Grant Thornton Hong Kong calls on regulator to make the establishment of a separate risk committee a code provision under the Corporate Governance Code
Hong Kong - Grant Thornton Hong Kong Corporate Governance Review 2018 (the “Review Report”) finds that the percentage of the Hang Seng Composite Index (“HSCI”) companies which claimed full compliance with the Hong Kong Corporate Governance Code and Corporate Governance Report (the “Code”) issued by Hong Kong Exchanges and Clearing Limited (“HKEx”) remained steady at 44%. The level of compliance on certain aspects of the Code, such as risk management and internal control, director’s performance evaluation and time spent on the companies’ businesses and environment, social and governance (“ESG”) reporting, had improved from 2016. Overall, Hong Kong listed companies have sound corporate governance, and often the standards are on par with corporate governance standards of listed companies in other major developed capital markets.
Grant Thornton Hong Kong analysed the 2017 annual reports of 483 HSCI companies and notes that a slightly higher percentage of small-cap companies (6%) used a “box-ticking” approach by giving shorter and simpler explanations and detail-free write-ups when compared to large-cap (1%) and medium-cap (2%) companies. Such companies should improve the quality of their ESG reporting by actively identifying the specific risks amongst their ESG KPIs in order to effectively promote transparency and disclosure. A comprehensive and high-quality ESG report would enable the company to better address its institutional investment grade and general investors’ investment decision-making processes, which will in turn increase its investors’ perception of the listed company’s true value.
Meanwhile, the Review Report reveals that areas in which listed companies have done less well include confirming the effectiveness of risk management and internal control systems, board diversity and directors’ training, coming up with a risk culture, disclosing the findings or weaknesses on their internal control systems and having robust data privacy governance.
Commenting on the disclosure of the process for complying with the risk management and internal control code provisions, Eugene Ha, deputy managing partner of Grant Thornton Hong Kong said, “According to the Review Report, 2017 saw a high proportion of listed companies in the financial sector (68%) had disclosed that they had a separate risk committee. We encourage listed companies, particularly in telecommunications industry and retail industry, which retain a high volume of customer data to follow this practice. As having a separate risk committee apart from the audit committee will further enhance the existing risk governance structures in Hong Kong listed companies, we suggest the regulator to upgrade the establishment of a separate risk committee which is currently a recommended best practice to become a code provision of Corporate Governance Code.”
The increasing significance of cybersecurity and data privacy governance
Given the rapid development of modern day technologies and the increase in the use of personal data in organizations, the Review Report shows that one-third of the listed companies disclosed how IT systems had influenced their businesses. While 68% of the listed companies disclosed they had developed comprehensive privacy management programmes to manage and protect customers’ personal data, only 11% of the listed companies disclosed they had implemented data breach handling procedures.
Mian Wong, advisory director of Grant Thornton Hong Kong commented, “To prioritize the top risks of companies, the issues of cyber security and data privacy are vitally important to companies. Data breaches and cyber attacks can lead to immediate crises or the unintentional release of highly sensitive clients and/or companies’ confidential information. In our opinion, listed companies should communicate more with their investors in their annual reports by devoting a section that focuses on how their businesses are driven by technologies and how data privacy is governed in their companies.”
Hong Kong lags on whistleblower protection
With cybercrime becoming progressively more prevalent in today’s economy, the information technology and telecommunications sectors, which process high volumes of personal data, have started to keep their guard up through the implementation of a whistleblowing policy. The Review Report shows that 65% of listed companies disclosed they implemented a whistleblowing policy, which represented an increase of 15% as compared to 2016.
Mian Wong said, “Hong Kong listed companies are encouraged to incorporate the whistleblowing policy as it provides a path for communicating any wrongdoing and allows any issues and risks to be addressed quickly and potentially before any regulatory action or damage to reputation. As Hong Kong lags on whistle-blower protection in comparison with other developed jurisdictions, such as the Public Interest Disclosure Act 1998 in the United Kingdom and Federal Law on Whistleblower Protection Enhancement Act 2012 in the United States, we urge the Hong Kong government to enact a comprehensive whistleblower protection regime in line with international standards and practices.”
Code amendments to address Independent Non-Executive Directors’ over-boarding
As an ongoing process to raise the standard of corporate governance for listed companies in Hong Kong, the HKEx has announced amendments to the Code and the related listing rules, which are targeted at strengthening the transparency and accountability of the board and election of directors, and addressing the issues of Independent Non-Executive Directors’ (INEDs’) over-boarding and time commitment, effective on 1 January 2019.
Eugene Ha concluded, “It’s worth noting that under the amended Code, a listed company should explain to shareholders why it considers the proposed INED holding a seventh (or more) listed company directorship would still be able to devote sufficient time to the board. While the amendments head in the right direction, we recommend the regulator to consider the UK’s dual-voting process, under which an INED needs to be approved by an ordinary resolution of the shareholders and a separate ordinary resolution of the independent shareholders, so as to ensure a higher level of independence and involvement in the companies.”