Risk Management
In an environment where competition is fierce and changing rapidly, effective risk management can improve organizational resilience and promote sustainable development of enterprises. CTCI has implemented a strong risk governance framework and management process that includes stages such as risk identification, risk analysis, risk evaluation, risk response and treatment, residual risk evaluation, and improvement tracking. This framework enables the Company to implement risk-management strategies and measures such as prevention, reduction, transfer, or assumption when confronted with internal and external uncertainties. The goal is to increase risk awareness and tolerance while also strengthening competitive advantage and value creation capabilities.
Risk Management Framework
CTCI follows the COSO Enterprise Risk Management-Integrated Framework and ISO 31000 Risk Management framework and procedures to conduct comprehensive risk assessment and management, set risk management and control goals, and closely integrate risk management with the Company's goals to ensure the stability and sustainable development of business operations. The Company adopts the three-lines-of-defense model of enterprise risk management. Each operating unit is responsible for understanding and managing risks in daily operations and implementing relevant risk control measures; the Risk Management Executive Committee is responsible for formulating relevant risk management standards, risk appetite, and supervising risk implementation to ensure the achievement of risk management objectives; and an independent audit unit ensures the implementation of risk management policies.
The Board of Directors at CTCI is the highest governing body responsible for the Company's risk management. Among the board members, 6 non-executive directors have professional backgrounds in risk management. The Audit Committee, under the Board of Directors, supervises the risk management operations. Additionally, there is an Executive Risk Management Committee that reports the annual risk management performance to the Audit Committee each year. The 2023 risk management status was reported to the Audit Committee and the Board of Directors on November 1, 2023. In terms of risk management operations and implementation, each responsible unit is responsible for identifying, analyzing, evaluating, treating and reporting risks related to its business. Each operating unit and its risk management representatives act as the first line of defense and are responsible for promoting, supervising and managing major risks, and for reporting major risks and related improvement plans. The "Risk Management Executive Committee" plays a supervisory role at the company level. The President serves as the chairman, the Chief Risk Officer serves as the convener, and the Head of the Executive Management Office, the Heads of each Business Operations, and the Head of EPCO serve as the committee members. Regular meetings are held once every six months. The committee's major responsibilities are to examine the risk management policy; examine the Company's risk management reports, strategies and improvement plans; supervise the execution of risk control measures and improvement plans; and examine and assess the effectiveness of risk management measures and the implementation of improvement plans.
To ensure the independence of risk management, CTCI has set up a dedicated risk supervision and control unit, the "Risk Management and Control Office", which is responsible for promoting various risk management operations such as the establishment of a risk management mechanism and culture, and participation in the treatment and prevention of emergency risk events. The Chief Risk Officer is responsible for communicating risk policies, establishing and promoting risk control systems, supervising the implementation of risk control, disclosing risk information, etc., and reporting to the President. The Audit Department plays an independent and detached role. It evaluates the effectiveness of risk monitoring in the first and second lines of defense and provides timely improvement suggestions; it also draws on the risk evaluation results to prepare an annual audit plan, conducts internal audits accordingly, and reports on a regular basis to the Audit Committee.
Risk Management Policy and Procedures
The Company's "Risk Management Policies" and "Risk Management Regulations", approved by the Audit Committee and Board of Directors in 2020, are the supreme guidelines for risk management. Clear policies, objectives, scope, organizational structure, unit responsibilities, risk management mechanisms, and execution procedures are established for risk management. By integrating risk management into daily operations, employees are provided with clear guidelines. The Audit Committee, under the Board of Directors, is responsible for overseeing the risk management mechanisms to effectively manage the Company's operational risks. To mitigate operational impacts caused by internal and external uncertainties, CTCI employs a comprehensive risk management process. Through systematic identification, assessment, and response measures, we address and manage risks that may pose threats (or opportunities) to the Company. All employees are responsible for identifying and reporting risks. Any significant risk events that may impact the Company's operations should be immediately reported to their supervisors.
Risk Management Audit
To ensure the effectiveness and compliance of the Company's risk management processes, the relevant SOPs require a third-party audit of risk management principles, process architecture, and execution at least every two years. This is to confirm that the Company's risk management system complies with the international risk management standard ISO 31000. Furthermore, in order to assess the Company's risk management practice and improve overall risk management capabilities, SGS, an external third-party verifier, conducted a risk maturity audit in 2024. The audit result was "Role Model," indicating that our company has a good understanding of risk management, has a well-developed risk management system, and performs risk management at an exceptional level.
Risk Training for All Employees
Every year, the Company organizes company-wide risk advocacy activities or training courses focused on specific risk dimensions or issues. In 2023, we planned and conducted training on climate and natural, strategy / goals, legal compliance / intellectual property, integrity management, and HSE for all employees. These initiatives aim to increase risk awareness among all group members and integrate risk management knowledge into employee behaviors and daily operations.
Continuous Operation and Emergency Response
CTCI is mainly engaged in design, procurement and construction, and all operations rely on the information system as the main platform. In order to ensure the continuous operation of the business and reduce the impact of major accidents or disasters on key businesses, the Company implements relevant operations in accordance with the Business Continuity Plan (BCP) to reduce operating risks. The business continuity plan drills for 2023 took place in May and October, with a focus on testing 12 key systems related to design, procurement, construction (Engineering, Procurement, Construction, EPC), and project management. All drills were completed successfully.
In addition, the Company has established an emergency risk event control mechanism, and established alert criteria and action criteria for key risk items of each risk aspect. When an emergency risk event occurs, the responsible unit for the risk event should identify and evaluate the level of the emergency risk event in accordance with the above criteria in order to activate the emergency risk event control mechanism. In addition to developing necessary countermeasures, the responsible unit should also follow through on the countermeasure and mitigation results on a weekly basis to reduce adverse influences and impacts. Depending on the severity of the emergency risk event, supervisors should also join the team in the emergency risk event response efforts. The control of emergency risk events is illustrated in the following figure.
Furthermore, CTCI regards its employees as the Company's most valuable asset, and it places a high value on their personal safety in the workplace as well as their ability to respond to emergencies. In order to reduce the Company's operation risks, CTCI has established the "Emergency Response Management Procedure," which covers the first and second headquarters buildings, as well as project construction sites. It focuses on specific major risk events such as fires, natural disasters, environmental impact events, abnormalities in air conditioning, water supply disruptions, power outages, earthquakes, wind disasters, floods, protests, or riots. Through crisis scenario drills, colleagues become more familiar with contingency measures and can better reduce the impact in the event of a disaster. In March and September 2023, self-defense teams received fire safety training, and employees in the first and second headquarters buildings participated in annual fire evacuation drills.