The Stock Exchange of Hong Kong Limited (HKEx) is currently undertaking a period of consultation on listing rule changes associated with risk management and internal controls. HKEx has published a consultation paper (the consultation paper) on proposed revisions to the internal controls section of the corporate governance code and corporate governance report (code). The code is set out in Appendix 14 of the main board rules and Appendix 15 of the growth enterprise market rules.

Consistent with corporate governance developments and trends in various jurisdictions, the core objective of the consultation paper is to further highlight the importance of risk management. Other proposals to improve the code include clearly specifying the respective roles and responsibilities of the board, management and the internal audit function, and providing direction as to specific disclosures that issuers should make in the corporate governance report.

Drawing on experience from Mainland China, Singapore, Australia, the UK and the US, the core objectives of the consultation paper are to:

  • Confirm that internal controls are an important part of risk management
  • Increase accountability of the board and management by clearly defining their roles and responsibilities regarding risk management and internal controls
  • Accentuate transparency of the issuer's risk management and internal controls by upgrading the recommendation for issuers to disclose their policies, process and details of their annual review of the effectiveness of their risk management and internal control systems
  • Strengthen the oversight of the issuer's risk management and internal control systems by upgrading the recommendation for issuers to have an internal audit function

The Proposals

  1. Risk management and internal controls

To emphasise the inter-related nature of risk management and internal controls, the current title of Section C.2 of the code is intended to change from “internal controls” to “risk management and internal controls”.

  2. Responsibilities of the board and management

Amendment to principle C.2

The existing principle C.2 states that the board should ensure that the issuer maintains sound and effective internal controls to protect shareholders’ investment and the issuer’s assets. This principle is regarded as placing insufficient emphasis on risk management; in addition, the connection between the issuer’s objectives and the risks associated with those objectives is not clearly stated.

To address these issues, it is proposed that this principle should be altered in the following ways:

  • It should state that the board is responsible for evaluating the risk it is willing to take in achieving the issuer’s objectives and ensuring the establishment and maintenance of effective risk management and internal control systems
  • It should state that the management is responsible for designing, implementing and monitoring the risk management and internal control systems, and that management should provide assurance to the board on the effectiveness of these systems
  • The phrase “to safeguard shareholders’ investment and the issuer’s assets” should be removed to widen its scope to cover risk management and internal control systems broadly
  • A new recommended best practice (RBP) (an RBP is for guidance only and not a mandatory listing rule requirement) should be introduced to state that the board may disclose in the corporate governance report that it has received assurance from management regarding the effectiveness of the issuer’s risk management and internal control systems.

  3. Annual review and disclosure in the corporate governance report

Amendment of RBP C.2.3 – matters to be reviewed by the board

This RBP currently sets out the matters that the board’s annual review should consider. In order to emphasise the importance of this provision, the consultation paper proposes to upgrade the existing RBP C.2.3 to a code provision (CP). Compared with an RBP, which is for guidance only, a CP is on a “comply or explain” basis.

Amendment of RBP C.2.4 – disclosures by the board

This RBP sets out the particular disclosures that issuers should make in their corporate governance reports in relation to how they have complied with disclosure requirements during the reporting period. To encourage more substantive, meaningful disclosure, it is proposed that the existing RBP C.2.4 be upgraded to a CP.

The consultation paper also proposes to alter the drafting to include risk management where appropriate, simplify the requirements and remove ambiguous language, and clarify that the risk management and internal control systems are designed to manage rather than eliminate risks.

Amendment of section S – recommended disclosures

Section S of the code sets out additional recommended disclosure in respect of internal controls that issuers are encouraged to make in their corporate governance report.

The consultation paper proposes to upgrade most of the existing recommended disclosures in section S to mandatory disclosures. Under the proposed new regime, issuers will be obliged to disclose:

  • Whether they have an internal audit function
  • How often the risk management and internal control systems are reviewed; and an explanation if no review has been conducted
  • A statement that a review of the effectiveness of the risk management and internal control systems has been conducted and whether the issuer considers them effective and adequate
  • Significant views or proposals put forward by the audit committee

Amendment of CP C.2.1 – review of internal control systems

CP C.2.1 requires the directors of an issuer to, at least annually, conduct a review of the effectiveness of the issuer’s and its subsidiaries’ internal control systems and report to the shareholders. To emphasise that the board has an ongoing, rather than “one-off”, responsibility to oversee the issuer’s risk management and internal control systems, the consultation paper proposes to require the board to oversee the issuer’s risk management and internal control systems on an ongoing basis. The consultation paper also proposes the board’s annual review should ensure the adequacy of resources, staff qualification and experience, training programs and budget of the issuer’s internal audit function.

  4. Internal audit

Amendment of RBP C.2.6 – internal audit function

Under the existing code, issuers are not required to have an internal audit function. It is voluntary. To address this issue, it is proposed that RBP C.2.6 should be upgraded to a CP, so that it would state that issuers should have an internal audit function, and those without an internal audit function should disclose the reasons for the absence of such a function in their corporate governance report.

HKEx has commented that it is common practice for issuers to engage external service providers to perform the internal audit function, which can give rise to concerns as to the independence of the internal audit function. HKEx is of the current view that compliance with the proposed CP may be achieved either by way of an in-house internal audit function or an outsourced one.

There is also a proposal to include new notes to this provision to clarify that the role of the internal audit function is to perform the analysis and independent appraisal of the adequacy and effectiveness of an issuer’s risk management and internal control systems, and that a group with multiple listed issuers may share group resources of the holding company to carry out the internal audit function for members of the group.

Moving forward

HKEx is now evaluating market views on these changes, and it is expected to publish consultation conclusions within the next few months. Given that, HKEx-listed companies are recommended to review their disclosures and internal control systems to ensure that they are capable of complying with the new requirements when they are introduced.