Strengthen Sustainable Operations by Enhancing Risk Management and Control

Sharon Chiang, Chief Risk Officer at Risk Control and Management Office, CTCI

CTCI is a globally recognized engineering, procurement, and construction group, ranking among the top 100 global engineering contractors and the leading one in Taiwan. With approximately 50 offices worldwide and 8,000 employees, CTCI has experienced significant growth and international expansion in recent years. This expansion comes with increased risks and challenges, making effective risk management crucial for stable operations and sustainable development.

In response to the ever-changing world and to control and lower operational risks for a resilient organization, CTCI established a dedicated unit for risk management in 2022. This unit coordinates, promotes, and oversees risk management activities across the organization, continuously enhances risk management protocols, and ensures a systematic approach to identifying, assessing, and mitigating risks. These measures allow CTCI to systematically control and respond to internal and external risks and ensure that risks encountered can be effectively dealt with and controlled, thus enabling CTCI to achieve stable growth and the goal of sustainable operation.

This article provides a summary of the current status and future development of risk management in CTCI.

Follow the Global Trend: Establishing a Comprehensive Management Framework

To enhance the effectiveness of risk control, CTCI has been implementing the following measures to establish a comprehensive risk control mechanism and framework.

1.Establishment of the "Risk Management Committee" and Promotion of Governance Practices by Senior Executives
Since 2006, CTCI has established a Risk Management Committee chaired by the President, with senior executives as members. The committee convenes annual meetings to review the risk management performance of each unit and propose improvement plans. Moreover, it submits an annual risk management execution report to the Board of Directors and the Audit Committee.

2.Oversight of Risk Management Operations by the Audit Committee Under the Board of Directors
In 2020, CTCI formulated the "Risk Management Policy" and "Risk Management Guidelines" approved by the Audit Committee and the Board of Directors. These serve as the highest guiding principles and management procedures for risk management, clearly defining policies, objectives, scope, organizational structure, unit responsibilities, risk management mechanisms, and execution processes. The Audit Committee under the Board of Directors is responsible for overseeing the operation of risk management mechanisms to effectively manage operational risks.

3.Establishment of the Dedicated "Risk Management & Control Office" Coordinated by the Group's Chief Risk Officer
Since November 2022, CTCI has appointed a Chief Risk Officer and established a dedicated Risk Management & Control Office responsible for promoting and supervising risk management-related activities. This includes establishing risk management mechanisms and culture, conducting daily risk monitoring and audits, participating in the handling and prevention of emergency risk events, etc. Besides, following the establishment of the dedicated risk control unit, the Risk Management Committee is now chaired by the Chief Risk Officer, who reports annual execution results to the Board of Directors and the Audit Committee.

4.Appointment of Risk Control Representatives in Each Unit to Deepen Execution Effectiveness
To deepen the effectiveness of risk control, in addition to the group-level Risk Control Office, each business unit within the group must appoint risk control representatives to assist in promoting related activities. These activities include risk assessment operations, compiling risk files, cooperating with internal/external risk audits, promoting risk training, cultural activities, etc.

Enhancing Risk Management Systems in Response to Increased Risks

In terms of systems, although CTCI has established a risk management and control system according to ISO 31000, the company’s operational risks have intensified due to the expansion and increased complexity of contracted project scopes and scales. To address this trend, CTCI continues to review and revise management systems to enhance risk control effectiveness.

From 2022, a comprehensive review of current risk management-related SOPs was conducted. Legal requirements were assessed, compliance gaps were identified, existing guidelines were integrated, and control points were defined based on past experiences. A new group-level risk management SOP "GCP-011 Group Risk Management Guidelines" was formulated and issued.

The improved control mechanisms outlined in this guideline are briefly described as follows:

1.Addition of Group Risk Management Goals: The Risk Management & Control Office plans annual risk management goals, which, after approval from the Executive Committee of CTCI Group, are incorporated into the annual goals of various levels of management to enhance the importance and effectiveness of risk control.

2.Clear Definition of Group Risk Management Standards: There has been a reassessment of "corporate operational risks" and "project risks" in terms of their risk classification and their major risk aspects (as shown in the table below). The "criteria for alert" and "criteria for action" were established for each item as response and control benchmarks.

3.Strengthening Risk Control during Project Quotation Stage: The risk baseline check during the quotation stage serves as the vanguard of project risk control. Based on past experiences, CTCI reevaluated the critical items in the contract terms that need to be checked during the project quotation stage, and set risk baselines according to project types to ensure the contracted projects had fewer risks.

4.Clear Definition of Emergency Risk Control Mechanisms: Risk events are classified based on scope and severity, while control mechanisms for reporting, response, and handling were established to ensure effective handling of emergencies.

CTCI’s risk classification and major risk aspects

Cultivating Risk Culture and Uncovering Potential Risks

In addition to establishing a comprehensive system, the execution of risk management still relies on people. Therefore, building risk awareness and culture will be crucial for enhancing effectiveness. Through annual planning and implementation of risk advocacy or training activities, overall risk awareness of all employees can be enhanced, and a strong risk culture can be fostered. For example, lectures such as "Corporate Reputation Crisis Management" and "Trends and Risk Management of Digital Technology and Artificial Intelligence" were held in 2023.

Through improved advocacy and training, when an emergency risk event occurs in any business area managed by group colleagues, the colleagues will proactively report to their immediate supervisors. Next, the supervisors identify, analyze, and evaluate risks, making sure that significant risks are identified and addressed. Also, the Risk Management & Control Office assists units in identifying potential risks through meetings and reports. Through daily control measures such as categorizing high-risk projects and conducting risk audits, early detection and response to risks are ensured.

Responding to Emerging Risks: Continuously Innovating Risk Management and Control Mechanisms

Risk management is part of the governance aspect of ESG. In addition to the aforementioned risk management mechanisms and execution, CTCI also places great importance on internal and external issues as well as emerging risks. It actively monitors the potential impacts of these risks and opportunities by regularly collecting new information, identifying emerging risks, and paying attention to global environmental changes. Measures are actively formulated and implemented to address these risks, evaluate their impact on company operations, and incorporate them as references in strategy development. Furthermore, the risk management practices are disclosed on the CTCI’s official website, annual reports, and ESG reports, aligning with international risk management trends and demonstrating the commitment and ethos of ESG with sustainable governance.

Looking ahead, CTCI will continue to innovate and enhance risk management mechanisms, improve risk control effectiveness, reduce uncertainties faced by various aspects, as well as leverage digital tools and information systems for risk management, so that it can accomplish the long-term goal of sustainable governance.