December 2017
Conquering the Corporate Governance Code – How well are Hong Kong listed companies addressing new requirements?
www.pwchk.com Key messages
• Corporates have strengthened their risk management (RM) and internal control (IC) measures, and most of the listed companies we reviewed have complied with the disclosure requirements of the revised Hong Kong Corporate Governance Code issued by the Hong Kong Stock Exchange. Nevertheless, companies still need to put greater effort into improving reporting to the Board of directors and the effectiveness of their internal audit (IA) functions. • Companies emphasise more on RM and IC in response to different kinds of disruption. About 78% of companies analysed disclosed their process used to identify, evaluate and manage significant risks, which represents an increase of 33% from last year. However, only 50% depicted the main features of both the RM and IC systems. Management of listed companies should examine their current RM and IC systems, and clearly identify and disclose the main features of the systems. • 97% of companies analysed disclosed that they had an IA function. However, only 36% provided details of the review of IA functions – including adequacy of resources, staff qualifications and experience, training programmes and budget of the IA function. Listed companies should regularly assess the effectiveness of their IA function. • While 92% of companies analysed disclosed that they conducted an annual review of the RM and IC systems, only 54% provided details of the process used to review the effectiveness of systems and to resolve material IC deficiencies. The Board should assess the robustness of their annual review mechanism to ensure that they have conducted the review properly and sufficiently, and to address any IC defects in a timely manner. • Using control self-assessment (CSA) as a tool to identify and assess the level of risks and effectiveness of controls is getting more popular. Nearly half of the companies analysed, with a 12% increase from last year, disclosed that they adopted a CSA approach to assess internal control, reinforce control ownership and raise awareness among operation managers. Table of Contents
1 Introduction 2 Executive Summary 3 Background 4 Methodology 5 Market Trends 5 Risk management and internal control 9 Internal audit 11 Annual review of risk management and internal control systems 14 The Roadmap Forward 15 Appendix 1: Extract of Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Hong Kong Main Board Listing Rules) 18 Appendix 2: List of companies included in the analysis (by category) 18 Hang Seng Index 19 Hang Seng China Enterprises Index 19 Financial services 20 Real estate 20 Retail 21 Technology 22 Appendix 3: Areas of Focus of Our Study Introduction
The Hong Kong Stock Exchange has revised the Corporate Governance Code and Corporate Governance Report (Appendix 14 of the Main Board Listing Rules), which requires Hong Kong listed companies to enhance their standard of corporate governance and make relevant statements / disclosures in their annual reports. The amendments of the Corporate Governance Code (CG Code) have become effective for issuers’ accounting periods beginning on or after 1 January 2016.
In 2016, PwC Hong Kong (PwC) conducted a comprehensive study, Cracking the Corporate Governance Code – How ready are Hong Kong listed companies in meeting new requirements? to assess the readiness of listed companies in responding to the new requirements of the revised CG Code in the areas of risk management and internal control. Please refer to https://goo.gl/MCkonh for details.
In 2017, we have carried out a second wave of the Study, Conquering the Corporate Governance Code – How well are Hong Kong listed companies addressing new requirements? This analysis followed a similar approach to that adopted in our 2016 analysis – we have included companies from the broader Hang Seng Index, the Hang Seng China Enterprises Index, as well as across four industries (i.e. financial services, real estate, retail and technology).
This new Study had two main goals. First, to provide directors, executives and managers with a thorough analysis on how well listed companies are responding to the new requirements of the revised CG Code, and to give insights into the prevalence level of adopting risk management and internal control practices in the market. Second, the Study was designed to help companies look for further opportunities to review their corporate governance structure; enhance management accountability; strengthen RM and IC systems; transform the internal audit function and assess its effectiveness; and improve business performance and efficiency. With our substantial experience in helping companies navigate new requirements of the Listing Rules including the CG Code, we have seen successful examples of how companies have used this exercise to help themselves better manage different stakeholders’ expectations.
Embracing good corporate governance is a continuous process and it can improve investor relations; protect shareholders’ interests; and increase a company’s competitiveness. Eventually, it is a performance matter instead of a compliance issue.
Sincerely, PwC Corporate Governance Partners and Team
1 Executive Summary
In an increasingly challenging business C. Annual review of RM & IC systems environment, having a robust risk While 92% of companies in the Study management (RM) and internal control disclosed that they conducted an (IC) system has become more essential annual review of the RM and IC when responding to disruptions, such as systems, only 54% provided details of cyber-attacks and financial crimes. In the process used to review the systems’ general, listed companies have become effectiveness and to resolve material IC more proactive in meeting the tightened deficiencies. RM and IC requirements of the Corporate Governance Code (CG Code). In addition, nearly half of the companies analysed, with a 12% To understand the extent of Hong Kong increase from last year, disclosed that listed companies’ adoption of new CG they adopted a control self-assessment Code requirements, PwC has conducted approach to assess internal controls a second consecutive study on the and reinforce control ownership and Corporate Governance reports (CG raise awareness among operation reports) of 223 companies in the Hang managers. However, only 31% of the Seng Index and Hang Seng Chinese companies disclosed that they had Enterprises Index, as well as in four received management confirmation on sectors: financial services, real estate, the RM and IC systems effectiveness. retail and technology. Based on the findings in this Study, some The main findings of this Study are recommendations are listed below for described in the following three listed companies to consider: categories: • Management of listed companies A. Risk management and internal should examine their RM and IC control systems and clearly identify and disclose the main features of the RM A majority of Hong Kong listed and IC systems. companies analysed (78%) disclosed the process used to identify, evaluate • Listed companies should review their and manage significant risks. IA function, particularly focusing on However, only half of them disclosed the adequacy of resources, staff the main features of the RM and IC qualifications and experience, training systems, whereas 37% did not programmes and budget of the IA provide disclosure of the main function. features of both the RM and IC • The Board should consider increasing systems. Also, companies with the transparency of the process used to disclosures on procedures and review the RM & IC systems internal controls for handling and effectiveness and to resolve material IC dissemination of inside information deficiencies, and ensure such disclosure increased significantly from 43% (in is properly made in the CG report. 2016) to 87% in our 2017 Study. • Companies should understand if there B. Internal audit (IA) function are any gaps or improvement areas in Overall, 97% of the companies in this fulfilling the RM & IC disclosure Study disclosed they had an IA requirements of the CG Code. For function, while only 36% disclosed example, if control self-assessments are information regarding their review of not currently used, management could the adequacy of resources, staff use this approach to help assess qualifications and experience, controls underlying key business training programmes and budget of processes, and to assist management in the IA function. providing confirmation to the Board on the systems effectiveness. 2 Background
The Hong Kong Stock Exchange published its consultation conclusions on risk management and internal control on 19 December 2014, and subsequently issued amendments to the Corporate Governance Code and Corporate Governance Report1 (the Code). The main objective of the revisions was to improve the standard of corporate governance among listed companies in Hong Kong.
The revisions to the Code made five key changes: • Incorporating risk management into the Code where appropriate; • Revising Principle C.2 to define the roles and responsibilities of the Board and management; • Clarifying that the Board has an ongoing responsibility to oversee the issuer’s risk management and internal control systems; • Upgrading to Code Provisions the recommendations in relation to the annual review and disclosures in the corporate governance report; and • Upgrading to a Code Provision the recommendation that issuers should have an internal audit function, and those without to review the need for one on an annual basis.
In 2016, PwC performed a comprehensive study, Cracking the Corporate Governance Code – How ready are Hong Kong listed companies in meeting new requirements? to assess the readiness of listed companies in responding to the revised Tips risk management and internal control requirements of the The principle underlying the Code Provisions under Section C.2 is to note that revised Corporate Governance Code. the Board is responsible for evaluating and determining the nature and extent of the risks In 2017, we have conducted a second wave of the Study, it is willing to take in achieving the issuer’s Conquering the Corporate Governance Code – How well are strategic objectives, and ensuring that the issuer Hong Kong listed companies addressing new requirements? establishes and maintains appropriate and effective RM and IC systems. The Board should oversee management in that analyses the current disclosure practices of the revised the design, implementation and monitoring of the RM and Code Provisions and Recommended Best Practices in IC systems, and management should provide a confirmation relation to risk management and internal control to assess to the Board on the effectiveness of these systems. the readiness of the 43 Hang Seng Index2 companies, 40
Source: Hang Seng Chinese Enterprises Index entities and 140 Corporate Governance Code and Corporate Governance Report- companies in four different industry sectors in complying What are the changes?, PwC Hong Kong, May 2015 with the new requirements. Please refer to Appendix 1 for https://goo.gl/tFMkMI details of Code Provisions, Recommended Best Practices and mandatory disclosure requirements.
1 https://goo.gl/tHJA4u 2 There are 50 companies in the HSI, but only 43 corporate reports were publicly available when we 3 conducted this Study. Methodology
The Corporate Governance Code (CG Code) sets out a • The Hang Seng Index (HSI): PwC examined the available number of principles including Code Provisions and CG reports from all 43 constituent companies of the HSI. Recommended Best Practices. Issuers are required to state HSI is one of the oldest stock market indices in Hong whether they have complied with the Code Provisions for Kong. Publicly launched on 24 November 1969, the HSI the relevant accounting period in their annual financial has become the most widely quoted indicator of the reports and interim reports. Where the issuer deviates from performance of the Hong Kong stock market and is used a code provision, the issuer must give considered reasons. for developing numerous market measures to help The Recommended Best Practices are for guidance only. investors make their investment decisions. It represents a broad cross-section of publicly-listed companies in Hong In order to understand how listed companies of different Kong. industries are responding to the CG Code changes, PwC • The Hang Seng China Enterprises Index (HSCEI): PwC conducted another comprehensive analysis of corporate examined CG reports from all 40 constituent companies governance reports (CG reports) of companies in the of the HSCEI. The HSCEI was launched one year after the following categories by stock index and industry (See first H-share company was listed on the Stock Exchange Appendix 2 for a full listing of the companies included in the of Hong Kong. It tracks the performance of large 2017 analysis by index/industry). A full list of the questions Mainland China enterprises listed in Hong Kong in the used in this Study can be found in Appendix 3. Please note form of H-shares3. that this Study is conducted solely based on what we can observe, which may not reflect the actual situation of • PwC also selected key companies from four sectors to individual companies in real life. analyse: financial services (40 companies), real estate (40 companies), retail (30 companies) and technology (30 The objective of this Study is to determine the companies’ companies). The largest companies were selected for level of compliance with the revised CG Code from 1 inclusion in this analysis, determined by the size of the January 2016, based on the relevant disclosure in CG overall market capitalisation with an accounting period reports. that ended at or before 31 March 2017.
Graph 1: Company coverage of PwC study of risk management and internal control disclosure in corporate governance reports