Corporate Governance

Your current location

Risk Management and Internal Control

(Extracted from the Corporate Governance Report contained in the Company's 2017/18 Annual Report dated 13 September 2018)

The Group has diverse business activities in Hong Kong, Mainland China and Singapore and is exposed to different risks in a dynamic environment. Effective risk management is therefore essential for the long-term growth and sustainability of the businesses of the Group. The Board is responsible for the overall strategy and development of the Group’s businesses; for setting its corporate goals and risk appetite; for establishing and maintaining sound and effective risk management and internal control systems to safeguard the Group’s assets and stakeholders’ interests; and for reviewing the effectiveness of the systems. The Board assesses the effectiveness of the risk management and internal control systems through the reviews performed by the Audit and Risk Management Committee, executive management and both internal and external auditors. It should be acknowledged that such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.

Risk Management

The Group’s risk governance structure is guided by the “Three Lines of Defence” model as shown below:

Governance Structure

First Line of Defence

Each department has the duty to manage its own risks in the course of its daily operations, including:

  1. establishing its own risk management measures for identifying, measuring, mitigating and monitoring its own risks;
  2. completing a risk assessment template and submitting its assessment results to the Risk Management Steering Committee at least twice a year;
  3. operating in a manner that is in line with the risk appetite of the Group; and
  4. implementing any risk action plans as advised by the Risk Management Steering Committee and/or the Internal Audit Department and/or the Audit and Risk Management Committee to address any significant risk that may affect its operation.

Second Line of Defence

The Risk Management Steering Committee is under the direct supervision of the Executive Committee and also accountable to the Audit and Risk Management Committee. Members of this Committee comprise the two Deputy Managing Directors, the Company Secretary, the Head of Accounting, the Head of Internal Affairs, and the Risk Manager. The Risk Management Steering Committee is primarily responsible for:

  1. providing assistance to the Board and the Audit and Risk Management Committee in overseeing and monitoring the operation of the risk management and internal control systems;
  2. reviewing the risk assessment results submitted by each department and providing support and guidance to them;
  3. reporting its work done to the Audit and Risk Management Committee at least twice a year; and
  4. proposing any enhancement to the risk management and internal control systems for consideration by the Audit and Risk Management Committee and/or the individual department concerned.

Third Line of Defence

The Internal Audit Department is primarily responsible for:

  1. performing audits to evaluate the proper functioning of the risk management and internal control systems;
  2. reporting its findings to the Audit and Risk Management Committee and providing the Committee with an independent and objective assurance on the effectiveness of the risk management and internal control systems of the Group; and
  3. proposing any enhancement to the risk management and internal control systems for consideration by the Audit and Risk Management Committee and/or the Risk Management Steering Committee and/or the individual department concerned.

Audit and Risk Management Committee

The Audit and Risk Management Committee assists the Board in overseeing the risk management and internal control systems of the Group, including:

  1. reviewing, at least annually, the risk management and internal control systems of the Group with the Internal Audit Department to ascertain whether management has fulfilled its responsibilities in establishing and maintaining effective systems;
  2. reviewing the risk assessment results, including changes in the nature and extent of significant risks since the last review and the Group’s ability to respond to changes in its business and the external environment;
  3. discussing with management on the resources, staff qualifications and experience, training programmes and budget of the Group’s accounting, internal audit and financial reporting functions to ensure that these are adequate;
  4. considering major investigation findings on risk management and internal control matters as delegated by the Board or on its own initiative and management’s response to these findings;
  5. identifying any significant risks that should be drawn to the attention of the Board; and
  6. reviewing and considering any enhancement to the risk management and internal control systems as proposed by the Risk Management Steering Committee and/or the Internal Audit Department.

Board of Directors

The Board has the overall responsibility for establishing and maintaining sound and effective risk management and internal control systems, including:

  1. setting the Group’s strategies and corporate goals;
  2. evaluating and determining the nature and extent of the risks it is willing to take in achieving its strategic and business objectives;
  3. overseeing management in the design, implementation and monitoring of the risk management and internal control systems;
  4. overseeing the risk management and internal control systems on an ongoing basis, and ensuring that a review of the systems is conducted at least annually to ensure their effectiveness;
  5. reviewing the changes in the nature and extent of significant risks since the last review and the Group’s ability to respond to changes in its business and the external environment;
  6. considering the scope and quality of management’s ongoing monitoring of risks and of the internal control systems;
  7. considering the extent and frequency of communication of monitoring results to the Board; and
  8. considering any significant control failings or weaknesses that have been identified during the period.

Internal Control

Risk management is integrated with the Group’s internal control system which was developed based on the COSO (the Committee of Sponsoring Organizations of the Treadway Commission) principles as follows:

(i) Control Environment

  • demonstrates a commitment to integrity and ethical values
  • the Board demonstrates independence from management and exercises oversight of the development and performance of internal control
  • management establishes, with Board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
  • demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
  • holds individuals accountable for their internal control responsibilities in the pursuit of objectives

(ii) Risk Assessment

  • specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
  • identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
  • considers the potential for fraud in assessing risks to the achievement of objectives
  • identifies and assesses changes that could significantly impact the system of internal control

(iii) Control Activities

  • selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
  • selects and develops general control activities over technology to support the achievement of objectives
  • deploys control activities through policies that establish what is expected and procedures that put policies into place

(iv) Information and Communication

  • obtains or generates and uses relevant, quality information to support the functioning of internal control
  • internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
  • communicates with external parties regarding matters affecting the functioning of internal control

(v) Monitoring

  • selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
  • evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board, as appropriate

The internal control system aims at safeguarding assets from inappropriate use, maintaining proper accounts, ensuring compliance with laws and regulations, and enabling timely identification and management of key risks that may have impact on the Group. Management is primarily responsible for the design, implementation and maintenance of the risk management and internal control systems. The Group’s internal control system includes a well-established organizational structure with clearly defined lines of responsibility and authority. Policies and procedures are laid down for its key business processes and business units covering project development, tendering, sales and leasing, financial reporting, human resources and computer systems.

The Group’s Code of Conduct, freely accessible on the Group’s intranet, is maintained and communicated to all employees for compliance. In addition, a whistleblowing policy was established for our employees to raise concerns in confidence about suspected misconducts, malpractices or fraudulent activities relating to the Group. The identity of the whistleblower will be treated with the strictest confidence.

The Company has a policy on inside information in place setting out the principles and procedures for handling and disclosing inside information of the Group in compliance with the relevant requirements under Part XIVA of the Securities and Futures Ordinance and the Listing Rules, and such policy has been communicated to the relevant senior executives of the Group. The policy contains provisions for establishing an internal committee to ascertain whether certain information constitutes inside information of the Group, and (where necessary) for escalating the matter to the senior management of the Group for final determination. To prevent inadvertent disclosure of inside information, the policy also prescribes certain measures in place, including restricting access to inside information to employees on a need-to-know basis, requiring documents and files containing inside information to be kept in a safe place, and requiring that confidentiality agreements be made with external parties in appropriate cases.

Key Risk Factors

The following section lists out the key risks and uncertainties facing the Group. It is a non-exhaustive list and there may be other risks and uncertainties further to the key risk areas outlined below:

Risks Pertaining to the Property Market in Hong Kong

A substantial part of the Group’s property portfolio is located in Hong Kong, and a substantial part of the Group’s revenue is derived in Hong Kong. As a result, general state of the economy and the property market, legislative and regulatory changes, government policies and political conditions, interest rate changes, labour market conditions, and availability of financing in Hong Kong have a significant impact on the Group’s operating results and financial conditions. For instance, profitability of property development business may be affected due to deteriorating economic conditions or intense competition from other developers and property owners. The government may introduce property cooling measures from time to time, which may have a significant bearing on the property market and adversely affect the Group’s property sales performance, and financial condition. Further growth of the Group’s property development business may also be impacted by the supply and price levels of land in Hong Kong.

Rental levels in Hong Kong are subject to competition arising from supply in the primary sector. In addition to the economic and market conditions mentioned above, other domestic and external economic factors including but not limited to supply and demand conditions, and stock market performance may affect the Group’s property investment business.

Risks Pertaining to the Property Market in Mainland China

The Group has material interests in residential and commercial property development and property investment in Mainland China and is therefore subject to the risks associated with China’s property market. The Group’s operations in Mainland China may also be exposed to the risks of policy changes, currency fluctuation, interest rate changes, demand-supply imbalance, changes in the overall economic conditions, competition in the labour market, and availability of financing, which may pose an adverse impact on the Group’s business, financial condition or results of operations.

Operational Risks

The Group’s operation is subject to a number of risk factors distinctive to property development, property investment, and property related businesses. Default on the part of our buyers, tenants and strategic business partners, inadequacies or failures of internal processes, people and systems, leakage of sensitive information by hacking or accidents, inadequate responses to negative events which may have adverse impact on reputation, or other external factors may have various levels of negative impact on the results of operations. Additionally, accidents may happen despite systems and policies set up for their prevention, which may lead to financial loss, litigation, or damage in reputation.

Mitigating Principal Risks Faced by the Group

The risk management and internal control systems have been designed to operate proactively to ensure that principal risks are not only identified, measured and monitored but also mitigated. Under such systems, management staff of various departments would identify suitable internal controls and countermeasures to mitigate principal risks faced by the Group. When formulating mitigating measures, important factors such as regulatory requirements, risk appetite, adequacy and effectiveness of mitigating actions proposed, risk owners in place to implement and availability to transfer risks to third parties were taken into consideration. The objective of these risk mitigating plans is to ensure that principal risks are well managed and governed effectively.

Past Performance and Forward-Looking Statements

The performance and the results of operation of the Group as set out in this annual report are historical in nature and past performance is not a guarantee of future performance. This annual report may contain forward-looking statements and opinions that involve risks and uncertainties. Actual result may also differ materially from expectations discussed in such forward-looking statements and opinions. Neither the Group nor the Directors, employees or agents of the Group assume (a) any obligations to correct or update the forward-looking statements or opinions contained in this annual report; and (b) any obligations or liabilities in the event that any of the forward-looking statements or opinions does not materialize or turns out to be incorrect.

Effectiveness of Risk Management and Internal Control Systems

During the year ended 30 June 2018, the Risk Management Steering Committee has worked with each department and senior management to enhance the risk management and internal control systems. Activities included updating the risk assessment templates to include matters such as key risk indicators and threshold for monitoring risk performance, adding new risk categories and providing risk training to and maintaining ongoing interactive dialogues with the departments. It has also reviewed the major risks for operations in Hong Kong and Mainland China.

The Group’s Internal Audit Department, which has been established for more than 20 years, performs independent appraisal of the adequacy and effectiveness of the Group’s risk management and internal control systems. The department has direct access to the Audit and Risk Management Committee and has rights to access all records, assets and personnel as stipulated in the Internal Audit Charter. The department follows a risk-based approach to formulate the audit plan that focuses on the top risks identified. The risks for departments and business units are assessed using the pre-determined risk criteria. The assessment results are consolidated and ranked from an enterprise-wide perspective. The Audit and Risk Management Committee reviews and approves annually the audit plan, which is formulated based on the risk assessment result. Summaries of major audit findings and control weaknesses, if any, are reviewed by the Audit and Risk Management Committee. The department monitors the follow-up actions agreed upon in response to recommendations.

The Board through the Audit and Risk Management Committee reviewed the risk assessment results, and the risk management and internal control systems of the Group for the year ended 30 June 2018, including financial, operational and compliance controls. The review includes considering the internal control evaluations conducted by executive management and the internal and external auditors as well as the adequacy of resources, staff qualifications and experience, training programmes and budget of the Group’s accounting, internal audit and financial reporting functions. Based on the result of the review, the Board considered that for the year ended 30 June 2018, the risk management and internal control systems of the Group were effective and adequate.

Back to top