In July 2016, the Institute set up seven Interest Groups under the Technical Consultation Panel to produce guidance notes on key topics in governance and company secretarial practice. CSj reviews the latest additions to this series.
Since its launch in 2016, the Institute’s Interest Groups project has added a substantial body of guidance to the Institute’s website for the benefit of Institute members and the wider profession and community. A total of 12 guidance notes have been published so far in this series (all of which are available in the ‘Publications’ section of the Institute’s website: www.hkics.org.hk). This article reviews the three additions to this series so far in 2018, comprising two guidance notes on managing bribery and corruption risks, and a guidance note on the corporate secretary’s role in preparing for and responding to a ransomware attack.
Managing bribery and corruption risks
The risks associated with bribery and corruption, both internationally and in the Asian region, are on the rise. The two guidance notes published earlier this year by the Institute’s Ethics, Bribery and Corruption Interest Group emphasise that companies cannot afford to neglect this area of risk management and compliance, and company secretaries and governance professionals can play a key role in ensuring that the relevant issues are understood by the board and senior management.
The guidance emphasises that ethics, bribery and corruption risks are not only about possible fines and regulatory actions – far more serious for companies are the reputational risks. ‘Global corruption scandals over the last few years have shown that non-compliant behaviour does not only lead to financial losses, but also massive reputational damage. In comparison to possible exclusion from bidding procedures due to a blacklisting, or even the imprisonment of managers and employees, reputational damage can be far more serious. Building a good reputation takes a long-term investment and it might take years of effort to win back stakeholders’ trust,’ the guidance note (first issue) states.
Step one – know the rules
For company secretaries and governance professionals, the first requirement is of course to have a good understanding of the relevant regulatory requirements and the consequences of non-compliance. The first issue guidance note from the Institute’s Ethics, Bribery and Corruption Interest Group provides an overview of the regulatory requirements relating to bribery and corruption in Hong Kong, Mainland China and internationally.
These include the main anti-corruption laws – such as the Prevention of Bribery Ordinance in Hong Kong, the Criminal Law of the People’s Republic of China and the US Foreign Corrupt Practice Act – but also lesser known laws and rules which can be just as relevant to managing bribery and corruption risks. These include the Theft Ordinance, the Companies Ordinance and the listing rules in Hong Kong, the Anti-Unfair Competition Law in Mainland China and the Organisation for Economic Co-operation and Development Anti-Bribery Convention internationally.
While a knowledge of the rules is essential, the first issue guidance note points out that practitioners should also be aware of enforcement trends in the areas of ethics, bribery and corruption. There has been an escalation in the number of investigations and prosecutions by regulatory and criminal authorities. In Mainland China, for example, we have seen a sweeping anti-corruption campaign in recent years with vigorous enforcement activities. In Hong Kong and internationally we have also seen an increased focus by regulatory and enforcement authorities on holding individuals to account for wrongdoings.
Step two – build an ethics and compliance programme
The second issue guidance note from the Institute’s Ethics, Bribery and Corruption Interest Group focuses on practical advice to help company secretaries and governance professionals build a compliance programme for managing ethics, bribery and corruption risks. It sets out the key elements such a programme would need to include to be effective. Some of the key elements discussed in the guidance are highlighted below.
- Set the right tone from the top. The guidance emphasises that it is important for management and the board of directors to set the right tone from the top. ‘A strong foundation based on the commitment and endorsement of company leaders is vital to the success of an ethics and compliance programme. Management should set the right tone and be seen to play an active and visible role in demonstrating ethical behaviour,’ the guidance states.
This issue will have particular relevance for corporate secretaries and governance professionals in their board advisory function. Since the board of directors is the starting point for setting the right tone, practitioners will need to ensure that ethics, bribery and corruption issues are on the board’s agenda and are monitored on a regular basis.
- Take a principles-based approach. With ethical issues, and in particular in the fight against bribery and corruption, a rules-based approach alone will not be sufficient. Rules are useful to provide clarity about the minimum standards of behaviour and practice, but the ultimate goal should be to change mindsets and create an ethical culture that is based on principles and values. For this reason, it is important to engage the users of the ethics and compliance programme. Ethical values need to be effectively communicated to employees, the guidance points out, because their support is needed to make the programme effective and sustainable.
‘The company’s code of conduct will only have an impact if the appropriate standards of behaviour are effectively communicated to all members of the organisation. Accordingly, the code should be clear and understandable to every employee at every level. Use simple and concise language, and avoid unnecessary legal jargon,’ the guidance states.
- Support whistleblowers. Most instances of fraud are detected by parties within organisations rather than by external agencies. It makes sense therefore for organisations to encourage whistleblowing by members of the organisation.
The guidance reviews the support and incentives to whistleblowers in overseas jurisdictions and in Hong Kong. Code Provision C.3.7 of Hong Kong’s Corporate Governance Code, for example, indicates that the terms of reference of the audit committee should require a review of the arrangements ’employees of the issuer can use, in confidence, to raise concerns about possible improprieties in financial reporting, internal control or other matters. The audit committee should ensure that proper arrangements are in place for fair and independent investigation of these matters and for appropriate follow-up action’.
In addition, Recommended Best Practice C.3.8 in the code recommends the audit committee to establish ‘a whistleblowing policy and system for employees and those who deal with the issuer (for example customers and suppliers) to raise concerns, in confidence, with the audit committee about possible improprieties in any matter related to the issuer’.
Ransomware prevention, preparedness and response
The WannaCry ransomware attack of May 2017 is estimated to have affected more than 200,000 computers across 150 countries and caused total damages into the billions of US dollars. WannaCry certainly put this type of ransomware cyber risk on the global map for compliance and governance professionals.
What is a ransomware attack?
A typical ransomware attack involves introducing malware into your IT system, which then renders critical data and systems inaccessible via encryption. This is followed by a demand for payment for the decryption key – usually in the form of cryptocurrencies such as bitcoin. The consequences of a ransomware attack can be severe and the guidance points out that companies need to take all available preventative measures in advance. They also need to have a response plan ready in the event that these measures fail.
The corporate secretary role
The guidance points out that ransomware is not a problem that one corporate officer, or even any single division, can take on in isolation. A whole-of-company approach is required, from the boardroom down and across divisions. ‘Corporate secretaries are increasingly being called on to take on this challenging issue on a proactive basis. With the right planning, they can save their companies from the headlines and focus on the business instead,’ the guidance states.
As you would expect, many of the measures recommended in the guidance relate to the IT system, but there are many measures which are likely to involve close participation by the corporate secretary. The incident response team, for example, needs to include employees from all relevant divisions, including IT, security, legal, compliance, human resources, customer relations, and public relations, as well as the company’s outside advisers. The corporate secretary will be in an ideal position to co-ordinate this cross-disciplinary effort. ‘The corporate secretary should consider who within the organisation is responsible for elements of planning and response around ransomware, and then convene those corporate stakeholders around the table,’ the guidance states.
Another area which relates directly to the work of the corporate secretary is the need to advise the board of directors and senior executives on ransomware risk, prevention, planning and response.
Key elements of prevention and response
The guidance goes into some detail on the key things to consider when preparing for a ransomware attack. Corporate secretaries are likely to be involved in organising regular training for employees on the expected vectors for the malware, such as phishing emails. Training will also be needed to ensure employees notify IT immediately when a potential ransomware attack has occurred. ‘Employees should be trained never to pay ransom or attempt to negotiate or communicate with the attackers,’ the guidance states.
Where preventative measures fail, companies will need to implement a response plan and the guidance gives advice on what such a plan should involve. For example, this plan should involve notifying all affected audiences such as employees, customers, investors, key commercial partners, regulators and, potentially, law enforcement.
Perhaps the most difficult aspect of a ransomware attack is the question of whether to pay ransom. The guidance lays out the key considerations for such a decision and makes it clear that such a decision should involve the company’s key decision makers – including the CEO, corporate secretary and general counsel. The company should also try to identify the perpetrator as this can assist in evaluating sanctions compliance risk, the likelihood that the perpetrator will indeed furnish the decryption key upon payment and other relevant issues.
Returning to business as usual
The guidance also has advice on the key remediation measures companies should consider after a ransomware attack. These should involve restoring data backed up prior to the attack and assessing whether there are any regulatory, contractual or other obligations as a result of the incident.
The guidance notes reviewed in this article are available from the ‘Publications’ section of the Institute website: www.hkics.org.hk.
SIDEBAR: A word of thanks
The Institute would like to give thanks to all those involved in the production of the guidance notes reviewed in this article. These include the members of the Institute’s Ethics, Bribery and Corruption Interest Group (Dr Brian Lo FCIS FCS, Lily Chung, Miang Lee and Ralph Sellar) and the authors of the ransomware guidance note (Robert Silvers, Jacqueline Cooney and Reade Jacob of Paul Hastings).
Mohan Datwani FCIS FCS(PE), Senior Director and Head of Technical & Research, serves as secretary to the Institute’s Interest Groups. Feedback on this project is welcome; please contact Mr Datwani at: email@example.com.