On 19 December 2014, the Stock Exchange of Hong Kong published amendments to the Corporate Governance Code and Corporate Governance Report contained in Appendix 14 of the Main Board Listing Rules (“the Code”) to incorporate specific provisions relating to risk management and internal controls into the Code. The amendments are intended to help improve corporate governance standards for listed companies in Hong Kong and to bring the Code more in line with international trends in best practices. Although the new requirements will only apply to accounting periods beginning on or after 1 January 2016, all listed companies should take action regarding these changes now.
A. The Amendments
The main amendments to the Code are as follows :-
(i) Risk management and internal controls
The board of directors of a listed company (“the Board”) now has a clear responsibility to determine and evaluate the risks it is willing to take to achieve the listed company’s objectives and to ensure the establishment and maintenance of effective risk management and internal control systems. The Board should also oversee the management of the listed company in the design, implementation and monitoring of its risk management and internal control systems, and the management should confirm to the Board the effectiveness of the systems.
Two recommended best practices C.2.6 and C.2.7 have been introduced whereby the Board should disclose in the corporate governance report as part of its annual report that it has received confirmation from the management on the effectiveness of the listed company’s risk management and internal control systems and details of any significant areas of concern.
(ii) Ongoing review and disclosure
The Board is now responsible for overseeing the listed company’s risk management and internal control systems on an ongoing basis, rather than a one-off annual review. The following recommended best practices have been expanded and are now mandatory Code Provisions :-
1. Provision C.2.3 of the Code provides for the matters which the Board should consider on an annual review of the listed company;
2. Provision C.2.4 of the Code provides for the matters which listed companies should disclose in the corporate governance report; and
3. Section Q (previously section S) of the Code provides that where a listed company includes a Board’s statement in the corporate governance report that it has conducted a review of its risk management and internal control systems, it also needs to disclose whether the listed company has an internal audit function, how often the risk management and internal control systems are reviewed, the period covered and where a listed company has not conducted a review during the period, an explanation why not and a statement as to the effectiveness and adequacy of its risk management and internal control systems.
(iii) Internal audit
Previously, it was only a recommended best practice for listed companies without an internal audit function to review the need for this function annually and disclose the outcome of such review in the corporate governance report. The Code has now been amended to state that listed companies should either have an in-house or outsourced internal audit function, and that those without one should review the need for this function and disclose the decisions in the annual report on an annual basis. Additionally, in relation to the internal audit function, the Code has been amended to :-
1. clarify that the role of the internal audit function is to carry out the analysis and independent appraisal of the adequacy and effectiveness of a listed company’s risk management and internal control systems;
2. state that the internal audit function may be outsourced and that a group with multiple listed companies may share the group resources of the holding company to carry out the internal audit function for the group; and
3. require the Board to ensure the adequacy of resources, staff qualifications and experience, training programmes, and the budget of the internal audit function.
(iv) Audit committee
The Code has been specifically amended to provide that the audit committee of a listed company now also has a risk management responsibility and will need to oversee, in practice, the implementation of the amendments to the Code discussed above. A listed company can choose whether to have its existing audit committee perform risk management functions or to create a separate risk committee.
B. Further Legal Impact
The result of the amendments to the Code is that risk management is now a regular agenda item for the Board and the Board will have to identify and assess the most significant risks faced by the listed company in achieving its strategic and operational objectives. Consequently, legal risk should also be reviewed by the Board annually and this would include legal compliance review, standard documentation review and contracts review.
For example, a review of a listed company’s human resources would be a review of its office policies, staff handbook and standard employment contracts. All companies should take particular note that in the past year there have been major developments in employment law such as amendments to the Sexual Discrimination Ordinance (Cap. 480) and the Employment Ordinance (Cap. 57). All listed companies should ensure that they are in compliance.
If you have any queries regarding the above eNews or any other questions relating to employment or corporate or commercial matters, experienced lawyers in our Corporate and Commercial and Employment departments would be happy to assist you.