Corporate Governance

Risk Management and Internal Control

(Extracted from the Corporate Governance Report contained in the Company's 2016/17 Annual Report dated 14 September 2017)

The Group has diverse business activities in Hong Kong, Mainland China and Singapore and is exposed to different risks in a dynamic environment. Effective risk management is therefore essential for the long-term growth and sustainability of the businesses of the Group. The Board is responsible for the overall strategy and development of the Group’s businesses; for setting its corporate goals and risk appetite; for establishing and maintaining sound and effective risk management and internal control systems to safeguard the Group’s assets and stakeholders’ interests; and for reviewing the effectiveness of the systems. The Board assesses the effectiveness of the risk management and internal control systems through the reviews performed by the Audit and Risk Management Committee, executive management and both internal and external auditors. It should be acknowledged that such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.

Risk Management

The Group’s risk governance structure is guided by the “Three Lines of Defence” model as shown below:

Governance Structure

First Line of Defence

Each department has the duty to manage its own risks in the course of its daily operations, including:

  1. establishing its own risk management measures for identifying, measuring, mitigating and monitoring its own risks;
  2. completing a risk assessment template and submitting its assessment results to the Risk Management Steering Committee at least twice a year;
  3. operating in a manner that is in line with the risk appetite of the Group; and
  4. implementing any risk action plans as advised by the Risk Management Steering Committee and/or the Internal Audit Department and/or the Audit and Risk Management Committee to address any significant risk that may affect its operation.

Second Line of Defence

The Risk Management Steering Committee is under the direct supervision of the Executive Committee and also accountable to the Audit and Risk Management Committee. Members of this Committee comprise the two Deputy Managing Directors, the Company Secretary, the Head of Accounting, the Head of Internal Affairs, and the Risk Manager. The Risk Management Steering Committee is primarily responsible for:

  1. providing assistance to the Board and the Audit and Risk Management Committee in overseeing and monitoring the operation of the risk management and internal control systems;
  2. reviewing the risk assessment results submitted by each department and providing support and guidance to them;
  3. reporting its work done to the Audit and Risk Management Committee at least twice a year; and
  4. proposing any enhancement to the risk management and internal control systems for consideration by the Audit and Risk Management Committee and/or the individual department concerned.

Third Line of Defence

The Internal Audit Department is primarily responsible for:

  1. performing audits to evaluate the proper functioning of the risk management and internal control systems;
  2. reporting its findings to the Audit and Risk Management Committee and providing the Committee with an independent and objective assurance on the effectiveness of the risk management and internal control systems of the Group; and
  3. proposing any enhancement to the risk management and internal control systems for consideration by the Audit and Risk Management Committee and/or the Risk Management Steering Committee and/or the individual department concerned.

Audit and Risk Management Committee

The Audit and Risk Management Committee assists the Board in overseeing the risk management and internal control systems of the Group, including:

  1. reviewing, at least annually, the risk management and internal control systems of the Group with the Internal Audit Department to ascertain whether management has fulfilled its responsibilities in establishing and maintaining effective systems;
  2. reviewing the risk assessment results, including changes in the nature and extent of significant risks since the last review and the Group’s ability to respond to changes in its business and the external environment;
  3. discussing with management on the resources, staff qualifications and experience, training programmes and budget of the Group’s accounting, internal audit and financial reporting functions to ensure that these are adequate;
  4. considering major investigation findings on risk management and internal control matters as delegated by the Board or on its own initiative and management’s response to these findings;
  5. identifying any significant risks that should be drawn to the attention of the Board; and
  6. reviewing and considering any enhancement to the risk management and internal control systems as proposed by the Risk Management Steering Committee and/or the Internal Audit Department.

Board of Directors

The Board has the overall responsibility for establishing and maintaining sound and effective risk management and internal control systems, including:

  1. setting the Group’s strategies and corporate goals;
  2. evaluating and determining the nature and extent of the risks it is willing to take in achieving its strategic and business objectives;
  3. overseeing management in the design, implementation and monitoring of the risk management and internal control systems;
  4. overseeing the risk management and internal control systems on an ongoing basis, and ensuring that a review of the systems is conducted at least annually to ensure their effectiveness;
  5. reviewing the changes in the nature and extent of significant risks since the last review and the Group’s ability to respond to changes in its business and the external environment;
  6. considering the scope and quality of management’s ongoing monitoring of risks and of the internal control systems;
  7. considering the extent and frequency of communication of monitoring results to the Board; and
  8. considering any significant control failings or weaknesses that have been identified during the period.

Internal Control

Risk management is integrated with the Group’s internal control system which was developed based on the COSO (the Committee of Sponsoring Organizations of the Treadway Commission) principles as follows:

(i) Control Environment

  • demonstrates a commitment to integrity and ethical values
  • the Board demonstrates independence from management and exercises oversight of the development and performance of internal control
  • management establishes, with Board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
  • demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
  • holds individuals accountable for their internal control responsibilities in the pursuit of objectives

(ii) Risk Assessment

  • specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
  • identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
  • considers the potential for fraud in assessing risks to the achievement of objectives
  • identifies and assesses changes that could significantly impact the system of internal control

(iii) Control Activities

  • selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
  • selects and develops general control activities over technology to support the achievement of objectives
  • deploys control activities through policies that establish what is expected and procedures that put policies into place

(iv) Information and Communication

  • obtains or generates and uses relevant, quality information to support the functioning of internal control
  • internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
  • communicates with external parties regarding matters affecting the functioning of internal control

(v) Monitoring

  • selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
  • evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the Board, as appropriate

The internal control system aims at safeguarding assets from inappropriate use, maintaining proper accounts, ensuring compliance with laws and regulations, and enabling timely identification and management of key risks that may have impact on the Group. Management is primarily responsible for the design, implementation and maintenance of the risk management and internal control systems. The Group’s internal control system includes a well-established organizational structure with clearly defined lines of responsibility and authority. Policies and procedures are laid down for its key business processes and business units covering project development, tendering, sales and leasing, financial reporting, human resources and computer systems.

The Group’s Code of Conduct, freely accessible on the Group’s intranet, is maintained and communicated to all employees for compliance. In addition, a whistleblowing policy was established for our employees to raise concerns in confidence about suspected misconducts, malpractices or fraudulent activities relating to the Group. The identity of the whistleblower will be treated with the strictest confidence.

The Company has a policy on inside information in place setting out the principles and procedures for handling and disclosing inside information of the Group in compliance with the relevant requirements under Part XIVA of the Securities and Futures Ordinance and the Listing Rules, and such policy has been communicated to the relevant senior executives of the Group. The policy contains provisions for establishing an internal committee to ascertain whether certain information constitutes inside information of the Group, and (where necessary) for escalating the matter to the senior management of the Group for final determination. To prevent inadvertent disclosure of inside information, the policy also prescribes certain measures in place, including restricting access to inside information to employees on a need-to-know basis, requiring documents and files containing inside information to be kept in a safe place, and requiring that confidentiality agreements be made with external parties in appropriate cases.

Effectiveness of Risk Management and Internal Control Systems

During the year ended 30 June 2017, the Risk Management Steering Committee has worked with each department and senior management to enhance the risk management and internal control systems. Activities included updating the risk assessment templates to include matters such as key risk indicators and threshold for monitoring risk performance, and providing risk training to and maintaining ongoing interactive dialogues with the departments.

The Group’s Internal Audit Department, which has been established for more than 20 years, performs independent appraisal of the adequacy and effectiveness of the Group’s risk management and internal control systems. The department has direct access to the Audit and Risk Management Committee and has rights to access all records, assets and personnel as stipulated in the Internal Audit Charter. The department follows a risk-based approach to formulate the audit plan that focuses on the top risk identified. The risks for departments and business units are assessed using the pre-determined risk criteria. The assessment results are consolidated and ranked from an enterprise-wide perspective. The Audit and Risk Management Committee reviews and approves annually the audit plan, which is formulated based on the risk assessment result. Summaries of major audit findings and control weaknesses, if any, are reviewed by the Audit and Risk Management Committee. The department monitors the follow-up actions agreed upon in response to recommendations.

The Board through the Audit and Risk Management Committee reviewed the risk assessment results, and the risk management and internal control systems of the Group for the year ended 30 June 2017, including financial, operational and compliance controls. The review includes considering the internal control evaluations conducted by executive management and the internal and external auditors as well as the adequacy of resources, staff qualifications and experience, training programmes and budget of the Group’s accounting, internal audit and financial reporting functions. Based on the result of the review, the Board considered that for the year ended 30 June 2017, the risk management and internal control systems of the Group were effective and adequate.
