The latest HKICS Regional Board Secretaries Panel (RBSP) meeting, held in Hong Kong last month, focused on the management of risk from the perspective of Mainland companies listed in Hong Kong.

On 14 January this year, more than 30 corporate secretaries representing various Hong Kong-listed companies from the Mainland gathered at the Regional Board Secretaries Panel (RBSP) meeting hosted by the HKICS to talk about their experiences and views on risk management.

Dr Gao Wei FCIS FCS(PE), HKICS Vice-President and Board Secretary and General Counsel, Sinotrans Ltd, highlighted the new requirements regarding risk management and internal controls in Hong Kong’s Corporate Governance Code (the Code), Appendix 14 of the listing rules. He emphasised that Hong Kong-listed companies, both as a result of the new regulatory requirements and as a prudent corporate governance measure, need to adopt a structured approach to risk management. Dr Gao also highlighted the findings and recommendations of the recent HKICS/KPMG China survey on risk management – Risk Management: Looking at the New Normal in Hong Kong.

Dr Gao was followed at the podium by Xu Shiqing, Board Secretary, China Merchants Bank (CMB). Mr Xu gave attendees insights into the practical implementation of risk management measures by CMB and the role of the board secretary in risk management.

The presentations by Dr Gao and Mr Xu were followed by a roundtable discussion which gave attendees the opportunity to share views on the new risk management requirements in Hong Kong and to share their experiences in the practical implementation of risk management and internal control systems.

Risk management overview

Effective 1 January 2016, Hong Kong Exchanges and Clearing (the Exchange) has brought in new listing rule requirements relating to risk management and internal controls. The Exchange’s amendments to the Code are aimed at integrating risk management into the Code; defining the roles and responsibilities of the board and management; and clarifying that the board has an ongoing responsibility to oversee risk management and internal control systems.

Other changes include upgrades of certain recommendations to Code Provisions (CPs) regarding the annual review of the effectiveness of issuers’ risk management and internal control systems and disclosures in the Corporate Governance Report. Issuers are also required by a new CP to have an internal audit function in place.

As a result of the renewed regulatory requirements and the increased focus on risk governance, Hong Kong-listed companies need to adopt a structured approach to risk management to mitigate risks that can threaten the achievement of their objectives, Dr Gao emphasised.

He also highlighted the recent HKICS/KPMG China survey on risk management – Risk Management: Looking at the New Normal in Hong Kong – which assesses the readiness of issuers for the more stringent requirements regarding risk management and internal control. Specifically, the survey aims to capture what the ‘new normal’ for risk management looks like in the region. This survey gathered data from 279 respondents from across a range of industries.

Below are the highlights of the survey’s findings which Dr Gao shared with the participants.

  • Despite the fact that the vast majority of respondents to the survey consider risk management as a priority on their board agenda, 34% do not regularly factor risk considerations into their planning decisions.
  • Only 36% of respondents have fully developed a formal risk appetite statement which has been approved by the board and implemented.
  • Only 42% of respondents believe that their companies could effectively help stakeholders understand the risk management solutions implemented, especially the underlying risk/return trade-off.
  • The survey results also suggest that the correlation between risk management and the incentive structure of frontline employees tends to be weak, as about 61% of the respondents said there is no significant relation between the two.
  • Only 43% believe that their internal audit could assure the top board risks are being managed. In addition, about 15% of the surveyed companies said they did not have an internal audit function.

These findings indicate that, while directors and senior executives are increasingly thinking about the risks their organisations face, there are many areas where they are failing to translate this raised awareness of risk into effective management of risk.

Dr Gao also highlighted some of the useful recommendations of the HKICS/KPMG China survey relevant to Hong Kong-listed companies from the Mainland.

Awareness of external emerging risks

External uncertainties such as the macroeconomic environment, regulatory changes and innovations are viewed as the region’s top risks. Businesses need to prepare themselves for the unexpected threats and opportunities arising therefrom. However, possessing the right skill set to do so remains a key challenge. The majority (57%) of the respondents cited difficulties in understanding enterprise-wide risk exposures, and 61% indicated the need for better board and senior management team awareness.

Changing regulatory requirements

The recent amendments to the Code are seen as a significant step in bringing risk governance in line with more mature global markets. The change mandates new responsibilities for the boards, management and internal audit functions of companies listed in Hong Kong. Boards are now required to determine and evaluate the level of risk they are willing to take to achieve their objectives. Management is held responsible for designing, implementing and monitoring controls to manage the risk, while internal audit needs to provide an independent appraisal of the systems.

Imperatives towards a structured approach to risk management

In view of the market trends outlined above, companies are recommended to adopt five imperatives to develop a structured approach to risk management:

  1. establish risk management as a boardroom item and provide boards with insights on the top risks facing the business
  2. establish a risk appetite statement to define the level and type of risk the business is willing to accept, and use it to drive strategic business decisions
  3. develop and roll out enterprise-wide risk management practices to identify, manage and report on risks facing the business
  4. define clear accountabilities for the management and oversight of risks across the organisation, and
  5. set up an internal audit function that provides independent assurance for the effectiveness of the risk management and internal control systems.

Regarding the need to develop a risk appetite statement (see item 2 above), executives are recommended to articulate the company’s strategic objectives and performance drivers, align the risk profile to business and capital management plans, and then define and agree on thresholds in order to develop risk indicators for monitoring and reporting. The statement should finally be approved by the board, and then communicated and integrated across the organisation.

Developing an internal audit function (see item 5 above) that works requires a balance between its positioning in the organisation, the quality of its people and the processes in place to help it achieve its objectives. ‘Internal audit should have unfettered access to top executives, and its reporting lines should not compromise its independence,’ Dr Gao recommended.

An appropriate people strategy should also be defined so that internal audit has adequate numbers of staff and access to specialists with the technical knowledge required to challenge the business. Last but not least, a standard methodology and a system should be put in place in order to deliver high-quality audits, track recommendations made and follow up on progress.

A case scenario: CMB’s structured approach to risk management

As mentioned at the beginning of this article, Xu Shiqing, Board Secretary, China Merchants Bank (CMB) focused his presentation on the practical implementation of risk management measures by CMB. He outlined the way CMB has adopted a three-tier risk management approach to identify, assess, mitigate and handle risks. He also emphasised that CMB, as a modern bank, has placed great importance on risk control procedures and security measures in the implementation of internet banking.

In the first tier, which represents the headquarters, risks are factored into the formulation of the group’s portfolio management and credit policy. Risks associated with customer life cycle and regional portfolio management are identified, assessed and managed proactively in the second tier. The third tier, which he refers to as front-line, client-facing managers, is where the gatekeeping for approval of loans to and business deals with individual businesses and customers takes place.

‘A bank must ensure that the risk it is willing to tolerate is in line with its business objectives and management philosophies,’ he said, adding that the risk appetite of CMB as a prudent bank is ‘conservative’.

After years of effort, CMB has developed a relatively complete risk management system to identify, assess, mitigate and handle credit and operational risks with the use of scientific tools. The quality of analytics collected has seen tremendous improvements, and these analytics can be used extensively to improve business decision-making and optimise revenue management while reducing risk costs, he added.

CMB’s risk management relies on a ‘check-and-balance’ control system, according to Mr Xu, in which the risk management and sales/marketing units monitor each other and are both supervised by the internal audit unit.

As the first line of defence, the sales/marketing unit is responsible for identifying, assessing and monitoring risks associated with each business or deal. The risk management unit, as the second line of defence, defines rule sets and models, provides technical support, develops new systems and oversees portfolio management. Equally important is that it ensures risks are within the acceptable range and that the first line of defence is effective.

As the final line of defence, the internal audit and compliance unit ensures that the first and second lines of defence are effective through constant inspection and monitoring.

‘As an example, our loan underwriting process is based on a detailed risk assessment and a stringent due diligence process. We pay close attention to the borrower’s cash flow and make sure that the guarantor is not from within the same organisation. We prefer secured loans backed by collaterals to unsecured, risky loans.’

Before committing to a new client, the bank carries out a thorough due diligence process to understand and validate the client’s business, profit, investment, liabilities and risk profile in order to give a complete picture of a company’s balance sheet. Over a longer time span, the bank carries out regular credit analysis on its existing clients and examines local market conditions as part of its ongoing risk rating process.

The role of company secretaries in risk management

Mr Xu emphasised that company secretaries should help the board set up and improve the organisation’s risk management framework; strengthen and maintain the independence and authority of the internal audit unit; and play a facilitative role in the implementation of corporate governance practices, especially those related to risk management.

‘The company secretary should articulate his or her professional opinions on the organisation’s risk management measures at board and special committee meetings while serving as the bridge between the board and management,’ he said, adding that the company secretary is also responsible for true, accurate, complete and timely disclosures of information and assisting in investor relations activities.

Implications and challenges for issuers

The updated CPs regarding issuers’ risk management and internal control practices require listed companies to pay more attention to the effectiveness of risk management. They also require the board to assess and monitor risk management on a regular basis, define clearly the role and responsibilities of the board, management and internal audit function, and improve information disclosure transparency, Mr Xu pointed out.

‘The rule changes have prompted us to redefine the roles and responsibilities of the board and management in risk management in order for the bank to comply with the new requirements. It is inevitable that the accounting and internal audit departments have more work to do and that we have to dedicate more manpower,’ he said. The internal control system also has to be optimised from time to time to adapt to the fast-changing business environment.

Despite the new challenges and extra resources needed, however, he believes that the benefits of better risk management go well above and beyond compliance requirements. ‘More importantly, we consider effective risk management an integral part of our strategy to achieve sustained growth,’ he said.

Roundtable discussion

Li Zhidong FCIS FCS, Assistant General Manager, Shipbuilding Marine and Defence Equipment Co Ltd, said the updates made by the Exchange to the CPs concerning risk management, especially internal control, are quite comprehensive, focusing on effectiveness, accountability and independence. ‘Other than managing different risks in the design, manufacturing and safety management processes, we also strive to minimise foreign exchange risk because an increase in imported raw material costs is likely to hurt the firm’s profitability,’ he said.

To streamline the internal budget approval process, Xie Jilong, Board Secretary of CRRC Corporation Ltd, said his firm has implemented a budget management policy, which authorises different levels of department heads to manage their budget. ‘Our budget management guidance saves a great deal of time in the budget approval process, especially the time of the financial controller. It outlines the responsibilities of budget holders and specifies the maximum amounts they can sign off,’ he explained.

Nuclear power plants need to consider many dimensions of risk in addition to nuclear safety-related risk, said Fang Chunfa, Board Secretary and General Manager of the Investor Relations Department at China General Nuclear Power Corporation. He emphasised that, in order to stay competitive in modern energy markets, nuclear power plants must integrate management of production, safety-related and economic risks in an effective way. ‘Certainly, safety remains our utmost concern,’ he said.

Luo Binhua, Vice-President and Board Secretary of GF Securities Co Ltd, said his firm was one of the early adopters of risk management practices in China’s securities brokerage industry. ‘We have a robust, companywide risk management system to effectively manage market, credit, liquidity and operational risks. It gives us the capacity to identify foresight risks when they occur and take well-prepared actions even in hindsight,’ he said.

In addition to risk management and internal control, Wei Fang, Chief Hong Kong Representative for China National Petroleum Corporation, said he looks forward to more discussions on environmental, social and governance (ESG) reporting in future RBSP meetings organised by the HKICS.


Jimmy Chow
The HKICS/KPMG China report ‘Risk Management: Looking at the New Normal in Hong Kong’ is available in the publications section of the HKICS website:














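  • Although most respondents agree that risk management is an important priority, 34% of the companies surveyed still do not regularly integrate risk management into their strategic decisions and plans.
  • Only 36% of respondents have established a formal risk appetite statement. Without a risk appetite statement, a company will find it difficult to measure accurately the risks involved in achieving a given strategy.
  • Fewer than half (42%) of respondents believe that their companies can effectively help stakeholders understand their risk management solutions. This means that some companies often fail to make their boards, investors and/or regulators aware of the improvement measures they have taken, and so cannot turn those measures into corporate value.
  • The weak link between risk management and incentive mechanisms hinders companies from considering risk factors in their strategic decision-making. 61% of respondents said there is no significant relationship between risk management and remuneration in their companies.
  • Only 43% of respondents believe that the audit work of their internal audit function is clearly linked to the major risks facing the company. In addition, 15% of companies have not established an internal audit function.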



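Senior executives increasingly recognise how difficult it is to manage the external uncertainties their companies face. Factors such as the economic environment, regulatory changes, and growth and innovation are seen as the main risks in the region, so companies must be fully prepared for unforeseeable threats and business opportunities. For local companies, having the appropriate skills to handle this work remains a key challenge. The majority (57%) of the management respondents said they find it difficult to grasp the risk exposures facing the enterprise as a whole, while 61% of the management respondents believe that boards and senior management need to raise their risk management awareness.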


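Investors are increasingly questioning company boards about corporate strategy and its execution. Stronger shareholder oversight and active investor engagement have pushed boards to become more involved in company affairs, beyond their traditional oversight role. The survey shows that boards in the region are stepping up their efforts to make more rigorous demands of, and put more challenging questions to, management on risk management matters. Most respondents (90%) said that their boards have now made risk management a standing agenda item, or regularly discuss risk management matters at board meetings.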






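  1. put risk management on the board agenda so that the board understands the main risks facing the company
  2. establish a risk appetite to define the level and type of risk the company is willing to bear, and use it as the basis for strategic business decisions
  3. develop and roll out risk management measures at the enterprise level to identify, manage and report on the risks facing the company
  4. establish a clear accountability system to manage and monitor risks at the enterprise level
  5. set up an internal audit function to provide independent assurance on the effectiveness of the risk management and internal control systems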










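‘For example, our loan approval process is based on a detailed risk assessment and a stringent due diligence process. We attach importance to the borrower’s own operating cash flow; guarantees between affiliated companies within a group must be strictly managed to guard against falling into a “guarantee circle”; and when choosing the specific form of guarantee for financing affiliated companies, we rely mainly on strong forms of security such as mortgages and pledges,’ he explained.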












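Luo Binhua, Deputy General Manager, Board Secretary and Company Secretary of GF Securities Co Ltd, revealed that GF Securities was one of the first companies in the Mainland’s securities brokerage industry to implement risk management. He said: ‘We have a unified risk management system that effectively manages market, credit, liquidity and operational risks. All businesses, departments and personnel are brought into the unified risk management system, which extends to every stage and step before, during and after the event.’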


