Risk management and internal controls – the view from Mainland China 風險管理及內部控制 – 內企經驗分享
What is the relationship between risk management and corporate governance? What are the respective duties of management and the board in this area? The latest HKICS Regional Board Secretaries Panel meeting, held on 14 January 2015, sought answers to these and other critical questions regarding risk management and internal controls.
Organised by the HKICS, the latest Regional Board Secretaries Panel meeting was held on 14 January at the Admiralty Centre, Hong Kong. Attended by senior managers and company secretaries representing various companies listed on the Mainland and Hong Kong bourses, the discussion shed light on the recent changes to Hong Kong’s Corporate Governance Code, especially the revised rules on risk management and internal control. Michael Ma, a partner at Ernst & Young, and Yang Haijiang, the Board Secretary for China Oilfield Services Ltd (COSL), were the invited guest speakers.
In her welcoming address, Edith Shih FCIS FCS(PE), former HKICS President, thanked Mr Ma and Mr Yang for their presentations. She also gave a brief introduction to the Institute’s Enhanced Continuing Professional Development (ECPD) programme, which has been running since 2004. The ECPD programme keeps members’ and practitioners’ knowledge and skills up to date and keeps them abreast of all the latest regulatory and technical developments.
‘As Mainland China continues to push for the rule of law, the internationalisation of the renminbi and the liberalisation of its capital markets – especially since the launch of the Shanghai-Hong Kong Stock Connect scheme – China presents us with unprecedented opportunities and challenges. Corporate China is in need of more professionals with a global vision and strong leadership to surmount these challenges. The continuing professional development of company secretaries will surely help lift the corporate governance standards of Mainland Chinese companies, enabling them to integrate with the rest of the world,’ she said.
Good risk management is an essential part of good corporate governance Drawing on over two decades of consulting experience in audit, internal control and risk management, Ernst & Young’s Michael Ma shared with the audience the latest developments in corporate governance practice in both Mainland China and Hong Kong. In particular he focused on what makes good corporate governance, the updated rules of Hong Kong’s Corporate Governance Code and what companies can do to handle risks more effectively.
As an introduction, Mr Ma used General Electric as a prime example of the benefits of good corporate governance. General Electric is the only company listed in the Dow Jones Industrial Index today that was also included in the original index in 1896. ‘If a company exercises good corporate governance and persists with it, investors will never turn their backs on it. Even if it endures short-term losses, investors still believe the company is contributing to society and that it’s worthwhile to wait for its turnaround,’ he said.
He revisited the major milestones in the development of corporate governance in Mainland China, including the Corporate Governance Guidelines issued in 2002; the promulgation of the Basic Norms of Internal Control and the Implementation Guidelines for Enterprise Internal Control No.1 – Organisational Structure, between May 2008 and April 2010.
In December 2010, the China Listed Company Corporate Governance Development Report set up certain provisions to incorporate corporate governance principles. In 2006, State-owned Assets Supervision and Administration Commission of the State Council (SASAC) enacted and introduced the Comprehensive Risk Management Guidance for State-Owned Enterprises, requiring state-owned enterprises (SOEs) to establish a sound corporate governance structure while introducing the concept of the three lines of defence for the first time, Mr Ma added.
The three lines of defence are:
1. business operations – risk and control in the business
2. the oversight functions, and
3. independent assurance providers – internal audit and other independent assurance providers.
Turning to Hong Kong, Mr Ma explained that Hong Kong Exchanges and Clearing (HKEx) issued the then Code of Corporate Governance Practices (now the Corporate Governance Code) in November 2004, requiring issuers to include a ‘Corporate Governance Report’ as part of their annual reports.
When it came into effect, the Corporate Governance Code had some 30 rules and that number did not change until last year, said Mr Ma. After an industry- wide consultation, HKEx recently made a number of amendments to the Code and the Corporate Governance Report in order to strengthen its risk management perspective.
‘There are many factors that contribute to good corporate governance. Put simply, good governance means that: the company is transparent and that
the responsibilities of the board are well defined; it has a sustainable business model; stakeholders can understand what problems it is facing and how it is going to deal with them; employees are happy and the company is trusted by suppliers and regulators; and the public recognises that the company is committed to social responsibility. With these qualities, I’m sure that such a company would win the hearts of investors,’ he said.
He suggested that issuers communicate with stakeholders through multiple channels, such as annual reports, websites, adverts and CSR activities, to constantly keep them updated of what the company is doing – such as the roles and responsibilities of the board and the management, the industry landscape, the company’s strategies and goals, risks, financial results, major transactions and CSR initiatives, etc. ‘Good corporate governance goes beyond regulatory requirements, it is a long-term and dynamic process. Business strategies, risk management and internal control are inseparable and interdependent. Furthermore, good corporate governance practices should extend to the commitment of individual employees, not just limited to the board and the management,’ he said.
The new requirements in Hong Kong
On the updates to the Corporate Governance Code and the Corporate Governance Report, Mr Ma explained that HKEx completed its consultation in November 2014 before releasing the updates in December 2014. The consultation paper pointed out certain issues that needed to be addressed. For example, company boards often have a low awareness of risk, they often do not pay enough attention to risk management and lack the motivation to improve their internal control systems. Also, information disclosure quality varies from one issuer to another, and issuers often fail to disclose enough information about their annual reviews.
After receiving feedback, the Consultation Paper on Risk Management and Internal Control: Review of the Corporate Governance Code and Corporate Governance Report made the following suggestions:
- emphasise that internal controls are an integrated part of risk management
- enhance accountability of the board, board committees and management by clearly defining their roles and responsibilities in risk management and internal controls
- improve transparency of the issuer’s risk management and internal controls by upgrading the recommendation for issuers to disclose their policies, process, and details of the annual review carried out in respect of the effectiveness of the risk management and internal control systems, and
- strengthen oversight of the risk management and internal control systems by upgrading the recommendation for issuers to have an internal audit function.
Specifically, HKEx has added ‘risk management’ to the title of Section C.2 of the Code and throughout Sections C.2 and C.3 of the Code where appropriate in order to place greater emphasis on the integration of risk management and internal control. It has also included ‘risk management’ as part of the principles of the audit committee (Section C.3) and code provision C3.3.3 to ensure that the internal control measures of the Code and that of the audit committee are consistent. However, whether or not an issuer should establish a separate risk committee is at its discretion.
In addition, HKEx has redefined the roles of the board and the management in order to strengthen accountability. The board is now responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer’s strategic objectives, and ensuring that the issuer establishes and maintains appropriate and effective risk management and internal controls systems. The board should also oversee management in the design, implementation and monitoring of the risk management and internal control systems, and management should provide a confirmation to the board on the effectiveness of these systems.
With regard to transparency, HKEx has stepped up the requirements on risk disclosures by making them code provisions and even mandatory rules, including:
- disclosure of the matters that the board’s annual review should consider (Code Provision C2.3)
- particular disclosures that issuers should make in their Corporate Governance Reports following the annual review (Code Provision C2.4) – this aims to encourage disclosure of risk management and internal control systems as well as facilitate comparability across issuers’ Corporate Governance Reports, and
- amending the wording of Code Provision C2.4 to streamline the requirements, remove ambiguous language, and clarify that the risk management and internal control system is designed to manage rather than eliminate risks.
In addition, HKEx has simplified and upgraded a number of recommended disclosures relating to internal controls to mandatory disclosure requirements.
To fulfil the new disclosure requirements of Code Provisions C2.3 and C2.4, Mr Ma suggested that issuers prepare the following reports in a timely manner: significant risk checklist, risk assessment report, internal control assessment report and risk monitoring report. They are also advised to implement the relevant risk assessment and management procedures.
He added that the internal audit function of a firm plays an important role in supporting the board and the management, as well as the risk management and internal control system (through systematic analysis and independent assessment). The internal audit function is often called the ‘third line of defence’.
‘Risk management doesn’t mean blindly complying with rules and procedures. To be effective, it should be integrated into the company’s strategic goals. If risk management turns out to be nothing more than trying to close the loop with all the rules, efficiency will inevitably be compromised. Corporate governance is a corporate culture, the DNA of a company. It’s a catalyst for the long-term and sustainable growth of a business, enabling it to earn public trust and investor confidence over time, Mr Ma said wrapping up his presentation.
Case scenario: COSL’s risk management system
In 2010, the BP oil spill that followed the explosion of the Deepwater Horizon oil rig was a wake-up call to the entire petroleum industry. The Institute’s latest RBSP meeting was therefore fortunate to have Yang Haijiang, the Board Secretary for China Oilfield Services Ltd (COSL), to discuss his company’s approach to risk management and internal controls.
After walking the audience through COSL’s background, financial results, ownership structure and major assets, Mr Yang shared his company’s experience in risk management. ‘Risk management is not standardised,’ he pointed out. ‘The approach to it varies from one company to another. Every company has its own style and, especially, its own risk-tolerance levels. As long as a sound risk management process and procedures are in place, it’s sensible to take risks in exchange for potential higher returns.’
COSL is an interesting case scenario in risk management and internal controls. The COSL board began to be concerned about risk management in 2009. At a major board meeting, the board discussed whether it should establish a risk management committee under the board. After discussion, it was concluded that the board should not be held responsible for managing risks specific to particular projects, such as the risks associated with making investment decisions. It is the management’s job to handle those risks.
According to Mr Yang, the risk management measures of COSL have three objectives: to establish and constantly improve the internal control and risk assessment system; to implement a top-down and companywide risk management system that covers every aspect of the business; and to keep baseline risks within the generally acceptable range.
In the absence of a risk management committee, the management team are duty bound to identify, evaluate and mitigate risks, which are primarily handled by the risk management office under the internal audit department. While risks exist anywhere and everywhere, businesses should take a proactive approach to risk management, which Mr Yang described as a ‘value- creating process’. As long as the right risk management is in place to limit risks to a tolerable level, businesses will be able to reap the rewards for the risks taken, he stressed.
To demonstrate how risks are being assessed and managed at COSL, Mr Yang shared two real-world cases that had put COSL to the test. As mentioned, in 2010 the BP oil spill was a wake-up call to the entire industry. This prompted the COSL board to assess its safety measures and the risk of large marine oil spills. The management was therefore asked to submit a risk assessment report to address the concerns of the board.
At a subsequent board meeting, the report on COSL’s existing safety measures as well as the latest developments and the likely impact of the BP incident was presented to the board. The directors made a number inquiries into the technologies and equipment in use, and whether they could implement strong safety measures for oil drilling.
As a pre-emptive measure, the management was asked to learn from the BP incident and clear the conditions that contribute to oil spill risks. Follow- up actions were taken to inspect and fix leaks and decay found in all equipment in collaboration with oil companies.
The second test of COSL’s risk management structure Mr Yang discussed was its plan to acquire Norwegian rival Awilco Offshore in its entirety for about US$2.5 billion in 2008. The deal would give it access to drilling technology and expand its international operations. Including the debts amounting to about US$1.3 billion, the actual acquisition cost was estimated at US$3.8 billion, excluding time costs.
Amid the oil price rally in 2008, oil soared to about US$100 a barrel at the time of the acquisition. At one point analysts speculated that oil prices could reach US$200 a barrel.
‘Against this scenario, the valuation of the target firm was considered overpriced. The scale of our company was relatively smaller at that time, the purchase of Awilco Offshore was a huge and risky step for the company,’ he said. ‘Over the course of discussion, the board weighed different views of stakeholders, including the views expressed by two independent directors that the target firm was overvalued. In the end, the board gave it a go, believing that the acquisition could produce a strong cash flow and greatly enhance the company’s EPS.’
Jimmy Chow, Journalist
風險管理和企業管治之間有何關係?管理層和董事會如何 各司其職?在今年1月14日召開的公司秘書/董事會秘書 圓桌會議上,兩位演講嘉賓就以上問題耐心解答。
由香港特許秘書公會主辦的公司秘 書/董事會秘書圓桌會議順利在 今年1月14日於金鐘海富中心召開,獲 多家內地和香港上市公司的高管和董秘 應邀出席。會議的主題為《企業管治守 則》的最新動向-風險管理及內部監 控,講者依次序為安永會計師事務所安 永諮詢服務合夥人馬斌,以及中海油田 服務股份有限公司(「中海油服」)董 事會秘書楊海江。
香港特許秘書公會前會長、公司秘書專 責小組主席施熙德律師在開幕辭中,特 別鳴謝兩位出席會議的演講嘉賓,然後 提到公會自2004年起已持續舉辦強化持 續專業發展(ECPD)計劃,並於2006 起定期在港舉行講座,借此加強會員之 間的溝通,促進專業化發展。
「在國家依法治國的基礎下,再加上 人民幣國際化、資本市場自由化和創 新,特別是滬港通開通,種種變化正 為中國經濟帶來前所未見的機遇和挑 戰。我國的企業正需要有國際視野的 人才,去推行高標準的企業管治,以 應對各項挑戰。董秘專業化,將有助 於提升上市公司的治理水平,與世界 接軌。」她說。
憑借其超過20年的審計、內部控制與 風險管理的諮詢工作經驗,安永馬斌 先生詳細介紹了企業管治實務於內地 和香港的發展,以及剖析何謂良好的 企業管治。此外,他還對《企業管治 守則》(《守則》)及《企業管治報 告》(《報告》)的更新要求作了詳 盡介紹,以及就全面風險管理的一些 問題進行總結和探討。
在演講開始時,馬先生以通用電氣 (GE)作為良好企業管治的榜樣,而 通用電氣也是唯一一家自1896年道琼 斯指數成立以來仍留在指數中的成分 股。「如果某一家公司的內部管治良 好,便可以留住投資者。企業有好的 管治,儘管出現短期虧損,投資者始 終覺得公司對社會有貢獻,不會輕易 離去。」他說道。
然後,他跟大家回顧了企業管治在中 國大陸的主要發展里程,包括於2002 年發布的《上市公司治理準則》;於 2008年5月至2010年4月期間,五部 委共同發布了《企業內部控制基本規 範》及《企業內部控制應用指引第1 號-組織架構》。
2010年12月,《中國上市公司治理發 展報告》正式發布《公司治理原則》 的相應條文,梳理了中國企業的相關 制度和實踐。他補充,國資委於2006 年制定並推出 《中央企業全面風險管 理指引》,其中指出企業應建立健全 規範的公司法人治理結構,並提出風 險管理三道防線的概念。
在香港方面,2004年11月,香港聯交 所發布了 《企業管治常規守則》(現 為《守則》),並要求上市公司在年 報中發表《企業管治報告》。
馬先生指出,《守則》自2004年生 效以來,對上市公司董事約有三十條 守則要求,多年來一直沒變,但到了 去年,香港聯交所在經過業界諮詢 後,修訂了《守則》和《企業管治報 告》的相關條文,加入了強化風險管 理責任。
「構成良好企業管治有多項要素,簡單 說,良好企業管治就是企業公開透明, 問責清晰,業務具可持續性,投資者可 了解公司正面對什么問題,以及有什么 方法應對。公司不論有什么文化,裡面 的員工都感到滿足,而且獲得供應商的 信任,監管機構覺得有誠信,政府覺得 公司有社會責任,老百姓覺得企業可 靠,投資者自然培添信心。」他說。
馬先生建議,上市公司應不時從各種途 徑,如年報、網站、廣告營銷、公益和 社會活動等,清晰地讓公眾及投資者持 續了解公司正在做什么。公司信息應以 簡單易懂的方式表達出來,包括組織架 構、董事會和管理層的職能職責;行業 狀況;發展戰略及願景;經營風險、挑 戰和困難;財務數據;重大決策和交 易;以及社企責任等。
「近來企業管治發展趨勢表明,企業 管治超越簡單的合規遵循要求,是一 個長期持續的動態過程。戰略目標的 實現與風險管理和內部控制無法分 割,而這三者相互影響、相互關聯。 再者,良好的企業管治實務源於高層 基調、董事會和高級管理層,對風險 管理和內部控制的責任越來越明確清 晰。」 他續說。
接著,馬先生集中討論了《守則》和 《企業管治報告》的更新內容。他指 出,香港聯交所剛於去年11月完成業 界諮詢,繼而頒布了更新的《守則》 和《企業管治報告》,諮詢文件總 結了業界留意到過往企業管治實務中 的情況,包括:董事會未意識到面臨 風險;未對風險及風險管理給予足夠 的重視,缺乏動力來改善內部監控系 統;上市公司信息披露的質量不一, 缺乏可比性;以及發行人披露其年度 檢討的詳情不足。
根據收到的反饋意見,香港聯交所於 去年6月發布《諮詢總結-檢討企業管 治守則及企業管治報告:風險管理及 內部監控》,有以下總結:
- 清晰界定董事會、董事委員會及 管理層在風險管理和內部監控中 的角色和職責,以強化問責;
- 提升發行人風險管理和內部監控 系統的披露責任及相關的政策、 程序以及每年成效檢討的詳情, 以提高發行人在風險管理和內部 監控方面的透明度;以及
- 提升發行人內部審計的責任,以 加強發行人風險管理和內部監控 體系的監察。
有見及此,當局遂於兩份文件整合內 部監控的相關規範,作為風險管理的 重要元素:
- 在C.2標題中以及C.2和C.3全文合 適的地方,添加 「風險管理」
- 將「風險管理」納入審核委員 會原則(原則C.3)和守則條文 C3.3.3,確保《守則》內有關內 部監控及審核委員會的各節均保 持一致
- 是否單獨設立風險委員會由發行 人自行決定
- 守則條文-確保公司願意承擔的 風險程度
- 守則條文-確保公司具備有效的 風險管理和內部監控系統
- 建議最佳常規-企業管治報告中 可以披露:董事會已取得管理層 對於風險管理和內部監控系統有 效性的確認
- 守則條文-設計、實施及監察風 險管理和內部監控系統
- 守則條文-向董事會提供有關系 統有效性的確認
在透明度方面,監管當局要求有意義 的披露,從以往的最佳常規,升格為 守則條文:
- 守則條文C2.3-列明董事會年度 成效檢討應考慮的事項
- 守則條文C2.4-披露發行人如何 遵守風險管理和內部監控的守則 條文,以實現可比性
- 守則條文C2.4-風險管理和內部 監控系統旨在管理而非消除風險
- 強制披露-大多數現有的與內部 監控有關的建議披露被升級為強 制披露
就C2.3及C2.4守則條文的披露要求, 馬先生建議公司應定時擬備重大風 險清單;風險評估報告;內控評估報 告;風險監控報告;風險監控報告; 以及實施相關的風險評估和管理工作 程序。
他強調,公司內部審核功能發揮著支 援董事會、管理層以及風險管理及內 部監控系統(通過對系統進行分析及
最後,他總結道:「我們提到的風險管 理,不是一個盲目的風險管理,我們必 須結合企業的戰略目標,因為每家企業 的發展都有一個方向,控制得太緊太 死,會失去效率。企業管治是一種文 化,是企業的DNA,是實現企業可持續長 遠發展的催化劑,最終為企業贏得投資 者和公眾的信任及企業聲譽。」
2010年,BP墨西哥原油泄漏事件,引 起了國際社會與石油開採行業的高度 關注。公會有幸邀得中海油服董秘楊 海江先生,跟與會者分享事件對該公 司的啟示,以及公司在風險管理和內 部控制的目標和實踐。
在介紹過中海油服的業務背景、財務 數據、股權結構和主要裝備後,楊 先生坦言:「風險管理沒有一套客 觀標準,不同行業的管理方式不盡相 同,每家企業也有自己的風格和風險 承受程度。只要有套健全的風險管理 制度,該做的便去做,該冒的險就去 冒,這樣企業才會壯大起來。」
中海油服本身便經歷過一些重大風 險,其在風險管理和內控的經驗豐 富,很值得其他企業參考。據他透 露,中海油服董事會自2009年開始便 關注風險管理問題,2009年董事會年 度上曾就是否設立董事會風險管理委 員會進行了討論,關於董事會風險管 理工作責任,討論後認為董事會不適 宜管理具體事項(如具體投資項目) 的風險,而具體事項的風險管控是管 理層的職責。
據楊先生所述,中海油服風險管理目 標主要有三:一、建立和不斷完善有 效地內控體系和風險評估機制;二、 實現全員、全方位、全過程的管理; 三、風險始終控制在一般、可接受的 範圍內。
公司雖不設風險管理委員會,其責任則 落於管理層的常規職責範圍以內,即確 保公司設立及維持合適及有效的風險管 理系統;及定期評估公司風險管理系統 的有效性。風險管理辦公室設於公司的 審計監察部下,主要職責是落實和監督 各單位的風險管理和控制。
他再三強調,由於風險無處不在,企 業更應積極面對和控制風險,視之為 一種價值創造的活動,融入到公司企
業文化,從戰略的高度並採取系統地 方法主動去認識風險、管理風險。當 風險發生時應有充分的準備,能將風 險控制於企業能承擔的水平。
楊先生還與大家分享一些中海油服在 風險管理的實際案例,包括BP墨西哥 原油泄漏事件給予中海油服的啟示, 以及油價漲跌引發收購海外鑽井公司 的相關風險。
2010年,發生了震驚世界的BP墨西哥 原油泄漏事件。鑑於這屬於行業內的 重大事故,中海油服的董事會非常關 注,引發進一步關注公司的安全生產 形勢和相關的風險,遂要求管理層就 公司的相關風險管控工作給董事會做 一個專項匯報。
管理層於是在董事會年度例會上,就 安全管理體系情況及針對BP墨西哥 灣事故的應對措施作了匯報。會上, 董事詢問了有關問題,主要是公司在 技術、裝備方面有何進一步的應對措 施。董事會並要求公司管理層認真分 析研究BP的事故並從中吸取教訓,重 點是及早發現並清除那些可能導致事 故的各種安全隱患,對比查找管理和 技術方面的薄弱環節,使公司更有效 地防範此類種大風險。
最終,管理層按照董事會的要求進行 了具體落實,包括同油公司協商對一 些設備做了整改,提高可靠性。
2008年,中海油服宣布收購於奧斯 陸證券交易所上市的挪威海上鑽井公 司Awilco Offshore ASA(AWO),現金收 購100%股權,收購價為每股85挪威 克朗,即總價約127億挪威克朗(約 25億美元)。若按照25億美元的收 購價,加上13億的債務,估計實際收 購價格達38億美元,還沒有考慮時間 成本。
他憶述,2008年國際油價暴漲暴跌、 急劇波動,在確認收購時油價每桶漲 到100美元左右,更一度有分析師預 期油價有可能升至每桶200美元。
「當時油價高企,所以被收購公司的 估值非常高,再加上那時公司規模比 現在小,這幾十億美元的收購價對我 們來說是很大的風險。在商議過程 中,我們有兩位獨董認為收購價偏 高。不過,由於董事會最終判斷,收 購將能直接為公司帶來現金流,不久 後將能大大提升公司的EPS水平,最 終還是做了這項重大決定。」他說。
Jimmy Chow, Journalist