Comprehensive Risk Management System
CITIC Limited is committed to enhancing the integrity, foresight, execution, and coordination of its comprehensive risk management system. By aligning business development with control models, the company establishes a tiered and categorised risk management policy framework, implements targeted improvements to various risk management mechanisms, and strengthens the development of risk and compliance culture, effectively creating a robust “protective net” and solid “firewall” to safeguard the company’s high-quality development.
Risk strategy and preference
CITIC Limited established a five-year risk strategy in 2021, systematically planning the development of a comprehensive risk management system in three phases. In 2025, the company introduced the Risk Strategy (2025), defining the work plan for the “Year of Comprehensive Deepening” and driving its implementation. Efforts were intensified to enhance the risk and compliance control mechanisms. By adhering to the principle of “early identification”, “early warning”, “early exposure” and “early disposal” of risks, the company strengthened consolidated and penetrated management, alongside the establishment and improvement of a hard-constraint early risk correction mechanism. It focused on reinforcing risk control in overseas operations, actively advanced the resolution and mitigation of risk projects, and ensured the comprehensive risk management system delivered tangible results at the business frontline. These efforts continuously improved the effectiveness of risk and compliance management. By the end of 2025, the five-year risk strategy was successfully concluded, achieving its pre-set work goals.
Risk management organisational framework
The company has established a comprehensive risk management organisational structure characterised by “Four Levels” and “Three Lines of Defence”. The board of directors holds overall responsibility for maintaining a robust and effective risk management system. The Audit and Risk Management Committee, representing the board, oversees the company’s financial reporting and risk management systems, reviews the effectiveness of the internal audit function, and evaluates the company’s corporate governance policies and practises. The Audit and Compliance Department plays a leading role in risk management, while relevant functional departments act as specialised units for managing various types of risks. Each subsidiary identifies and effectively manages its risk status within the framework of the comprehensive risk management system, ensuring timely reporting.
The company utilises CITIC Financial Holdings to strengthen the specialised management of financial risks. Subsidiaries in banking, securities, trust, and insurance have established risk management committees, which are led by the risk management department to implement comprehensive practises. Each subsidiary forms dedicated departments or assigns specific personnel to handle risk management activities based on its business nature and organisational capacity.
Risk management policy framework
The company establishes a tiered and categorised risk management policy framework to systematically regulate risk management efforts. It continuously advances the “establishment, revision, abolition, and interpretation” of policies, consistently enhancing their applicability and effectiveness. In 2025, in response to changes in the internal and external environment, the company revised its comprehensive risk management measures and supplemented major risk categories as appropriate. It also formulated country-specific risk management measures to strengthen country-specific risk management.
Risk management process mechanism
Focusing on the characteristics of key business areas and associated risks, the company progressively develops a standardized, regulated and tiered control mechanism. A series of control mechanisms, including unified credit and concentration management, risk identification and assessment, risk monitoring and early warning, risk reporting, major risk response, comprehensive risk management, and risk supervision and accountability, are functioning in an orderly manner, with an emphasis on delivering tangible results.
Risk digitalisation
The company deeply implements the philosophy of “no digitalization, no work” and systematically advances the digital transformation of risk management to strengthen technical support for risk management activities. In 2025, the company focused on fulfilling the requirements of “early identification”, “early warning”, “early exposure” and “early disposal” of risks, actively solidified internal and external data foundations, promoted the upgrade of digital applications, enhanced process control, and explored intelligent applications, so as to improve the forward-looking and penetrating nature of risk management.
Risk and compliance culture development
The company promotes the principle that “effective risk management creates value” and actively leverages the guiding role of risk and compliance culture. In 2025, the chairman of the board of the company issued the Risk Compliance Culture Initiative, putting forward the “Three Persistences, Three Enhancements, and Two Balances” (namely, persisting in legal awareness, bottom-line thinking, and strategic focus; enhancing risk anticipation awareness, risk mitigation capabilities, and risk prevention mechanisms; and balancing development planning with risk prevention, and balancing innovation with safety promotion). This further articulates the cultural ethos of “adhering to compliance and mastering risks”, seamlessly integrating risk compliance culture into the entire process of business management, including management mechanisms, policies, business rules, and codes of conduct. The objective is to transform the concept of risk management into voluntary actions embraced by all employees.
Major Risk Management
CITIC Limited faces various risks, including but not limited to financial and liquidity risk, market risk, credit risk, strategic risk, investment risk, legal and compliance risk, reputation risk, work safety risk, and information technology risk. The company has established a comprehensive risk management and internal control system that spans all its business segments to identify, assess, and manage the various risks associated with its operations.
Financial and liquidity risk
CITIC Limited monitors the financial and liquidity risk of the Group in accordance with relevant financial risk management policies.
The objective of liquidity risk management is to ensure that CITIC Limited always has sufficient cash to repay its maturing debt, perform other payment obligations and meet other funding requirements for normal business development.
CITIC Limited’s liquidity management involves the regular cash flow forecast for the next three years and the consideration of its liquid assets level and new financings necessary to meet future cash flow requirements.
CITIC Limited centrally monitors and graded manages its own liquidity and that of its major non-financial subsidiaries and improves the efficiency of fund utilisation. With flexible access to domestic and overseas markets, CITIC Limited seeks to diversify sources of funding through different financing instruments, in order to raise low-cost funding of medium and long terms, maintain a mix of staggered maturities and minimise refinancing risk.
As at 31 December 2025, consolidated debt of CITIC Limited(1) was RMB1,765,611 million, including loans of RMB245,710 million and debt instruments issued(2) of RMB1,519,901 million. Debt of CITIC Bank(3) accounted for RMB1,211,428 million. CITIC Limited attaches importance to cash flow management, the head office of CITIC Limited had cash and deposits of RMB1,835 million and available committed facilities of RMB74,935 million.
The details of debt are as follows:
| As at 31 December 2025 | RMB million |
|---|---|
| Consolidated debt of CITIC Limited | 1,765,611 |
| Among which: Debt of CITIC Bank | 1,211,428 |
Note:
(1)
Consolidated debt of CITIC Limited is the sum of “bank and other loans” and “debt instruments issued” in the Consolidated Statement of Financial Position of CITIC Limited excluding interest accrued;
(2)
Debt instruments issued include corporate bonds, notes, subordinated bonds, certificates of interbank deposit issued, convertible corporate bonds and beneficiary certificates excluding interest accrued;
(3)
Debt of CITIC Bank refers to CITIC Bank’s consolidated debt securities issued, including debt securities, subordinated bonds and certificates of interbank deposit excluding interest accrued.
| RMB million | Consolidated |
|---|---|
| Debt | 1,765,611 |
| Total equity(4) | 1,496,661 |
| Debt to equity ratio | 118% |
Note:
(4)
Total consolidated equity is based on the “total equity” in the Consolidated Statement of Financial Position.
Market risk
CITIC Limited is exposed to varying degrees of market risks, including fluctuations in interest rates, exchange rates and commodity prices, due to its comprehensive financial services, cross-border and overseas operations, and commodity-related businesses.
Adhering to the principle of a prudent and low-risk appetite, CITIC Limited continuously identifies, monitors, and manages various risk exposures while ensuring that market risks are identifiable, controllable and tolerable. To mitigate the adverse effects of market fluctuations and enhance operational stability, the company prioritizes natural hedging methods and prudently utilizes financial derivative instruments.
●
Interest rate risk
CITIC Limited regularly monitors current and projected interest rate changes, with each of the operating entities of the Group implementing its own interest rate risk management system covering identification, measurement, monitoring and control of market risks. Interest rate risk is managed by taking into account market conditions and controlled at a reasonable level.For our financial subsidiaries, repricing risk and benchmark risk are the main sources of interest rate risk. Observing the principle of prudent risk appetite, they closely track changes in the macroeconomic situation and internal business structure, continue to optimise the maturity structure of deposits, make timely adjustments to the loan repricing lifecycle, and take the initiative to manage sensitive gaps in interest rates for the overall objective of achieving steady growth both in net interest income and economic value within a tolerable level of interest rate risk.
For our head office and non-financial subsidiaries, the interest rate risk arises primarily from debt. Borrowings at floating rates expose CITIC Limited to cash flow interest rate risk, while borrowings at fixed rates expose CITIC Limited to fair value interest rate risk. Based on its balance sheet and market conditions, CITIC Limited and its non-financial subsidiaries will conduct analysis and sensitivity testing on interest rate risk, adopt a flexible approach in choosing financing instruments at floating and fixed rates, or choose to employ, at the suitable time, the interest rate swaps and other derivative instruments approved for use by the Group to manage interest rate risk.
●
Currency risk
CITIC Limited has major operations in Chinese Mainland, Hong Kong SAR and Australia, with Renminbi (“RMB”), Hong Kong dollar (“HKD”) and United States dollar (“USD”) as functional currencies respectively. The Group’s member companies are exposed to currency risk from gaps between financial assets and liabilities, future commercial transactions and net investments in foreign operations that are denominated in a currency that is not the member company’s functional currency. The reporting currency of the consolidated financial statements of CITIC Limited is RMB. Translation exposures from the consolidation of subsidiaries, whose functional currency is not RMB, are not hedged by using derivative instruments as no cash exposures are involved.CITIC Limited measures its currency risk mainly by currency gap analysis. Where it is appropriate, the Group seeks to lower its currency risk by matching its foreign currency denominated assets with corresponding liabilities in the same currency or using forward contracts, cross currency swaps and other derivative instruments, provided that hedging is only considered for firm commitments and highly probable forecast transactions.
●
Commodity risk
Some businesses of CITIC Limited involve the production, procurement, and trading of commodities, and they face exposure to price risks of commodities such as iron ore, crude oil, gas and coal.To manage some of its raw material exposures such as supply shortages and price volatility, CITIC Limited has entered into long-term supply contracts for certain inputs or used plain vanilla futures, forward contracts and other derivative instruments for hedging. While CITIC Limited views that natural offsetting is being achieved to a certain extent across its different business sectors, it performs a continual risk management review to ensure commodity risks are well understood and controlled within its business strategies.
●
Market price risk
CITIC Limited holds investments in financial assets classified as Derivative financial instruments or Investments in financial assets in the Consolidated Statement of Financial Position, including shares of listed company. To control price risks arising from such investments, the Group actively monitors the price changes and diversifies the relevant investment risks through appropriate asset allocation.Credit risk
Credit risk refers to the potential loss incurred when a debtor or counterparty fails to fulfil their obligations as agreed. The company primarily faces credit risk associated with activities such as issuing loans and advances, bond investments, debt plans, investments in debt-like financial products, accounts receivable, margin financing, financial guarantees, and loan commitments.
CITIC Limited adheres strictly to regulatory guidelines on credit risk management. Under the leadership of the board and senior management, the company utilises the CITIC Financial Holding platform to conduct unified monitoring, analysis, and control of credit risk exposures related to loans, investments and other financial activities: 1. Guiding its subsidiaries in establishing and enhancing their credit risk management systems: This includes improving the tracking and assessment of credit risks, refining due diligence, review, approval, and post-lending management processes, optimising credit risk rating tools, clarifying risk asset classification standards, and prudently provisioning for credit asset losses. 2. Enhancing control of unified credit and concentration limits: A risk limit management mechanism ensures coordination between the parent company and its subsidiaries. The company adheres to the principle of “One CITIC, One Client”, creating a cross-entity concentration limit management system to effectively control large risk exposures. Subsidiaries are required to establish risk limits based on industry, region, and client dimensions, ensuring proper asset portfolio management to prevent risk concentration. 3. Coordinating risk mitigation in key areas: CITIC implements central government’s policy requirements by actively supporting the funding of “white list” projects in real estate and local government debt management. It establishes risk disposal strategies for real estate and local government debt businesses and formulates risk resolution plans while increasing efforts in risk management. 4. Leveraging the benefits of integrated industry and financial services to enhance collaborative risk mitigation efforts: By enhancing resource integration and innovation and establishing of the CITIC collaborative risk mitigation fleet, the company provides comprehensive risk management services for risk projects, including incremental funding, asset operation, and brand enhancement. This creates a distinctive CITIC model for collaborative risk management, working together to effectively address significant project risks.
In 2025, key credit risk indicators in the comprehensive financial services segment showed continued improvement, with asset quality steadily enhancing. CITIC Bank’s year-end non-performing loan (NPL) ratio was 1.15%, down 0.01 percentage points from the start of the year, representing seven consecutive years of decline. CITIC Securities and CITIC Trust maintained stable asset quality. The company demonstrated effective risk management in critical areas. Seizing the favourable window for real estate policy, the company expedited its efforts to address key risk projects within the sector. Additionally, the company capitalised on opportunities from the hidden debt replacement policy to accelerate the disposal of existing risks. The concentration and NPL ratios in these two key areas dropped continuously, leading to a narrowing risk exposure. The risk of large clients remains contained. The implementation of the large client limit management mechanism has yielded tangible results. The business proportion accounted for by the top twenty clients remained stable, and the customer structure continued to optimise.
Strategic risk
Strategic risk management aims to effectively respond to changes in external policies and the macroeconomic environment, mitigate the risk of deviation from strategic objectives, and ensure the scientific implementation and dynamic optimisation of strategic planning. Based on the strategic framework, the company aligns its development goals with the “14th Five-year Plan” targets. It seeks to deepen industry-finance collaboration, enhance core business competitiveness, and accelerate the transformation towards high-end, intelligent, and green development, thereby strengthening strategic resilience. The company conducts regular in-depth analyses of internal and external environments, paying particular attention to key variables such as domestic and international industrial policies and geopolitical shifts. This process facilitates continuous updates on the progress of annual strategic implementation and enables proactive identification of deviation risks. By integrating medium-term planning adjustments with budgeting mechanisms, the company promotes the effective decomposition and execution of strategic objectives. This approach aims to maintain controllable risks and ensure sustainable development in complex environments, ultimately creating long-term value for shareholders.
Investment risk
The investment risk management at CITIC Limited aims to ensure that investments align with national policies and adhere to the group’s strategic planning and business strategy. The focus is on continuously enhancing the management of investment projects while mitigating significant investment risks. The company concentrates on national strategic priorities and industrial policies, actively engaging in sectors such as comprehensive financial services, advanced intelligent manufacturing, advanced materials, new consumption, and new-type urbanisation, meanwhile accelerating the development of strategic emerging industries. The company strictly follows a primary business list and a negative list for investment projects, enhancing pre-investment approvals and post-investment management to effectively meet investment risk control requirements.
Legal and compliance risk
CITIC Limited is committed to operating in full compliance with laws and regulations, ensuring a stable and compliant business operation. The company focuses on enhancing the prevention and management of legal risks, conducting thorough legal reviews of major investment projects, and effectively addressing significant litigation and arbitration cases. Additionally, it reinforces the protection of intellectual property, including the “CITIC” trademark. The company has established and refined a comprehensive compliance management and internal control system, continuously optimising policies, processes, and systems in key business and management areas. Regular evaluations of the effectiveness of the compliance management system are conducted. CITIC Limited actively supervises subsidiaries to meet their compliance obligations, improve reporting mechanisms and enhance early-warning capabilities of compliance risks. With the objectives of “risk-based, comprehensive coverage, accountability enforcement, stable operations, and value creation”, CITIC Limited continually refines its anti-money laundering management framework and internal control mechanisms, as well as supervises subsidiaries to achieve effective closed-loop management of money laundering risks, implement tailored and scenario-specific risk classification and control measures, and balance money laundering risk management with the optimisation of financial services, supporting sustainable development.
Reputation risk
CITIC Limited follows the guiding principles of “source prevention, comprehensive management, tailored strategies, and systematic implementation” to effectively mitigate major negative reputation risk events. The company emphasises full-cycle and full-process management, focusing on preventing and mitigating reputation risks at the operational management level to continuously enhance predictability and proactivity of public opinion management. CITIC Limited encourages participation across all entities to integrate its reputation risk management with the overall risk management and comprehensive oversight frameworks. The company promotes coordinated responses by creating a public opinion monitoring mechanism that facilitates collaboration both internally and externally. Furthermore, CITIC Limited prioritises education and training, enhancing education for employees and management on media-related awareness. It intensifies professional training to enhance capability to handler public opinions.
Work safety risk
CITIC Limited strictly complies with work safety laws, regulations and standards, holding the notion of people-oriented, upholding the supremacy of the people and the life. The company has established and improved the work safety responsibility systems and work safety polices and rules in all personnel, implemented a double-prevention mechanism featuring graded management and control of work safety risks and the screening and treatment of potential hazards. To improve risk prevention and mitigation mechanisms, CITIC Limited continuously improves the level of standards and information technology of work safety. The company is dedicated to prevent and reduce work safety accidents, with a strong commitment to prevent major accidents. By ensuring the health and safety of employees and protecting corporate assets, CITlC Limited supports the sustainable development of its operations.
Information technology risk
CITIC Limited steadfastly balances development with security, with the core objective of rigorously upholding the bottom line of cybersecurity and data security, thereby strengthening its capabilities in information technology risk prevention and control. The company continuously optimizes its cybersecurity and data security management systems, enriches the dimensions and methods of risk assessment, and constructs a full-chain, defence-in-depth security mechanism. It regularly conducts tracking, monitoring, and notification of technology and digital risk postures, organizes security attack and defence drills, and strengthens the timely discovery and closed-loop management of risk vulnerabilities. Key efforts include conducting special targeted risk inspections both internally and externally, as well as systematic security risk capability assessments to ensure the continuity of core business operations. An administrative measure for generative artificial intelligence has been issued, carrying out risk assessments for AI applications based on large model risk detection and security protective guardrails, gradually establishing an AI security management system. Through multiple rounds of risk governance, the company deepens its security foundation, thereby building a solid digital security barrier for its high-quality development.