Jurisdiction - Hong Kong
Reports and Analysis
Hong Kong – Listed Companies: Stock Exchange Consultation On Risk Management and Internal Controls

31 October, 2014



The Stock Exchange of Hong Kong Limited (“HKEx”) is currently undertaking a period of consultation on Listing Rule changes associated with Risk Management and Internal Controls. HKEx has published a consultation paper (the “Consultation Paper”) on proposed revisions to the internal controls section of the Corporate Governance Code and Corporate Governance Report (“Code”).1

Consistent with corporate governance developments and trends in various jurisdictions, the core objective of the Consultation Paper is to further highlight the importance of risk management. Other proposals to improve the Code include clearly specifying the respective roles and responsibilities of the board, management and the internal audit function; as well as to provide direction as to specific disclosures that issuers should make in the Corporate Governance Report.

Drawing experience from Singapore, Australia, the UK, the US and Mainland China, the core objectives of the Consultation Paper are to:


  • Confirm that internal controls are an important part of risk management
  • Increase accountability of the board and management by clearly defining their roles and responsibilities regarding risk management and internal controls
  • Accentuate transparency of the issuer’s risk management and internal controls by upgrading the recommendation for issuers to disclose their policies, process and details of their annual review of the effectiveness of their risk management and internal control systems
  • Strengthen the oversight of issuer’s risk management and internal control systems by upgrading the recommendation for issuers to have an internal audit function

The proposals are set out below


Provision Current position Proposed amendment
C.2  Currently titled “Internal Controls” 


The principle states that the board should ensure that the issuer maintains sound and effective internal controls to protect shareholders’ investment and the issuer’s assets.


To emphasise the inter-related nature of risk management and internal controls, the current title is intended to change to “Risk management and internal controls”. 


This Principle is regarded as placing insufficient emphasis on risk management; in addition, the connection between the issuer’s objectives and risks associated with those objectives are not clearly stated.



It is proposed that this Principle should be altered in the following ways:


  • it should state that the board is responsible for evaluating the risk it is willing to take in achieving the issuer’s objectives and ensuring the establishment and maintenance of effective risk management and internal control systems;


  • it should state that the management is responsible for designing, implementing and monitoring the risk management and internal control systems, and that management should provide assurance to the board on the effectiveness of these systems;


  • The phrase “to safeguard shareholders’ investment and the issuer’s assets” should be removed to widen its scope to cover risk management and internal control systems broadly; and


  • A new Recommended Best Practice (“RBP”)should be introduced to state that the board may disclose in the Corporate Governance Report that it has received assurance from management regarding the effectiveness of the issuer’s risk management and internal control systems.
RBP C.2.3 This RBP currently sets out the matters that the board’s annual review should consider.  In order to emphasize the importance of this provision, the Consultation Paper proposes to upgrade the existing RBP C.2.3 to a Code Provision (“CP”).3 
RBP C.2.4  This RBP sets out the particular disclosures that issuers should make in their Corporate Governance Reports in relation to how they have complied with disclosure requirements during the reporting period.  To encourage more substantive, meaningful disclosure, it is proposed that the existing RBP C.2.4 be upgraded to a CP. The Consultation Paper also proposes to alter the drafting to include risk management where appropriate, simplify the requirements and remove ambiguous language, and clarify that the risk management and internal control systems are designed to manage rather than eliminate risks.
Amendment of Section S  Section S of the Code sets out additional Recommended Disclosure in respect of internal controls that issuers are encouraged to make in their Corporate Governance Report.  The Consultation Paper proposes to upgrade most of the existing Recommended Disclosures in Section S to Mandatory Disclosures. Under the proposed new regime, issuers will be obliged to disclose: 

  • Whether they have an internal audit function


  • How often the risk management and internal control systems are reviewed; and an explanation if no review has been conducted


  • A statement that a review of the effectiveness of the risk management and internal control systems has been conducted and whether the issuer considers them effective and adequate; and


  • Significant views or proposals put forward by the audit committee.


Moving Forward

HKEx is now evaluating market views on these changes, and it is expected to publish consultation conclusions within the next few months. Given that, HKEx listed companies are recommended to review their disclosures and internal control systems to ensure that they are capable of complying with the new requirements when they are introduced.


End Notes:


The Code is set out in Appendix 14 of the Main Board Rules and Appendix 15 of the Growth Enterprise Market Rules.


A RBP is for guidance only and not a mandatory Listing Rule requirement
Compared with a RBP which is for guidance only, a CP is on a “comply or explain” basis.


Clyde & Co


Simon McConnell, Partner, Hong Kong
[email protected]


Mun Yeow, Partner, Hong Kong
[email protected]


Comments are closed.