Risk management and corporate governance
The winning paper in the Institute’s latest Corporate Governance Paper Competition argues that risk management is an essential part of a healthy corporate governance framework. In this first part of their article, the authors focus on a comparison of the US and UK approaches to risk management.
Before the 2008 financial crisis, risk management was perceived as a voluntary function and it was often assumed that only large-scale companies would perform it due to the high cost involved. However, reality tells us that every company needs risk management. Moreover, in Hong Kong the issue of risk management has been given added importance since the recent amendments to the Corporate Governance Code (the Code) relating to risk management and internal control. In the consultation paper proposing the amendments to the Code, Hong Kong Exchanges and Clearing Ltd made it clear that the board should oversee the design, implementation and monitoring of the risk management and internal control systems.
The objectives of both corporate governance and risk management are to protect shareholders’ long-term interests. Effective corporate governance should be able to help the company present a better performance and mitigate negative impacts from crises. Risk management, as an element of corporate governance, can build a better defence against potential risks. Risk management therefore enhances the accountability of the board and plays an important role in developing a healthy corporate governance framework.
What is corporate governance?
The OECD Principles of Corporate Governance (www.oecd.org/corporate/principles-corporate-governance.htm) define corporate governance as a system by which organisations are directed and controlled. Usually the board is responsible for establishing some rules and structures for the company and regularly reviews and evaluates the existing rules and policies. Nowadays, the requirement for good corporate governance is highly emphasised, especially when considering stakeholders’ interests.
In Corporate Governance: Origin and Evolution, Vdo and Alexander highlight the differences between the stakeholder and shareholder approaches to corporate governance. ‘Continental European and Asian countries focus on the need to satisfy social expectations. Therefore they are concerned not only with shareholders’ interests, but also the employees, government and other stakeholders. But some countries, like Anglo-Saxon countries, focus on returning a profit to shareholders over the long term.’
What is risk management?
Risk management is the establishment of institutional policies, procedures or systems designed to analyse, assess, control and avoid, minimise or eliminate unacceptable risks. An organisation may use risk assumption, risk avoidance, risk retention, risk transfer or any other strategy (or combination of strategies) to manage risks. Although many people treat assurance as equivalent to risk management, assurance cannot calculate the non-monetary loss and compensate for losses to intangible assets.
The major objectives of risk management are to:
- identify risks and trace their root causes
- measure and evaluate risk
- mitigate risk, and
- monitor risk.
A comparison of the risk management approaches in the UK and US
After the scandals in the financial services sector and the global financial crisis, both the UK and the US reinforced the requirements for risk management within their own systems, each with a completely different approach, so that better risk management could further enhance corporate governance.
The UK Corporate Governance Code (the UK Code) was initially issued by the Cadbury Committee in 1992. Today, the UK Code is maintained and updated on a regular basis by the Financial Reporting Council. The UK Code is a guide that lists the principles and code provisions of good corporate governance and effective board practice. It applies to all companies with a listing of equity shares, regardless of where they are incorporated.
In 2010, following the global financial crisis, the section of the UK Code dealing with risk management was updated to improve risk management and internal control systems and ensure better protection for investors. Following that upgrade, the Financial Reporting Council published its Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (the Guidance) in 2014. This guidance promotes risk management best practice and is applied in the same way as the UK Code.
Unlike the UK, the US adopts a rules-based approach to risk management. The Sarbanes-Oxley Act of 2002 was enacted following the corporate governance scandals at Enron and WorldCom so as to better protect investors. It was enacted by the Senate and House of Representatives in Congress and takes effect as public law. It requires the Securities and Exchange Commission (SEC) to set rules and regulations in order to ensure that listed companies comply with the Act.
Section 404 of the Act regulates the internal control and risk management practices in business. It focuses on companies which have to file an annual report with the SEC under Section 13(a) or 15(d) of the Securities Exchange Act of 1934 – these are listed companies. In addition, some rules tackling risk management are set by the SEC.
A comparison of the different approaches to risk management adopted by the UK and the US is given below.
The UK Code operates on a principles-based approach, namely a ‘comply or explain’ approach. It states that ‘companies should report whether they have followed the recommendations or, if not, explain why they have not done so’ (Financial Reporting Council). Hence, when a company adopts an alternative to achieve risk management instead of fully complying with the Code provisions, it has to provide a clear explanation to shareholders. In other words, the company does not need to strictly follow the provisions. Therefore, the board can retain flexibility in how to exercise its risk management responsibilities while ensuring proper risk management for the company.
Under the mandatory rules-based approach in the US, companies must comply with every detail of the Sarbanes-Oxley Act; otherwise they breach the law. A violation of Section 404 of the Sarbanes-Oxley Act is treated in the same way as a violation of the Securities Exchange Act of 1934, that is, it attracts the penalties set out in Section 3 of the Sarbanes-Oxley Act, which include hefty fines and imprisonment. As a result, companies have no choice but to comply with the regulations.
Responsibilities for risk management
Board level. As stated in the main principle (C.2) of the UK Code, the board is responsible for determining the risk appetite and maintaining sound risk management and internal controls. The UK Code also requires the board to get involved with implementing risk management. This is supplemented by the Guidance, which gives more detail on how the board can fulfil its responsibilities. In addition to the points discussed above, the board has to ensure the design and implementation of systems that can manage the company’s risks properly.
In addition, the Guidance suggests that changes should be carried out internally and externally in order to maximise the benefits of risk management at the company level – for instance, nurturing an appropriate culture and better external communication on risk management and internal control. Hence, boards in the UK take an active role in risk management and give detailed recommendations to be performed at the organisational level.
In the US, risk oversight is a responsibility and clear goal for the board of directors in the broader perspective of the company. According to the Proxy Disclosure Enhancement, enacted by the SEC in 2010, the board’s responsibility is to oversee the company’s risks in different ways, such as through the whole board or by a separate committee responsible for handling the risks. Item 407(h) of Regulation S-K enacted by the SEC states that companies are required to disclose the extent of the board’s role in the risk oversight. Therefore, the board oversees the material risks faced by the company, including credit risk, liquidity risk and operational risk, though the extent is decided by each individual board.
The board’s responsibility is focused on reviewing the company’s risk oversight framework, such as the policies or procedures to manage risk, and identifying the material risks with management so as to mitigate those risks.
The board’s responsibilities in the UK are to manage risks in a more comprehensive way that does not only focus on the risk management itself, but also to recommend ways to facilitate the promotion of risk management. For example, the Guidance recommends external communication on risk management and internal cultivation of risk management or internal controls. Such suggestions do not directly help manage the risk but help facilitate risk management and create a healthier business environment or culture. The UK route ultimately optimises the benefits brought by all-round risk management to the company.
To summarise, the approach by which boards in the UK fulfil their responsibilities in respect of risk management is more comprehensive, whereas boards in the US are more focused and concentrated on risk management tasks.
Management level. The UK Code, which is the major document regulating risk management, focuses on the responsibilities of the board, not on those of management or employees. The roles and responsibilities of management are described in the Guidance, as mentioned above. Management is responsible for daily operation or actual implementation of the policies or strategies on risk management or internal control which have been designed by the board.
In contrast, the Sarbanes-Oxley Act of 2002 in the US prescribes management’s responsibility specifically in Section 404(a)(1). Moreover, the responsibilities of management took effect in 2002, far earlier than the requirements for the board in the UK, which were implemented in 2010. Hence the US places the primary responsibility for carrying out risk management on senior management, whereas the UK places it on the board.
Requirements for attestation and reporting. In the UK, according to the UK Code, the audit committee is responsible for reviewing internal control and risk management systems, as well as the effectiveness of the internal audit function, so that the company can better manage its relevant risks. No attestation or report is required by the audit committee or the external auditors on risk management under the UK Code.
In contrast, in the US, management is required to make an assessment of internal control under Section 404(a)(1) of the Sarbanes-Oxley Act. Under Section 404(b) of the Act, the internal control assessment must be further attested and reported on by a registered public accounting firm. Accordingly, the Public Company Accounting Oversight Board enacted Auditing Standard No. 5 to set out the standard for assessing internal controls. In other words, any public accounting firm is legally liable for performing the attestation of the assessment, and there are legal consequences if it fails to do so.
Responsiveness to changes in the risk environment. The UK Code has been updated to react to the ever-changing business environment on a regular basis. For example, when there are risks arising from new products or technological advancements, the updated Code provides accurate and reliable guidance for companies to carry out risk management in response to the changing environment.
In contrast, the US Sarbanes-Oxley Act does not provide such a timely response to the changing environment. If the situation requires changes to the risk management system in order to better cope with changing risk factors, there will always be a time lag due to the long legal and administrative procedures. Thus, by the time the relevant amendments to the law are made, the response may come too late.
Comparing the responsiveness to changing risk factors, the UK would appear to perform better than the US.
Buffers and exemptions. The UK Code requires companies that deviate from the Code provisions to indicate how long it will take them to come into compliance with them. Companies therefore have a buffer time to fully comply with the principles and provisions. However, no exemption from the Code provisions is allowed for any company. An externally managed investment company follows a separate code (The Association of Investment Companies’ Corporate Governance Code and Guide) to fulfil its responsibilities in risk management and corporate governance.
In contrast, in the US no departure from the duties stated in the Sarbanes-Oxley Act is allowed once the law takes effect. Even if listed companies are small in scale and new, they have to fulfil the requirements described in the Act. In other words, no buffer time is allowed. Nevertheless, there is a provision for some investment companies to be exempted from Section 404 of the Act.
Assessments. As required by the UK Code and Guidance, the board has to assess the principal risks of the company. It should monitor and assess any risk factors threatening the company’s business performance, such as the business model, solvency and liquidity. Furthermore, the board is also required to evaluate the effectiveness of the risk management and internal control systems, including the controls in relation to finance, operation and compliance. Hence, the monitoring of risk, as well as its control, is emphasised in the UK.
However, the assessment in the US focuses on the effectiveness of the risk management structure and the financial reporting procedures according to Section 404(a)(1) of the Sarbanes-Oxley Act, but not on the risks themselves. The risks should be reviewed by the board as part of the board’s responsibilities. Therefore, ensuring a good risk management framework is the main focus in the US.
There are some common responsibilities or requirements for managing risk in the UK and the US. These include performing risk assessments, identifying and mitigating the risks as well as evaluating the effectiveness of the systems in place to manage risk. The common purpose or goal for the work done on risk management is to protect investors ultimately by correcting any misconduct in the past and improving business behaviour with a focus on risk. The two countries require their companies to perform risk management in different ways. It is hard to tell which one is better, but it is best for a company to undertake risk management in accordance with the local characteristics of each country.
Kingston Suen King Ho, Grace Gu Run and Ray Ho Wai Yan
Lee Shau Kee School of Business and Administration, The Open University of Hong Kong
In the second and final part of this article, to be published in next month’s journal, the authors look at examples of best practice in risk management in the Hong Kong market.
The Institute’s Corporate Governance Paper Competition is designed to promote awareness of corporate governance among local undergraduates. Authors of the competing papers also enter a presentation competition. Further details of the winners of both the paper and presentation competitions can be found in this month’s Institute News section.