Conquering the Corporate Governance Code: How well are Hong Kong listed companies addressing new requirements?


December 2017

Conquering the Corporate Governance Code: How well are Hong Kong listed companies addressing new requirements?

www.pwchk.com

Key messages

Corporates have strengthened their risk management (RM) and internal control (IC) measures, and most of the listed companies we reviewed have complied with the disclosure requirements of the revised Hong Kong Corporate Governance Code issued by the Hong Kong Stock Exchange. Nevertheless, companies still need to put greater effort into improving reporting to the Board of directors and the effectiveness of their internal audit (IA) functions.

Companies are placing more emphasis on RM and IC in response to different kinds of disruption. About 78% of companies analysed disclosed their process used to identify, evaluate and manage significant risks, which represents an increase of 33% from last year. However, only 50% depicted the main features of both the RM and IC systems. Management of listed companies should examine their current RM and IC systems, and clearly identify and disclose the main features of the systems.

97% of companies analysed disclosed that they had an IA function. However, only 36% provided details of the review of IA functions, including adequacy of resources, staff qualifications and experience, training programmes and budget of the IA function. Listed companies should regularly assess the effectiveness of their IA function.

While 92% of companies analysed disclosed that they conducted an annual review of the RM and IC systems, only 54% provided details of the process used to review the effectiveness of systems and to resolve material IC deficiencies. The Board should assess the robustness of their annual review mechanism to ensure that they have conducted the review properly and sufficiently, and to address any IC defects in a timely manner.

Using control self-assessment (CSA) as a tool to identify and assess the level of risks and effectiveness of controls is becoming more popular. Nearly half of the companies analysed, with a 12% increase from last year, disclosed that they adopted a CSA approach to assess internal control, reinforce control ownership and raise awareness among operation managers.

Table of Contents

Introduction
Executive Summary
Background
Methodology
Market Trends
  Risk management and internal control
  Internal audit
  Annual review of risk management and internal control systems
The Roadmap Forward
Appendix 1: Extract of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules)
Appendix 2: List of companies included in the analysis (by category)
  Hang Seng Index
  Hang Seng China Enterprises Index
  Financial services
  Real estate
  Retail
  Technology
Appendix 3: Areas of Focus of Our Study

Introduction

The Hong Kong Stock Exchange has revised the Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Main Board Listing Rules), which requires Hong Kong listed companies to enhance their standard of corporate governance and make relevant statements / disclosures in their annual reports. The amendments to the Corporate Governance Code (CG Code) have become effective for issuers' accounting periods beginning on or after 1 January 2016.

In 2016, PwC Hong Kong (PwC) conducted a comprehensive study, "Cracking the Corporate Governance Code: How ready are Hong Kong listed companies in meeting new requirements?", to assess the readiness of listed companies in responding to the new requirements of the revised CG Code in the areas of risk management and internal control. Please refer to https://goo.gl/mckonh for details.

In 2017, we have carried out a second wave of the Study, "Conquering the Corporate Governance Code: How well are Hong Kong listed companies addressing new requirements?" This analysis followed a similar approach to that adopted in our 2016 analysis: we have included companies from the broader Hang Seng Index, the Hang Seng China Enterprises Index, as well as across four industries (i.e. financial services, real estate, retail and technology).

This new Study had two main goals. First, to provide directors, executives and managers with a thorough analysis of how well listed companies are responding to the new requirements of the revised CG Code, and to give insights into how prevalent the adoption of risk management and internal control practices is in the market. Second, the Study was designed to help companies look for further opportunities to review their corporate governance structure; enhance management accountability; strengthen RM and IC systems; transform the internal audit function and assess its effectiveness; and improve business performance and efficiency.

With our substantial experience in helping companies navigate new requirements of the Listing Rules including the CG Code, we have seen successful examples of how companies have used this exercise to help themselves better manage different stakeholders' expectations. Embracing good corporate governance is a continuous process and it can improve investor relations; protect shareholders' interests; and increase a company's competitiveness. Ultimately, it is a performance matter instead of a compliance issue.

Sincerely,
PwC Corporate Governance Partners and Team

Executive Summary

In an increasingly challenging business environment, having a robust risk management (RM) and internal control (IC) system has become more essential when responding to disruptions, such as cyber-attacks and financial crimes. In general, listed companies have become more proactive in meeting the tightened RM and IC requirements of the Corporate Governance Code (CG Code).

To understand the extent of Hong Kong listed companies' adoption of new CG Code requirements, PwC has conducted a second consecutive study on the Corporate Governance reports (CG reports) of 223 companies in the Hang Seng Index and Hang Seng Chinese Enterprises Index, as well as in four sectors: financial services, real estate, retail and technology. The main findings of this Study are described in the following three categories:

A. Risk management and internal control
A majority of Hong Kong listed companies analysed (78%) disclosed the process used to identify, evaluate and manage significant risks. However, only half of them disclosed the main features of the RM and IC systems, whereas 37% did not provide disclosure of the main features of both the RM and IC systems. Also, companies with disclosures on procedures and internal controls for handling and dissemination of inside information increased significantly from 43% (in 2016) to 87% in our 2017 Study.

B. Internal audit (IA) function
Overall, 97% of the companies in this Study disclosed they had an IA function, while only 36% disclosed information regarding their review of the adequacy of resources, staff qualifications and experience, training programmes and budget of the IA function.

C. Annual review of RM & IC systems
While 92% of companies in the Study disclosed that they conducted an annual review of the RM and IC systems, only 54% provided details of the process used to review the systems' effectiveness and to resolve material IC deficiencies. In addition, nearly half of the companies analysed, with a 12% increase from last year, disclosed that they adopted a control self-assessment approach to assess internal controls, reinforce control ownership and raise awareness among operation managers. However, only 31% of the companies disclosed that they had received management confirmation on the RM and IC systems' effectiveness.

Based on the findings in this Study, some recommendations are listed below for listed companies to consider:

- Management of listed companies should examine their RM and IC systems and clearly identify and disclose the main features of the RM and IC systems.
- Listed companies should review their IA function, particularly focusing on the adequacy of resources, staff qualifications and experience, training programmes and budget of the IA function.
- The Board should consider increasing the transparency of the process used to review the RM & IC systems' effectiveness and to resolve material IC deficiencies, and ensure such disclosure is properly made in the CG report.
- Companies should understand if there are any gaps or improvement areas in fulfilling the RM & IC disclosure requirements of the CG Code. For example, if control self-assessments are not currently used, management could use this approach to help assess controls underlying key business processes, and to assist management in providing confirmation to the Board on the systems' effectiveness.

Background

The Hong Kong Stock Exchange published its consultation conclusions on risk management and internal control on 19 December 2014, and subsequently issued amendments to the Corporate Governance Code and Corporate Governance Report [1] (the Code). The main objective of the revisions was to improve the standard of corporate governance among listed companies in Hong Kong. The revisions to the Code made five key changes:

- Incorporating risk management into the Code where appropriate;
- Revising Principle C.2 to define the roles and responsibilities of the Board and management;
- Clarifying that the Board has an ongoing responsibility to oversee the issuer's risk management and internal control systems;
- Upgrading to Code Provisions the recommendations in relation to the annual review and disclosures in the corporate governance report; and
- Upgrading to a Code Provision the recommendation that issuers should have an internal audit function, and those without to review the need for one on an annual basis.

Tips
The principle underlying the Code Provisions under Section C.2 is that the Board is responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer's strategic objectives, and ensuring that the issuer establishes and maintains appropriate and effective RM and IC systems. The Board should oversee management in the design, implementation and monitoring of the RM and IC systems, and management should provide a confirmation to the Board on the effectiveness of these systems.
Source: Corporate Governance Code and Corporate Governance Report- What are the changes?, PwC Hong Kong, May 2015 https://goo.gl/tfmkmi

In 2016, PwC performed a comprehensive study, "Cracking the Corporate Governance Code: How ready are Hong Kong listed companies in meeting new requirements?", to assess the readiness of listed companies in responding to the revised risk management and internal control requirements of the revised Corporate Governance Code.

In 2017, we have conducted a second wave of the Study, "Conquering the Corporate Governance Code: How well are Hong Kong listed companies addressing new requirements?", that analyses the current disclosure practices of the revised Code Provisions and Recommended Best Practices in relation to risk management and internal control to assess the readiness of the 43 Hang Seng Index [2] companies, 40 Hang Seng Chinese Enterprises Index entities and 140 companies in four different industry sectors in complying with the new requirements. Please refer to Appendix 1 for details of Code Provisions, Recommended Best Practices and mandatory disclosure requirements.

[1] https://goo.gl/thja4u
[2] There are 50 companies in the HSI, but only 43 corporate reports were publicly available when we conducted this Study.

Methodology

The Corporate Governance Code (CG Code) sets out a number of principles including Code Provisions and Recommended Best Practices. Issuers are required to state whether they have complied with the Code Provisions for the relevant accounting period in their annual financial reports and interim reports. Where the issuer deviates from a code provision, the issuer must give considered reasons. The Recommended Best Practices are for guidance only.

In order to understand how listed companies of different industries are responding to the CG Code changes, PwC conducted another comprehensive analysis of corporate governance reports (CG reports) of companies in the following categories by stock index and industry (see Appendix 2 for a full listing of the companies included in the 2017 analysis by index/industry). A full list of the questions used in this Study can be found in Appendix 3.

Please note that this Study is conducted solely based on what we can observe, which may not reflect the actual situation of individual companies in real life. The objective of this Study is to determine the companies' level of compliance with the revised CG Code from 1 January 2016, based on the relevant disclosure in CG reports.

The Hang Seng Index (HSI): PwC examined the available CG reports from all 43 constituent companies of the HSI. HSI is one of the oldest stock market indices in Hong Kong. Publicly launched on 24 November 1969, the HSI has become the most widely quoted indicator of the performance of the Hong Kong stock market and is used for developing numerous market measures to help investors make their investment decisions. It represents a broad cross-section of publicly-listed companies in Hong Kong.

The Hang Seng China Enterprises Index (HSCEI): PwC examined CG reports from all 40 constituent companies of the HSCEI. The HSCEI was launched one year after the first H-share company was listed on the Stock Exchange of Hong Kong. It tracks the performance of large Mainland China enterprises listed in Hong Kong in the form of H-shares [3].

PwC also selected key companies from four sectors to analyse: financial services (40 companies), real estate (40 companies), retail (30 companies) and technology (30 companies). The largest companies were selected for inclusion in this analysis, determined by the size of the overall market capitalisation with an accounting period that ended at or before 31 March 2017.

Graph 1: Company coverage of PwC study of risk management and internal control disclosure in corporate governance reports
Hang Seng Index: 43*
HSCEI: 40
Financial services: 40
Real estate: 40
Retail: 30
Technology: 30
Total: 223
* There are 50 companies in the HSI, but only 43 CG reports were available when we conducted this Study.

[3] H-Share is a share of a company incorporated in Mainland China that is listed on the Hong Kong Stock Exchange or other foreign exchanges. H-shares are still regulated by Chinese law, but they are denominated in Hong Kong dollars and traded in the same way as other equities on the Hong Kong Stock Exchange.

Market Trends

From our review of the risk management and internal control disclosures in over 220 corporate governance reports (CG reports), some key market trends are identified and categorised into the following three areas:

- Risk management and internal control
- Internal audit function
- Annual review of risk management and internal control systems

Risk management (RM) and internal control (IC)

The latest CG Code puts a new emphasis on risk management. Listed companies are required to develop processes to identify, evaluate and manage significant risks, and determine main features of RM and IC systems. Some companies have already been using CG reports as a public platform to detail what type of risk management processes are currently in place; to provide a description of the key risks they face; and to include mitigation measures they use to address these risks. Boards are also given an important responsibility: they need to oversee management in the design, implementation and monitoring of the RM and IC systems, and ensure that effective systems are established and maintained.

78% of analysed companies disclosed their process used to identify, evaluate and manage significant risks, with an increase of 33% from our Study last year.

PwC's 2017 Study found that 78% of analysed companies disclosed the process used to identify, evaluate and manage significant risks. There is a 33% increase from our prior year Study. Among indices, Hang Seng Index (HSI) companies continued to stay ahead of the curve: 84% of HSI companies disclosed their risk management practices, while only 80% of the Hang Seng China Enterprises Index (HSCEI) companies did, which represents 20% and 57% increases from prior year respectively.

From an industry perspective, a greater variance was observed in disclosure rates: financial services companies (90%) continued to top the list, followed by real estate (78%), technology (73%) and retail (67%) companies, with significant increases in such disclosure ranging from 20% (for real estate) to 54% (for retail) from last year. Financial services companies are typically exposed to a wider spectrum of risks, such as credit risks and market risks, and usually they have a designated risk management department. Accordingly, the identification, evaluation and management of risks would be expected to be more robust than in other industries, and disclosure therefore better. On the other hand, for real estate entities, housing markets (in both Hong Kong and Mainland China) boomed with rapid, record-breaking sales and price growth in 2016. The tightening of government policies in the property markets gave real estate companies an opportunity to reflect on the importance of setting up a process to identify, evaluate and manage significant risks.

Tips
COSO's Fundamental Principle: Good risk management and internal control are necessary for long term success of all organisations. The new COSO 2017 ERM Focused Framework, "Enterprise Risk Management (ERM) Integrating with Strategy and Performance", clarifies the importance of ERM in strategic planning and embedding it throughout an organisation, because risk influences and aligns strategy and performance across all departments and functions.
Source: Enterprise Risk Management Integrating with Strategy and Performance (2017), The Committee of Sponsoring Organizations of the Treadway Commission, 2017 https://goo.gl/jiruww https://goo.gl/eafnvu

References:
- The top changes to the COSO ERM Framework you need to know now, PwC Risk Insights blog, 2017 https://goo.gl/huv2ix
- Risk in Review 2017 Going the Distance, PwC, 2017 https://goo.gl/jubd56
- What you need to know about the new COSO ERM Framework, PwC Global Risk podcast series Episode 1, PwC, 2017 https://goo.gl/uexd59

Only half of the analysed companies disclosed main features of both the internal control and risk management systems, while 37% of the companies did not make such disclosure at all.

PwC's 2017 Study revealed that 50% of the analysed companies provided disclosure on main features of both IC and RM systems, while 37% of the companies did not provide disclosure regarding the main features of the two systems at all. It indicates that quite a large portion of listed companies might have overlooked this Code Provision requirement.

Area of focus: Did the issuer disclose the process used to identify, evaluate and manage significant risks in its CG report?

Graph 2: Results of disclosure of process used to identify, evaluate and manage significant risks (2016 / 2015 / change)
Overall: 78% / 45% / +33%
HSI: 84% / 64% / +20%
HSCEI: 80% / 23% / +57%
Real estate: 78% / 58% / +20%
Retail: 67% / 13% / +54%
Technology: 73% / 33% / +40%
Financial services: 90% / 63% / +27%

67% of HSI entities disclosed main features of both systems, while only 35% of HSCEI companies did. From an industry perspective, 63% of the technology companies provided disclosure of main features of both the IC and RM systems and 27% of them did not provide such disclosure. Technology is a fast growing industry, and companies are facing emerging risks and disruptive challenges, so technology companies, including start-ups, are beginning to realise the importance of internal control and risk management.

Both real estate companies (52%) and financial services companies (58%) were above average in making such disclosure. Yet 33% of real estate companies and 20% of the financial services companies, respectively, did not disclose it. Retail companies lagged behind significantly as only 17% of them disclosed the main features of the systems, and 77% of them did not make such disclosure at all.

Area of focus: Did the issuer disclose main features of the IC and RM systems in the CG report?

Graph 3: Disclosure of main features of the RM and IC systems (bars for Overall, HSI, HSCEI, Real estate, Retail, Technology and Financial services; legend: Disclosure on both RM and IC systems, Disclosure on IC only, Disclosure on RM only, No disclosure)

The majority of the companies analysed provided a description of key risks and mitigation measures.

When examining if companies described their key risks and/or disclosed how those risks were measured, large variances were noted among the analysed companies. This year's Study revealed that 77% of analysed companies described their key risks in the CG report, compared to 39% in the prior year (PY), which represents a 38% increase year-on-year. Although HSI companies were above the average with nearly 60% of companies describing key risks, and only 25% of HSCEI companies offered such description in their CG reports in 2015, HSCEI companies (95%) surpassed HSI companies (79%) in their disclosures in 2016, which significantly narrows the gap between the two indices.

On an industry basis, financial services led the sectors, with 100% of the analysed companies describing key risks (PY: 70%), followed by 83% of retail companies (PY: 20%) and 70% of real estate companies (PY: 50%), while only 50% of technology companies (PY: 10%) provided such details in their CG reports. Risks continued to be a major focus for financial services companies. With tighter regulations such as Basel III, financial services companies are likely to be more transparent in describing the key risks.

Area of focus: Is there any description of key risks disclosed in the issuer's corporate governance report?

Graph 4: Description of the key risks (bars for 2016 and 2015: Financial services, Technology, Retail, Real estate, HSCEI, HSI, Overall)

58% of the analysed companies provided disclosure of the risk management measures of the key risks, while financial services entities outperformed other industries.

PwC's Study indicated that 58% of analysed companies disclosed risk management measures in their CG reports, with a 26% increase from last year. Again, HSCEI companies (75%) surpassed HSI companies (65%) on making such disclosure, with respective increases of 35% and 21% from prior year.

Given more rigorous risk management requirements, financial services companies continued to outperform the other 3 industries, with 95% of the companies having disclosed mitigation measures to address key risks (PY: 80%). The industry with the second highest disclosure rate is retail. Its disclosure rate increased from 3% in 2015 to 57% in 2016, representing a significant year-on-year increase of 54%. Meanwhile, real estate (45%) and technology (37%) companies continued to lag behind.

Overall, financial services outperformed other industries in disclosing risk management practices. Risk management is essential and forms part of the financial services business in providing financial products and services. Given its business nature, which often involves providing credit and financing to customers, poor risk management would result in direct financial losses to financial institutions. Furthermore, various regulators such as the Hong Kong Monetary Authority (HKMA) and Securities and Futures Commission (SFC) of Hong Kong impose extensive regulatory requirements with regard to identifying, monitoring and reporting key risks. Failure to comply may result in regulatory breaches with undesirable consequences.

Area of focus: Did the issuer disclose its risk management measures of the key risks?

Graph 5: Disclosure of the risk management measures of the key risks (bars for 2016 and 2015: Financial services, Technology, Retail, Real estate, HSCEI, HSI, Overall)

? Questions to ask: Have you made reference to the Committee of Sponsoring Organisations (COSO) Enterprise Risk Management Framework in making disclosures in the CG report? If so, how ready are you in adopting the new COSO 2017 Enterprise Risk Management Framework? How do you identify and manage emerging risks? Do you have a proper risks monitoring mechanism (e.g. use of key risk indicators) and reporting protocol in place to ensure risks are well managed? Tips Management of companies could use key risk indicators (KRIs) as a risk monitoring mechanism to enhance the existing risk management system. KRIs are metrics or in the form of dashboards that could be used by companies to monitor and mitigate risk as increased risk can be detected by KRIs at an early stage. Using the KRIs as an early warning indicator allows companies to monitor the key risks on a regular basis; monitor business operational risks; find out root causes of risk events; increase the awareness of key risk areas to the senior management; and enhance the internal controls corresponding to the identified key risks. 87% of companies analysed disclosed procedures and internal controls for handling and dissemination of inside information. Properly handling inside information is one of the emerging issues that more companies focus on and has been emphasised in the revised CG Code. Out of the listed companies analysed, 87% had disclosures related to handling inside information in their CG reports. It is a significant improvement of 44% year-on-year when compared to 43% of the companies providing the disclosures in prior year. 91% of the HSI constituents made the disclosures in our 2017 Study (PY: 58%), slightly outperforming the HSCEI constituents at 88% (PY: 30%). 
From an industry perspective, there was a big jump for all industries: a 70% increase for companies in retail, a 45% increase for financial services companies, and a 22% increase for real estate entities, with disclosure rates of 93%, 90%, and 85%, respectively. For financial services companies, inside information may include that of other companies as well as their own (e.g. when providing services to other listed companies); the handling of inside information is therefore expected to be more stringent, and hence there are more disclosures in this regard. Technology companies continued to lag behind other industries at about a 77% disclosure rate (PY: 23%).

Area of focus: Did the issuer disclose the procedures and internal controls for the handling and dissemination of inside information in the CG report?

Graph 6: Disclosure of procedures and internal controls over inside information (disclosed / not disclosed)
2016: Financial services 90% / 10%; Technology 77% / 23%; Retail 93% / 7%; Real estate 85% / 15%; HSCEI 88% / 12%; HSI 91% / 9%; Overall 87% / 13%
2015: Financial services 55% / 45%; Technology 23% / 77%; Retail 23% / 77%; Real estate 63% / 37%; HSCEI 30% / 70%; HSI 58% / 42%; Overall 43% / 57%

Internal audit (IA)

The importance of the IA function is highlighted as another area of key changes in the Corporate Governance Code (CG Code). Previously, companies were only recommended to have an IA function as a Recommended Best Practice; this is now a Code Provision, effective from 1 January 2016. The three major revisions to the CG Code for the IA function are summarised below:

Upgraded from Recommended Best Practice C.2.6 to Code Provision C.2.5: Issuers should have an IA function; those that do not have one should review the need for it on an annual basis and disclose the reasons for the absence of the IA function in the CG report.
New CP C.2.5 states that the IA function carries out the analysis and independent appraisal of the adequacy and effectiveness of the risk management (RM) and internal control (IC) systems.
Amended CP C.2.2 states that the Board's annual review should ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer's IA function (in addition to its accounting and financial reporting functions).

97% of companies analysed disclosed that they had an internal audit function; only 36% provided details over the disclosure of their review, such as the resources and qualifications of internal audit staff.

97% of companies analysed in this year's Study revealed that they had an IA function in their CG reports, with all of the reviewed HSI and HSCEI companies making the disclosure. Among industries, financial services (100%) and retail (100%) companies had the highest rates of disclosure, followed by real estate (98%), while technology companies lagged behind with a disclosure rate of 87%. The results show a wider gap among companies in providing details of the resources and qualifications of IA staff.
Indeed, 36% of analysed companies disclosed that they had covered the IA function in their annual review to assess and ensure the adequacy of resources, qualifications and experience, training programmes, and budget of their IA function, compared to 20% in the prior year. While companies in the HSI boasted a disclosure rate (44%) higher than the average, the HSCEI companies were significantly below the average at 10%. On an industry basis, real estate companies (58%) outperformed the other industries with a year-on-year increase of 38%. This indicates that more real estate companies realise the importance of having an independent IA function as the organisation's third line of defence. The other industries were all below average: technology (33%), retail (30%), and financial services (18%).

Area of focus: Did the issuer disclose the existence of an IA function in the CG report? (Top graph) Did the Board's annual review specifically disclose that it has assessed the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer's accounting, IA and financial reporting function? (Bottom graph)

Graph 7: Existence of IA function (top graph) and annual review of the adequacy of resources, staff qualifications and experience, training programmes and budget of the IA function (bottom graph), 2016 (Overall, HSI, HSCEI, Real estate, Retail, Technology, Financial services)

Questions to ask:
Does your IA function have adequate resources and required skill sets, such as cyber security, to respond to key and emerging risks?
Is your IA function meeting your expectations, i.e. giving you value and providing you with sufficient comfort over the IC and RM systems?
Have you conducted a periodic quality assessment on the IA function; for example, every 3 or 5 years?
What framework do you use to assess the effectiveness of the IA function?

Tips

Quality assessment on the IA function
An effective review of the IA function can be performed by referring to a benchmark of established standards. One potential benchmark for reference is The Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing (SSPIA). The Standards provide companies with a comprehensive explanation of the IA function, as well as details on how the function should be implemented. The Standards are a good reference for a gap analysis or quality assessment review of the IA function, helping companies to understand where potential improvements can be made in the existing IA function.

Source: International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, 2012 https://goo.gl/ac4o2m

References:
Internal Audit Matters Combined Assurance - How do Boards obtain comfort over controls governance?, PwC Hong Kong, 2016 https://goo.gl/altlmc
The Importance of having an Effective Resourcing Solution for your Internal Audit Function amid Today's Challenges What suits you the best?, PwC Hong Kong, 2016 https://goo.gl/0qmyjk
2017 State of the Internal Audit Profession Study, PwC, 2017 https://goo.gl/azqvd9
The Eight Attributes: Delivering Internal Audit Excellence as Stakeholders Expect More https://goo.gl/yssqwe

For those who would like to transform or enhance the IA function, these are some areas for consideration, together with an approach that corporates can take to move towards a more value-adding IA function.
Use of data analytics: To drive a more effective and efficient internal audit approach and help you identify potential areas of risk and opportunities for you
Technology audit function & value enhancement tasks: To ensure all emerging risk areas are properly covered by IA, and optimise controls underlying each key process in different businesses
Innovative reporting: To promote visualisation in reporting that meets the needs and increasingly heightened expectations of stakeholders

Graph 8: An approach to transforming IA

Strategy and risk
Strategic objectives: Understand what the strategic objectives of the organisation are
Stakeholder value: Understand what drives/devalues stakeholder value within the organisation
Strategic risks: Understand what the strategic risks of the organisation are

People
Capabilities assessment: Inventory of existing skills; Conduct gap analysis; Determine adequacy of resources to respond to all key risks
Talent management: Use of internal and external resources; Consider implementing a rotational staffing model to attract and retain talent

Process
Audit cycle improvements: Align internal audit with organisation's strategic objectives; Reduce audit cycle time by conducting more targeted audits; Increase value derived from focus on higher-risk areas; Improve communication to stakeholders through concise, impactful reports

Technology
Optimisation of technology: Reduce the labour content of audits by increasing the effectiveness of lower-risk audits; Provide real time monitoring of significant risks; Explore areas where technology can streamline or standardise a process; Test entire data populations electronically

Annual review of risk management (RM) and internal control (IC) systems

The revised CG Code highlights the Board's ongoing responsibility to oversee RM and IC systems. The amended Code Provision C.2.1 puts forth new requirements that:
The Board should oversee the issuer's RM and IC systems on an ongoing basis; and
The Board should also ensure that a review of the issuer's and subsidiaries' RM and IC systems has been conducted at least annually and report to shareholders that it has done so in the CG report.

The majority of analysed companies disclosed the review of risk management and internal control systems.

This year's Study reveals that 92% of companies analysed performed an annual review of both the RM and IC systems, representing an increase of 23% from the prior year. 93% of HSI constituents and 86% of HSCEI entities also made such disclosures, representing increases of 7% and 25% respectively over last year. Among industries, retail companies (97%) outperformed real estate (93%), technology (93%) and financial services (90%). This area has one of the highest disclosure rates in the 2017 Study.

Disclosure of the process used to review risk management and internal control systems' effectiveness lagged.

54% of the companies analysed in the 2017 Study disclosed the process used to review RM and IC systems' effectiveness and to resolve material IC deficiencies, representing an increase of 17% from the prior year. The disclosure rate for HSI companies remained relatively stable at 63%, while that for HSCEI companies increased by 20% to 33%. Among industries, retail companies outperformed the others, as their disclosure rate increased the most, from 10% to 70%. In contrast, the proportion of financial services companies that disclosed the process decreased by 7% to 48% in 2016.
Due to the complexity of the organisation structure of financial services companies, the process to review the effectiveness of the RM and IC systems could be complicated, and such a review might be managed separately across different lines of business, rendering it difficult to disclose.

Area of focus: Did the Board perform at least an annual review of the RM and IC systems for the issuer?

Graph 9: Results of annual review of IC and RM systems, 2016 and 2015 (% of annual review of IC and RM systems; % of annual review of IC system only; Financial services, Technology, Retail, Real estate, HSCEI, HSI, Overall)

Area of focus: Did the issuer disclose the process used to review the effectiveness of the RM and IC systems and to resolve material IC deficiencies?

Graph 10: Disclosure of the process used to review the RM and IC systems effectiveness and to resolve material IC deficiencies
Overall: 54% (2016), 37% (2015), +17%
HSI: 63% (2016), 64% (2015), -1%
HSCEI: 33% (2016), 13% (2015), +20%
Real estate: 55% (2016), 48% (2015), +7%
Retail: 70% (2016), 10% (2015), +60%
Technology: 57% (2016), 17% (2015), +40%
Financial services: 48% (2016), 55% (2015), -7%

Questions to ask:
Do you consider your current review process sound and sufficient so that it can meet the new CG Code disclosure requirements in relation to an annual review of the RM and IC systems?
Do you feel comfortable providing a positive statement to confirm that the RM and IC systems are effective?
Do you have proper processes in place to assess the effectiveness of your RM and IC systems?

Tips
Establishing and maintaining strong internal controls is critical for the success of any organisation. Regulations also require that companies report to shareholders that their RM and IC systems are operating effectively. In this connection, management is required to provide a confirmation to the Board on the effectiveness of the RM and IC systems. To enable management to provide such confirmation, many leading organisations have implemented a control self-assessment (CSA) framework. This allows management to verify that controls are working as expected. By linking key risks to controls, management can carry out periodic testing to form an in-house assessment of the existing ("as-is") controls that address the key risks, identify weaknesses in internal controls and facilitate the formulation of action plans to address any identified weaknesses. A CSA programme also helps to reinforce control ownership and awareness among line managers. The CSA assessment can be conducted through a variety of means, such as questionnaires or checklists. The process can be reviewed by internal auditors and form part of the Board's assessment of control effectiveness.

Almost half of the companies analysed adopted a control self-assessment framework to assess internal controls and reinforce controls ownership.

Using CSA as a tool to identify and assess the level of risks and the effectiveness of controls is becoming more common.
Nearly half of the companies analysed, a 12% increase from last year, disclosed that they adopted a CSA approach to assess internal controls and reinforce control ownership and awareness among operation managers. There was a large variance across indices and industries in the use of CSA. The adoption rate among HSCEI constituents was 90% (PY: 65%), while HSI's adoption rate was 65% (PY: 48%), representing increases of 35% and 17% respectively. However, only 5% of the directors of these HSCEI companies disclosed that they received a management confirmation of the systems' effectiveness (PY: 3%). HSI companies had a much smaller disclosure gap between the number of companies adopting the CSA practices (65%) and directors of those companies receiving management confirmation (49%).

The four industries analysed in this Study show very different adoption rates: 83% of financial services companies adopted CSA (PY: 75%), with only 28% of directors of those companies disclosing their receipt of management confirmation (PY: 13%), while only 33% of real estate companies (PY: 28%), 30% of technology companies (PY: 10%) and 17% of retail companies (PY: 3%) disclosed that they had adopted CSA. This might indicate that most management did not have the comfort to confirm their systems' effectiveness.

Area of focus: Did management disclose that they have used CSA in their review? (Graph 11) Did the Board disclose that it has received a confirmation from management on the effectiveness of the issuer's RM and IC systems? (Graph 12)

Graph 11: Disclosure of adoption of CSA
Overall 48%; HSI 65%; HSCEI 90%; Real estate 33%; Retail 17%; Technology 30%; Financial services 83%

Graph 12: Disclosure of directors' receipt of management confirmation on systems effectiveness (Confirmation on effectiveness of IC and RM systems?)
Overall 31%; HSI 49%; HSCEI 5%; Real estate 38%; Retail 23%; Technology 30%; Financial services 28%

Questions to ask:
Are there any challenges or concerns that hinder you from providing a management confirmation on the systems' effectiveness to the Board of directors?
Were your CSA process and results reviewed by the IA function or qualified external parties before the Board's assessment?

The Roadmap Forward

According to a pulse survey [4] conducted in a series of recent PwC seminars and client events held in Hong Kong and Mainland China in July, August and September 2017, fewer than 25% of participants responded that they had an effective and adequate internal control system. This Study also illustrated diverging patterns of adoption among companies in different sectors, particularly in the areas of risk management practices, reporting to the Board and the internal audit function, even though the Code Provision requirements in relation to risk management and internal control have been in force since 2016. Companies may be at different stages of adoption and need assistance in different areas. Based on the findings of the Study, PwC has identified six key areas for the roadmap forward where companies may have questions or need further information to help assess their current progress.

1. Perform a health check / diagnosis of your current RM & IC practices and disclosures
2. Enhance risk management system (e.g. risk monitoring mechanism)
3. Assess the design and implementation of CSA process
4. Assess / enhance internal audit function
5. Review and ensure compliance with Section C.2 of the CG Code
6. Strengthen CG report disclosure

[4] Details of PwC Corporate Governance Seminars in 2017 can be found at https://goo.gl/afhss3

Appendix 1: Extract of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules)

This section outlines Code Provisions, Recommended Best Practices and mandatory disclosure requirements in relation to risk management and internal control, with details provided below:

C.2 Risk management and internal control

Principle
The board is responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer's strategic objectives, and ensuring that the issuer establishes and maintains appropriate and effective risk management and internal control systems. The board should oversee management in the design, implementation and monitoring of the risk management and internal control systems, and management should provide a confirmation to the board on the effectiveness of these systems.

Source: The above principle is extracted from page 14 of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules).

Code Provisions [5]

C.2.1 The board should oversee the issuer's risk management and internal control systems on an ongoing basis, ensure that a review of the effectiveness of the issuer's and its subsidiaries' risk management and internal control systems has been conducted at least annually and report to shareholders that it has done so in its Corporate Governance Report. The review should cover all material controls, including financial, operational and compliance controls.

C.2.2 The board's annual review should, in particular, ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer's accounting, internal audit and financial reporting functions.

[5] Issuers are expected to comply with the Code Provisions. Where they deviate from any of the Code Provision requirements, they must give considered reasons and disclose them in the CG Reports.

C.2.3 The board's annual review should, in particular, consider:
a. the changes, since the last annual review, in the nature and extent of significant risks, and the issuer's ability to respond to changes in its business and the external environment;
b. the scope and quality of management's ongoing monitoring of risks and of the internal control systems, and where applicable, the work of its internal audit function and other assurance providers;
c. the extent and frequency of communication of monitoring results to the board (or board committee(s)) which enables it to assess control of the issuer and the effectiveness of risk management;
d. significant control failings or weaknesses that have been identified during the period. Also, the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the issuer's financial performance or condition; and
e. the effectiveness of the issuer's processes for financial reporting and Listing Rule compliance.

C.2.4 Issuers should disclose, in the Corporate Governance Report, a narrative statement on how they have complied with the risk management and internal control code provisions during the reporting period. In particular, they should disclose:
a. the process used to identify, evaluate and manage significant risks;
b. the main features of the risk management and internal control systems;
c. an acknowledgement by the board that it is responsible for the risk management and internal control systems and reviewing their effectiveness. It should also explain that such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss;
d. the process used to review the effectiveness of the risk management and internal control systems and to resolve material internal control defects; and
e. the procedures and internal controls for the handling and dissemination of inside information.

C.2.5 The issuer should have an internal audit function. Issuers without an internal audit function should review the need for one on an annual basis and should disclose the reasons for the absence of such a function in the Corporate Governance Report.

Source: The above Code Provisions are extracted from pages 15-16 of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules).

Recommended Best Practices

C.2.6 The board may disclose in the corporate governance Report that it has received a confirmation from management on the effectiveness of the issuer's risk management and internal control systems.

C.2.7 The board may disclose in the corporate governance Report details of any significant areas of concern.

Source: The above Recommended Best Practices are extracted from page 16 of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules).

Mandatory disclosure requirements

Risk management and Internal control
Where an issuer includes the board's statement that it has conducted a review of its risk management and internal control systems in the annual report under code provision C.2.1, it must disclose the following:
a. whether the issuer has an internal audit function;
b. how often the risk management and internal control systems are reviewed, the period covered, and where an issuer has not conducted a review during the year, an explanation why not; and
c. a statement that a review of the effectiveness of the risk management and internal control systems has been conducted and whether the issuer considers them effective and adequate.

Source: The above mandatory disclosure requirements are extracted from page 30 of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules).

Appendix 2: List of companies included in the study (by category)

A. Hang Seng Index

Stock code, Company name
1 CK Hutchison Holdings Limited
2 China Light & Power Company Limited
3 The Hong Kong and China Gas Company Limited
4 The Wharf (Holdings) Limited
5 HSBC Holdings plc
6 Power Assets Holdings Limited
11 Hang Seng Bank Limited
12 Henderson Land Development Company Limited
19 Swire Pacific Limited
23 The Bank of East Asia, Limited
27 Galaxy Entertainment Group Limited
66 MTR Corporation Limited
101 Hang Lung Properties Limited
135 Kunlun Energy Company Limited
144 China Merchants Port Holdings Company Limited
151 Want Want China Holdings Limited
267 CITIC Pacific Limited
293 Cathay Pacific Airways Limited
386 China Petroleum & Chemical Corporation
388 Hong Kong Exchanges and Clearing Limited
494 Li & Fung Limited
688 China Overseas Land & Investment Limited
700 Tencent Holdings Limited
762 China Unicom (Hong Kong) Limited
836 China Resources Power Holdings Company Limited
857 PetroChina Company Limited
883 CNOOC Limited
939 China Construction Bank Corporation
941 China Mobile Limited
1038 Cheung Kong Infrastructure Holdings Limited
1044 Hengan International Group Company Limited
1088 China Shenhua Energy Company Limited
1109 China Resources Land Limited
1113 Cheung Kong Property Holdings Limited
1398 Industrial and Commercial Bank of China Limited
1928 Sands China Ltd.
2018 AAC Technologies Holdings Inc.
2318 Ping An Insurance (Group) Company of China, Ltd.
2319 China Mengniu Dairy Company Limited
2388 BOC Hong Kong (Holdings) Limited
2628 China Life Insurance Company Limited
3328 Bank of Communications Co., Ltd.
3988 Bank of China Limited