Risk Management Process and Risk Culture Statement
2025/11/27 16:54Publisher:Onewo
Onewo Inc.
Risk Management Process and Risk Culture Statement
Onewo Inc. (hereinafter referred to as "Onewo", "The Company" or "we")attaches great importance to risk management. The Company has established a comprehensive Enterprise Risk Management (ERM) system designed with reference to the COSO ERM Framework and the ISO 31000:2018 Risk Management Standard. Onewo is committed to fostering a proactive and forward-looking risk culture to ensure that risk management is embedded throughout its corporate governance, strategic decision-making, and day-to-day operations.
1. Risk Governance Structure
In accordance with the Listing Rules, the Company’s internal control standards, and the COSO Internal Control Framework, Onewo has established an internal control management system to enhance its headquarters governance structure, strengthen and standardize internal control management, and ensure the Company’s operations and management are conducted in a lawful and compliant manner. The Board of Directors is responsible for establishing, maintaining, and effectively implementing the Company’s internal control and risk management functions. The Board ensures that Onewo has in place an effective risk management and internal monitoring system covering all key control areas, including financial, operational, and compliance monitoring. The Board also continuously oversees the scope, quality, and procedures of the Company’s overall risk management and internal control work, including environmental, social, and governance (ESG) risks.
Onewo has established a multi-level risk management structure from headquarters to regional operations and adopted the “Three Lines of Defense” model. Under the oversight of the Board and the management team, the Company continues to enhance and strengthen its functions in risk identification, monitoring, and prevention, and regularly assesses the effectiveness of its risk management systems. The headquarters is responsible for Company-level risk identification and control, while each business unit and functional department progressively establishes its own risk management functions to conduct risk identification and assessment.
First Line of Defense: Frontline Operations and Business Units
Transitioning from process compliance to process accountability, Onewo strengthens both its process framework and accountability systems. Each process owner or manager assumes responsibility for internal control and risk supervision, with 95% of risks expected to be managed and mitigated through standardized operational processes.
Second Line of Defense: Internal Control, Legal, and Investment Functions
Focused on mid-process control, this line acts as a partner to the business, assisting managers and responsible personnel at all levels in managing their operations effectively. It helps identify issues in a timely manner, promotes corrective actions, and ensures effective problem-solving and closure. By emphasizing risk awareness and mechanism optimization, this line advances towards comprehensive oversight.
Third Line of Defense: Audit and Supervision
Internal audit functions independently from business operations and processes, assuming the responsibility of independently evaluating the Company’s risk control system. Through independent assessments and post-event investigations, it establishes deterrence to prevent misconduct — ensuring employees are both unwilling and afraid to engage in inappropriate behavior.
2. Risk Review Process
2.1 Risk Exposure Assessment Method
The Company adopts a two-dimensional method of “Likelihood × Magnitude” when assessing risk exposure. It takes into account financial impacts (such as revenue, cost, capital expenditure, asset impairment, etc.), business interruption and operational impacts, regulatory and compliance risks, technological system dependency and data risks, geographical location, regional differences, customer types and project characteristics, brand and reputation impacts, and ESG / climate factors as part of the overall risk framework. The assessment tools include: Risk Scoring Sheet, Risk Heatmap, Sensitivity Analysis, and Stress Testing.
2.2 Risk Appetite and Tolerance Framework
The Company has established a formal risk appetite framework consisting of:
- The Board of Directors approves the Risk Appetite Statement;
- Management formulates quantitative and qualitative appetite indicators;
- The risk control department is responsible for monitoring and regularly updating the framework.
The risk appetite covers:
- Financial soundness (net profit volatility, cash flow, leverage level);
- Operational continuity (service interruption threshold, work order handling SLA);
- Safety risks (incident rate, emergency response time);
- Information technology and cybersecurity;
- Compliance violation tolerance;
- Strategic investment risk level.
The framework includes:
- Clearly defined acceptable risk levels;
- Designated responsible departments;
- Trigger thresholds for early warning;
- Conditions requiring escalation and reporting to management or the Board of Directors.
2.3 Company-Specific Risk Exposure Description for Two Key Corporate Risks
Risk 1: Market Risk
Risk Exposure Description: As a large-scale property and urban services enterprise operating across multiple cities and business types, the Company faces risks of slower-than-expected market expansion due to intensified regional competition, continued tightening of property service fee pricing policies, and increasing bargaining power of property owners.
Likelihood: Medium to High. With increasing industry consolidation and the growing number of regional service providers, uncertainties in project renewals and new contract signings have significantly increased.
Magnitude: Significant impact. If market pressures intensify, it may result in:
- Declining project renewal rates and fewer new project signings, directly affecting revenue growth;
- Restrictions or reductions in service fee pricing, compressing gross margins and impacting overall profitability;
- Weakened brand competitiveness in certain regions, affecting long-term market positioning.
The Company maintains a “Moderately Low” Risk Appetite for Market Risk:
- Adopting a prudent expansion strategy in key cities and business segments, avoiding aggressive, high-risk expansion;
- Exercising caution when entering low-margin or unstable market environments;
- Requiring each regional company to conduct annual market risk exposure analysis and set acceptable sales and renewal fluctuation ranges;
- Establishing clear decision thresholds and approval authorities for fee adjustments and competitive incentives.
Mitigating Actions:
- Diversified Market Portfolio: Expand into multiple business segments such as city services and space services to reduce volatility from any single business line.
- Enhanced Differentiated Service Capability: Strengthen community digitalization, smart service systems, and value-added service capabilities to improve customer loyalty.
- Regional Competition Monitoring Mechanism: Regularly analyze competitive dynamics, pricing trends, and policy changes in key cities to develop proactive response strategies.
- Enhanced Customer Relationship Management (CRM): Improve renewal rates through satisfaction management to reduce reliance on new contract acquisition.
- Strict Project Entry Evaluation: Apply a risk review mechanism to identify and manage potential loss-making or low-margin projects in advance.
Risk 2: Cost Management Risk
Risk Exposure Description: The property management industry is generally labor-intensive. The Company operates a large number of self-owned and cooperative projects nationwide, relying heavily on the recruitment, compensation, training, and optimization of frontline personnel. In recent years, labor shortages, rising wages, and increasing social security costs have intensified cost pressures.
Likelihood: High. In some regions, labor supply is tight, and rising minimum wages as well as stricter labor regulations have led to rigid increases in labor costs.
Magnitude: Significant impact. If cost increases cannot be effectively controlled or passed on, this may result in:
- A decline in the Company’s overall profitability;
- Certain low-margin projects turning from profit to loss;
- Service quality sacrifices made to control costs, leading to complaints, disputes, renewal difficulties, and brand reputation damage.
The Company maintains a “Low” Risk Appetite for Cost Management Risk:
- Requiring all regional and business units to manage human resources within approved budgets;
- Strictly controlling labor outsourcing ratios and supplier cost structures;
- Setting early-warning thresholds for rising labor costs and reporting regularly to management;
- Escalating significant cost fluctuations to the headquarters’ risk management process.
Mitigating Actions
- Strengthened Human Resource Planning: Enhance workforce stability through centralized recruitment, talent reserve programs, and regional job rotation.
- Digitalization-Driven Cost Reduction: Deploy intelligent inspection systems, online work order scheduling, and robotics/automation tools to reduce labor dependence.
- Performance-Oriented Compensation Mechanism: Link compensation to efficiency and satisfaction metrics to boost productivity.
- Optimized Supply Chain and Outsourcing Management: Centralize procurement of key materials and outsourced services to minimize project-level cost fluctuations.
- Regular Cost Review: Conduct monthly rolling analyses of labor and material costs in key regions and implement corrective measures through the budget management system.
3. Frequency of Risk Exposure Review and Audit of Risk Management Processes
The Company conducts a review of key risk exposures at least once every six months, which includes updating risk scores, adjusting risk appetite or thresholds, reviewing the implementation of mitigating measures, and identifying emerging risks.
In addition, over the past two years, the Company has carried out:
- Internal Audit: Conducted by the Headquarters Internal Audit Department, assessing the effectiveness and compliance of the risk management process, covering risk identification, assessment, reporting, and the follow-up of mitigation measures.
- External Audit: Conducted by an independent third-party institution in accordance with ISO 31000 guidelines, reviewing the integrity of the risk management system, process implementation, and internal control framework, and providing recommendations for improvement.
The Annual Risk Management and Internal Control Report has been submitted to the Audit Committee for review and subsequently approved by the Board of Directors upon the Audit Committee’s examination. Based on the standards for identifying internal control deficiencies in both financial and non-financial reporting stated in the report, the Board believes that during the reporting period, the Group did not have any material or significant internal control deficiencies. As of December 31, 2024, the Group’s risk management and internal control systems remained sound overall, with no deficiencies or anomalies identified that would have a material impact on corporate governance, business operations, or development.
4. Risk Culture
4.1 Risk Management Training for Non-Executive Directors
The Company provides regular, thematic risk management training to all Non-Executive Directors each year. The training covers updates to the risk management framework, emerging risk trends (including technology, ESG, compliance, strategy, and operations), risk appetite and monitoring mechanisms, as well as changes in domestic and overseas regulations.
4.2 Organization-Wide Risk Management Training
Onewo places great emphasis on employee training in risk management. Customized training programs are conducted for employees in different roles, covering a wide range of topics such as internal audit requirements, risk control measures, business risk management, policy interpretation, integrity awareness, and updates to internal control tools.
In 2024, the Company conducted 92 targeted internal control inspections and 81 proactive reviews. On-site internal control capability-building training was organized, covering 9 business units or professional functional departments and approximately 28 business categories. A total of 27,500 employees participated in the training, with an average training duration of 1.1 hours per employee.
4.3 Integration of Risk Standards into Product and Service Development
In the development of new businesses, products, or technologies, the Company incorporates assessments of regulatory compliance, data security and privacy risks, financial feasibility and policy risks, operational risk analysis, and customer impact analysis. During product and service iterations, the finance, legal, and internal control departments participate in the formulation of standards and procedures to ensure that risk management and internal control requirements are embedded in operational guidelines and process controls. For R&D activities, risk assessment is integrated into all stages of project initiation, design, testing, and launch. Project teams are required to consider potential risks and develop corresponding mitigation measures during project planning, ensuring that products and services meet both business needs and risk control requirements.
4.4 Integration of Risk Indicators into Performance Incentives
The Company incorporates risk-related indicators into the performance evaluation system for the following roles. Negative risk indicators such as quality incidents are included in assessments, and managers who fail to effectively manage risks may receive performance deductions or penalties. This approach aims to encourage both management and employees to proactively engage in risk management, further enhancing the Company’s overall risk management capability.
• Operations teams: Safety incident rate, service continuity indicators
• Information technology department: System stability, data security indicators
• Regional management: Compliance incidents, major complaint rate
• Functional departments: Timeliness of internal control and risk response
5. Emerging Risk
In addition to identifying day-to-day operational risks, Onewo also assesses long-term emerging risks that may significantly impact the Company’s business model, strategic direction, and operational structure over the next 3–5 years.
Emerging risks typically have the following characteristics:
• Originate from external factors (macroeconomic, policy, social, or technological);
• Are long-term and uncertain in nature;
• May exert significant potential influence on the Company’s business structure, regional layout, customer needs, or operating model;
• Lack mature mitigation practices within the industry;
• Require the Company to make early strategic and business model adjustments.
Emerging Risk 1: AI Disruption to Traditional Urban and Property Service Models
Risk Category: Technological
Risk Description: Artificial Intelligence (including Large Language Models), robotics, IoT, and automation technologies are expected to accelerate their penetration in urban operations, property management, inspection, and security scenarios over the next 3–5 years. This trend is characterized by:
- A pace of technological transformation far exceeding that of traditional service models;
- "Unmanned inspections, intelligent security, and AI-based customer service" reshaping service delivery methods;
- New ecosystem participants (such as technology companies) entering the property and urban services market;
- Fundamental shifts in the industry’s talent structure.
Given the rapid technological evolution, the Company must plan ahead or risk facing disruptive structural impacts.
Potential Impact on Business:
- The traditional labor-intensive service model may face substitution risks;
- Failure to keep pace with technological advancement may lead to structural cost imbalances;
- Cross-sector entry by technology firms could redefine industry profit distribution;
- The Company may need to rebuild new “human-machine collaboration” capabilities;
- Customers’ perceptions of service experience may shift, diminishing traditional differentiation advantages.
Mitigating Measures:
- Invest in R&D and ecosystem collaboration to explore applications such as AI property service assistants and intelligent inspection systems;
- Establish “smart service demonstration zones” in key cities to test and validate automation scenarios;
- Promote workforce skill transformation by enhancing competencies in equipment management, digital platform operations, and data analytics;
- Form strategic partnerships with technology enterprises to introduce cutting-edge technologies and algorithmic capabilities;
- Develop a “digital service cost model” to dynamically assess replacement and transformation benefits.
Emerging Risk 2: Demographic Shifts Reshaping Urban Service Demand
Risk Category: Societal
Risk Description: China's aging population trend continues to intensify and is expected to significantly affect community demographics, household structures, and service demand directions over the next 3–5 years. For companies deeply involved in community services, property management, and urban space operations, demographic change will lead to:
- Service demand expanding from traditional property management to areas such as health, elderly care, daily living support, and community medical assistance;
- A higher proportion of elderly residents driving demand for adaptive public spaces (e.g., elderly-friendly renovations, safety facilities);
- A tightening labor supply further constraining the replenishment of frontline service staff.
This risk is long-term, cross-sectoral, and externally driven by societal structural change—thus meeting the definition of an emerging risk.
Potential Impact on Business:
- The Company’s standardized service system may not meet increasingly diverse demands under new demographic conditions, necessitating adjustments to product structure and service models;
- Shortages of frontline staff may cause long-term shifts in labor cost structures;
- Changing customer (property owner/government) needs may push the Company’s transformation from “property management” to “integrated community services”;
- Service category upgrades may raise costs, while customers may not be immediately willing to pay extra;
- Failure to adapt swiftly may result in loss of competitiveness in certain regions.
Mitigating Measures:
- Conduct “Future Community Service Demand Studies” to identify growth opportunities in elderly care and new community service segments;
- Advance product innovation in "smart elderly care support tools" and "community medical collaboration services";
- Develop standardized modules for "elderly-friendly renovation and safety services";
- Collaborate with vocational institutions to establish professional talent training programs for community care;
- Encourage regional companies to develop differentiated service products to strengthen competitiveness under demographic transitions.
This document has been approved by the Company's Board of Directors and is implemented under its oversight. The Company will, based on changes in national laws and regulations, actual operating conditions, and performance evaluation results, initiate an annual review and update process led by the Audit Office and the ESG Office of Onewo by April 20 each year, to be completed and reissued by June 30. This ensures the document’s continued effectiveness and applicability.
Onewo Inc.
ESG Office
Audit Office
November 25, 2025
