There have been numerous changes to Hong Kong's Corporate Governance Code that require companies to adapt quickly. Kanus Yue, Risk Assurance Partner, PwC Hong Kong, highlights the findings of a recent PwC study designed to assist listed companies to comply with the new requirements of the code.

Companies face an increasing array of challenges. From the rapid pace of technological adoption to amplified industry competition and the recruitment and retention of talent, the number of critical issues increases daily. The shifting regulatory environment adds even greater complexity – companies must not only spend extensive time and effort understanding new regulations, but also understand how the playing field might evolve in the future. In order to understand the state of Hong Kong listed companies’ adoption of the new requirements of Hong Kong's Corporate Governance Code (CG code), we have studied the Corporate Governance Reports (CG reports) of 230 companies in the Hang Seng Index and Hang Seng Chinese Enterprises Index. This study has two main goals. First, the report provides directors, executives and managers with a comprehensive analysis of how ready listed companies are to respond to the new requirements of the revised CG code. The analysis is also diverse – we have included companies from the broader Hang Seng Index (HSI) and the Hang Seng China Enterprises Index (HSCEI), as well as across four industries (financial services, real estate, retail and technology). It provides a baseline of listed company adoption practices in the key areas of risk management and internal controls. Second, the study allows companies to think more deeply and creatively about compliance with the CG code as a value-adding activity. Often times, new regulations and compliance can turn into a 'box-ticking’ activity rather than one that enables companies to unlock value in key areas that will enhance management accountability, strengthen internal control and risk management systems, and improve performance and efficiency. With our experience in helping companies navigate the new requirements of the CG code, we have seen examples of how companies have used this exercise to make themselves more nimble and responsive.

Market trends

From reviewing risk management and internal controls disclosures in over 200 CG reports, some key market trends can be identified and categorised into the following five areas:

1. annual review of risk management and internal control systems
2. risk management system
3. internal audit function
4. management confirmation to the board on systems effectiveness, and
5. other disclosures in CG reports.

1. Annual review of risk management and internal control systems

The revised CG code highlights the board's ongoing responsibility to oversee risk management and internal control systems. The old version of Code Provision C2.1 required that 'directors of an issuer should at least annually conduct a review of the effectiveness of the issuer's and its subsidiaries’ internal control systems and report to the shareholders’. Amended code provision C2.1 puts forth new requirements that:

• the board should oversee the issuer's risk management and internal control systems on an ongoing basis, and
• the board should also ensure that a review of the issuer's and subsidiaries’ risk management and internal control systems has been conducted at least annually, and report to shareholders that it has done so in the corporate governance report.

Our study revealed that a majority of the companies (69%) were early adopters for the disclosure of review for both internal control and risk management systems. By index, early adoption was greater among companies in the HSI (86%) compared to the HSCEI (60%). For examined sectors, financial services (80%) and real estate (75%) illustrated high levels of early adoption compared to retail (57%) and technology (53%). While there were some variances in the sample of companies analysed, it appeared that a majority of companies have developed a process/approach to look at internal control and risk management systems. One of the reasons that HSI constituents perform better is because substantial emphasis and resources are put into risk management and internal control areas to respond to market expectations and regulatory changes. The majority of HSI constituents have made an effort to increase their voluntary disclosure beyond the level of mere compliance. This greater transparency and the additional information disclosed helps investors to analyse the overall risk profiles of the companies and facilitates more informed investment decisions.

2. Risk management system

The latest CG code puts a new emphasis on risk management. Listed companies are required to develop processes to identify, evaluate and manage significant risks, and to determine the main features of risk management (RM) and internal control (IC) systems. Some companies have already been using corporate governance reports as a public platform to detail what type of RM processes are currently in place; to provide a description of the key risks they face; and to include mitigation measures they use to address these risks. Boards are also given an important responsibility – they are tasked with overseeing management in the design, implementation and monitoring of the RM and IC systems, and ensure that effective systems are established and maintained. Our study found that 45% of the companies disclosed the process used to identify, evaluate and manage significant risks. Among indices, HSI companies were clearly ahead of the curve: 64% of HSI companies disclosed their risk management practices, while only 23% of HSCEI companies did. From a sector perspective, a greater variance was observed in disclosure rates: financial services companies (63%) topped the list, followed by real estate (58%), technology (33%) and retail (13%) companies.

3. Internal audit function

Another area of key changes in the CG Code was to highlight the importance of the internal audit (IA) function. Previously, an IA function was a Recommended Best Practice; this is now a Code Provision. As a result, companies are required to establish an IA function and to assess the effectiveness of the IA function on a regular basis.

1. The three major revisions to the CG Code for the IA function are summarised below.
2. Upgraded from Recommended Best Practice C.2.6 to Code Provision C.2.5, issuers should have an IA function, and those who don’t should review the need for it on an annual basis and disclose the reasons for its absence in the corporate governance report.
3. New Code Provision C.2.5 states that the IA function carries out analysis and independent appraisal of the adequacy and effectiveness of the risk management and internal control systems.
4. Amended  Code Provision  C.2.2. states that the board's annual review should ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer's IA function (in addition to its accounting and financial reporting functions).

Our study revealed that 82% of companies disclosed that they had an IA function in CG reports, with almost all HSI companies (94%) and 78% of HSCEI companies making the disclosure. By sector, financial services (93%) and real estate (90%) companies had the highest rates of disclosure. A wider gap emerged among companies that provide detail on the resources and qualifications of IA staff. Only 20% of analysed companies covered the IA function in their annual review to assess and ensure the adequacy of resources, qualifications and experience, training programmes, and the budget of their IA function. While companies in the HSI boasted a disclosure rate (36%) significantly higher than the average, both the HSCEI and retail sector were below the average at 10%.

4. Management confirmation to the board on systems effectiveness

Establishing and maintaining strong risk management and internal controls is critical for the success of any organisation. Regulations also require that companies disclose in their CG reports that their RM and IC systems are operating effectively. In this connection, management is expected to provide a 'confirmation’ to the board on the RM and IC systems’ effectiveness. For management to provide such 'confirmation’, many leading organisations have implemented a control self-assessment (CSA) framework. This allows management to verify that controls are working as expected. By linking key risks to controls, management can carry out periodic testing to form an in-house assessment of their existing (‘as is’) controls that address their key risks, identify weaknesses in internal controls and facilitate the formulation of action plans to address any identified weaknesses. A CSA programme also helps to reinforce control ownership and awareness to line managers. The CSA can be conducted through a variety of different means, such as questionnaires or checklists. The process can be reviewed by internal auditors and form part of the board's assessment of control effectiveness. Our study found that 36% of the companies adopted CSA to assess their internal controls by management. There was significant divergence across indices and sectors on using CSA. This was one of the areas in the study where the adoption rate among HSCEI companies (65%) surpassed that of HSI companies (48%). However, only 3% of the directors of these HSCEI companies said they received management confirmation of their RM and IC systems’ effectiveness. HSI companies evidenced a much smaller disclosure gap between the number of companies adopting the CSA practice (48%) and directors of those companies receiving management confirmation (32%).

5. Other disclosures in CG reports

PwC's study found that 43% of companies have disclosures related to handling inside information in their CG reports. The level of disclosure is higher among HSI companies (58%) than HSCEI companies (30%). From a sector perspective, companies in real estate (63%) and financial services (55%) are early adopters and have met inside information disclosure requirements. Disclosure was marginally lower among companies in retail and technology, at 23% each.

The way forward

As this study has shown, there have been numerous changes to the CG code that require companies to adapt quickly. The study has also illustrated diverging patterns of adoption among companies in different sectors, particularly in the area of risk management practices. Companies may be at different stages of adoption and need assistance in different areas. Based on the findings of the study, we have identified six key areas for the way forward, where companies may have questions or need further information to help assess their current progress.

1. Perform a gap analysis against the revised CG code

• Benchmark current practices against the revised CG code requirements.
• Identify the gap and work out a plan to remediate it.

2. Formalise and enhance your risk management system

• Enhance/set up a robust risk management system.
• Develop a proper risk management structure, policy and procedures.
• Perform a risk assessment, and identify key risks faced by the company, the risk owners and risk mitigating actions.
• Report results to management and the board/audit committee.

3. Develop a control self-assessment framework

• Develop a CSA mechanism (for example via the use of CSA questionnaire and/or on-site visit) to facilitate management assessment of internal controls at the issuer and subsidiaries level.
• Summarise the results of CSA and report to management and the board/audit committee.
• Rectify any control gaps identified and enhance the internal control system.

4. Assess your internal audit function

• Conduct a quality assessment review to assess the adequacy and effectiveness of the IA function.
• Areas under review include, but are not limited to: IA's roles and responsibilities, authority, structure, resources, staff qualifications and experience, training programmes and budget.
• Report results to management and the board/audit committee; and agree and implement the action plan for IA function enhancement.

5. Review compliance to Section C.2 of the CG code

• Establish a robust and comprehensive review mechanism to ensure that the company complies with Code Provision C.2. Summarise the review results and report to the board on the effectiveness of the risk management and internal control systems.
• Review listing rules compliance process, for example inside information regulations.

6. Strengthen CG report disclosure

• Understand market expectations and best practices in corporate governance disclosure.
• Determine corporate governance report disclosure strategy in relation to risk management and internal control.
• Draft the disclosure and submit for management and the board/audit committee review.

At the end of the day, 'cracking the code' is not a one-off effort. However, once a company has established robust systems and proper processes to deal with changing regulations, many find that being ahead of the curve affords them advantages that increase their competitiveness and improve relations with investors. Kanus Yue Risk Assurance Partner, PwC Hong Kong Copyright 2017 PricewaterhouseCoopers. All rights reserved.