In accordance with the Group’s development strategy, CITIC Limited has established a risk management system covering all business segments to identify, assess and manage various risks in the Group’s business activities.

The risk management system of CITIC Limited is established along the core concepts of risk management and internal control released by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and the Basic Standard for Enterprise Internal Control jointly issued by five ministries and commissions (Ministry of Finance, CSRC, National Audit Office, CBRC and CIRC) in 2008, as well as relevant guidelines and governmental policies.

The risk management system of CITIC Limited comprises “Four Levels” and “Three Lines of Defence” based on the corporate governance structure. The “Four Levels” are the (i) board of directors, (ii) management and several committees, (iii) risk management functions of CITIC Limited, and (iv) member companies. The “Three Lines of Defence” are the (i) first line of defence comprised by business units of each level of CITIC Limited, (ii) second line of defence comprised by the risk management functions of each level of CITIC Limited, and (iii) third line of defence comprised by the internal audit departments or functions of each level of CITIC Limited.