The winning paper in the Institute’s latest Corporate Governance Paper Competition argues that risk management is an essential part of a healthy corporate governance framework. In this second and final part of their article, the authors look at examples of best practice in risk management in the Hong Kong market.

Risk management has been a critical area of corporate governance since the 2008 financial crisis. The crisis demonstrated that a number of problematic financial institutions did not have effective risk management. Those financial institutions failed to monitor potential risks. Risk management, in fact, is the process of identification, assessment and prioritisation of risks by both the board and the management to monitor, minimise and control the probability and the impact of risks. Only if potential threats and opportunities are identified can a company apply good governance to cope with the evolving environment. The company’s management should invest more resources in risk management and this should form an essential part of the company’s strategy.

Moreover, as the consultation paper on risk management and internal control issued by Hong Kong Exchanges and Clearing Ltd (the Exchange) in June 2014 emphasised, companies’ risk management systems need to be fully integrated with their internal controls. Other jurisdictions, such as the UK, Australia and Singapore, have already incorporated risk management requirements in the internal control section of their corporate governance codes. All these codes require the board to maintain a sound framework for risk management and internal control. In accordance with this global trend, it is necessary for companies in Hong Kong to ensure an effective framework for risk management and internal controls and to ensure full disclosure in this area.

Rationale of the Code changes

Following its 2014 consultation paper, the Exchange amended the Corporate Governance Code to upgrade the provisions of the Code relating to risk management and internal control. These amendments took effect at the beginning of this month. The rationale for the Code changes is discussed below.

On the company side, the revised Code Provisions are intended to provide better guidelines for both board and management to monitor the procedures and evaluate the performance of internal controls. Better risk management and internal controls will help companies to reach their long-term objectives and improve the efficiency of operations. The board has a responsibility to identify potential problems in the first place. Potential risks vary in relation to the nature, size and complexity of the company, and its individual characteristics. In addition, the audit committee has the responsibility to set up risk assessment and management guidance based on the ‘comply or explain’ provisions of the Code, and to oversee the performance of internal controls.

On the shareholders’ side, risk management disclosure can enhance transparency. With the risk management report, shareholders can be fully informed of how the company’s management deals with the risks the company has encountered or will encounter in future. It provides reassurance to the shareholders and helps them make rational investment decisions.

Although risk management reporting is not mandatory, CLP Holdings Ltd (CLP) is a good example of best practice in this area. The company provides a risk management report to shareholders in its annual report. CLP’s risk management report of 2014 (available on the company’s website) discloses the risk governance framework and existing risks, and compares these with the past. This enables shareholders to have a better understanding of the company’s strategy and operations. The MTR is another good example of a company which publicly discusses its risk management, especially its crisis management.

Examples of best practice

1. CLP Holdings

CLP is a well-known listed corporation in Hong Kong. It has adopted its own corporate governance code (the CLP Code) which exceeds many of the requirements of the Exchange’s Corporate Governance Code.

In order to enhance transparency, CLP has adopted its own Code for Securities Transactions by Directors. What’s more, CLP requires directors and senior management to disclose their interests and confirm compliance with the Model Code and the CLP Code for Securities Transactions. CLP has also published a set of Continuous Disclosure Obligation Procedures for other staff: this formalises the current practices in monitoring developments in its businesses for potential inside information and communicating the information to its shareholders, the media and analysts. CLP has also set up an internal control system of checks and balances on staff and managers’ authority so as to avoid one party monopolising a transaction. CLP provides guidelines for staff to voice their opinions and suggestions (and to report any malpractice) to management. This accords with the company’s values, that is – ‘every employee is responsible for the company’s risk management’. These policies can protect the corporation from making unwise decisions and from corruption.

CLP has disclosed its strategic plan for responding to risks in its Risk Management Report since 2007. In addition, its audit committee is responsible for internal controls and the financial report. Although risk management reporting is not a mandatory requirement in Hong Kong, CLP provides a risk management report covering its risk management framework and strategies to deal with crises.

Every quarter, business and functional units are required to submit the material risks identified through their risk management process to group risk management. When the risks have been identified, the group executive committee writes a quarterly group risk management report and submits it to the audit committee. A summary of the material risks is passed to the board. In the case of investment proposals, CLP requires multi-disciplinary experts to evaluate the risks ahead of any investment.

2. The MTR Corporation

In 2014, the Mass Transit Railway (MTR) Corporation established a risk committee which complies with the Exchange’s new requirements on risk management and internal control. The company’s risk committee’s work and responsibilities, as stated in the 2014 annual report, include the following:

  • review the set-up and implementation of the company’s ERM framework, guidelines, policy and procedures for risk assessment and risk management
  • review the company’s top risks and key emerging risks
  • review the enterprise risk management function, and
  • review the collaboration arrangements with the capital works committee and the audit committee.
According to good corporate governance procedures, the board and management owe a duty of care to their shareholders and the public, especially in the case of financial institutions. Rather than just ticking boxes, the role of the board should be to oversee and evaluate the risks to its objectives and establish a sound framework for risk management and internal control. Simultaneously, management has the ongoing responsibility to monitor and implement risk management and internal control. In order to perform this duty of care, it is also necessary for the board to disclose its risk management processes in its annual report so that shareholders can assess the performance of their investment. As a further line of defence, internal audit plays a significant role in analysing and appraising the effectiveness of risk management and internal control.

It is not easy to assess the nature and extent of risks, and it can be catastrophic for a business to wrongly assess the complexity of risks. Some large companies, such as Enron, failed to assess risks correctly even though they had risk management departments, and this led to corporate collapse. In pursuit of business objectives, there is an urgent need for all companies to disclose their risk management details in their financial reports. In light of its assumptions about current and future risks, the board should not only identify shareholders’ expectations but also balance its strategic objectives between risk taking and risk control.

According to the recent amendments to the Corporate Governance Code, the board is responsible for overseeing the risk management and internal control systems on an ongoing basis. The aim of upgrading the need to review risk management to a Code Provision is to protect shareholders’ long-term interests and to manage risks. However, according to the Organisation for Economic Co-operation and Development (OECD), the existing guidance on risk management is concerned with creating a risk management framework. Management is not only responsible for monitoring and implementing risk management through internal control; the company should develop a risk-aware culture and disseminate this awareness to every individual.

The CLP risk management report mentions that every employee within CLP has responsibility for risk management. Sometimes it is hard to assess the risks or for management to identify all the risks. A good risk awareness culture and a proper risk appetite can help reduce certain risks. Education of the company’s employees may help to achieve this.

Despite the fact that the need to review risk management has been upgraded, this requirement is still based on a ‘comply or explain’ approach. Although this provides flexibility to the board, it also challenges the ethics of the board. In contrast, the NYSE Corporate Governance Standards require all companies to develop a clear risk management report for shareholders. To better enhance transparency and accountability, we recommend further upgrading the Code Provision on risk management to a listing rule. In other words, it should be mandatory for all companies to disclose their risk management policies and performance in their annual financial report.
To conclude, the new Code Provisions on risk management have raised awareness of the importance of good risk management and internal controls. This will enhance the transparency of listed companies as they are required to disclose to their shareholders how they have managed their risks. However, since the Code Provisions are imposed on a ‘comply or explain’ basis, some companies might fail to comply with this requirement and simply provide explanations for their non-compliance in the corporate governance report. This means that shareholders in these companies may not be protected.

Kingston Suen King Ho, Grace Gu Run and Ray Ho Wai Yan
Lee Shau Kee School of Business and Administration, The Open University of Hong Kong