CSj takes a look at recent revisions to Hong Kong's Corporate Governance Code designed, among other things, to clarify that the board has an ongoing responsibility to oversee companies' risk management and internal control systems.

If the global financial crisis taught the world only one lesson, it was the importance of detecting and dealing with risks. Since the crisis, as you might expect, risk governance and internal controls have become key areas for companies – listed and private, global and national – to ensure that unpredicted events or challenging trends are dealt with so that threats are minimised and opportunities seized. Companies are not the only market participants getting involved – regulators in most markets around the world have been revising their compliance requirements relating to risk governance and trying to foster a 'risk culture'. In December 2014 the stock exchange amended Hong Kong's Corporate Governance Code to highlight the importance of risk management and effective internal controls. In summary, the main changes to the Code include:
  • incorporating risk management into the Code where appropriate
  • defining the roles and responsibilities of the board and management
  • clarifying that the board has an ongoing responsibility to oversee the issuer's risk management and internal control systems
  • upgrading to Code Provisions the Recommended Best Practices regarding the annual review of the effectiveness of the issuer's risk management and internal control systems, and disclosures in the Corporate Governance Report, and
  • upgrading to a Code Provision the Recommended Best Practice that issuers should have an internal audit function, and those without to review the need for one on an annual basis.
The revisions to the Code will apply to accounting periods beginning on or after 1 January 2016, so companies still have up to two years before compliance with the new Code Provisions falls due. Moreover, Code Provisions are not mandatory Listing Rules; companies can adopt alternative measures as long as they explain these to stakeholders in their Corporate Governance Reports.

David Graham, Chief Regulatory Officer and Head of Listing at Hong Kong Exchanges and Clearing Ltd (HKEx), explained that good management of risks – that threaten the achievement of the strategic and operational objectives of an organisation – is a core element of good corporate governance. 'The amendments to the Corporate Governance Code which we adopted in the consultation conclusions published in December 2014 are intended to help improve the overall corporate governance standards of our issuers and to bring our Code in this area more in line with the latest international best practices', he told CSj.

The amendments emphasise that internal controls are an integral part of risk management. While risk management focuses on identifying threats and opportunities, internal control helps counter the threats and take advantage of opportunities. The amendments also focus on ensuring that stakeholders are informed of the effectiveness of companies' risk management and internal control systems.

Investors are taking an increased interest in this area. According to a survey conducted by accountancy firm EY, more than 80% of institutional investors are willing to pay a premium for companies with good risk management practices. Similarly, a majority of respondents to the same survey said that they had passed up the opportunity to invest in a company because they believed risk management was insufficient. 'Understandably, investors don't like negative surprises – they want to know things are under control; they want open communication and information on control systems', the EY report said.
'One thing is certain: investors can't value what they can't see. As well as being critical to the overall success of a business, a good investor communications programme is a key tool of risk management'.

The impact of the Code changes

Other jurisdictions, such as the UK, Australia and Singapore, have already adopted similar requirements within their respective corporate governance codes. For many companies with overseas listings, therefore, the new rules will not require any significant changes. Paul Stafford FCIS FCS, Corporation Secretary and Regional Company Secretary Asia-Pacific of the Hongkong and Shanghai Banking Corporation (HSBC), welcomes the amendments to the Code and explains that they will help align the rules on risk management globally. 'Many of the changes have already happened in the jurisdictions where we are subject to similar rules. So in many ways, these represent an alignment with other markets where we're already in operation to the same sorts of expectations', he said. 'This is particularly the case for financial services and banking companies where there has been a huge focus on risk management over many years, and especially since the global financial crisis'.

A few years ago, HSBC established separate audit and risk committees. Although there are overlapping areas between the audit and risk committees, responsibilities and skill sets among its members are somewhat different. Paul Stafford said he appreciates that the HKEx Code will now provide flexibility for companies to operate with separate audit and risk committees as well as a single audit committee. He also said the separation of audit and risk committees brings new challenges for the company secretary because of the crossover of responsibilities between the two committees. 'Having two separate committees sometimes raises interesting situations', he said. 'In some cases we have to work out if it's an audit committee question or a risk committee question. Sometimes the answer is that it's both'. Internal control is a good example, he added. Internal control over financial reporting would tend to be within the audit committee's remit, but internal control in general will fall within the risk committee's remit.
Having a separate risk committee is not obligatory under the revised Code. HKEx leaves it up to issuers to decide this question for themselves. For some issuers, the consultation paper states, it may be appropriate to establish a risk committee. But for others – particularly smaller issuers with fewer directors – establishing another board committee may be a strain on their resources. In those cases, the paper adds, the risk committee would be likely to comprise the same directors that sit on all the other board committees. Most audit committees already take responsibility for risk management and internal control. Some companies prefer to keep it that way rather than create a separate risk committee.

Edith Shih FCIS FCS(PE), Head Group General Counsel and Company Secretary at Hutchison Whampoa, is also supportive of the new requirements – she points out that risk management and internal control go hand in hand. For the port-to-telecom conglomerate, the Code revisions won't mean any major changes – risk management and internal controls have for years been an integral part of its operations. At Hutchison Whampoa the board takes responsibility for internal control and risk management of the company. The monitoring is delegated to the audit committee, Edith Shih explained. They do not have a separate risk committee. 'Risk management is such an integral part of corporate governance that it's right that the Code changes have been introduced', she said. 'Some think that it would have been better to introduce them earlier, but I understand that many smaller companies might not have had the manpower and infrastructure to deal with the requirements all at once'. Some of Hutchison Whampoa's business units, like Canadian oil and gas company Husky Energy, have a separate risk committee due to their specialised business areas where risk management is particularly important.
Hutchison Whampoa follows an internal control model promoted by COSO, the Committee of Sponsoring Organisations of the Treadway Commission. The model – effected by an organisation's board of directors, management and other personnel – is basically designed to provide guidance for effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Under this model, the board assesses risk and internal control in all of Hutchison Whampoa's business units. Focus is somewhat different in the Group's different units depending on their business nature and risk profile. Its retail businesses, like ParknShop and Watsons, have tight control of cash and stock management, while its container port business unit focuses a great deal on safety for employees and machinery. Still, there is a framework of questions which all business units have to reply and report back on to the board. It is essentially a top-down process to scrutinise the effectiveness of internal control and to safeguard shareholder value. The model is based on self-assessment but is not solely reliant on self-assessment, Edith Shih explained. 'It is a very stringent system', she said. After all the questions have been answered, the managing director and finance director of each business unit have to sign and confirm the responses given. Then the company's internal auditor conducts his separate review and provides his own report which is compared against that of the business units. The work of the internal auditor is then verified by the external auditor. Finally, the board assures in the company's annual report that the risk and internal control review is satisfactory. The risk management and internal control review is ongoing throughout the year but the company provides a report twice a year, in its interim and annual reports.

Who is responsible for looking after risk?

Ultimately the responsibility for risk management rests with the board, but a good company secretary will be closely involved in the process in a number of ways. Company secretaries are not only there to handle the paperwork, Edith Shih points out – they assist in monitoring and policing the risk management process, ensuring that a risk review is on the board's agenda and providing advice to the board in this area. This advisory function is one area where the company secretary's services are increasingly in demand because tougher regulations have increased directors' responsibility and potential liability.

As mentioned earlier in this article, the recent amendments to the Code aim to improve the definition and understanding of the roles and responsibilities of the board and management in risk management. Andrew Weir, Regional Senior Partner of KPMG in Hong Kong, points out that the amendments to the Code include new principles that clearly distinguish the role of the board from the role of management. Boards are being encouraged to promote a 'risk awareness' culture rather than one of compliance, and this starts with robust discussion of risk and control in the boardroom. The principles state that the board is responsible for determining and evaluating the risks the company is willing to take, while management is responsible for designing, implementing and monitoring the risk management and internal control systems. Management should also provide confirmation to the board of the effectiveness of these systems. 'Ultimate responsibility rests with the board, however everyone within the organisation has a role to play', Andrew Weir said. 'This is why culture is such an important factor'. This will give company secretaries a key role to play, he added. They will be involved in both the implementation of a structured approach to risk management and in promoting the importance and benefits of effective risk management across the organisation.
Best practice risk management employs a 'three lines of defence' model reporting to the board. Operational management and oversight functions form the first and second lines, and a third line of defence is provided by internal auditors. As mentioned earlier, the recent amendments to the Code have introduced a Code Provision that issuers should have an internal audit function. This is intended to help issuers carry out analysis and independent appraisal of their risk management and internal control systems. This Code Provision is likely to attract significant attention from a compliance point of view. Today, only half of the companies listed on the Hong Kong stock exchange have an internal auditor. Moreover, hiring one is easier said than done – HKEx warned in its consultation paper on risk management that there is a limited supply of qualified, experienced internal audit personnel. There may also be concerns about the independence of the internal audit function in smaller companies, as some issuers may use existing staff involved in preparing the issuer's financial statements to conduct the internal audit as well. The effort needed to implement risk management should not be underestimated, but those companies that do so effectively will find that it has clear operational and governance benefits.

Things to look out for

Since the 2008 global financial crisis, risk has been most often identified with financial risk, but this is far from being the only area of risk that companies need to monitor. Today, organisations face a wide range of uncertain internal and external factors that may affect the achievement of their objectives. The risk agenda has broadened into many different areas including: operational, regulatory, legal, social, environmental and reputational risks. Worryingly, there are many areas of risk that are overlooked or ignored. Andrew Weir lists some risks that he believes deserve greater attention than they are currently getting.
  • Regulation in Hong Kong, across Asia and globally is growing in its complexity and companies need to make sure they are abreast of all requirements that apply to the markets that they operate in. A company's regulatory burden is multiplied when it operates across multiple jurisdictions.
  • Cybersecurity is often an area overlooked by organisations and frequently delegated to the head of IT. There is a self-review risk inherent in this that has exposed numerous organisations to data and financial loss.
  • There is the risk of overconfidence in a company's ability to mitigate risks. The question needs to be asked whether an organisation is sufficiently prepared for an anticipated or unexpected event. Companies need to ask: are good risk management practices in place? Have they been tested? If we haven't been exposed in the past, is it due to good management or good luck?
  • The rise of social media and the increasing speed at which information travels is also impacting the speed at which companies must react to adverse events. There have been many examples in recent months which show both markets and regulators to be unforgiving to companies who are unable to respond effectively with sufficient speed.
Another peril is that risk committees still tend to rely on information generated within the business. Risk management and internal control need to encompass a wider perspective since organisations are affected by many variables – often outside their direct control.

Johan Nylander, Journalist

The HKEx consultation paper and consultation conclusions regarding the recent Corporate Governance Code changes are available on the HKEx website (www.hkex.com.hk). Relevant Frequently Asked Questions can also be downloaded from the 'Rules & Regulations/Rules and Guidance on Listing Matters/Interpretation and Guidance' section of the HKEx website.

SIDEBAR: In other words

"The amendments to the Corporate Governance Code which we adopted in the consultation conclusions published in December 2014 are intended to help to improve the overall corporate governance standards of our issuers and to bring our Code in this area more in line with the latest international best practices."
David Graham, Chief Regulatory Officer and Head of Listing at Hong Kong Exchanges and Clearing Ltd (HKEx)

"Many of the changes have already happened in the jurisdictions where we are subject to similar rules. So in many ways, these represent an alignment with other markets where we're already in operation to the same sorts of expectations."
Paul Stafford FCIS FCS, Corporation Secretary and Regional Company Secretary Asia-Pacific of the Hongkong and Shanghai Banking Corporation (HSBC)

"Risk management is such an integral part of corporate governance that it's right that the Code changes have been introduced. Some think that it would have been better to introduce them earlier, but I understand that many smaller companies might not have had the manpower and infrastructure to deal with the requirements all at once."
Edith Shih FCIS FCS(PE), Head Group General Counsel and Company Secretary at Hutchison Whampoa

"Ultimate responsibility [for risk management] rests with the board, however everyone within the organisation has a role to play. This is why culture is such an important factor."
Andrew Weir, Regional Senior Partner, KPMG Hong Kong