Against a backdrop of political unrest, the ongoing Sino-US trade war and growing environmental threats, there has been a renewed interest among governance professionals in the complex and challenging art of risk management.

In October and November last year, local newspapers reported on the vulnerability of many companies in Hong Kong to data governance risks. Mingpao cited the fact that you could easily obtain the credit reports of the city’s Chief Executive and Financial Secretary through a few simple steps on the TransUnion Hong Kong website in November. Only a month earlier, airline Cathay Pacific had announced a data breach in which 9.4 million passengers’ details were stolen by hackers.    

These headlines are a reminder of the importance of effective risk management. Many companies, even the larger companies and financial institutions that have generally better risk management than smaller companies, are vulnerable to the manifold risks inherent in the current business environment in Hong Kong.

‘We are still far, far away from talking about risk management and governance for many companies in Hong Kong. Even for big companies there is still room for improvement in areas such as information security,’ says Dominic Wu ACIS ACS, Chairman of Asia Financial Risk Think Tank.

KPMG and The Hong Kong Institute of Chartered Secretaries (the Institute) conducted surveys in 2015 and 2017 among senior managers of companies in Hong Kong. The 2017 survey found that, while the Corporate Governance Code changes of 2016 designed to foster a better risk culture among Hong Kong companies had helped improve the oversight of risk, only 69% of the companies interviewed included risk management in strategic decision-making. Both reports give recommendations on how organisations should include risk as a standing boardroom agenda item.

Mr Wu emphasises that the most fundamental step is getting support from the board. ‘First of all, you need commitment from the board. If the board does not agree on the strategic priorities, there’s nothing you can talk about. Once the strategy has been agreed, then you can move on to the governance of risk, the tools to manage risk, the risk appetite statement, the necessary resources and also internal controls.’

Wu also points out that commitment from the board on risk management varies across industries and businesses. This point is echoed by other respondents to this article. ‘Some industries have a strong tradition of risk management – some utilities for example are even better than banks. Banks have a very low risk tolerance, but the utilities have zero risk tolerance. The nature of the industry is such that if you make mistakes, people will die.’

The 2017 HKICS/KPMG survey also highlighted the differences between the financial sector and the non-financial sectors when it comes to assessing risk. It found 47% of respondents from the financial industry see their risk function within the company as ‘mature and well-integrated in business activities with extensive oversight’. This, compared to just 10% of the respondents from the non-financial services sector. When it comes to roles and responsibilities, 63% of the respondents from the finance industry saw their roles as clearly defined for managing risks, compared to just 36% from the non-finance sector.

Social unrest and other uncertainties

Given that Hong Kong has been rocked by social instability in recent months, businesses here are taking risk management a lot more seriously. ‘No company can escape from the risks and it has to face and to prepare for the challenges, no matter what size it is or will be,’ says Mike Chan ACIS ACS, Fraud Control Officer and Head of Operational Risk Management at a top Mainland Chinese bank. 

Facing the challenge requires adopting a structured approach to risk management, which is the fundamental element of governance. ‘We have our operational risk managers in different departments and branches, and they are our so-called first line of defence. Their role is to be the major contact point and the ones that know the whole story and full picture. They use our models and tools and then report to the risk departments that are the second line of defence. If we consider the situation very severe and crucial exposures are identified, we will immediately escalate up to senior management and committees.’

When it comes to incidents like the protests, Mr Chan’s bank has a set of plans in place to ensure business continuity and disaster recovery. ‘We identified critical services through a detailed risk assessment mechanism, called Business Impact Analysis (BIA), for our bank so that we can prioritise our responses in case of incidents or disasters,’ Mr Chan says. After considering and utilising BIA results, the bank develops an operational resilience plan to be ready in case an incident happens near any office, branch network or data centre, ensuring business continuity as well as the safety of staff and customers. The plan stipulates required resources in terms of people, processes and systems, as well as communication plans. ‘We have different levels of alertness and when it reaches a certain level, we scale it up and convene a designated committee meeting urgently with our general managers, Chief Risk Officer, Chief Information and Operation Officer, Chief Financial Officer and different stakeholders to implement our resilience plan within the recovery time. Continuous monitoring is necessary to keep our plans alive,’ Mr Chan says.

Both Mr Chan and Apple Lee ACIS ACS, Deputy Head of Risk Management at Bank of Communications Co Ltd Hong Kong Branch (Bank of Communications Hong Kong Branch), mention that their organisations are in regular contact with the Hong Kong Monetary Authority on the threat level to their branches and the general impacts on their business. Ms Lee says that Bank of Communications Hong Kong Branch has been calling their staff in early when there is a risk of road closures and public transportation disruption. ‘During this period we have been coming to the office earlier than usual. On the day of the general strike, our staff were in the office before the stated time of the strikes,’ she says.

This focus on the operational risks, however, needs to go hand in hand with an awareness of the indirect impacts. ‘First of all you have to assess the direct and indirect impacts on the location of your business, but you also have to ask yourself how this may be affecting your clients. Will your clients’ behaviour and attitudes change? There may be less spending as a result of the protests for instance,’ Mr Wu points out.

He adds that addressing risk involves a wide knowledge of the many uncertainties that may affect the business. Assessing the impact of the ongoing Sino-US trade war, for example, is not just a matter of following the news. ‘Each company is different, with a different exposure and a different client base. You need to take a strategic view and each enterprise needs to do an internal assessment. Think about the new rules of the game – the impact on globalisation, for example. How are you going to find your new position in the shifting global supply chains? Find the threats and also the opportunities,’ he says.

The role of governance professionals

Risk management is an integral part of corporate governance. What then should be the role of governance professionals, in particular company secretaries, in assisting with the management of risk? The Institute has highlighted the importance of asking the right questions and company secretaries can be a crucial part of this in their board advisory and support roles. How often and how effectively is risk addressed by the board? How effective are the risk management internal controls? Does the organisation have a structured framework to identify risks and assess their impact on the business?

Ms Lee emphasises that good communication skills are vital to company secretaries. The company secretary plays a key role in setting up the board agenda for meetings, but given that board meetings are held once every few months, other communication channels outside the meetings are also important. ‘It is really important that the board knows about any internal control failings, because these failings represent potential risk to the company. Cases of cyber-attacks or emails being compromised, for example, should be escalated to the board immediately, perhaps via emergency meetings at the board level,’ she says.

Internal communication channels, such as chat groups and phone lines, are also crucial in keeping management and the board informed, she explains. ‘One of the important things is to convey to the board our recommendations on certain decisions, such as buying expensive insurance for protection and indemnity. The insurance can run up to millions of Hong Kong dollars so we need to ensure the board understands why it is required,’ she says.

Mr Wu points out that the mindset of a risk professional and a company secretary may not always be the same. ‘The role of company secretaries is very important and they do a lot of compliance work, but one very distinctive aspect of risk management is that you have to be very forward looking – you have to be able to tell what will happen tomorrow and how you can deal with it. This does not mean that company secretaries cannot be responsible for risk management, but they would need to have more training because the mindset of a risk professional and a company secretary can be different.’

Mr Chan points out that the issue of who should be responsible for risk management in a company will often come down to the question of resources. ‘The smaller listed companies might not have the resources to have specialised risk officers. A company secretary has a background in compliance and has a strong mindset in corporate governance, so a company secretary with technical competency in risk management becomes a treasure of a company secretary who can help future governance enhancements. More importantly, companies should have a small office or team to be responsible for risk management at the very least. We need to change the mindset that risk management is a cost to companies – it actually helps to reduce financial loss through identifying risk exposures and implementing mitigating measures.’

Risk training

The ongoing situation in both domestic and global environments calls for more training in risk management, respondents to this article agree. ‘Risk management is a profession just like accountancy. I don’t think company owners and managers would hire an accountant who doesn’t do accounting,’ Mr Wu says.

Suggestions for ways risk management professionals can upgrade their skills and knowledge include more scenario-based sharing, talking to peers and other people, and keeping an open mind about future developments.

‘We find that case studies generate the highest level of interest in the internal training at our organisation,’ Ms Lee says. Such case studies focus on actual situations and assess the correct steps needed in each case. The TransUnion Hong Kong branch scenario mentioned at the beginning of this article, for example, is a good case to study in relation to the risks involved in improper storage of sensitive data. The first step here would be to identify the risk and this would be followed by an assessment of the most effective risk mitigation measures.

Ms Lee also mentions that organisations need to think about what kind of risks they need to prioritise. ‘There are a lot of risks to consider and it’s up to you how you prioritise these risks – taking into account for example the frequency or the severity of relevant incidents,’ she says.

Respondents also highlight the potential for future collaboration between different professional bodies and the Institute in risk management training. The Institute has been upgrading its own risk management training in recent years. The transition to the new combined Chartered Secretary and Chartered Governance Professional (CS/CGP) designation has led to a broadening of the curriculum of the Institute’s Enhanced Continuing Professional Development programme and a revised syllabus for its New Qualifying Programme to ensure that CS/CGP professionals have the knowledge and reinforced skill set they need. The new curriculum has a much stronger emphasis on board effectiveness and risk management.

Crisis and opportunity

There is no shortage of high-level risks for businesses to consider at the moment. Respondents to this article highlight liquidity and geopolitical risks among the most significant risks Hong Kong companies will face going forward. Mr Wu urges companies to consider the impact of ‘de-globalisation’ and global reconfiguration of supply chains. News reports have also reported on capital outflow to destinations such as Singapore and such a situation is likely to continue given the political situation in Hong Kong.

‘Companies in Hong Kong need to rethink the new global model. Can you just rely on exports to the US or should you diversify your customer base? Managers need to be aware of this macro climate and future trends. If you don’t put all your eggs in one basket, no matter what happens, you will still have choices,’ he says.

He adds that it is always worth remembering that, even in times of crisis, there are opportunities. ‘Even though your assessment can be very negative, there are always opportunities and it’s also about being positive. Try to reduce the negative impacts and maximise the potential upside,’ he says.

Poo Yee Kai
The 2017 KPMG/HKICS research report mentioned in this article (‘Risk Management: Navigating Change in Hong Kong’) was a follow-up to an earlier report in 2015 (‘Risk Management: Looking at the New Normal in Hong Kong’). Both reports are available in the Publications section of the Institute’s website: