The latest HKICS Regional Board Secretaries Panel (RBSP) meeting, held in Hong Kong last month, focused on the management of risk from the perspective of Mainland companies listed in Hong Kong.

On 14 January this year, more than 30 corporate secretaries representing various Hong Kong-listed companies from the Mainland gathered at the Regional Board Secretaries Panel (RBSP) meeting hosted by the HKICS to talk about their experiences and views on risk management.

Dr Gao Wei FCIS FCS(PE), HKICS Vice-President and Board Secretary and General Counsel, Sinotrans Ltd, highlighted the new requirements regarding risk management and internal controls in Hong Kong's Corporate Governance Code (the Code), Appendix 14 of the listing rules. He emphasised that Hong Kong-listed companies, both as a result of the new regulatory requirements and as a prudent corporate governance measure, need to adopt a structured approach to risk management. Dr Gao also highlighted the findings and recommendations of the recent HKICS/KPMG China survey on risk management – Risk Management: Looking at the New Normal in Hong Kong.

Dr Gao was followed at the podium by Xu Shiqing, Board Secretary, China Merchants Bank (CMB). Mr Xu gave attendees insights into the practical implementation of risk management measures by CMB and the role of the board secretary in risk management. The presentations by Dr Gao and Mr Xu were followed by a roundtable discussion which gave attendees the opportunity to share views on the new risk management requirements in Hong Kong and to share their experiences in the practical implementation of risk management and internal control systems.

Risk management overview

Effective 1 January 2016, Hong Kong Exchanges and Clearing (the Exchange) has brought in new listing rule requirements relating to risk management and internal controls. The Exchange's amendments to the Code are aimed at integrating risk management into the Code; defining the roles and responsibilities of the board and management; and clarifying that the board has an ongoing responsibility to oversee risk management and internal control systems. Other changes include upgrades of certain recommendations to Code Provisions (CPs) regarding the annual review of the effectiveness of issuers’ risk management and internal control systems and disclosures in the Corporate Governance Report. Issuers are also required by a new CP to have an internal audit function in place.

As a result of the renewed regulatory requirements and the increased focus on risk governance, Hong Kong-listed companies need to adopt a structured approach to risk management to mitigate risks that can threaten the achievement of their objectives, Dr Gao emphasised. He also highlighted the recent HKICS/KPMG China survey on risk management – Risk Management: Looking at the New Normal in Hong Kong – which assesses the readiness of issuers for the more stringent requirements regarding risk management and internal control. Specifically, the survey aims to capture what the ‘new normal’ for risk management looks like in the region. This survey gathered data from 279 respondents from across a range of industries. Below are the highlights of the survey's findings which Dr Gao shared with the participants.
  • Despite the fact that the vast majority of respondents to the survey consider risk management as a priority on their board agenda, 34% do not regularly factor risk considerations into their planning decisions.
  • Only 36% of respondents have fully developed a formal risk appetite statement which has been approved by the board and implemented.
  • Only 42% of respondents believe that their companies could effectively help stakeholders understand the risk management solutions implemented, especially the underlying risk/return trade-off.
  • The survey results also suggest that the correlation between risk management and the incentive structure of frontline employees tends to be weak, as about 61% of the respondents said there is no significant relation between the two.
  • Only 43% believe that their internal audit could provide assurance that the top board risks are being managed. In addition, about 15% of the surveyed companies said they did not have an internal audit function.
These findings indicate that, while directors and senior executives are increasingly thinking about the risks their organisations face, there are many areas where they are failing to translate this raised awareness of risk into effective management of risk. Dr Gao also highlighted some of the useful recommendations of the HKICS/KPMG China survey relevant to Hong Kong-listed companies from the Mainland.

Awareness of external emerging risks

External uncertainties such as the macroeconomic environment, regulatory changes and innovations are viewed as the region's top risks. Businesses need to prepare themselves for the unexpected threats and opportunities arising therefrom. However, possessing the right skill set to do so remains a key challenge. The majority (57%) of the respondents cited difficulties in understanding enterprise-wide risk exposures, and 61% indicated the need for better board and senior management team awareness.

Changing regulatory requirements

The recent amendments to the Code are seen as a significant step in bringing risk governance in line with more mature global markets. The change mandates new responsibilities for the boards, management and internal audit functions of companies listed in Hong Kong. Boards are now required to determine and evaluate the level of risk they are willing to take to achieve their objectives. Management is held responsible for designing, implementing and monitoring controls to manage the risk, while internal audit needs to provide an independent appraisal of the systems.

Imperatives towards a structured approach to risk management

In view of the market trends outlined above, companies are recommended to adopt five imperatives to develop a structured approach to risk management:
  1. establish risk management as a boardroom item and provide boards with insights on the top risks facing the business
  2. establish a risk appetite statement to define the level and type of risk the business is willing to accept, and use it to drive strategic business decisions
  3. develop and roll out enterprise-wide risk management practices to identify, manage and report on risks facing the business
  4. define clear accountabilities for the management and oversight of risks across the organisation, and
  5. set up an internal audit function that provides independent assurance for the effectiveness of the risk management and internal control systems.
Regarding the need to develop a risk appetite statement (see item 2 above), executives are recommended to articulate the company's strategic objectives and performance drivers, align the risk profile to business and capital management plans, and then define and agree on thresholds in order to develop risk indicators for monitoring and reporting. The statement should finally be approved by the board, and then communicated and integrated across the organisation.

Developing an internal audit function (see item 5 above) that works requires a balance between its positioning in the organisation, the quality of its people and the processes in place to help it achieve its objectives. ‘Internal audit should have unfettered access to top executives, and its reporting lines should not compromise its independence,’ Dr Gao recommended. An appropriate people strategy should also be defined so that internal audit has adequate numbers of staff and access to specialists with the technical knowledge required to challenge the business. Last but not least, a standard methodology and a system should be put in place in order to deliver high-quality audits, track recommendations made and follow up on progress.

A case scenario: CMB's structured approach to risk management

As mentioned at the beginning of this article, Xu Shiqing, Board Secretary, China Merchants Bank (CMB), focused his presentation on the practical implementation of risk management measures by CMB. He outlined the way CMB has adopted a three-tier risk management approach to identify, assess, mitigate and handle risks. He also emphasised that CMB, as a modern bank, has placed great importance on risk control procedures and security measures in the implementation of internet banking.

In the first tier, which represents the headquarters, risks are factored into the formulation of the group's portfolio management and credit policy. Risks associated with customer life cycle and regional portfolio management are identified, assessed and managed proactively in the second tier. The third tier, which he refers to as front-line, client-facing managers, is where the gatekeeping for approval of loans to and business deals with individual businesses and customers takes place. ‘A bank must ensure that the risk it is willing to tolerate is in line with its business objectives and management philosophies,’ he said, adding that the risk appetite of CMB as a prudent bank is ‘conservative’.

After years of efforts, CMB has developed a relatively complete risk management system to identify, assess, mitigate and handle credit and operational risks with the use of scientific tools. The quality of the analytics collected has improved tremendously, and they can be used extensively to improve business decision-making and optimise revenue management while reducing risk costs, he added.

CMB's risk management relies on a ‘check-and-balance’ control system, according to Mr Xu, in which the risk management and sales/marketing units monitor each other and are both supervised by the internal audit unit. As the first line of defence, the sales/marketing unit is responsible for identifying, assessing and monitoring risks associated with each business or deal. The risk management unit, as the second line of defence, defines rule sets and models, provides technical support, develops new systems and oversees portfolio management. Equally important is that it ensures risks are within the acceptable range and that the first line of defence is effective. As the final line of defence, the internal audit and compliance unit ensures that the first and second lines of defence are effective through constant inspection and monitoring.

‘As an example, our loan underwriting process is based on a detailed risk assessment and a stringent due diligence process. We pay close attention to the borrower's cash flow and make sure that the guarantor is not from within the same organisation. We prefer secured loans backed by collateral to unsecured, risky loans.’

Before committing to a new client, the bank carries out a thorough due diligence process to understand and validate the client's business, profit, investment, liabilities and risk profile in order to give a complete picture of a company's balance sheet. Over a longer time span, the bank carries out regular credit analysis on its existing clients and examines local market conditions as part of its ongoing risk rating process.

The role of company secretaries in risk management

Mr Xu emphasised that company secretaries should help the board set up and improve the organisation's risk management framework; strengthen and maintain the independence and authority of the internal audit unit; and play a facilitative role in the implementation of corporate governance practices, especially those related to risk management. ‘The company secretary should articulate his or her professional opinions on the organisation's risk management measures at board and special committee meetings while serving as the bridge between the board and management,’ he said, adding that the company secretary is also responsible for true, accurate, complete and timely disclosures of information and assisting in investor relations activities.

Implications and challenges for issuers

The updated CPs regarding issuers’ risk management and internal control practices require listed companies to pay more attention to the effectiveness of risk management. They also require the board to assess and monitor risk management on a regular basis, define clearly the role and responsibilities of the board, management and internal audit function, and improve information disclosure transparency, Mr Xu pointed out. ‘The rule changes have prompted us to redefine the roles and responsibilities of the board and management in risk management in order for the bank to comply with the new requirements. It is inevitable that the accounting and internal audit departments have more work to do and that we have to dedicate more manpower,’ he said. The internal control system also has to be optimised from time to time to adapt to the fast-changing business environment.

Despite the new challenges and extra resources needed, however, he believes that the benefits of better risk management go well above and beyond compliance requirements. ‘More importantly, we consider effective risk management an integral part of our strategy to achieve sustained growth,’ he said.

Roundtable discussion

Li Zhidong FCIS FCS, Assistant General Manager, Shipbuilding Marine and Defence Equipment Co Ltd, said the updates made by the Exchange to the CPs concerning risk management, especially internal control, are quite comprehensive, focusing on effectiveness, accountability and independence. ‘Other than managing different risks in the design, manufacturing and safety management processes, we also strive to minimise foreign exchange risk because an increase in imported raw material costs is likely to hurt the firm's profitability,’ he said.

To streamline the internal budget approval process, Xie Jilong, Board Secretary of CRRC Corporation Ltd, said his firm has implemented a budget management policy, which authorises different levels of department heads to manage their budget. ‘Our budget management guidance saves a great deal of time in the budget approval process, especially the time of the financial controller. It outlines the responsibilities of budget holders and specifies the maximum amounts they can sign off,’ he explained.

Nuclear power plants need to consider many dimensions of risk in addition to nuclear safety-related risk, said Fang Chunfa, Board Secretary and General Manager of the Investor Relations Department at China General Nuclear Power Corporation. He emphasised that, in order to stay competitive in modern energy markets, nuclear power plants must integrate management of production, safety-related and economic risks in an effective way. ‘Certainly, safety remains our utmost concern,’ he said.

Luo Binhua, Vice-President and Board Secretary of GF Securities Co Ltd, said his firm was one of the early adopters of risk management practices in China's securities brokerage industry. ‘We have a robust, companywide risk management system to effectively manage market, credit, liquidity and operational risks. It gives us the capacity to identify foresight risks when they occur and take well-prepared actions even in hindsight,’ he said.

In addition to risk management and internal control, Wei Fang, Chief Hong Kong Representative for China National Petroleum Corporation, said he looks forward to more discussions on environmental, social and governance (ESG) reporting in future RBSP meetings organised by the HKICS.

Jimmy Chow
Journalist

The HKICS/KPMG China report ‘Risk Management: Looking at the New Normal in Hong Kong’ is available in the publications section of the HKICS website: www.hkics.org.hk.

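Focus on risk

Last month, the 2016 Company Secretaries/Board Secretaries Roundtable of the Hong Kong Institute of Chartered Secretaries (HKICS) was held in Hong Kong. Representatives of a number of Mainland enterprises listed in Hong Kong came together to share their views on risk management and their experience of implementing internal control systems.

On 14 January this year, more than 30 board secretaries and company secretaries of Mainland enterprises listed in Hong Kong attended the Company Secretaries/Board Secretaries Roundtable organised by the HKICS, sharing their views on risk management and their practical experience of implementing internal control systems.

Dr Gao Wei, Board Secretary and General Counsel of Sinotrans Ltd, first explained to attendees the new requirements on risk management and internal control in Hong Kong's Corporate Governance Code. He emphasised that Hong Kong-listed companies, whether to comply with the new regulatory requirements or to strengthen corporate governance, need to adopt a systematic risk management approach to reduce corporate risk.

Last year, the HKICS and KPMG China jointly conducted a questionnaire survey entitled Risk Management: Looking at the New Normal in Hong Kong, and Dr Gao briefly presented its findings and analysis. He was followed by Xu Shiqing, Board Secretary of China Merchants Bank Co Ltd, who shared his understanding of risk management and the internal control measures adopted by China Merchants Bank, and described the role the company secretary plays in the process.

After the presentations by Dr Gao and Mr Xu, some attendees exchanged views on the risk management requirements of the Corporate Governance Code and on their experience of implementing risk management and internal control.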

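Risk management overview

In 2014, Hong Kong Exchanges and Clearing Ltd (the Exchange) proposed amendments to the Corporate Governance Code (Appendix 14 of the Listing Rules) that strengthen the requirements on issuers regarding risk management and internal control: incorporating risk management into the Code; defining the powers and responsibilities of the board and management in risk management; and making clear the board's long-term responsibility to oversee, on an ongoing basis, the effective implementation of risk management and internal control systems. The new requirements took effect in January 2016.

This round of amendments also upgrades to Code Provisions certain earlier recommendations on the annual review of the effectiveness of issuers’ risk management and internal control systems, and requires disclosure of this in the Corporate Governance Report. A new Code Provision also requires issuers to have an internal audit function.

Dr Gao went on to say that, in view of this, Hong Kong-listed companies need to adopt a systematic mechanism for risk management so as to reduce and manage risk while achieving their corporate objectives. At the meeting he shared the findings and analysis of the risk management survey report, which examines whether listed companies are adequately prepared for risk management and internal control, and seeks to understand the ‘new normal’ of risk management under the new requirements. The survey collected data from 279 respondents across a range of industries.

Below is a summary of the report's findings:
  • Although most respondents agree that risk management is an important priority, 34% of the companies surveyed still do not regularly integrate risk management into their strategic decisions and plans.
  • Only 36% of respondents have established a formal risk appetite policy. Without one, a company will find it difficult to measure accurately the risks involved in achieving a given strategy.
  • Fewer than half (42%) of respondents believe their company can effectively help stakeholders understand its risk management solutions. This means some companies are often unable to make their board, investors and/or regulators understand the optimisation measures they have taken, and so cannot turn those measures into corporate value.
  • The weak relationship between risk management and incentive mechanisms hinders the consideration of risk factors in companies' strategic decision-making. 61% of respondents said there is no significant relationship between risk management and remuneration at their company.
  • Only 43% of respondents believe that the audit work of their internal audit function is clearly linked to the key risks the company faces. In addition, 15% of companies have not established an internal audit function.
The results show that, although directors and senior management are paying more attention to the risks their organisations face, there are still many shortcomings in raising risk awareness and embedding it effectively in internal control systems. Given the market's greater focus on risk governance, Hong Kong companies must adopt a systematic risk management approach to reduce the risks that may hinder the achievement of business objectives. The report recommends five imperatives to help listed companies develop a systematic risk management approach.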

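Risk management awareness of external emerging risks

Senior executives increasingly recognise how arduous it is to manage the external uncertainties facing their companies. Factors such as the economic environment, regulatory change, and growth and innovation are seen as the main risks in the region, so companies must be fully prepared for unforeseeable threats and business opportunities. For local companies, having the appropriate skills to handle this work remains a key challenge. The majority (57%) of management respondents find it difficult to grasp the risk exposures facing the company at the enterprise-wide level, while 61% of management respondents believe the board and senior management need to raise their risk management awareness.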

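Investor activism intensifies and boards focus more on risk management

Investors are increasingly questioning company boards about strategy and execution. Stronger shareholder oversight and active investor participation are prompting boards to become further involved in company affairs, beyond their traditional oversight role. The survey shows that boards in the region are stepping up efforts to make stricter demands of, and put tougher questions to, management on risk management matters. The majority of respondents (90%) said their board has now made risk management a standing agenda item, or discusses risk management matters regularly at board meetings.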

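Changing regulatory requirements

Regulators around the world are assessing whether their corporate governance regimes are adequate, to ensure they accord with best practice; this has become the prevailing trend. In Hong Kong, the regulator has updated the Corporate Governance Code and Corporate Governance Report applicable to Hong Kong-listed companies, a significant step in bringing Hong Kong companies' risk governance in line with more mature global markets.

The regulatory changes give new tasks to the boards, management and internal audit functions of Hong Kong-listed companies. Notably, boards now need to evaluate and determine the level of risk they are willing to take to achieve their stated corporate objectives; management is responsible for designing and implementing risk control measures and monitoring their implementation; and the internal audit function needs to carry out an independent appraisal of the systems.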

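The five imperatives recommended by the report

Based on the above survey findings, the report recommends five imperatives for developing a systematic risk management approach:
  1. make risk management a board agenda item so that the board understands the main risks the company faces
  2. establish a risk appetite to define the level and type of risk the company is willing to bear, as the basis for strategic business decisions
  3. develop and roll out risk management measures at the enterprise level to identify, manage and report on the risks the company faces
  4. establish a clear accountability system to manage and monitor risks at the enterprise level
  5. set up an internal audit function to provide independent assurance on the effectiveness of the risk management and internal control systems
In establishing a risk appetite (imperative 2), a company should first set out clearly its strategic objectives and performance drivers. The next step is to define, for each main driver, the acceptable level of unexpected loss and the areas of zero risk tolerance, so as to ensure that the company's risk profile is consistent with its business and capital management plans. Once these limits have been developed and agreed, risk indicators should be developed for monitoring and reporting. Finally, the risk appetite should be formally approved by the board and effectively communicated and integrated throughout the company.

In implementing imperative 5, a company should first set up an internal audit function and strengthen independent assurance, finding a balance between its positioning within the company, the quality of its people and its operating processes so as to achieve the intended objectives. Dr Gao added that the internal audit function should have unrestricted access to top management at any time, and its reporting arrangements must not compromise its independence.

At the same time, the company should formulate an appropriate human resources strategy to ensure the internal audit function has sufficient staff, with specialists well versed in the relevant knowledge to review the business; it should also put arrangements in place to ensure internal audit staff understand the details of business processes and can give incisive, practical advice from a commercial perspective.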

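Case sharing: China Merchants Bank's systematic risk management system

Xu Shiqing, Board Secretary of China Merchants Bank, focused on the bank's arrangements for, and practical implementation of, risk management measures. He explained that China Merchants Bank has implemented a three-tier risk management approach to identify, assess, mitigate and handle risks. He emphasised that, as a modern bank, China Merchants Bank attaches great importance to risk control procedures for internet banking and has implemented rigorous information security measures.

The first tier is the group headquarters level, responsible for portfolio management and credit policy; the second tier is the branches, mainly responsible for the full customer life cycle and regional portfolio risk control; the third tier is the front-line business teams, which handle admission and approval for individual customers and individual transactions (including financial indicators, guarantees and collateral, and the ‘three checks’ on loans). He said: ‘A bank must ensure that the risk it is willing to bear is consistent with its business objectives and management philosophy, and China Merchants Bank's risk appetite is prudent.’

After years of effort, China Merchants Bank has now initially built a relatively complete credit, market and operational risk management system; its risk governance structure has been optimised, the level of fine-grained risk management has risen substantially, data quality has improved markedly and business applications continue to deepen. Meeting the standards of the new accord has provided scientific tools for strengthening risk management and laid the foundation for systematically raising the level of risk management, while also playing a significant role in reducing capital consumption.

China Merchants Bank's risk management system is based on a three-way balance of powers: the risk management department and the marketing and business department are both supervised by the audit department, and the two also check and balance each other.

As the first line of defence, the marketing line is responsible for risk identification, risk measurement and risk monitoring, ensuring that the risk of each individual transaction is controllable. The second line of defence, the risk management line, sets rules, designs models, provides technical support, develops systems and manages portfolios, ensuring that risk at the portfolio level is controllable and that the first line of defence is effective. The third line of defence, the audit and compliance department, ensures the effectiveness of the first and second lines through inspection and supervision.

‘For example, our loan approval process is based on detailed risk assessment and strict due diligence procedures. We attach importance to the borrower's own operating cash flow; guarantees between affiliated companies within a group must be strictly managed to guard against falling into a “guarantee circle”; and in choosing the specific form of guarantee for financing affiliated companies, we rely mainly on strong forms of security such as mortgages and pledges,’ he explained.

Before approving a new loan customer, China Merchants Bank carries out thorough due diligence to understand and verify the customer's business position, profit, investments, liabilities and risk profile. Thereafter, the bank also regularly analyses customers' credit standing and carries out forward-looking analysis of regional risk, as a reference for risk rating.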

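The role of the company secretary in risk management

Mr Xu emphasised that the company secretary has a responsibility to help the board establish and improve the risk management framework; to continue to consolidate and maintain the independence and authority of internal audit; and to carry out risk management duties in the operation of corporate governance.

Specific responsibilities include: giving opinions and recommendations at meetings of the board and its special committees; building a bridge for communication between the board and senior management; ensuring that corporate governance operates properly and effectively; making true, complete and accurate disclosures of information; and organising active communication with investors to maintain a good reputation in the capital markets.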

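Implications and challenges for issuers

Mr Xu pointed out that the revised Code Provisions place more emphasis on the effectiveness of risk management; stress the board's regular assessment and ongoing oversight of risk management; define more clearly the roles and responsibilities of the board, management and internal audit; and raise the transparency of information disclosure.

‘In accordance with the new requirements, we have reviewed and redefined the risk management responsibilities of the board and management. Inevitably, the demands on financial accounting and internal audit work have risen, requiring more professional talent and a sufficient financial budget. In addition, the internal control system needs to be continually assessed and improved in light of the new operating environment to ensure it remains effective.’ He nevertheless believes that risk management is not only about compliance but, more importantly, about safeguarding business development and the achievement of strategy.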

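Roundtable discussion

Li Zhidong, Assistant General Manager of Shipbuilding Marine and Defence Equipment Co Ltd, considers the Exchange's amendments on risk management and internal control to be comprehensive and in-depth, emphasising effectiveness, accountability and independence. ‘Taking the shipbuilding industry as an example, in addition to the risks at each stage of design, manufacturing and safety management, we also pay close attention to foreign exchange risk, because raw material prices have a certain impact on our profits and even on shipbuilding quality.’

Xie Jilong, Board Secretary of CRRC Corporation Ltd, said that, to simplify the internal budget approval process, the company has implemented a budget management policy authorising department heads at different levels to approve projects or expenditure up to a set limit within their designated authority. Anything above the limit must be escalated to the financial controller or the chairman for countersignature and approval. As a result, financial management is more efficient and the financial controller does not become a bottleneck.

Fang Chunfa, Board Secretary and General Manager of the Investor Relations Department of China General Nuclear Power Corporation, pointed out that nuclear safety is undoubtedly of paramount importance to the nuclear power industry. Beyond that, however, nuclear power companies must also properly manage risks in other areas, including production and economic risks, and integrate them all into the risk management system, in order to stay competitive in today's energy markets.

Luo Binhua, Vice-President, Board Secretary and Company Secretary of GF Securities Co Ltd, revealed that GF Securities was one of the earliest companies in the Mainland securities brokerage industry to implement risk management. He said: ‘We have a unified risk management system that effectively manages market, credit, liquidity and operational risks. All businesses, departments and staff are brought into the unified risk management system, which permeates every stage and step before, during and after the event.’

Wei Fang, Chief Hong Kong Representative for China National Petroleum Corporation, added that this roundtable on risk management and internal control systems was very meaningful and constructive, and he hoped the HKICS would in the near future organise more exchange activities on other topics, especially environmental, social and governance reporting.

Jimmy Chow
Journalist

The survey report Risk Management: Looking at the New Normal in Hong Kong, jointly conducted and written by the HKICS and KPMG China, can be downloaded from the HKICS website: www.hkics.org.hk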