Risk Management | Sinyi Realty Inc. | Investor Relations

Risk Management

Risk Management Framework

To counter the challenges of a fast-changing global economy and sustainability risk, Sinyi Realty (hereinafter referred to as "the Company") developed a robust risk management framework and an effective policy. It was approved by the Board of Directors in 2009 and includes management objectives, organizational structure, ownership of rights and responsibilities, procedures, and other mechanisms. The Company also has a Risk Management Manual for monitoring that the risks arising from business activities stay within the acceptable range.

Given the increasing attention to risk management issues since 2019, the Risk Management Team follows the existing risk management framework and internal control system and manages the risks associated with the Company's operations in the most cost-effective manner. The Company puts all heads of functional units (or departments) in charge of overseeing risk management and of analyzing and monitoring risks in their own units, in order to ensure effective execution of risk controls and procedures. Meanwhile, the Auditor Office is responsible for assessing risks and presenting annual audit plans accordingly. The Auditor Office is also responsible for delivering reports on risk management performance to the Audit Committee.

[Figure: Sinyi risk management structure]
 

Board of Directors

The Board of Directors is the highest supervisory unit of risk management and is responsible for reviewing the annual risk management report, risk execution report and audit report to ensure the effective implementation of the risk management system. The conference unit of the Board of Directors interacts and communicates with the Chiefs of Staff on environmental and social issues related to the company from time to time, and regularly reviews the impact, performance, and strategic goals of ESG at the end of each year.

Total Ethical Management Committee

Resolves the material risk and the corresponding Risk Owner. Implements risk management through risk identification, analysis, and the preparation of specific methods, and regularly reports to the Board of Directors.

Risk Owner

Identifies risk issues and discusses them with the risk management executive unit to undertake management objectives.

Risk Execution Unit

Puts forward risk management objectives and measures. Reports the results to the risk management unit on a regular basis.

Risk Audit Unit (Auditor Office)

Evaluates the effectiveness of the operation of the risk management system and mechanism. Implements the internal audit operations and regularly submits risk management results to the Audit Committee and the Board of Directors.

 

Risk Management Process

In order to strengthen corporate governance and risk control capabilities, and to continue optimizing risk management policies and procedures, the Company has formulated the "Sinyi Realty Risk Management Policy", which was approved by the Board of Directors, to determine the group's material risk items from the top down.

Each material risk is coordinated and controlled by the Risk Owner, with key risk indicators (KRI) set up to provide early warning so that the Company can respond to and resolve the possible impacts of risks early. The risk execution unit conducts its own risk identification, analyzes the level of risk impact, and proposes a risk treatment improvement plan.

 
 

Information security policy and management programs

Information security-related risk and management framework

At Sinyi Realty Inc. (hereinafter referred to as the "Company"), information security is under the charge of the Information Service & Information Security Management Department, which is responsible for internal information security policies: it maps out and implements information security operations and thoroughly executes the information security policies.

Within the Company, the Auditor Office audits information security management and reports the outcome to the Board of Directors on a regular basis. Whenever a defect or problem is noticed, the Auditor Office requests the submission of relevant improvement plans and follows up on the improvement performance to ensure that the internal information security management mechanism works continually and effectively.

In terms of organizational operation, the Company adopts Plan-Do-Check-Act (PDCA) cycle management and has set up integrated information security management systems to effectively prevent information security problems from occurring. Through these efforts, the Company can accomplish its information security goals and continually improve.

 
[Figure: Information Security Policy, Sinyi Risk Management]


 

Information security related goals and policies

1. Information security-related goals

The Company establishes information security policies for the Sinyi Group and invests appropriate resources to fully ensure confidentiality, integrity, and availability.

  • To ensure confidentiality, the Company thoroughly implements information access control. Only personnel who have been properly authorized are entitled to access information.
  • The Company makes every effort to ensure that the contents of information are accurate and complete, and prevents unauthorized amendment of the information.
  • The Company assures the availability of the information system and provides a system that meets the needs of business operations.
  • The Company assures that all information operations satisfy the requirements of laws and regulations.

2. The information security policies
  • The Company enhances the security of the Sinyi Group's information system and network environment to prevent the potential disclosure of confidential electronic information.
  • The Company sets up sound response procedures for information security incidents to prevent the damage from worsening.
  • The Company carries out information security education and training programs and strengthens the consensus and awareness of all Sinyi Group staff about information security.
  • The Company promotes the information security management system, thoroughly implements the Sinyi Group's information security management operations, and reassesses the performance of the implementation to accomplish the goal of comprehensive information security.
 
3. Concrete management programs: information security-related management measures

| Categories | Descriptions | Relevant operations |
| --- | --- | --- |
| Privilege management | The management systems over User IDs, privilege management, and system operation behavior | Privilege management and review of User IDs; periodic inventory check of User ID privileges |
| Access control | Control measures governing all personnel's access to internal and external systems and information transmission channels | Control measures over access to internal and external systems; control to prevent sensitive information from being divulged; operation behavior track record |
| External threats | Potential internal vulnerabilities, virus channels, and the protective measures against them | Host/computer vulnerability protection and update measures; protection against viruses and malware detection; source code inspection/penetration testing; cyber threat monitoring |
| System availability | System availability status and countermeasures against service interruption | System/network availability monitoring and reporting mechanism; contingency countermeasures against interruption of services; information backup measures, principal site/offsite backup mechanism; disaster restoration drills or exercises on a regular basis |



 

Key Risks Items and Countermeasures

Sinyi Inc. identifies workplace personal safety, reputation (media coverage), financial, project schedule, information security, and climate risk as its key risks and formulates countermeasures, including for environmental, social, corporate governance, and emerging global risks related to the company's operations. For detailed response measures, please refer to "CSR Report 1-4 Sustainable strategy management".

 

Implementation

  • In 2009, the Board of Directors approved the first version of the Company's "Risk Management Policies and Procedures". Starting from 2019, the Auditor Office has reported the implementation of the risk management plan related to the six kinds of risk to the Audit Committee and the Board of Directors once a quarter.
  • Since 2015, the Company has established a Risk Management Roadmap.
  • In 2019, the Company continued to revise "Risk Management Policies and Procedures" and "Risk Management Roadmap". Additionally, the Company drew up a Risk Management Manual and Key Risk Indicators related to the six kinds of risk to facilitate its monitoring mechanisms.
  • In 2019, the Company's Risk Management Team reported that the Company conducted its risk assessment in response to the fast-changing environment and came up with 2020 risk management plans in the Audit Committee meeting.
  • In 2020, the Auditor Office reported to the Audit Committee and the Board of Directors on the implementation of the risk management plan, covering the risk environment, the risk control measures that the Company has adopted, and the operation of risk management mechanisms for the year 2020.
  • Since 2020, in order to continuously strengthen risk management awareness and response capabilities, the Company has included risk management courses in the compulsory courses for supervisors, with 78 trainees in total.