City Developments Limited
Risk management continues to play an important part in the Company’s business activities and is an essential component of its planning process. The Board has overall responsibility to ensure that the Company has the capability and necessary framework to manage risks in new and existing businesses and that business plans and strategies accord with the risks appetite that the Company undertakes to achieve its corporate objectives. To assist the Board in its risk management oversight, the Audit & Risk Committee (ARC) has been authorised by the Board to provide oversight and review on matters relating to the risk management policies and systems of the Company.

The ARC’s risk management function is assisted by a Risk Management Committee (RMC), whose members comprise Senior Management and the Heads of Divisions, Business Units and Corporate Functions. The RMC is responsible for ensuring the effectiveness of the risk management framework of the Company, the objective of which is to provide an enterprise-wide view of the risks involved in property investment, development and management activities and a systematic risk assessment methodology for the identification, assessment, management and reporting of such risks on a consistent and reliable basis. The RMC is mandated to focus on key strategic risks whilst also ensuring that the business units are responsible for the day-to-day tracking, monitoring and control of risks within their operations.

Since 2013, an Enterprise Risk Management (ERM) function has been established to provide the RMC with the quarterly status of the key strategic risks, assessment of key risk exposures and any new emerging risks that may require mitigations. The ERM function also assists the RMC to report quarterly to the ARC on the overall strategic and operational risks positions, including mitigating measures, treatment plans and the occurrence or potential occurrence of significant risk events.

The RMC has established a formal risk management framework. This framework provides the Company with a structured and consistent process for the identification, assessment, evaluation, monitoring and reporting of risks. In 2014, the Company’s strategic risks were reviewed so that the Company’s risk profile remains relevant with the business environment and organisational structure. The risk governance structure of the Company is regularly reviewed against international standards and best practices in risk management. The Company recognises that the risk management process is an on-going process and aims under its risk governance structure to continually to look for ways to improve in the following areas:

  • increase monitoring and control capabilities in its review of significant strategic business risks;
  • review the effectiveness of the systems of internal controls to limit, mitigate, manage and monitor identified risks;
  • ensure that the operating systems deliver adequate and timely information required for effective risk management;
  • build on and integrate into its existing governance and management systems the appropriate tools for
    effective management of strategic business risks which are reflective of changes in markets, products and emerging
    best practices, and
  • embed risk management process into our culture and all our business operations.

The Company strongly believes that the most senior executive in the company sets the “tone from the top” towards risk management and instills an effective risk culture. This is crucial for the success of the risk management framework at the operational and strategic levels. To reinforce the desired risk culture and to promote accountability and ownership at all levels, Management and staff are engaged regularly on risk management related activities such as risk identification and assessment workshops, topical talks by external consultants as well as Control Self-Assessment (CSA) exercises.

The Company’s risk management framework has categorised its risks into the following main risk types:


The risk management process is progressively integrated into the operational levels, with the respective management at divisions and departments being responsible for identifying, assessing, mitigating and managing the operational risks within each of their functional areas. The implementation and use of a system of internal controls, and operating, reporting and monitoring processes and procedures (including processes involving due diligence and collation of market intelligence and feedback), supported by information technology systems and constant development of human resource skills through recruitment and training, are important elements of the risk management process, to mitigate risks relating to product and service quality assurance management, costs control management, design and product innovation, market intelligence, marketing/sales and leasing management, financial control management and regulatory compliances in the Company’s operations. Since 2013, the Company has implemented a CSA programme to infuse a greater sense of ownership and accountability in managing risks in the operating divisions. This programme will augment independent audits by the Internal Audit team and will add assurance to our Senior Management and the Board that operational risks are being effectively and adequately managed and controlled. The Company is also in the process of developing tailored CSA programmes for its key subsidiaries to further enhance risk awareness, “buy-in” and accountability at our subsidiaries.

The maintenance of adequate insurance coverage for the Company’s assets, and the protection of and continued investment in the security and integrity of its information technology systems and database which are highly integrated with its business processes, are also part of the Company’s measures for the management of operational risks. The Company also maintains close working relationships with its business partners and relevant authorities to keep abreast with developments and changes in the regulatory framework and business environment.


Risk evaluation forms an integral aspect of the Company’s investment strategy. Balancing risk and return across asset types and geographic regions are primary considerations to achieve continued corporate profitability and portfolio growth. This risk assessment includes macro and project specific risks analysis encompassing rigorous due diligence, feasibility studies and sensitivity analysis on key investment assumptions and variables. Each investment proposal is objectively evaluated to fit the corporate strategy and investment objective. Potential business synergies including collaboration risks assessments are identified early to ensure business partnership objectives and visions are well-aligned and collaboration partners are like-minded and compatible.


The Group is exposed to financial risks arising from its operations and the use of financial instruments. The key financial risks include credit risk, liquidity risk and market risk, as well as interest rate risk and foreign currency risk.

The Group has a system of controls in place to create an acceptable balance between the cost of risks occurring and the cost of managing the risks. The management continually monitors the Group’s risk management process to ensure that an appropriate balance between risk and control is achieved. Risk management policies and systems are reviewed regularly to reflect changes in market conditions and the Group’s activities. It is, and has been throughout the current and previous financial year, the Group’s policy that no derivatives shall be undertaken for speculative purposes except for use as hedging instruments where appropriate and cost efficient.

Credit Risk – The Group has a credit policy in place and the exposure to credit risk is monitored on an ongoing basis. Credit evaluations are performed on all customers requiring credit over a certain amount. The Group does not require collateral in respect of these financial assets.

Transactions involving financial instruments are entered into only with counterparties that are of acceptable credit quality. Cash and fixed deposits are placed with banks and financial institutions which are regulated.

Liquidity Risk – The Group monitors its liquidity risk and maintains a level of cash and cash equivalents, and credit facilities deemed adequate by management to finance the Group’s operations and to mitigate the effects of fluctuations in cash flows.

Interest Rate Risk – The Group’s exposure to market risk changes in interest rates relates primarily to its interest-bearing financial assets and debt obligations. The Group adopts a policy of managing its interest rate exposure by maintaining a debt portfolio with both fixed and floating rates of interest. Where appropriate, the Group uses interest rate derivatives to hedge its interest rate exposure for specific underlying debt obligations.

Foreign Currency Risk – The Group is exposed to foreign currency risks on sales, purchases and borrowings that are denominated in a currency other than the respective functional currency of the Group’s entities.

The Group manages its foreign exchange exposure by a policy of matching receipts and payments, and asset purchases and borrowings in each individual currency. Forward foreign exchange contracts are used purely as a hedging tool, where an active market for the relevant currencies exists, to minimise the Group’s exposure to movements in exchange rates on firm commitments and specific transactions.

Wherever necessary, the Group finances its property, plant and equipment purchases by using the relevant local currency cash resources and arranging for bank facilities denominated in the same currency. This enables the Group to limit translation exposure to its balance sheet arising from consolidation of the Group’s overseas net assets.


The Company recognises HR as an important contributing factor towards the stable growth of the Company. Efforts are taken to enhance the processes for recruitment, remuneration, training and development of employees.

Identification, development and retention of talents are key areas for HR risk management. Leadership development programmes are in place to groom talents and ensure smooth succession planning for key positions. Enhancement of the Performance Appraisal system, coupled with career development and training programmes, are part of the Company’s HR strategy to improve feedback and work performance, level up competencies and increase employees’ commitment. To further improve staff retention, the management also supports work-life harmony programmes and family-friendly policies as part of its efforts to help employees achieve a balanced life between work and family and at the same time create a quality workplace.


Operating in an environment with potential threats of terrorism, epidemic outbreaks and information systems failure, the management has put in place a company-wide Business Continuity Plan (BCP) to mitigate the risks of interruption and catastrophic loss to its operations and information database arising from such potential threats.

The RMC is responsible for overseeing the maintenance of the BCP. Procedures and processes of the BCP include identification of alternate recovery centres, operational procedures to enable communication, continuity of critical business functions and recovery of database in the event of a crisis incident. Periodic incident management drills are conducted to familiarise employees with the emergency response plans of the Company. The plans to carry out periodic tests on BCP, results of the tests, as well as recommendations and corrective actions are reviewed by the RMC annually and reported to the ARC. Further enhancement during the year included the alignment of corporate BCP to various operating departments’ emergency procedures. Action plans have been put in place to ensure newly established business units are equipped with the respective BCPs to meet their needs.


The Company has maintained an uncompromising stand on information availability, control and governance, as well as data security. Over the years, it has adopted a multi-pronged approach to effectively manage our information risks. Up-to-date information security policies are implemented and enforced company-wide. High availability and resilience are built into all critical information systems. Its enterprise IT systems and infrastructures are constantly monitored to proactively identify and mitigate risks. IT disaster recovery exercises are carried out regularly to ensure uptime business recovery objectives are met. Since 2013, an IT risk management framework has also been established to formalise risk governance, approach and assessment of IT related risks and has been implemented progressively across the Company. At the staff level, information security materials are put in place to educate employees of the prevailing risks when handling corporate data. Finally, to ensure effective IT risk management, external auditors are engaged annually to review and enhance the Company's IT risk posture.


As a developer with extensive operations, strategic and concerted efforts have been put in to mitigate the impact of the Company's operations on the environment and to reduce the workplace safety and health risks. The Company’s EHS Policy (established in 2003) sets the strategic direction for all departments, employees and stakeholders to take practical effort to ensure effective EHS management in its operations.

To manage its EHS risks, the Company has since 2003 integrated an EHS Management System within its operations, certified to the ISO 14001 Environmental Management System and OHSAS 18001 Occupational Health and Safety Management System, and audited on an annual basis.

Through this system, the Company identifies its key EHS hazards, determining the risk level based on a quantitative risk assessment technique consisting of the likelihood of the occurrence and severity of the impact. Control measures are promptly applied to mitigate all significant EHS risks. This involves setting objectives and targets, establishing programmes and/or putting in place work procedures and work instructions.

The guiding principle in EHS risk management is to follow the hierarchy of control, starting with elimination, and then moving to substitution, isolation, use of engineering control, use of administrative control and last of all, use of personal protective equipment.

The Company’s EHS targets and performance are measured and reviewed by the Management Representatives and audited annually by internal and external auditors. Irregularities and possible deviations are identified for prompt rectification and continual improvement.


The risk management activity of M&C, the Group’s hotel arm, is directed by its Global Management Committee, led by its Group Chief Executive Officer (CEO). The Group CEO and members of the Global Management Committee undertake regular reviews of (i) the risk registers, compiled and updated to map the nature of the risks relative to their likelihood of occurrence, severity and associated trends, and (ii) the progress of the risk treatment plans devised to eliminate, minimise or transfer risks. The board of directors of M&C has overall responsibility for the risk management processes of the M&C Group and for ensuring that its risks are managed appropriately and, either directly or through the ARC of M&C, reviews the effectiveness of the M&C Group’s risk management processes and other internal controls. Information on M&C’s principal risks can be found in its most recent annual report and accounts.

In respect of EHS, M&C’s UK region has published and launched health and safety management policies and procedures certified to OHSAS 18001 (externally audited by the British Standards Institution). Management of M&C’s European region is currently in the process of rolling out across the remaining UK hotels the system which is designed to ensure robust and comprehensive risk assessment and recognition across the business. These efforts are being supported by new compliance management software resulting in tighter control of statutory/mandatory activities, inspections and creation of audit trails.

Whilst M&C continually assesses its environmental impact and actively seeks ways to reduce it through improvements in its hotels’ operating infrastructure and by improving work practices, the management team also works with its suppliers to minimise the environment impact of their activities. Environmental performance is being integrated into the operational objectives of the hotel teams, a key requirement of the ISO 14001 management system certification, also attained through external audit from the British Standards Institution. The M&C Group has been producing a global carbon footprint for all of its owned and managed properties since 2010 and each year a summary of results is included within its annual report and accounts.


Despite best efforts, the Company recognises that risks cannot be eliminated but can only be managed to acceptable levels. Nevertheless, the Company commits to continuously refine and improve its risk management framework, systems and processes to ensure that risks are being well managed and monitored throughout the organisation, in order to thrive in the increasingly dynamic and changing business environment of today.