Risk is an inevitable part of company operations, particularly in the construction industry where various uncertainties that threaten operations often arise. Therefore, it is essential to establish a robust risk management system. Addressing risks related to corporate governance, environment, social aspects, and climate change requires the formulation of comprehensive risk policies to support business operations and growth, achieving sustainable business for the company. Kedge Construction follows the company’s “Risk Management Policy and Procedures” to establish systems, assess compliance with regulations across departments, enhance employee compliance awareness through continuous education, training, and self-assessment improvements, and strengthen business operations through early warning and robust management. Additionally, Kedge Construction ensures real-time and comprehensive risk management through regular reporting meetings.
Kedge Construction Regular Meetings
According to the risk management policies and procedures established by Kedge Construction Co., Ltd., the Risk Management Implementation Team has formulated the 2023 Kedge Construction Risk Report. This report explores and effectively responds to various potential risks encountered in company management or construction processes. It assists management in understanding the company’s risk status to formulate corresponding and effective strategies, ensuring sustainable development and continuous value creation.
I. Scope of Risk Assessment
The scope includes six major categories: strategy, operations, finance, compliance, information security, and other risks. The report’s structure will analyze risks across multiple domains, with each domain including a description of the risk, assessment methods, risk scoring, and recommended risk response measures, providing relevant information. Environmental and occupational safety risks are assessed and controlled at project sites using a 5*5 matrix in accordance with ISO 14001 Environmental Management System and ISO 45001 Occupational Health and Safety Management System, and are not included in this report.
II. Risk Analysis
III. Risk Measurement
In 2023, through practical and professional experience in construction and management departments, our company evaluated potential risks in their respective business areas and processes. Utilizing the risk matrix assessment method, 132 risks were identified.
Compliance Risk:
Evaluated as high risk for violations of criminal law. Even after implementing control measures, it remains a very significant moderate risk. It is necessary to further strengthen and implement internal controls, document reviews, and legal education training to reduce the likelihood of occurrence.
Information Security Risk:
Evaluated as high risk for malicious hacking via the internet or physical environment. Even after implementing control measures, it remains a very significant moderate risk. It is necessary to further strengthen quarterly social engineering drills, semi-annual general information security training for all employees, annual vulnerability scans for servers and employee computers, and regular system updates to reduce the likelihood of occurrence.
Other Risks:
Evaluated as high risk for contractual risks. Even after implementing control measures, it remains a significant moderate risk. It is necessary to further strengthen contract content provision, departmental communication and information transparency, and involve legal counsel or external lawyers in negotiations to reduce the likelihood of occurrence.
The construction industry in Taiwan has always faced numerous challenges and risks. Looking ahead, careful management is required to ensure the company’s steady development. In response to global economic fluctuations, geopolitical impacts, changes in raw material markets, and carbon fee collections, the company will develop flexible operating strategies. Additionally, labor and technical shortages will be execution bottlenecks. The company should focus on talent training, actively adopt new technologies and construction methods to improve production efficiency, use intelligent support systems to increase per capita output, and participate in different types of construction projects to mitigate market risks. Establishing a comprehensive risk management system, including monitoring market fluctuations and reasonably drafting contract terms, is essential. In terms of sustainable development, continuous efforts in energy saving and carbon reduction should be pursued to meet market demands and achieve the goals of diversification and sustainable operation.
Climate Change Risk Management
The world is currently very focused on the issue of climate change and global warming. Due to the severe changes in the Earth’s environment, the probability of extreme weather events continues to increase, significantly impacting the construction industry. The increasing frequency of extreme weather severely affects construction schedules and adds to the burden on construction workers. Kedge Construction adheres to the spirit of providing high-quality, healthy, and safe operations, with comprehensive and innovative management standards, continuously revising and serving customers with the highest market standards.
Information Security Management Policy and Measures
Our company actively promotes information applications and digital transformation while emphasizing the protection of information security and personal data. Therefore, we have appointed several information security specialists and a dedicated information security manager. Additionally, our company is a member of the Taiwan CERT/CSIRT Alliance and Taiwan CISO Alliance under the Ministry of Economic Affairs.
All employees adhere to the “Kedge Construction Information Security Policy” approved by the Board of Directors, ensuring the protection of information security in response to identified risks and security norms. Furthermore, in accordance with the “Information Security Management Operational Procedures” developed by the Information Technology department, various information security operational procedures and responsibilities are planned and executed. The Information Security Manager supervises the implementation effectiveness.
Our company strengthens its information security through “Protection,” “Response,” “Governance,” and “Education.” Key information security focuses for 2023 include:
Establishment of network equipment monitoring and log management system
In response to increasing cybersecurity threats and risks, our company has implemented a Security Information and Event Management (SIEM) system, led by the Information Technology department. This system monitors the application systems and network devices across our headquarters and all branch offices. Simultaneously, it centralizes log records collected from various cybersecurity products, integrating event alerts, correlation analysis, and generating data reports. This helps our cybersecurity personnel efficiently enhance overall environment visibility and promptly rule out problems. Strengthening our information service monitoring capabilities ensures the continuous operation and protection of our company’s information assets and business activities.
Organizing ICT topic seminars, actively promoting digital transformation
In response to changes in the market environment and the flourishing development of AI technology, which brings challenges and opportunities, our company collaborated with MIC (Institute for Information Industry) to host five online ICT topic seminars in 2023. The topics included “Future Applications of Big Data in Construction Industry,” “Trends in Chat GPT Applications,” “Integrated Virtual-Reality Industry Innovation Models,” “Analysis of Global Web3 Ecosystem and Application Services,” and “Observation of International Low-Earth Orbit Satellite Innovation Applications and Operator Development Dynamics.” Through expert explanations and insightful analyses by MIC professionals, our executives and colleagues explored the application of new technologies in the construction industry, leading Taiwan’s construction sector on the path of digital transformation.
Information Security Incident Reporting Procedure
The company’s information security incident reporting procedure follows the “Information Security Management Operating Procedure.” The head of the company’s information department or their designated representative serves as the convener of the response team, responsible for disaster control, damage assessment, unified reporting, and directing information system disaster recovery operations. The reporting and handling of information security incidents comply with the regulations of this management method and are carried out according to the following operating procedures:
