Accountable Governance

Risk Management
In an environment where competition is fierce and changing rapidly, effective risk management can improve organizational resilience and promote sustainable development of enterprises. CTCI has implemented a strong risk governance framework and management process that includes stages such as risk identification, risk analysis, risk evaluation, risk response and treatment, residual risk evaluation, and improvement tracking. This framework enables the Company to implement risk-management strategies and measures such as prevention, reduction, transfer, or assumption when confronted with internal and external uncertainties. The goal is to increase risk awareness and tolerance while also strengthening competitive advantage and value creation capabilities.
Risk Management Framework
CTCI follows the COSO Enterprise Risk Management-Integrated Framework and ISO 31000 Risk Management framework and procedures to conduct comprehensive risk assessment and management, set risk management and control goals, and closely integrate risk management with the Company's goals to ensure the stability and sustainable development of business operations. The three lines of defense model of enterprise risk management is adopted. Each operating unit is responsible for grasping and managing risks in daily operations and implementing relevant risk control measures; the Risk Management Executive Committee is responsible for formulating relevant risk management standards, risk appetite, and supervising risk implementation to ensure the achievement of risk management objectives; and an independent audit unit is used to ensure the implementation of risk management policies. CTCI has established "Risk Management Policies" and "Risk Management Regulations" as the supreme guidelines for risk management. The Board of Directors at CTCI is the highest governing body responsible for the Company's risk management. Among the board members, 6 non-executive directors have professional backgrounds in risk management. The Audit Committee, under the Board of Directors, supervises the risk management operations. Additionally, there is an Executive Risk Management Committee that reports the annual risk management performance to the Audit Committee each year. The 2024 Risk Management Operations were reported to the Audit Committee and the Board of Directors on November 5, 2024.

CTCI adopts the three lines of defense model for enterprise risk management. The first line of defense comprises the operating units, which are responsible for grasping and managing risks in daily operations and implementing relevant risk control measures. The second line of defense is the Risk Management Executive Committee, chaired by the President and convened by the Chief Risk Officer, with members including the Head of Executive Management Office, Business Operations and EPCO. The committee convenes semiannually and holds ad hoc meetings as needed. Its responsibilities include examining risk management policies, establishing relevant standards and risk appetite, reviewing risk management reports and proposed improvement plans, evaluating the effectiveness of risk control mitigation measures, and overseeing the implementation of risk mitigation measures and improvement plans. To ensure the independence of risk oversight, CTCI has established the Risk Management and Control Office as a dedicated risk supervision unit. This office is tasked with promoting the risk management mechanism, establishing risk management culture, participating in the treatment and prevention of emergency risk events, and supporting the overall execution of risk management activities. The Chief Risk Officer reports directly to the President and is responsible for communicating risk management policies, establishing and promoting risk management and control systems, overseeing the implementation of risk management, and disclosing risk-related information. The independent audit unit under the Board of Directors serves as the third line of defense, responsible for evaluating the effectiveness of risk monitoring performed by the first and second lines of defense and providing timely recommendations for improvement. Internal audits are conducted regularly on an annual basis and reported to the Audit Committee to ensure the effective implementation of the Company’s risk management policies.
Risk Management Review
Each unit shall conduct risk identification, risk analysis, risk evaluation, and risk control processes at least once every six months to identify potential risks within their respective business scopes. The likelihood and consequence of each risk shall be analyzed to evaluate the risk rating. Appropriate risk control measures shall be determined for each risk, and corresponding mitigation plans shall be formulated. The consolidated risk management report shall be reviewed and approved by the Head of the responsible risk control unit and submitted to the "Risk Management Executive Committee" for review, in order to examine risk exposure and the effectiveness of mitigation plans, and to ensure continued tracking of risk mitigation progress. The Risk Management Executive Committee’s resolutions and directives shall be implemented and promoted by the Risk Management and Control Office. For projects, project risk review meetings are convened by the risk representatives of each project on a quarterly basis to discuss newly identified risks, review the progress of existing risks and agreed countermeasures, and evaluate the effectiveness of risk strategies. Major risk issues are also reported to the corresponding BU and top management through regular Project Review Meetings.


Risk Management Audit
To ensure the effectiveness and compliance of the Company's risk management processes, the relevant SOPs require a third-party audit of risk management principles, process architecture, and execution at least every two years. This is to confirm that the Company's risk management system complies with the international risk management standard ISO 31000. Furthermore, in order to assess the Company's risk management practice and improve overall risk management capabilities, SGS, an external third-party verifier, conducted a risk maturity audit in May 2024. The audit result was "Role Model," indicating that the Company has a good understanding of risk management, has a well-developed risk management system, and performs risk management at an exceptional level.

Risk Training for All Employees
Every year, the Company plans risk awareness activities or training courses for all employees in response to specific risk aspects or issues. In 2024, we planned and conducted relevant training courses on financial, climate and natural, strategy/goals, legal compliance/intellectual property, integrity management, and HSE. The Company has also conducted "Group Risk Management Requirements Awareness Training" for all employees in the Group to enhance risk awareness and to bring risk management awareness into the behavior and daily operations of employees.

Continuous Operation and Emergency Response
CTCI is mainly engaged in design, procurement and construction, and all operations rely on the information system as the main platform. In order to ensure the continuous operation of the business and reduce the impact of major accidents or disasters on key businesses, the Company implements relevant operations in accordance with the Business Continuity Plan (BCP) to reduce operating risks. The business continuity plan exercises for 2024 took place in June and October, with a focus on testing 12 key systems related to engineering, procurement, and construction (EPC) and project management. All exercises were completed successfully. The Company has established an emergency risk event control mechanism, setting alert and action criteria for key risk items that may cause emergencies. In the event of an emergency risk, the responsible unit shall assess and classify the incident based on the established criteria to initiate the emergency risk control mechanism. If the identified emergency risk event reaches the action criteria, the responsible unit must immediately report it to the relevant business unit (BU) Head, who will assign a responsible supervisor for the emergency risk response team. An emergency risk response team will then be formed to plan and execute countermeasures, with regular updates on the latest progress of the response actions. During the disposal period, the responsible units must track and manage the progress of mitigation efforts on a weekly basis to minimize impacts and consequences. Depending on the severity of the emergency risk event, top management may be engaged in the response and remain involved until the risk is mitigated and the event is formally closed. Furthermore, CTCI regards its employees as the Company's most valuable asset, and it places a high value on their personal safety in the workplace as well as their ability to respond to emergencies.
In order to reduce the Company's operational risks, CTCI has established the "Emergency Response Management Procedure," which covers the first and second headquarters buildings, as well as project construction sites. It focuses on specific major risk events such as fires, natural disasters, and environmental impact events, abnormalities in air conditioning, water supply disruptions, power outages, earthquakes, wind disasters, floods, protests, or riots. Through crisis scenario drills, colleagues become more familiar with contingency measures, which helps reduce the impact in the event of a disaster. In March and September 2023, self-defense teams received fire safety training, and employees in the first and second headquarters buildings participated in annual fire evacuation drills.