CSj highlights the results of a new KPMG/HKICS survey to assess the awareness and preparedness of organisations in Hong Kong and Mainland China to manage and oversee risks.
Risk management has been climbing the regulatory agenda internationally since the global financial crisis. We have seen regulators, both overseas and here in Hong Kong, tighten the requirements relating to risk. In December 2014, Hong Kong’s Corporate Governance Code was amended to highlight the importance of risk management and effective internal controls. Other jurisdictions, such as the UK, Australia and Singapore, have already adopted similar requirements within their respective corporate governance codes (see ‘Code changes’ below).
In the wake of these changes, KPMG and The Hong Kong Institute of Chartered Secretaries (HKICS) conducted a survey of 279 senior executives based mainly in Hong Kong and Mainland China to assess how far risk management practices are fit for purpose in the Hong Kong and Mainland China markets. The resulting report – Risk Management: Looking at the New Normal in Hong Kong – has just been published.
‘With new corporate governance requirements for companies listed or looking to list in Hong Kong, the intention was to capture what the new normal for risk management looks like in the region,’ the KPMG/HKICS report states.
The KPMG/HKICS risk management survey indicates that risk management is seen as a high priority. ‘Board directors and senior executives are increasingly thinking about the risks facing their organisation,’ the report states.
- 91% of respondents believe that risk management adds value to their overall objectives and helps improve the way they do business
- 72% said their organisation had increased investment in risk management over the last three years, and
- 79% anticipated a further increase over the next three years.
The survey also highlights, however, many areas where companies are failing to translate this raised awareness of risk into effective management of risk.
- 15% do not have an internal audit function
- 57% do not have an internal audit function whose audits can be clearly linked back to the top risks facing the organisation
- 64% have not developed a formal risk appetite statement
- 34% do not regularly factor risk considerations into their planning decisions
- 29% have no process to aggregate risks from across the business
- 58% believe their organisation is not effective in developing stakeholders’ knowledge of their risk programme
- 61% said there was a weak link between risk management and compensation
- 57% cited difficulty in understanding enterprise-wide risk exposures, and
- 61% indicate the need for better board and senior management team awareness.
To address the problem areas highlighted by the KPMG/HKICS survey, the report emphasises that organisations need to adopt a structured approach to risk management. To this end, it sets out five ‘imperatives’ for organisations to consider:
- establish risk as a boardroom agenda item
- establish a risk appetite
- develop an enterprise-wide view of risk
- enforce accountability for managing risk, and
- enhance independent assurance through internal audit.
1. Establish risk as a boardroom agenda item
The responsibility for overseeing risk rests with the board. This was backed up by the recent amendments to Hong Kong’s Corporate Governance Code mentioned above which clarify that the board has an ongoing responsibility to oversee companies’ risk management and internal control systems.
The KPMG/HKICS survey indicates that this is well recognised by the market – 90% of respondents said that their board regularly discusses risk issues in the boardroom. ‘Boards are seeing the value risk management brings to overall objectives and are increasingly asking management questions about risks facing the business,’ the report states.
Nevertheless, the report emphasises the need for organisations to include risk as a standing boardroom agenda item – the survey found that 57% of respondents do not have such an agenda item – and to ensure that the board is provided with insights on the top risks facing the business.
2. Establish a risk appetite
The recent amendments to Hong Kong’s Corporate Governance Code brought in a Code Provision requiring boards to determine the level of risk they are willing to take in pursuit of their objectives. The KPMG/HKICS survey found that 64% of respondents have not developed a formal risk appetite statement. This does not mean, however, that these companies are in breach of the Code. Code Provisions require compliance on a comply-or-explain basis and the revisions to the Corporate Governance Code will apply to accounting periods beginning on or after 1 January 2016.
The report points out, however, that developing a formal risk appetite statement is a good first step in any risk management programme. It adds that, to be useful, the statement needs to be directly related to how the business makes strategic and business plans and how it drives future decision making.
‘In developing an appetite statement, executives should first articulate the company’s strategic objectives and drivers of performance. The next step is to align the risk profile to business and capital management plans by defining the acceptable levels of unexpected loss and areas of zero tolerance risk exposures for each key driver. Once the thresholds have been defined and agreed, risk indicators should be developed to allow for monitoring and reporting. Finally, the statement should be approved by the board and then communicated and integrated across the organisation,’ the report states.
The report adds that monitoring the risk appetite should be an ongoing process and companies should have an escalation process in place to ensure that any significant limit breaches are escalated to, and addressed by, the board and senior management.
3. Develop an enterprise-wide view of risk
The KPMG/HKICS survey found that 29% of respondents had no formal process to aggregate the overall risk exposure facing their business. The report suggests that one possible reason for this is a lack of relevant expertise.
‘Organisations should start with developing an overarching enterprise-wide risk management framework,’ the report states. ‘This should include a governance structure that will allow for oversight, a standard methodology including policies, risk assessment criteria, use of technology to enable risk management activities and the overall process for the periodic identification, assessment and reporting of risk. The framework should be widely communicated across the organisation so it is understood by all key stakeholders.’
The report emphasises that organisations need to ensure that they recognise the full spectrum of risks facing them, including the external threats which are often given less attention by boards. The KPMG/HKICS survey found that there is an awareness that many of the most serious risks businesses face today are external and not within the direct control of the organisation. In fact the top three threats identified by survey respondents were of this nature.
4. Enforce accountability for managing risk
The report points out that frontline managers are often best placed to identify and manage business risks. Organisations need therefore to ensure that all employees and officers are risk aware. Only half the respondents to the survey, however, rated their employees as having either ‘high’ or ‘somewhat high’ levels of risk awareness.
One of the reasons businesses struggle to motivate their employees to actively consider risk is the weak link between incentives and risk. The survey found that 61% of respondents believed that the link between risk management and incentive structures was weak or non-existent. The report therefore recommends organisations provide employees with incentives to encourage them to weigh risk and opportunity in all business decisions.
Other ways to raise risk awareness among employees and officers, the report suggests, is to set up a training programme and to define and communicate roles and responsibilities for managing risk.
5. Enhance independent assurance through internal audit
Another Code Provision brought in by the Exchange in its amendments to Hong Kong’s Corporate Governance Code requires companies to set up an internal audit function. The KPMG/HKICS survey found that as many as 15% of respondents do not currently have such a function. Moreover, only 43% of respondents could see a link back from internal audit activities to the top risks within the organisation.
‘We infer from this that a significant proportion of internal audit functions haven’t met stakeholders’ maturity expectations and are failing to make a significant impact on the business,’ the report states.
The report suggests the following key considerations for organisations setting up an internal audit function.
Positioning. The work done by internal audit should address the organisation’s key risks and they should bring objective challenge and improvement in the form of practical recommendations. Internal audit should have unfettered access to top executives and its reporting lines should not compromise its independence.
People. An appropriate people strategy should be defined so internal audit has adequate levels of staffing and access to specialists with the depth of technical knowledge required to challenge the business. Programmes should be developed such that internal audit staff understand nuances across the business and provide the business with commercially aware advice.
Process. Internal audit should develop a standard methodology such that it can deliver audits efficiently, in a timely manner
and to a high quality. Internal audit should also set up a system to track recommendations made and follow-up on progress as appropriate.
The KPMG/HKICS risk management survey shows that the importance of effective risk management is now well recognised in Hong Kong. ‘To help companies deal with new external risks, increasing shareholder scrutiny and changing regulations, effective risk management has never been more essential,’ the report states. The survey also, however, highlights many problem areas where companies are failing to adopt best practices.
The KPMG/HKICS report Risk Management: Looking at the New Normal in Hong Kong is therefore not only diagnostic, but also a call to action. It points out that effective risk management is unlikely to result from a simple expansion of governance, risk management, compliance and internal audit departments – this can lead to confusion, duplication of effort and increased costs. It recommends a structured approach to risk management based on the five key imperatives outlined above.
‘Risk Management: Looking at the New Normal in Hong Kong’ (October 2015) is available in the publications section of the HKICS website: www.hkics.org.hk.
For more on the role of the company secretary in implementing a structured approach to risk management, see ‘Risk awareness starts with the board’ (CSj, April 2015 edition, pages 6–11).
SIDEBAR: Code changes
In December 2014, Hong Kong Exchanges and Clearing brought in changes to Hong Kong’s Corporate Governance Code designed to highlight the importance of risk management and effective internal controls. The Code changes included:
- incorporating risk management into the Code where appropriate
- defining the roles and responsibilities of the board and management
- clarifying that the board has an ongoing responsibility to oversee the issuer’s risk management and internal control systems
- upgrading to Code Provisions the Recommended Best Practices regarding the annual review of the effectiveness of the issuer’s risk management and internal control systems, and disclosures in the Corporate Governance Report, and
- upgrading to a Code Provision the Recommended Best Practice that issuers should have an internal audit function, and those without to review the need for one on an annual basis.
The revisions to the Corporate Governance Code will apply to accounting periods beginning on or after 1 January 2016.
More information on the recent changes to Hong Kong’s Corporate Governance Code are available on the HKEx website (www.hkex.com.hk).