Accountable Governance

Risk Management
In an environment where competition is fierce and changing rapidly, effective risk management can improve organizational resilience and promote sustainable development of enterprises. CTCI has implemented a strong risk governance framework and management process that includes stages such as risk identification, risk analysis, risk evaluation, risk response and treatment, residual risk evaluation, and improvement tracking. This framework enables the Company to implement risk-management strategies and measures such as prevention, reduction, transfer, or assumption when confronted with internal and external uncertainties. The goal is to increase risk awareness and tolerance while also strengthening competitive advantage and value creation capabilities.
Risk Management Framework
CTCI follows the COSO Enterprise Risk Management-Integrated Framework and the ISO 31000 Risk Management framework and procedures to conduct comprehensive risk assessment and management, set risk management and control goals, and closely integrate risk management with the Company's goals to ensure the stability and sustainable development of business operations. CTCI adopts the three lines of defense model of enterprise risk management. Each operating unit is responsible for grasping and managing risks in daily operations and implementing relevant risk control measures; the Risk Management Executive Committee is responsible for formulating relevant risk management standards and risk appetite and for supervising risk implementation to ensure the achievement of risk management objectives; and an independent audit unit ensures the implementation of risk management policies.

CTCI has established "Risk Management Policies" and "Risk Management Regulations" as the supreme guidelines for risk management. The Board of Directors at CTCI is the highest governing body responsible for the Company's risk management. Among the board members, 6 non-executive directors have professional backgrounds in risk management. The Audit Committee, under the Board of Directors, supervises the risk management operations. Additionally, there is an Executive Risk Management Committee that reports the annual risk management performance to the Audit Committee each year. The 2024 Risk Management Operations were reported to the Audit Committee and the Board of Directors on November 5, 2024. CTCI adopts the three lines of defense model for enterprise risk management. The first line of defense comprises the operating units, which are responsible for grasping and managing risks in daily operations and implementing relevant risk control measures. The second line of defense is the Risk Management Executive Committee, chaired by the President and convened by the Head of Legal and Compliance Division, with members including the Head of Executive Management Office and Business Operations. The committee convenes semiannually and holds ad hoc meetings as needed. Its main responsibilities include reviewing risk management policies and related regulations, approving the risk appetite, reviewing risk management reports and proposed improvement plans, evaluating the effectiveness of risk control mitigation measures, and overseeing the implementation of risk mitigation measures and improvement plans. To ensure the independence of risk oversight, CTCI has established the Risk Management and Control Section as a dedicated risk supervision unit.
This section is tasked with promoting the risk management mechanism, establishing a risk management culture, being aware of and controlling daily risks, promoting and coordinating activities related to risk management, and convening risk management review meetings. The independent audit unit under the Board of Directors serves as the third line of defense, responsible for evaluating the effectiveness of risk monitoring performed by the first and second lines of defense and providing timely recommendations for improvement. Internal audits are conducted regularly on an annual basis and reported to the Audit Committee to ensure the effective implementation of the Company's risk management policies.
Risk Management Mechanism
CTCI has established "Risk Management Policies" and "Risk Management Regulations" as the supreme guidelines for risk management. In order to reduce the impact of internal and external uncertainties on operations, CTCI has a complete risk management process to systematically identify, evaluate and respond to threats (or opportunities) that may arise for the Company, so as to avoid or mitigate the impact on business operations. All employees are also responsible for identifying and reporting risks. If any material risk event that may affect the Company's operations is discovered, it shall be reported to the employee's supervisor immediately.


Risk Management Audit
To ensure the effectiveness and compliance of the Company's risk management processes, the relevant SOPs require a third-party audit of risk management principles, process architecture, and execution at least every two years. This is to confirm that the Company's risk management system complies with the international risk management standard ISO 31000. Furthermore, in order to assess the Company's risk management practice and improve overall risk management capabilities, SGS, an external third-party verifier, conducted a risk maturity audit in November 2025. The audit result was "Role Model," indicating that the Company has a good understanding of risk management, has a well-developed risk management system, and performs risk management at an exceptional level.

Risk Training for All Employees
Every year, the Company plans risk awareness activities or training courses for all employees in response to specific risk aspects or issues. In 2024, we planned and conducted relevant training courses on financial, climate and natural, strategy/goals, legal compliance/intellectual property, integrity management, and HSE. The Company has also conducted "Group Risk Management Requirements Awareness Training" for all employees in the Group to enhance risk awareness and to bring awareness of risk management into the behavior and daily operations of employees.

Continuous Operation and Emergency Response
CTCI is mainly engaged in design, procurement and construction, and all operations rely on the information system as the main platform. In order to ensure the continuous operation of the business and reduce the impact of major accidents or disasters on key businesses, the Company implements relevant operations in accordance with the Business Continuity Plan (BCP) to reduce operating risks. The business continuity plan exercises for 2024 took place in June and October, with a focus on testing 12 key systems related to design, procurement, construction (Engineering, Procurement, Construction, EPC), and project management. All exercises were completed successfully. The Company has established an emergency risk event control mechanism, setting alert and action criteria for key risk items that may cause emergencies. In the event of an emergency risk, the responsible unit shall assess and classify the incident based on the established criteria to initiate the emergency risk control mechanism. If the identified emergency risk event reaches the action criteria, the responsible unit must immediately report it to the relevant business unit (BU) Head, who will assign a responsible supervisor for the emergency risk response team. An emergency risk response team will then be formed to plan and execute countermeasures, with regular updates on the latest progress of the response actions. During the disposal period, the responsible units must track and manage the progress of mitigation efforts on a weekly basis to minimize impacts and consequences. Depending on the severity of the emergency risk event, top management may be engaged in the response and remain involved until the risk is mitigated and the event is formally closed. Furthermore, CTCI regards its employees as the Company's most valuable asset, and it places a high value on their personal safety in the workplace as well as their ability to respond to emergencies.
In order to reduce the Company's operational risks, CTCI has established the "Emergency Response Management Procedure," which covers the first and second headquarters buildings, as well as project construction sites. It focuses on specific major risk events such as fires, natural disasters, and environmental impact events, abnormalities in air conditioning, water supply disruptions, power outages, earthquakes, wind disasters, floods, protests, or riots. Through crisis scenario drills, colleagues become more familiar with contingency measures so that the impact of a disaster can be better reduced. In March, April and September 2024, self-defense teams received fire safety training, and employees in the first and second headquarters buildings participated in annual fire evacuation drills.