Risk is an inevitable part of company operations, particularly in the construction industry where various uncertainties that threaten operations often arise. Therefore, it is essential to establish a robust risk management system. Addressing risks related to corporate governance, environment, social aspects, and climate change requires the formulation of comprehensive risk policies to support business operations and growth, achieving sustainable business for the company. Kedge Construction follows the company’s “Risk Management Policy and Procedures” to establish systems, assess compliance with regulations across departments, enhance employee compliance awareness through continuous education, training, and self-assessment improvements, and strengthen business operations through early warning and robust management. Additionally, Kedge Construction ensures that all risk issues receive timely and comprehensive management from senior management through regular reporting meetings.
Risk Management Organizational Structure
Risk Measurement Methods and Management Strategies
According to the risk management policies and procedures established by Kedge Construction Co., Ltd., the Risk Management Implementation Team has formulated the 2024 Kedge Construction Risk Report. This report explores and effectively responds to various potential risks encountered in company management or construction processes. It assists management in understanding the company’s risk status to formulate corresponding and effective strategies, ensuring sustainable development and continuous value creation.
I. Scope of Risk Assessment
The scope includes six major categories: strategy, operations, finance, compliance, information security, and other risks. The report analyzes risks across multiple domains; for each domain it provides a description of the risk, the assessment methods, the risk scoring, and recommended risk response measures. Environmental and occupational safety risks are assessed and controlled at project sites using a 5×5 matrix in accordance with the ISO 14001 Environmental Management System and the ISO 45001 Occupational Health and Safety Management System, and are not included in this report.
II. Risk Analysis
III. Risk Measurement
In 2024, through the practical and professional experience of the construction and management departments, the company’s potential risks were assessed based on their respective business scopes and operating processes, supplemented by the use of risk matrix assessment methods to target possible risk types. A total of 4,183 items were identified (145 items for strategic, operational, financial, compliance, information security, and other risks, and 4,038 items for environmental and occupational safety). Among these, the acceptable risks under existing management measures that fall under mild risk (Level 1), low risk (Level 2), and moderate risk (Level 3) total 3,920 items (87 items for strategic, operational, financial, compliance, information security, and other risks, and 3,833 items for environmental and occupational safety). The moderate risk (Level 3), high risk (Level 4), and major risk levels with severe or extremely severe severity total 263 items (58 items for strategic, operational, financial, compliance, information security, and other risks, and 205 items for environmental and occupational safety). After considering the control measures taken to reduce risks, the original risk levels changed to 6 items of mild risk (Level 1), 183 items of low risk (Level 2), and 74 items of moderate risk (Level 3). (Originally 263 unacceptable risks, all reduced to acceptable risks after implementing control measures).
Among these, under existing management measures, there are 87 acceptable risks and 58 unacceptable risks that require the development of risk reduction measures. After implementing control measures, all risks have been reduced to acceptable levels.
The construction industry in Taiwan has always faced numerous challenges and risks. Looking ahead, careful management is required to ensure the company’s steady development. In response to global economic fluctuations, geopolitical impacts, changes in raw material markets, and carbon fee collections, the company will develop flexible operating strategies. Additionally, labor and technical shortages will be execution bottlenecks. The company should focus on talent training, actively adopt new technologies and construction methods to improve production efficiency, use intelligent support systems to increase per capita output, and participate in different types of construction projects to mitigate market risks. Establishing a comprehensive risk management system, including monitoring market fluctuations and reasonably drafting contract terms, is essential. In terms of sustainable development, continuous efforts in energy saving and carbon reduction should be pursued to meet market demands and achieve the goals of diversification and sustainable operation.
IV. Emerging Risks
Implementation Roadmap for IFRS S1 and S2 Sustainability Standards
In response to alignment with the International Financial Reporting Standards (IFRS) sustainability disclosure standards, the Company is proactively planning the implementation of IFRS S1 “General Requirements for Disclosure of Sustainability-related Financial Information” and IFRS S2 “Climate-related Disclosures” issued by the International Sustainability Standards Board (ISSB).
The Company has initiated preparatory operations while commissioning professional consultants for implementation planning across four phases:
Information Security
Information Security Management Policy and Measures
Our company actively promotes information applications and digital transformation while emphasizing the protection of information security and personal data. Therefore, we have appointed several information security specialists and a dedicated information security manager. Additionally, our company is a member of the Taiwan CERT/CSIRT Alliance and Taiwan CISO Alliance under the Ministry of Economic Affairs. All employees adhere to the “Kedge Construction Information Security Policy” approved by the Board of Directors, ensuring the protection of information security in response to identified risks and security norms. Furthermore, in accordance with the “Information Security Management Operational Procedures” developed by the Information Technology department, various information security operational procedures and responsibilities are planned and executed. The Information Security Manager supervises the implementation effectiveness.
To promote the Company’s information and communication security-related policies and implement information and communication security practices and audit requirements, an “Information and Communication Security Promotion Group” has been specially established to continuously strengthen information and communication security protection and the overall management and joint defense mechanisms for information and communication security intelligence. The organizational structure is shown in the diagram below:
The Company’s General Manager serves as General Convener of the Information and Communication Security Promotion Group, and the Information Security Officer serves as the Information and Communication Security Management Representative. Under this structure, the “Information and Communication Security Processing Group,” “Document Control Group,” and “Information and Communication Security Audit Group” are established. Members of each group are appointed by the convener and are responsible for planning and implementing information security operations and for promoting and implementing information security policies. They report the status of information security implementation to the Board of Directors every year.
The management of the Company’s information and communication security incidents follows the “Information Security Incident and Accident Operating Standards.” The General Convener of the Information and Communication Security Management Promotion Group appoints personnel to form an “Emergency Response Implementation Group” according to task organization; this group is responsible for business continuity management and for handling major information security incidents. Information security incidents are classified according to procedures to determine whether they constitute information security accidents. Incidents are reported promptly according to procedures, and appropriate handling or response measures are taken to reduce potential damage from accidents and prevent similar accidents from recurring.
Key Information Security Control Measures
The Company actively promotes information application and digital transformation while placing great importance on information and communication security and personal information protection. The Company has appointed dedicated Information Security Officers and Information Security Engineers responsible for the Company’s information security planning, technology implementation, and related audit matters to maintain and continuously strengthen information security. The Company strengthens corporate information and communication protection capabilities through four aspects: “Information Security Protection,” “Information Security Response,” “Governance,” and “Personnel Education.” The main information security work points for 2024 are as follows:
Simultaneously, to strengthen the Company’s information security technology and security protection, a budget of approximately NT$10.98 million was allocated for 2024 (averaging NT$19,000 per employee) for the construction of information and communication security-related hardware and software and information security enhancement services, including but not limited to the following items:
Information Security Awareness Enhancement
Employees are the most vulnerable link in enterprise attacks. To strengthen employees’ information security awareness, help employees recognize the importance of information security, and adopt corresponding security measures, the Company commissions external professional consulting teams to conduct at least two information security awareness enhancement courses for colleagues annually, making these courses mandatory for all colleagues.
Establishment of network equipment monitoring and log management system
In response to increasing cybersecurity threats and risks, our company has implemented a Security Information and Event Management (SIEM) system, led by the Information Technology department. This system monitors the application systems and network devices across our headquarters and all branch offices. Simultaneously, it centralizes log records collected from various cybersecurity products, integrating event alerts, correlation analysis, and generating data reports. This helps our cybersecurity personnel efficiently enhance overall environment visibility and promptly rule out problems. Strengthening our information service monitoring capabilities ensures the continuous operation and protection of our company’s information assets and business activities.
To ensure the confidentiality, integrity, and availability of group business information and fully protect the privacy of colleagues and customers, Kindom Group launched the latest ISO 27001:2022 implementation plan in April 2024 for the three major business entities under the group: “Kindom Construction,” “Kedge Construction,” and “Global Mall,” establishing ISMS (Information Security Management System) management mechanisms for core systems, e-commerce platforms, and customer membership systems. The project work schedule and main work content are as follows:
The ISO 27001 international information security standard adopts the PDCA (Plan-Do-Check-Act) management cycle framework. Kindom Group’s Information Technology Department introduced various security testing tools during the project development process, combined with a comprehensive ISMS management system of 114 information security controls. Information security awareness education and training, communication security, information security incident handling, and other aspects are all included in process control. Through the implementation of the ISMS information security management system, information asset management is established, information security risk assessment is enhanced, and outsourcing management and information security incident handling are strengthened across the planning and execution of the various controls. This not only helps reduce the possibility and impact of information security incidents such as hacker attacks, data breaches, and operational interruptions, but also ensures IT operational compliance and improves overall operational efficiency, strengthening corporate competitiveness.
Through the efforts of information and communication security promotion group members and continuous process improvement, “Kindom Construction,” “Kedge Construction,” and “Global Mall” all successfully passed SGS Taiwan Ltd. audit verification at the end of 2024, successfully obtaining ISO 27001 information security certification. The current certificate validity period is from November 24, 2024, to November 24, 2027, and third-party certification will be obtained regularly in the future.
Goals and Prospects
Looking to the future, the Company will maintain high standards to enhance the company’s network information and communication system architecture. In addition to strictly complying with relevant legal regulations, all colleagues are required to implement information security management regulations with a rigorous work attitude. Through the promotion of ISO 27001 certification and mechanisms such as information asset and risk assessment, monitoring operational impact analysis, and business continuity drills, complete information security protection capabilities are constructed. Information security awareness and concepts are integrated as part of the company’s corporate culture, continuously advancing toward the goal of building a zero-trust network architecture to enhance enterprise security and strengthen sustainable business competitiveness.