Risk management and internal controls - the view from Mainland China 風險管理及內部控制 - 內企經驗分享

Saturday | 7 March 2015

What is the relationship between risk management and corporate governance? What are the respective duties of management and the board in this area? The latest HKICS Regional Board Secretaries Panel meeting, held on 14 January 2015, sought answers to these and other critical questions regarding risk management and internal controls.

Organised by the HKICS, the latest Regional Board Secretaries Panel meeting was held on 14 January at the Admiralty Centre, Hong Kong. Attended by senior managers and company secretaries representing various companies listed on the Mainland and Hong Kong bourses, the discussion shed light on the recent changes to Hong Kong's Corporate Governance Code, especially the revised rules on risk management and internal control. Michael Ma, a partner at Ernst & Young, and Yang Haijiang, the Board Secretary for China Oilfield Services Ltd (COSL), were the invited guest speakers. In her welcoming address, Edith Shih FCIS FCS(PE), former HKICS President, thanked Mr Ma and Mr Yang for their presentations. She also gave a brief introduction to the Institute's Enhanced Continuing Professional Development (ECPD) programme, which has been running since 2004. The ECPD programme keeps members' and practitioners' knowledge and skills up to date and keeps them abreast of all the latest regulatory and technical developments. 'As Mainland China continues to push for the rule of law, the internationalisation of the renminbi and the liberalisation of its capital markets – especially since the launch of the Shanghai-Hong Kong Stock Connect scheme – China presents us with unprecedented opportunities and challenges. Corporate China is in need of more professionals with a global vision and strong leadership to surmount these challenges. The continuing professional development of company secretaries will surely help lift the corporate governance standards of Mainland Chinese companies, enabling them to integrate with the rest of the world,' she said.

Good risk management is an essential part of good corporate governance Drawing on over two decades of consulting experience in audit, internal control and risk management, Ernst & Young's Michael Ma shared with the audience the latest developments in corporate governance practice in both Mainland China and Hong Kong. In particular he focused on what makes good corporate governance, the updated rules of Hong Kong's Corporate Governance Code and what companies can do to handle risks more effectively. As an introduction, Mr Ma used General Electric as a prime example of the benefits of good corporate governance. General Electric is the only company listed in the Dow Jones Industrial Index today that was also included in the original index in 1896. 'If a company exercises good corporate governance and persists with it, investors will never turn their backs on it. Even if it endures short-term losses, investors still believe the company is contributing to society and that it's worthwhile to wait for its turnaround,' he said. He revisited the major milestones in the development of corporate governance in Mainland China, including the Corporate Governance Guidelines issued in 2002; the promulgation of the Basic Norms of Internal Control and the Implementation Guidelines for Enterprise Internal Control No.1 – Organisational Structure, between May 2008 and April 2010.

In December 2010, the China Listed Company Corporate Governance Development Report set up certain provisions to incorporate corporate governance principles. In 2006, State-owned Assets Supervision and Administration Commission of the State Council (SASAC) enacted and introduced the Comprehensive Risk Management Guidance for State-Owned Enterprises, requiring state-owned enterprises (SOEs) to establish a sound corporate governance structure while introducing the concept of the three lines of defence for the first time, Mr Ma added. The three lines of defence are: 1. business operations – risk and control in the business 2. the oversight functions, and 3. independent assurance providers – internal audit and other independent assurance providers. Turning to Hong Kong, Mr Ma explained that Hong Kong Exchanges and Clearing (HKEx) issued the then Code of Corporate Governance Practices (now the Corporate Governance Code) in November 2004, requiring issuers to include a 'Corporate Governance Report' as part of their annual reports.

When it came into effect, the Corporate Governance Code had some 30 rules and that number did not change until last year, said Mr Ma. After an industry- wide consultation, HKEx recently made a number of amendments to the Code and the Corporate Governance Report in order to strengthen its risk management perspective. 'There are many factors that contribute to good corporate governance. Put simply, good governance means that: the company is transparent and that the responsibilities of the board are well defined; it has a sustainable business model; stakeholders can understand what problems it is facing and how it is going to deal with them; employees are happy and the company is trusted by suppliers and regulators; and the public recognises that the company is committed to social responsibility. With these qualities, I’m sure that such a company would win the hearts of investors,' he said. He suggested that issuers communicate with stakeholders through multiple channels, such as annual reports, websites, adverts and CSR activities, to constantly keep them updated of what the company is doing – such as the roles and responsibilities of the board and the management, the industry landscape, the company's strategies and goals, risks, financial results, major transactions and CSR initiatives, etc. 'Good corporate governance goes beyond regulatory requirements, it is a long-term and dynamic process. Business strategies, risk management and internal control are inseparable and interdependent. Furthermore, good corporate governance practices should extend to the commitment of individual employees, not just limited to the board and the management,' he said.

The new requirements in Hong Kong

On the updates to the Corporate Governance Code and the Corporate Governance Report, Mr Ma explained that HKEx completed its consultation in November 2014 before releasing the updates in December 2014. The consultation paper pointed out certain issues that needed to be addressed. For example, company boards often have a low awareness of risk, they often do not pay enough attention to risk management and lack the motivation to improve their internal control systems. Also, information disclosure quality varies from one issuer to another, and issuers often fail to disclose enough information about their annual reviews. After receiving feedback, the Consultation Paper on Risk Management and Internal Control: Review of the Corporate Governance Code and Corporate Governance Report made the following suggestions:

emphasise that internal controls are an integrated part of risk management
enhance accountability of the board, board committees and management by clearly defining their roles and responsibilities in risk management and internal controls
improve transparency of the issuer's risk management and internal controls by upgrading the recommendation for issuers to disclose their policies, process, and details of the annual review carried out in respect of the effectiveness of the risk management and internal control systems, and
strengthen oversight of the risk management and internal control systems by upgrading the recommendation for issuers to have an internal audit function.

Specifically, HKEx has added 'risk management' to the title of Section C.2 of the Code and throughout Sections C.2 and C.3 of the Code where appropriate in order to place greater emphasis on the integration of risk management and internal control. It has also included 'risk management' as part of the principles of the audit committee (Section C.3) and code provision C3.3.3 to ensure that the internal control measures of the Code and that of the audit committee are consistent. However, whether or not an issuer should establish a separate risk committee is at its discretion. In addition, HKEx has redefined the roles of the board and the management in order to strengthen accountability. The board is now responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer's strategic objectives, and ensuring that the issuer establishes and maintains appropriate and effective risk management and internal controls systems. The board should also oversee management in the design, implementation and monitoring of the risk management and internal control systems, and management should provide a confirmation to the board on the effectiveness of these systems.

With regard to transparency, HKEx has stepped up the requirements on risk disclosures by making them code provisions and even mandatory rules, including:

disclosure of the matters that the board's annual review should consider (Code Provision C2.3)
particular disclosures that issuers should make in their Corporate Governance Reports following the annual review (Code Provision C2.4) – this aims to encourage disclosure of risk management and internal control systems as well as facilitate comparability across issuers’ Corporate Governance Reports, and
amending the wording of Code Provision C2.4 to streamline the requirements, remove ambiguous language, and clarify that the risk management and internal control system is designed to manage rather than eliminate risks.

In addition, HKEx has simplified and upgraded a number of recommended disclosures relating to internal controls to mandatory disclosure requirements. To fulfil the new disclosure requirements of Code Provisions C2.3 and C2.4, Mr Ma suggested that issuers prepare the following reports in a timely manner: significant risk checklist, risk assessment report, internal control assessment report and risk monitoring report. They are also advised to implement the relevant risk assessment and management procedures. He added that the internal audit function of a firm plays an important role in supporting the board and the management, as well as the risk management and internal control system (through systematic analysis and independent assessment). The internal audit function is often called the 'third line of defence'. 'Risk management doesn’t mean blindly complying with rules and procedures. To be effective, it should be integrated into the company's strategic goals. If risk management turns out to be nothing more than trying to close the loop with all the rules, efficiency will inevitably be compromised. Corporate governance is a corporate culture, the DNA of a company. It's a catalyst for the long-term and sustainable growth of a business, enabling it to earn public trust and investor confidence over time, Mr Ma said wrapping up his presentation.

Case scenario: COSL's risk management system

In 2010, the BP oil spill that followed the explosion of the Deepwater Horizon oil rig was a wake-up call to the entire petroleum industry. The Institute's latest RBSP meeting was therefore fortunate to have Yang Haijiang, the Board Secretary for China Oilfield Services Ltd (COSL), to discuss his company's approach to risk management and internal controls. After walking the audience through COSL's background, financial results, ownership structure and major assets, Mr Yang shared his company's experience in risk management. 'Risk management is not standardised,' he pointed out. 'The approach to it varies from one company to another. Every company has its own style and, especially, its own risk-tolerance levels. As long as a sound risk management process and procedures are in place, it's sensible to take risks in exchange for potential higher returns.'

COSL is an interesting case scenario in risk management and internal controls. The COSL board began to be concerned about risk management in 2009. At a major board meeting, the board discussed whether it should establish a risk management committee under the board. After discussion, it was concluded that the board should not be held responsible for managing risks specific to particular projects, such as the risks associated with making investment decisions. It is the management's job to handle those risks. According to Mr Yang, the risk management measures of COSL have three objectives: to establish and constantly improve the internal control and risk assessment system; to implement a top-down and companywide risk management system that covers every aspect of the business; and to keep baseline risks within the generally acceptable range. In the absence of a risk management committee, the management team are duty bound to identify, evaluate and mitigate risks, which are primarily handled by the risk management office under the internal audit department. While risks exist anywhere and everywhere, businesses should take a proactive approach to risk management, which Mr Yang described as a 'value- creating process'. As long as the right risk management is in place to limit risks to a tolerable level, businesses will be able to reap the rewards for the risks taken, he stressed.

To demonstrate how risks are being assessed and managed at COSL, Mr Yang shared two real-world cases that had put COSL to the test. As mentioned, in 2010 the BP oil spill was a wake-up call to the entire industry. This prompted the COSL board to assess its safety measures and the risk of large marine oil spills. The management was therefore asked to submit a risk assessment report to address the concerns of the board. At a subsequent board meeting, the report on COSL's existing safety measures as well as the latest developments and the likely impact of the BP incident was presented to the board. The directors made a number inquiries into the technologies and equipment in use, and whether they could implement strong safety measures for oil drilling.

As a pre-emptive measure, the management was asked to learn from the BP incident and clear the conditions that contribute to oil spill risks. Follow- up actions were taken to inspect and fix leaks and decay found in all equipment in collaboration with oil companies. The second test of COSL's risk management structure Mr Yang discussed was its plan to acquire Norwegian rival Awilco Offshore in its entirety for about US$2.5 billion in 2008. The deal would give it access to drilling technology and expand its international operations. Including the debts amounting to about US$1.3 billion, the actual acquisition cost was estimated at US$3.8 billion, excluding time costs. Amid the oil price rally in 2008, oil soared to about US$100 a barrel at the time of the acquisition. At one point analysts speculated that oil prices could reach US$200 a barrel. 'Against this scenario, the valuation of the target firm was considered overpriced. The scale of our company was relatively smaller at that time, the purchase of Awilco Offshore was a huge and risky step for the company,' he said. 'Over the course of discussion, the board weighed different views of stakeholders, including the views expressed by two independent directors that the target firm was overvalued. In the end, the board gave it a go, believing that the acquisition could produce a strong cash flow and greatly enhance the company's EPS.' Jimmy Chow, Journalist

風險管理和企業管治之間有何關係?管理層和董事會如何各司其職?在今年1月14日召開的公司秘書/董事會秘書圓桌會議上,兩位演講嘉賓就以上問題耐心解答。

由香港特許秘書公會主辦的公司秘書/董事會秘書圓桌會議順利在今年1月14日於金鐘海富中心召開,獲多家內地和香港上市公司的高管和董秘應邀出席。會議的主題為《企業管治守則》的最新動向-風險管理及內部監控,講者依次序為安永會計師事務所安永諮詢服務合夥人馬斌,以及中海油田服務股份有限公司(「中海油服」)董事會秘書楊海江。香港特許秘書公會前會長、公司秘書專責小組主席施熙德律師在開幕辭中,特別鳴謝兩位出席會議的演講嘉賓,然後提到公會自2004年起已持續舉辦強化持續專業發展(ECPD)計劃,並於2006 起定期在港舉行講座,借此加強會員之間的溝通,促進專業化發展。「在國家依法治國的基礎下,再加上人民幣國際化、資本市場自由化和創新,特別是滬港通開通,種種變化正為中國經濟帶來前所未見的機遇和挑戰。我國的企業正需要有國際視野的人才,去推行高標準的企業管治,以應對各項挑戰。董秘專業化,將有助於提升上市公司的治理水平,與世界接軌。」她說。

良好的風險管理是良好公司治理的重要組成部分

憑借其超過20年的審計、內部控制與風險管理的諮詢工作經驗,安永馬斌先生詳細介紹了企業管治實務於內地和香港的發展,以及剖析何謂良好的企業管治。此外,他還對《企業管治守則》(《守則》)及《企業管治報告》(《報告》)的更新要求作了詳盡介紹,以及就全面風險管理的一些問題進行總結和探討。

在演講開始時,馬先生以通用電氣 (GE)作為良好企業管治的榜樣,而通用電氣也是唯一一家自1896年道琼斯指數成立以來仍留在指數中的成分股。「如果某一家公司的內部管治良好,便可以留住投資者。企業有好的管治,儘管出現短期虧損,投資者始終覺得公司對社會有貢獻,不會輕易離去。」他說道。然後,他跟大家回顧了企業管治在中國大陸的主要發展里程,包括於2002 年發布的《上市公司治理準則》;於 2008年5月至2010年4月期間,五部委共同發布了《企業內部控制基本規範》及《企業內部控制應用指引第1 號-組織架構》。 2010年12月,《中國上市公司治理發展報告》正式發布《公司治理原則》的相應條文,梳理了中國企業的相關制度和實踐。他補充,國資委於2006 年制定並推出《中央企業全面風險管理指引》,其中指出企業應建立健全規範的公司法人治理結構,並提出風險管理三道防線的概念。

風險管理的三道防線是指: 1. 業務運作上的風險與控制 2. 監督職能 3. 獨立內部審計及其他獨立監管單位在香港方面,2004年11月,香港聯交所發布了《企業管治常規守則》(現為《守則》),並要求上市公司在年報中發表《企業管治報告》。馬先生指出,《守則》自2004年生效以來,對上市公司董事約有三十條守則要求,多年來一直沒變,但到了去年,香港聯交所在經過業界諮詢後,修訂了《守則》和《企業管治報告》的相關條文,加入了強化風險管理責任。

「構成良好企業管治有多項要素,簡單說,良好企業管治就是企業公開透明, 問責清晰,業務具可持續性,投資者可了解公司正面對什么問題,以及有什么方法應對。公司不論有什么文化,裡面的員工都感到滿足,而且獲得供應商的信任,監管機構覺得有誠信,政府覺得公司有社會責任,老百姓覺得企業可靠,投資者自然培添信心。」他說。馬先生建議,上市公司應不時從各種途徑,如年報、網站、廣告營銷、公益和社會活動等,清晰地讓公眾及投資者持續了解公司正在做什么。公司信息應以簡單易懂的方式表達出來,包括組織架構、董事會和管理層的職能職責;行業狀況;發展戰略及願景;經營風險、挑戰和困難;財務數據;重大決策和交易;以及社企責任等。

「近來企業管治發展趨勢表明,企業管治超越簡單的合規遵循要求,是一個長期持續的動態過程。戰略目標的實現與風險管理和內部控制無法分割,而這三者相互影響、相互關聯。再者,良好的企業管治實務源於高層基調、董事會和高級管理層,對風險管理和內部控制的責任越來越明確清晰。」他續說。

港交所對風險控制與內部控制的新要求

接著,馬先生集中討論了《守則》和《企業管治報告》的更新內容。他指出,香港聯交所剛於去年11月完成業界諮詢,繼而頒布了更新的《守則》和《企業管治報告》,諮詢文件總結了業界留意到過往企業管治實務中的情況,包括:董事會未意識到面臨風險;未對風險及風險管理給予足夠的重視,缺乏動力來改善內部監控系統;上市公司信息披露的質量不一, 缺乏可比性;以及發行人披露其年度檢討的詳情不足。

根據收到的反饋意見,香港聯交所於去年6月發布《諮詢總結-檢討企業管治守則及企業管治報告:風險管理及內部監控》,有以下總結: 強調內部監控是風險管理的重要元素;

清晰界定董事會、董事委員會及管理層在風險管理和內部監控中的角色和職責,以強化問責;
提升發行人風險管理和內部監控系統的披露責任及相關的政策、程序以及每年成效檢討的詳情, 以提高發行人在風險管理和內部監控方面的透明度;以及
提升發行人內部審計的責任,以加強發行人風險管理和內部監控體系的監察。

有見及此,當局遂於兩份文件整合內部監控的相關規範,作為風險管理的重要元素:

在C.2標題中以及C.2和C.3全文合適的地方,添加「風險管理」
將「風險管理」納入審核委員會原則(原則C.3)和守則條文 C3.3.3,確保《守則》內有關內部監控及審核委員會的各節均保持一致
是否單獨設立風險委員會由發行人自行決定

此外,聯交所還界定了董事會和管理層的角色,以強化問責:

守則條文-確保公司願意承擔的風險程度
守則條文-確保公司具備有效的風險管理和內部監控系統
建議最佳常規-企業管治報告中可以披露:董事會已取得管理層對於風險管理和內部監控系統有效性的確認
守則條文-設計、實施及監察風險管理和內部監控系統
守則條文-向董事會提供有關系統有效性的確認

在透明度方面,監管當局要求有意義的披露,從以往的最佳常規,升格為守則條文:

守則條文C2.3-列明董事會年度成效檢討應考慮的事項
守則條文C2.4-披露發行人如何遵守風險管理和內部監控的守則條文,以實現可比性
守則條文C2.4-風險管理和內部監控系統旨在管理而非消除風險
強制披露-大多數現有的與內部監控有關的建議披露被升級為強制披露

就C2.3及C2.4守則條文的披露要求, 馬先生建議公司應定時擬備重大風險清單;風險評估報告;內控評估報告;風險監控報告;風險監控報告; 以及實施相關的風險評估和管理工作程序。他強調,公司內部審核功能發揮著支援董事會、管理層以及風險管理及內部監控系統(通過對系統進行分析及

獨立評估)的作用。因此,內部審核功能常被稱為「第三道防線」。最後,他總結道:「我們提到的風險管理,不是一個盲目的風險管理,我們必須結合企業的戰略目標,因為每家企業的發展都有一個方向,控制得太緊太死,會失去效率。企業管治是一種文化,是企業的DNA,是實現企業可持續長遠發展的催化劑,最終為企業贏得投資者和公眾的信任及企業聲譽。」

案例分析:中海油服的風險管理制度

2010年,BP墨西哥原油泄漏事件,引起了國際社會與石油開採行業的高度關注。公會有幸邀得中海油服董秘楊海江先生,跟與會者分享事件對該公司的啟示,以及公司在風險管理和內部控制的目標和實踐。在介紹過中海油服的業務背景、財務數據、股權結構和主要裝備後,楊先生坦言:「風險管理沒有一套客觀標準,不同行業的管理方式不盡相同,每家企業也有自己的風格和風險承受程度。只要有套健全的風險管理制度,該做的便去做,該冒的險就去冒,這樣企業才會壯大起來。」

中海油服本身便經歷過一些重大風險,其在風險管理和內控的經驗豐富,很值得其他企業參考。據他透露,中海油服董事會自2009年開始便關注風險管理問題,2009年董事會年度上曾就是否設立董事會風險管理委員會進行了討論,關於董事會風險管理工作責任,討論後認為董事會不適宜管理具體事項(如具體投資項目) 的風險,而具體事項的風險管控是管理層的職責。據楊先生所述,中海油服風險管理目標主要有三:一、建立和不斷完善有效地內控體系和風險評估機制;二、實現全員、全方位、全過程的管理; 三、風險始終控制在一般、可接受的範圍內。公司雖不設風險管理委員會,其責任則落於管理層的常規職責範圍以內,即確保公司設立及維持合適及有效的風險管理系統;及定期評估公司風險管理系統的有效性。風險管理辦公室設於公司的審計監察部下,主要職責是落實和監督各單位的風險管理和控制。他再三強調,由於風險無處不在,企業更應積極面對和控制風險,視之為一種價值創造的活動,融入到公司企

業文化,從戰略的高度並採取系統地方法主動去認識風險、管理風險。當風險發生時應有充分的準備,能將風險控制於企業能承擔的水平。楊先生還與大家分享一些中海油服在風險管理的實際案例,包括BP墨西哥原油泄漏事件給予中海油服的啟示, 以及油價漲跌引發收購海外鑽井公司的相關風險。 2010年,發生了震驚世界的BP墨西哥原油泄漏事件。鑑於這屬於行業內的重大事故,中海油服的董事會非常關注,引發進一步關注公司的安全生產形勢和相關的風險,遂要求管理層就公司的相關風險管控工作給董事會做一個專項匯報。管理層於是在董事會年度例會上,就安全管理體系情況及針對BP墨西哥灣事故的應對措施作了匯報。會上, 董事詢問了有關問題,主要是公司在技術、裝備方面有何進一步的應對措施。董事會並要求公司管理層認真分析研究BP的事故並從中吸取教訓,重點是及早發現並清除那些可能導致事故的各種安全隱患,對比查找管理和技術方面的薄弱環節,使公司更有效地防範此類種大風險。

最終,管理層按照董事會的要求進行了具體落實,包括同油公司協商對一些設備做了整改,提高可靠性。 2008年,中海油服宣布收購於奧斯陸證券交易所上市的挪威海上鑽井公司Awilco Offshore ASA(AWO),現金收購100%股權,收購價為每股85挪威克朗,即總價約127億挪威克朗(約 25億美元)。若按照25億美元的收購價,加上13億的債務,估計實際收購價格達38億美元,還沒有考慮時間成本。他憶述,2008年國際油價暴漲暴跌、急劇波動,在確認收購時油價每桶漲到100美元左右,更一度有分析師預期油價有可能升至每桶200美元。「當時油價高企,所以被收購公司的估值非常高,再加上那時公司規模比現在小,這幾十億美元的收購價對我們來說是很大的風險。在商議過程中,我們有兩位獨董認為收購價偏高。不過,由於董事會最終判斷,收購將能直接為公司帶來現金流,不久後將能大大提升公司的EPS水平,最終還是做了這項重大決定。」他說。 Jimmy Chow, Journalist