The Stock Exchange of Hong Kong Limited ("HKEx") is currently undertaking a period of consultation on Listing Rule changes associated with Risk Management and Internal Controls. HKEx has published a consultation paper (the "Consultation Paper") on proposed revisions to the internal controls section of the Corporate Governance Code and Corporate Governance Report ("Code").1

Consistent with corporate governance developments and trends in various jurisdictions, the core objective of the Consultation Paper is to further highlight the importance of risk management. Other proposals to improve the Code include clearly specifying the respective roles and responsibilities of the board, management and the internal audit function; as well as to provide direction as to specific disclosures that issuers should make in the Corporate Governance Report.

Drawing experience from Singapore, Australia, the UK, the US and Mainland China, the core objectives of the Consultation Paper are to:

  • Confirm that internal controls are an important part of risk management
  • Increase accountability of the board and management by clearly defining their roles and responsibilities regarding risk management and internal controls
  • Accentuate transparency of the issuer's risk management and internal controls by upgrading the recommendation for issuers to disclose their policies, process and details of their annual review of the effectiveness of their risk management and internal control systems
  • Strengthen the oversight of issuer's risk management and internal control systems by upgrading the recommendation for issuers to have an internal audit function

The proposals are set out below:

Provision Current position Proposed amendment
C.2 Currently titled "Internal Controls"

The principle states that the board should ensure that the issuer maintains sound and effective internal controls to protect shareholders' investment and the issuer's assets.
To emphasise the inter-related nature of risk management and internal controls, the current title is intended to change to "Risk management and internal controls".

This Principle is regarded as placing insufficient emphasis on risk management; in addition, the connection between the issuer's objectives and risks associated with those objectives are not clearly stated.

It is proposed that this Principle should be altered in the following ways:
  • it should state that the board is responsible for evaluating the risk it is willing to take in achieving the issuer's objectives and ensuring the establishment and maintenance of effective risk management and internal control systems;
  • it should state that the management is responsible for designing, implementing and monitoring the risk management and internal control systems, and that management should provide assurance to the board on the effectiveness of these systems;
  • The phrase "to safeguard shareholders' investment and the issuer's assets" should be removed to widen its scope to cover risk management and internal control systems broadly; and
  • A new Recommended Best Practice ("RBP")2 should be introduced to state that the board may disclose in the Corporate Governance Report that it has received assurance from management regarding the effectiveness of the issuer's risk management and internal control systems.
RBP C.2.3 This RBP currently sets out the matters that the board's annual review should consider. In order to emphasize the importance of this provision, the Consultation Paper proposes to upgrade the existing RBP C.2.3 to a Code Provision ("CP").3
RBP C.2.4 This RBP sets out the particular disclosures that issuers should make in their Corporate Governance Reports in relation to how they have complied with disclosure requirements during the reporting period. To encourage more substantive, meaningful disclosure, it is proposed that the existing RBP C.2.4 be upgraded to a CP.

The Consultation Paper also proposes to alter the drafting to include risk management where appropriate, simplify the requirements and remove ambiguous language, and clarify that the risk management and internal control systems are designed to manage rather than eliminate risks.
Amendment of Section S Section S of the Code sets out additional Recommended Disclosure in respect of internal controls that issuers are encouraged to make in their Corporate Governance Report. The Consultation Paper proposes to upgrade most of the existing Recommended Disclosures in Section S to Mandatory Disclosures. Under the proposed new regime, issuers will be obliged to disclose:
  • Whether they have an internal audit function
  • How often the risk management and internal control systems are reviewed; and an explanation if no review has been conducted
  • A statement that a review of the effectiveness of the risk management and internal control systems has been conducted and whether the issuer considers them effective and adequate; and
  • Significant views or proposals put forward by the audit committee.
Amendment of CP C.2.1 CP C.2.1 requires the directors of an issuer to, at least annually, conduct a review of the effectiveness of the issuer's and its subsidiaries' internal control systems and report to the shareholders. To emphasise that the board has an ongoing, rather than "one-off", responsibility to oversee the issuer's risk management and internal control systems, the Consultation Paper proposes to require the board to oversee the issuer's risk management and internal control systems on an ongoing basis. The Consultation Paper also proposes the board's annual review should ensure the adequacy of resources, staff qualification and experience, training programs and budget of the issuer's internal audit function.
Amendment of RBP C.2.6 Under the existing Code, issuers are not required to have an internal audit function. It is voluntary. To address this issue, it is proposed that the RBP C.2.6 should be upgraded to CP, so that it would state that issuers should have an internal audit function, and those without an internal audit function should disclose the reasons for the absence of such a function in their Corporate Governance Report.

HKEx has commented that it is a common practice for issuers to engage external service providers to perform the internal audit function, which can give rise to concerns as to the independence of the internal audit function. HKEx is of the current view that compliance with the proposed CP may be achieved either by way of an in-house internal audit function or an outsourced one.

There is also a proposal to include new Notes to this provision to clarify that the role of the internal audit function is to perform the analysis and independent appraisal of the adequacy and effectiveness of an issuer's risk management and internal control systems, and a group with multiple listed issuers may share group resources of the holding company to carry out the internal audit function for members of the group.

Moving forward

HKEx is now evaluating market views on these changes, and it is expected to publish consultation conclusions within the next few months. Given that, HKEx listed companies are recommended to review their disclosures and internal control systems to ensure that they are capable of complying with the new requirements when they are introduced.

Footnotes

1. The Code is set out in Appendix 14 of the Main Board Rules and Appendix 15 of the Growth Enterprise Market Rules.

2. A RBP is for guidance only and not a mandatory Listing Rule requirement

3. Compared with a RBP which is for guidance only, a CP is on a "comply or explain" basis.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.