Sustainability Report 2024
Our business

ESG risk management

Effective risk management is key to ensuring the long-term viability of the Group. It is embedded within all our operating companies. It is essential that every Swire Pacific employee works together to address the risks to which our Group is exposed.

The Board has ultimate responsibility for risk management, overseeing its design and implementation. The Board is supported by the Audit Committee.

The Board has adopted the three lines of defence model of risk governance. The model is designed to minimise conflicts of interest and ensure independent oversight of risk management.

The First Line

In the first line, the Board is supported by the management of each division and by functional committees. They are responsible for identifying, analysing, and managing the risks associated with achieving our business objectives, including those relating to sustainability.

The functional committees include representatives from our divisions. The Swire Group Sustainability Committee (SGSC), the Diversity and Inclusion Steering Committee (DISC), and the Health and Safety Committee are tasked with the management and oversight of sustainability risks relevant to SwireTHRIVE. The members of the functional committees and working groups include specialists in their respective areas. Each committee is chaired by an individual with relevant experience.

Collectively, the committees are responsible for identifying and managing specific areas of risk, proposing policies and reporting performance. Part of the role of the functional committees and working groups is to identify risks and opportunities which fall within their respective areas and to draw up policy recommendations for review and approval by the Group Risk Management Committee (GRMC).

The policies approved by the GRMC apply to all companies in which Swire Pacific has a controlling interest. The boards of these operating companies are required to adopt these policies and to establish procedures to ensure compliance. Joint venture and associated companies are encouraged to adopt Group policies.

The Second Line

The role of the Second Line is to support the First Line and provide assurance to the Board that risk is being effectively managed. The Second Line includes two management committees: the Group Risk Management Committee (GRMC), which focuses on group-wide risks, and the Swire Pacific Risk Management Committee (SPACRMC), which oversees risks to the Company itself.

The GRMC includes divisional heads, is chaired by the Finance Director, and reports to the Board via the Audit Committee. It oversees the management of non-financial risks at both Group and operating company levels.

The GRMC:

  • Reviews the Group’s risk profile and Group and divisional risk registers

  • Oversees the management of major risks at Group and operating company levels

  • Identifies emerging risks and potential sources of future risk including ESG risks

  • Analyses risk events which materialise, with a view to their resolution and to learning from them

In relation to risks having a Group dimension, the GRMC is supported by four risk forums covering, respectively: environmental, social, and governance risks; human resources, health and safety risks; technology risks; and government, regulatory, and legal risks. In relation to those not having a Group dimension, the GRMC is supported by the Second Line infrastructure within each operating company.

The SPACRMC identifies risks which have a Group dimension and proposes approaches to the management of such risks to the GRMC. The GRMC and the SPACRMC are chaired by the Finance Director, who is supported by the Chief Risk Officer.

The Third Line

The third line is provided by the Group Internal Audit Department. Group Internal Audit provides independent and objective assurance that the risk management processes are implemented properly and operating effectively, and that the risks which could impact our ability to achieve our business objectives are being properly identified, assessed, and mitigated.

The boards and management of operating companies are responsible for the management of risk at those companies.

Enterprise risk management

The Group’s ERM framework is aligned with international standards. Our ERM process is both top down and bottom up. It accommodates operating-company-specific risks as well as risks that are material at the Group level.

The Board gives guidance on its risk priorities, the operating companies assess their own risks, and the SPACRMC manages Group risks. All of these are reported to the GRMC and are consolidated into the Group risk register which is then presented to the Audit Committee and the Board.

The operating companies have adopted a common approach to ERM based on the development and management of their risk registers. Operating companies are responsible for the identification, assessment, mitigation, and monitoring of these risks in their respective businesses.

Risks considered to have a Group dimension are discussed by the GRMC, and potentially by the Audit Committee and the Board. Key risk focus areas for the Group that relate to SwireTHRIVE include ESG integration and the long-term impact of climate change. Supply chain resilience related to ESG has been identified as an emerging risk. Descriptions of these risks and details of our mitigation measures are provided in the Risk Management section of the Annual Report, and in the climate-related sections of this report.

We use an enterprise risk management (ERM) process to identify, assess, monitor, and manage risks. The ERM process is aimed at ensuring robust and effective risk management by the Group and at fostering a risk-aware culture. The implementation and execution of the ERM process follow our Enterprise Risk Management Policy. Each division and major operating company is required to implement the ERM process.

As part of this policy, operating companies must regularly submit corporate risk registers and changes in risk profiles to Swire Pacific. To ensure consistency of approach, these registers are prepared using a standard methodology and format and standard risk ranking criteria.

In 2024, our key risk management focus areas included, but were not limited to: economic slowdown, business environment risk associated with Hong Kong's adaptation to evolving global dynamics, geopolitical tension, people, and cybersecurity and data protection. More details of our ERM process and our risk mitigation measures can be found in our Annual Report.

ESG due diligence

Risk management is an integral part of business management and is included in due diligence on major investments. In 2024, we continued to build on our current approach, which focuses on compliance with laws and regulations related to ESG, by layering in geospatial physical climate risk assessments for the assets of potential new investments. As part of our internal carbon pricing pilot, our three largest operating companies are considering the operational emissions associated with key projects by applying a shadow carbon price which is then reviewed by the operating company or Group investment committee.

Cybersecurity

Swire Pacific has, and monitors compliance with, a Group Information Security Policy (GISP), and conducts regular cybersecurity maturity assessments based on the recognised US National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF). Several major operating companies also reference the ISO 27001 standard for information security management.

Swire Pacific has appointed a Group Chief Information Security Officer (CISO) and established a central Cybersecurity Centre of Excellence (CCoE) team under the CISO’s direction. The CCoE team is dedicated to providing guidance, sharing best practices, conducting research, driving innovation, offering support, and delivering training to our operating companies. The central team is responsible for developing the Group cybersecurity strategy and for creating and maintaining security policies and standards. The central team also manages cybersecurity programmes and projects, and establishes cybersecurity service lines which include, but are not limited to, Cybersecurity Maturity Assessment, Threat and Vulnerability Management, Managed Security Operation Centre, Incident Response Retainer, Attack Surface Management, and Red Teaming exercises.

The Swire Pacific CISO chairs the Cyber Security Working Group (CSWG), which is composed of cybersecurity professionals across the Group. The CSWG members meet regularly to facilitate the exchange of best cybersecurity practices and to bolster cybersecurity awareness throughout the Group. The CISO is a member of the IT Committee (ITC) which oversees the cybersecurity programmes for the operating companies.

The CISO presents cybersecurity topics and reports significant cybersecurity risks to the GRMC and Audit Committee. Under Swire Pacific’s enhanced Risk Governance Structure, an IT, Data & Technology (IDT) Risk Forum has been established as part of the second line risk forums. The CISO provides oversight of the cybersecurity risk landscape from a Group perspective during the risk forum meetings.

Operating companies undertake a Control Self-Assessment from a cybersecurity perspective annually, in response to requests from the Group Internal Audit Department.

Cybersecurity measures

Service lines:

  • Cybersecurity Maturity Assessment (CMA) Service Line

  • Threat and Vulnerability Management (TVM) Service Line

  • Managed Security Operation Centre (MSOC) Service Line

  • Incident Response Retainer (IRR) Service Line

  • Attack Surface Management (ASM) Service Line

  • Red Team Attack Simulation (RTAS) Service Line

Policies and programmes:

  • Group Information Security Policy (GISP)

  • Threat and Vulnerability Management Policy (TVMP)

  • Cyber and Technology Risk Management Policy (CTRMP)

  • Cybersecurity Incident Management Policy (CIMP)

  • Regular Phishing Simulation

  • Security Awareness & Training