Risk Management and Internal Control
The Board is responsible for maintaining sound and effective systems of risk management and internal control, which include financial, operational and compliance controls, to safeguard the Group’s assets and Shareholders’ interests, as well as for reviewing the effectiveness of such systems. While sound and effective systems of risk management and internal control play an important role in identifying and managing the risk of failure to achieve business objectives, it should be acknowledged that such systems are designed to manage rather than eliminate risk of failure to achieve business objectives, and can only provide reasonable but not absolute assurance against material misstatement or loss.
The Group has formulated and adopted a risk management policy (the “Policy”) that depicts the systems to effectively identify, assess, mitigate, report and monitor key business risks across all business units. A “Top-Down” approach is adopted in the Policy, which is facilitated by strong oversight exercised by the Board, the Audit Committee, the Risk Management Taskforce (the “RMTF”) and senior management in the establishment and maintenance of the Policy, framework and programme. At least on an annual basis, the RMTF identifies risks, including environmental, social and governance (“ESG”) risks, that would adversely affect the achievement of the Group’s objectives, and assesses and prioritises the identified risks according to a set of standard criteria. Risk owners are assigned for different risks and mitigation plans are then formulated by risk owners for those risks considered to be significant.
Principal Risks and Uncertainties
The following are the key risks that are considered to be of the most significance to the Group at this time. They may adversely impact the Group’s businesses, financial conditions, results of operations and growth prospects if they are not managed or mitigated effectively. These key risks are not comprehensive, and there may be other risks, in addition to those set out below, which are not known to the Group or which may not be material now but could turn out to be material in the future.
Key risks related to the Group’s businesses and to the industries in which the Group operates include:
Project development risks - On time completion of new data centres and upgrade of existing data centres – The Group’s operations depend on its ability to provide adequate and relevant data centre capacity that can meet the latest specification requirements by the market demand on a timely basis so as to maintain or increase its market share. The Group identified critical milestones and expedited achievement through priority planning and proper resources management to ensure on-time completion of the projects.
Geopolitical risks – Market demand for the data centre capacity of the Group is dependent on the regional economy and geopolitical environment in which the Group operates. Increasing geopolitical tensions may impact the Group’s business, including the potential delays in landing and/or rerouting of international submarine cables to Hong Kong or the potential loss of business from current or potential customers. The risk of adverse geopolitical tensions is managed by ensuring an appropriate diversification in terms of operation and customer portfolio, proper monitoring of business performance, and constant assessment of current trading conditions and the appropriateness of prevailing business strategy.
The borrowings increase and high gearing ratio under the current interest rate hike environment – In recent years, the Company is in a peak investment cycle as it is increasing the data centre capacity on a substantial basis through development of new sites in order to capture the strong market demand. At the same time, the market interest rate has been staying at a high level for a prolonged period. The Company is implementing a comprehensive strategy, including capital expenditure optimisation, enhanced liquidity management and exploring the opportunities for diversification of financing sources. Through these disciplined measures as well as the strong support from the major shareholder, the Company is confident on its ability to navigate the high interest rate environment and maintain a strong financial footing for upcoming periods.
Mitigating Principal Risks Faced by the Group
The risk management and internal control systems have been designed to operate proactively to ensure that principal risks are not only identified, measured and monitored but also mitigated. Under such systems, management staff of various departments would identify suitable internal controls and countermeasures to mitigate principal risks faced by the Group. When formulating mitigating measures, important factors such as regulatory requirements, risk appetite, adequacy and effectiveness of mitigating actions proposed, risk owners in place to implement and possibility of transferring risks to third parties were taken into consideration. The objective of these risk mitigating plans is to ensure that principal risks are well managed and governed effectively.
The risk management process is embedded into the day-to-day operations of the Group and is an on-going process carried out by everyone in the Group. Key procedures are being established and implemented to ensure that there are appropriate and effective risk management and internal control systems which include (a) setting core values and beliefs which form the basis of the Group’s overall risk philosophy and appetite; (b) having an organisational structure in place with defined lines of responsibility and delegation of authority which hold individuals accountable for their risk management and internal control responsibilities; (c) imposing an organisational structure which provides necessary information flow for risk analysis and management decision-making; (d) imposing budgetary and management accounting controls to efficiently allocate resources and providing timely financial and operational performance indicators to manage business activities and risks; (e) ensuring effective financial reporting controls to record complete, accurate and timely accounting and management information; and (f) expanding the roles and responsibilities of the Audit Committee to include the review of risk management and internal control systems.
In addition, the Group has an Internal Audit Department which is responsible for performing independent reviews on the effectiveness of the Group’s risk management and internal control systems. Deficiencies in the design and implementation of such systems are identified and recommendations are proposed for improvement. Significant internal control deficiencies are reported to the RMTF, the Audit Committee and the Board on a timely basis to ensure prompt remediation actions are taken.
The Audit Committee, as delegated by the Board, discussed the risk management and internal control systems for the financial year under review with the Management to ensure that the Management has performed its duty to have effective risk management and internal control systems in place. Such discussion covered, among other things, (a) the changes in the nature and extent of significant risks (including ESG risks) and the Company’s ability to respond to changes in its business and the external environment; (b) the scope and quality of the Management’s ongoing monitoring of risks (including ESG risks) and of the internal control systems as well as the work of the Internal Audit Department and other assurance providers; (c) extent and frequency of communication of monitoring results; (d) significant control failings or weaknesses identified, if any; and (e) the effectiveness of the Company’s processes for financial reporting and compliance with the Listing Rules.
The Board, through the Audit Committee and with the assistance of the Internal Audit Department, had conducted an annual review on the effectiveness of the risk management and internal control systems of the Group for the financial year ended 30 June 2024 to ensure that the resources, staff qualifications and experience, training programmes and the budget of the Group’s accounting, internal audit, financial reporting functions as well as ESG performance and reporting were adequate. The review had shown that, in general, the Group had set up control environment and installed necessary control mechanisms to monitor and correct non-compliance or material internal control defects, if any. Accordingly, the Board considers that the Group’s risk management and internal control systems for the financial year were effective and adequate. No significant areas of concern that may affect the financial, operational, compliance controls, and risk management functions of the Group have been identified.