appetite to evaluate and prioritise the risks in terms of impact and vulnerability, and documented in corporate risk register.
Risk Mitigation
Internal control procedures and response protocols are designed, documented and implemented to manage the risks and mitigate their impact.
Risk Reporting
Risks are regularly reviewed and reported to the Audit Committee and other relevant governing parties.
Risk Monitoring
Adequacy and effectiveness of risk management and internal controls are closely monitored by management through regular review exercise.
NaN / 5

Risk Profile

The following table provides an overview of our key risk profile (listed in alphabetical order), including what we consider to be Swire Properties’ principal existing and emerging risks, possible impacts, risk trend and mitigating measures that are in place or under development.
Existing Risks and Possible Impacts
Risk Trend
Mitigation Measures
Brand and image
The failure to maintain brand position and perception may make us less competitive. Social media, in particular, is considered as a high velocity risk which, if not properly managed, may cause disproportionate negative impact on the Company’s brand, image and reputation.
  • Crisis communication and social media policies are in place and are updated and tested regularly to ensure consistent, responsible and responsive communication (including when handling major incidents) in order to safeguard the Company’s reputation.
  • Closely monitor social media in order to evaluate and provide responses to negative social media content.
  • Engagement with third parties to understand their perceptions of the Company and to anticipate current and potential economic, political, social or environmental issues that may adversely affect our reputation.
Business disruption
Severe disruption to the business caused by acts of man or acts of nature such as extreme weather and pandemics may have adverse financial effects on the Company.
  • A business recovery plan for major incidents, and other business compliance measures for specific scenarios, operational emergencies and health and safety, are in place and are regularly updated and tested.
  • Strategic plans are regularly reviewed to maintain business resilience and sustainability.
  • Conduct site surveys and consult professional advisors to ensure properties in earthquake and hurricane zones are built to meet the relevant building codes and safety standards.
  • Purchase insurance to the extent practicable to cover financial loss due to property damage, business interruption and third-party liabilities.
Business risks
The lack of compelling development projects may lead to a slowdown in business. Disruptive business models, technologies and demographic factors are changing the behaviour and needs of tenant rapidly, leading to a new form of demand and space design.
  • Obtain suitable reserves of land, reinforce existing assets and actively explore investment opportunities especially to focus on strategic locations which will bring synergy with the existing portfolios and prime locations with strong growth prospect.
  • Monitor and evaluate disruptive business models, with a view to making our operations more robust.
  • Enhance competitiveness by increasing efficiency, using appropriate technology for customer proposition and operational procedures.
Cybersecurity and data protection
Delay in the compliance of fast changing regulatory requirements, insufficient data security protection system and policies may expose the Company to cyber-attack with potential financial and reputational consequences.
  • Policies on information and cyber security are in place with regular updates.
  • Staff trainings, incident response drills and simulation tests are conducted regularly to raise the awareness of data security across the Company.
  • Regular evaluation and upgrading of the latest technologies on information security.
  • Insurance policy for cyber and crime are in place to transfer the risk and to reduce financial losses.
Development risks
Delay in the completion of developments may have an adverse financial effect by delaying the timing of property sales and leasing. Cost inflation may also lead to significant financial impact due to economic volatilities, supply chain issues and labour shortage.
  • Closely work with contractors to monitor and manage construction progress to avoid delays in case of changing design and unexpected circumstances.
  • Stringent contractor prequalification requirements including financial position, manpower resources, resilience against geopolitical impact.
  • Build in contingencies for statutory approvals and communicate with government authorities on a timely basis.
Political risks
Changes in the global and local political landscape, policies and priorities may have significant impact on the business environment. Geopolitical risk and international tensions may impact the maintenance of the optimal portfolio mix. Any trade restrictions and international sanctions may adversely affect operating costs and tenant portfolio.
  • Regular review of investment strategy, business model and capital allocation in response to any impact of international tensions and geopolitical risk.
  • Maintain high level of sensitivities to political and social issues by closely monitoring social media and government policies with a timely response.
  • Senior management engagement with government authorities to anticipate political developments in order to plan appropriate responses and to ensure compliance with applicable laws and regulations.
  • Maintain robust corporate governance practice through oversight functions (internal audit, risk management, the company secretary, legal counsel and independent non-executive directors).
  • Conduct regular screening and monitoring on key business partners with reference to international sanctions.
Third-party risks
Misaligned interests, cultural fit and reneging on commitments of joint venture partners may lead to project delays, financial and reputational impact. Changes in financial position resulting in liquidity problems, changes in leadership and stance of joint venture partners resulting in a withdrawal or reduction of their shareholdings, contribution and commitments.
  • Conduct proper due diligence for potential joint venture partners and perform regular assessment as to credit rating and business performance.
  • Ensure a robust drafting of legal documents to include dispute resolution mechanism and exit strategy.
  • Ensure joint venture to adopt or to develop corporate codes with the same standard as that of Swire Properties.
  • Maintain robust governance structure to ensure open and timely discussions with joint venture partners by means of regular board meetings with proper agendas, maintenance of financial budgets, proper documentation of actions and responsibilities, pro-active partnership management and engagement to minimise miscommunication or disputes.
Emerging Risks and Possible Impacts
Risk Trend
Mitigation Measures
Climate change
Extreme weather conditions and climate change may increase the risks of physical damage to properties and adversely affect their valuation.
  • A Climate Change Policy is in place and is updated regularly.
  • Conduct climate risk assessments at all portfolios to manage the risks and to explore the opportunities arising from the transition to a target of net-zero carbon emission.
  • Science-based targets have been established to achieve long-term decarbonisation.
  • Monitor and reduce carbon emissions from construction activities and embodied carbon from major building and construction materials with the use of innovative technologies.
  • Piloting the use of internal carbon pricing (“ICP”) to determine the potential impacts of carbon emissions for our investments, quantify carbon risks to our business operations and better reallocate capital towards low-carbon investment and opportunities.
Nature and biodiversity risks
Deteriorating natural environment and biodiversity loss may impact material availability and adversely affect construction costs. Delay in response to growing market demand for nature-inclusive design in properties may have adverse financial effects on the Company.
  • A Biodiversity policy is in place and is updated regularly.
  • Participate in the Taskforce on Nature-related Financial Disclosures (TNFD) to formulate a global risk management and disclosure framework and contribute to collective nature-positive goals.
  • Partner with university to conduct a biodiversity assessment at our Hong Kong office portfolio to evaluate the state of urban biodiversity after the completion of the redevelopment and propose measures to further enhance urban biodiversity in future developments.
  • Conduct screening study of our global portfolio with biodiversity indicators to define a priority list and nature profile, and to identify the dependencies and impacts on natural assets and ecosystem services.
  • Explore opportunities to integrate nature-based solutions in future new development projects to further enhance urban biodiversity, increase climate resilience and promote tenant wellbeing.
Risk level increased during the year 2023
Risk level decreased during the year 2023
Risk level remained broadly the same

Geopolitical Risk Workshop

In June 2023, a geopolitical risk workshop was organised for Executive Committee members and senior management regarding key geopolitical risk scenarios that may affect the Company. Participants were divided into groups to identify and prioritise specific risk scenarios for our retail, office, residential, and hotels portfolios, and to propose, review and design mitigation controls and plans. As part of the workshop, a global sanctions training session was conducted, providing an overview of the latest global sanction regimes and an analysis of their impacts on the Company.
Geopolitical Risk Workshop