I. RISK MANAGEMENT AND INTERNAL CONTROL GOVERNANCE

(I) Objectives of Risk Management

China Power’s risk management efforts aim to ensure the Group’s overall risk level remains within the risk appetite and tolerance approved by the Board through systematic, institutionalized and regular risk identification, assessment, response and monitoring. This safeguards achievement of the Group’s strategic objectives, sustainable operational stability, the truthfulness and accuracy of financial reports, the security and integrity of assets and effective compliant operations, while enhancing the ability to respond to uncertainties and changes in the external conditions. Specific objectives on risk management include:

(II) Risk Management Governance Framework

An overall view of China Power’s risk management governance framework

The Board

The Board assumes ultimate responsibility for risk management and internal control of the Group. The Board profoundly recognizes that risk management is the major support and fundamental safeguard for achieving high-quality and sustainable development of the Group. The Board regards risk management as a proactive means for creating corporate value and in this regard, significantly enhances the risk management responsibilities of the Board, the management and all employees as well as the entire business system. The Board persists in building a risk culture pursuing “value conservation, value creation and enhancing core competitiveness” through proactive risk management activities, thereby ensuring high-quality and sustainable development of the Group.

At the strategy level, the Board regularly reviews and streamlines the Group’s comprehensive risk indicator system across its business through the RMC to monitor associated major risks. At the operational level, the Group dynamically identifies major risk areas based on internal and external changes, implements comprehensive mitigation measures for full coverage of major risks, and ensures that management assumes responsibility for dynamically monitoring and continuously controlling risks in daily operations. The Board plays a leading role in fostering the Group’s risk management culture of “prudence and accountability.”

Risk Management Committee

The RMC under the Board shares the responsibilities for overseeing the Group’s risk management systems. It is also responsible for advising the Board on risk-related matters, reviewing the Group’s risk management policies and assessing the effectiveness of the design and operation of risk management systems.

Audit Committee

The AC under the Board is responsible for reviewing the Group’s internal control system and the action plans designed to address any deficiencies in control. The AC reviews the findings from the external auditors and the Internal Audit Department regarding control matters related to business operations, financial reporting and legal compliance. The AC ensures that action plans are formulated to address identified control issues and monitors the implementation of audit recommendations through regular reports provided by the management. Additionally, the AC discusses the scope of the annual review and the audit plan with the Internal Audit Department, as well as the external auditors, to ensure that the Group maintains robust internal control.

The Management

The management is responsible for the specific design and implementation of the risk management and internal control systems, assists the RMC and the AC in monitoring these systems, and confirms the implementation progress and effectiveness of the systems. In accordance with the corporate governance framework, the management appropriately delegates the relevant roles, responsibilities, and authorities to various departments and employees of the Group. The Company has established a Legal and Risk Management Department, which is responsible for centrally overseeing the functions of risk management and internal control institutional system development, including development of legal systems, compliance management and internal control and risk management, legal affairs management and services, and institutional system optimization. The Legal and Risk Management Department submits risk management and internal control reports to the RMC and the Board at least twice annually.

Internal Audit

The Company has established an Internal Audit Department and ensures the independence of its organizational structure, staffing, and operation, thereby providing reasonable assurance for the Group to establish an effective internal control system. To actively foster a sound internal control environment, the Internal Audit Department submits internal control evaluation and oversight reports to the AC on a regular or ad hoc basis, and reports on internal audit work to the AC and the Board at least twice a year. In addition, the Company has also established an Audit Center with the objective of standardizing and digitizing internal audit and risk management. The Audit Center provides systematic support to the internal audit and control team and provides relevant talent training to support the development of the Group.

(III) Risk Management and Monitoring Model

China Power has continuously improved its risk management system and ancillary standards in accordance with relevant regulatory guidelines and international standards (including the standards issued by the COSO and the ISO 31000 Risk Management Guidelines issued by the International Organization for Standardization, and their updates from time to time). Aligning with the “Three Lines Model” concept issued by the Institute of Internal Auditors (IIA), the Company has also systematically optimized and updated its established risk management system with Three Lines of Defense, comprising the “business, support and verification” functions, clearly defining the responsibilities of each line of defense. The model is designed to strengthen the Group’s risk management capabilities and compliance culture across all divisions and functional departments.

The roles of three lines are as follows.

(IV) Risk Management Mechanisms and Procedures

Through long-term practices and exploration, China Power has established a set of stable and well-structured risk management systems and procedures.

Comprehensive Risk Management Procedures

II. ANNUAL REVIEW ON RISK MANAGEMENT AND INTERNAL CONTROL

(I) Scope and Details of Annual Reviews

1. Control Environment

The control environment is the foundation of internal control. The Group advocates a strong risk management culture with a focus on establishing a control environment through governance structure, human resources management and development of internal systems. The review results of the current year are as follows:

During the year, the Group newly added and revised 84 regulations with a focus on optimization of and adjustments to regulations across areas such as fuel procurement, oversight of safe production, cadre and talent management, project management and digital development, covering all aspects of the Group’s operations, with a view to ensuring the applicability and compliance of the regulations. Upon review, it was indicated that the internal regulation system is well in place and covered all core processes. However, the implementation guidelines of certain regulations remained unclear, leading to deviations during execution at junior-grade level.

2. Risk Assessment

The Group has established a regular risk assessment mechanism. It conducts comprehensive risk assessments on a periodic basis (at least once annually) to promptly identify various potential risks, evaluate risk levels, and formulate countermeasures. This ensures risk assessments align with corporate strategies and operational plans. Upon review, it was indicated that the Group’s risk assessment mechanism operated effectively and enabled the timely identification of major risks and development of countermeasures. However, its forward-looking risk identification, quantitative analysis capabilities and interdepartmental coordination still require enhancement, reflecting the need for further optimization of the risk assessment system. For details, please refer to the above-mentioned section titled “Annual Review on Risk Management and Internal Control” in this report.

3. Internal Controls

Control activities are the core components of internal controls. The Group has established targeted control activities around key business processes and critical control points, including approvals and authorizations, segregation of positions with incompatible duties, review and verification, asset protection, budget controls, and performance evaluations. A review was conducted during the year with a focus on control activities in the following core areas:

4. Information and Communication

The Group has established a comprehensive information and communication system, under which the information communication processes, channels and responsibilities were clearly defined to ensure timely delivery, sharing and feedback of both internal and external information. Communication and coordination between management and various departments and subsidiaries have been strengthened through regular meetings and communication mechanisms, so as to promptly resolve operational and internal control management issues. Communication with stakeholders including shareholders, the Hong Kong Stock Exchange, regulators and external auditors has been enhanced, with timely disclosure of relevant information and responses to stakeholder concerns. Upon review, it was indicated that the information and communication system operated effectively. However, some cross-departmental and cross-subsidiary information was not communicated in a timely manner, and the information sharing mechanism was not adequate. Further optimization of information communication processes is needed to enhance communication efficiency.

5. Supervision and Monitoring

The Group has established a multi-tiered internal supervision and monitoring system, which includes internal audit monitoring, departmental self-monitoring, and AC monitoring, so as to ensure the ongoing effective operation of the internal control system:

The review indicated that the Group has put in place a sound internal oversight system and conducted monitoring activities effectively.

(II) Sources of Risks

The risks of the Group stem from multiple internal and external factors, principally including:

(III) Identification of and Response to Major Risks in 2025

During 2025, the Group continued to focus on the strategic vision of becoming a “World-class Green and Low-carbon Energy Provider” and the mission of “Lower Carbon Empower Better Life” and conducted a risk assessment taking into account of the changes in recent and mid- to long-term internal and external conditions. Covering both existing and potential risks, the risk assessment identified and confirmed five major risks facing the Group. These risks specifically included: safety risks, investment risks, market risks, commodity or material procurement risks, and organizational and talent management risks.

The Group uses a risk heat map for visualized risk assessment and classification.

Risks are categorized based on the overall score:

Based on the occurrence probability and degree of impact on the Group’s objectives, risk priorities were determined (High/Medium/Low) and focus areas of risk control were specified. Details of the relevant major risks are as follows:

For details about the risks and opportunities related to climate change and the environment that pose to the Group, please refer to the Sustainability Report 2025 of the Company, which is available on the websites of the Company and the Hong Kong Stock Exchange.

(IV) Identification and Rectification Recommendation of Internal Control Deficiencies

1. Specialized System Evaluation

In 2025, a specialized evaluation of the internal control system was conducted to gain in-depth insights into the current status of the system framework. The evaluation focused on the conflicts between internal regulations and national laws and regulations, conflicts with regulations from higher-level management units, and conflicts within the Group’s own regulations. This evaluation aimed to identify significant internal control risks, uncover system deficiencies and management loopholes, and assess the legality, compliance, completeness and effectiveness of the Group’s systems and regulations. The goal was to promote the refinement of the internal control systems, ensure the legality and compliance of all corporate economic activities and safeguard the high-quality development of the Group.

This evaluation revealed the following: First, certain provisions in 14 internal systems were inconsistent with higher-level systems. Second, conflicts were identified among six systems, between systems and lists of responsibilities, and within different systems regarding the same matter. Third, system updates were not timely. A total of 81 issues were identified, including failure to update systems promptly, incorrect system names in references, and systems based on obsolete or inaccessible grounds. All identified issues were classified as general deficiencies and have been rectified.

2. On-Site Internal Control Evaluation

This on-site internal control evaluation was conducted concurrently with the annual audit. Ten representative units were selected for assessment to comprehensively review the effectiveness of internal controls across all business processes. The evaluation identified a total of 110 internal control deficiencies related to systemic development, which covered areas including rule of law and corporate governance, materials and procurement management, production and engineering management, financial and asset management, as well as general administration and human resources. Of these, four were classified as design deficiencies and 106 as execution deficiencies. All were categorized as general deficiencies.

As of the end of 2025, 105 deficiencies had been rectified, covering improvements in corporate governance, standardization of procurement procedures, strengthened asset management, and corrections related to safety and environmental protection. The rectification rate reached 95.4%. The remaining deficiencies have been incorporated into a closed-loop supervision and management mechanism. Most issues have already been systematically addressed at the operational front line, effectively promoting a substantive enhancement of the internal control system from being merely “in place” to being “truly effective”.

3. Self-Assessment on the Internal Control of Subsidiaries

The Group has organized the system-wide self-assessment on internal control to continuously strengthen the autonomous optimization and routine oversight mechanisms of the internal control system. This self-assessment covered 28 subsidiaries and will gradually extend to other subsidiaries in the future. Combining self-inspections by each unit with key guidance from headquarters, the Group conducted an in-depth review focused on three core dimensions. The self-assessment identified a total of 85 issues, covering systemic development, corporate governance, as well as production and operation, all of which were classified as general deficiencies. All deficiencies were systematically recorded in a unified “Integrated Application Platform,” enabling online issue registration, online assignment of responsibilities, real-time progress tracking, and cloud-based evidence archiving. This created a transparent, traceable closed-loop management system for rectification. Ongoing platform oversight effectively promoted immediate rectification upon identification across all units, thereby transforming self-monitoring into an internal driving force for management enhancement.

III. SUMMARY OF ANNUAL REVIEW

Upon comprehensive assessments on the management reports, the opinions of the RMC and the AC, the results of internal audits, and the independent confirmation provided by external advisors, the Board confirms that:

The Group’s risk management and internal control systems had been appropriately designed and operated effectively in general in 2025. It provided reasonable assurance for meeting the requirements set forth in Code Provision D.2.1 of the CG Code.

The systems as a whole meet the needs of operational management, compliance and financial reporting, and is capable of effectively identifying, assessing, monitoring and responding to major risks. No material control failures or systemic deficiencies were identified during the review period. Previously identified management weaknesses have been rectified as planned, and internal audit verification has been completed through a closed-loop mechanism.

Please refer to the Risk Management Committee Report and the Audit Committee Report in this annual report for highlights of their works done during the reporting period.