There is a need to generate greater awareness on internal control and risk management, finds a study by the Institute of Singapore Chartered Accountants (ISCA) and KPMG in Singapore.
The study also encourages companies to provide greater quality disclosure on their risk governance practices.
Entitled “Towards better risk governance: a study of Singapore listed Companies 2013”, the ISCA-KPMG risk study looked at risk management disclosures of 250 listed companies in Singapore. It was conducted to assess the state of adoption of risk management practices by listed companies, especially in the light of the revised Code of Corporate Governance.
According to the study findings, the party responsible for risk governance differs across institutions.
Among the companies studied in the survey, some 34 percent stated that their board is responsible for risk governance. About 26 percent of companies pointed to management as being responsible. Meanwhile, about 19 percent of companies stated that Board Committees are responsible for risk governance.
Similarly, the board committee responsible for overseeing risk governance is not consistently disclosed. About 29 percent of the companies studied disclosed that they relied on their Audit Committee for risk governance, while 14 percent established a separate Board Risk Committee. Some 57 percent did not disclose this information.
“Our joint study revealed that there are gaps regarding the substance and quality of the disclosures of the sampled companies’ risk management and internal control frameworks in their annual reports," says R. Dhinakaran, Vice-President of ISCA and Chairman of the ISCA Corporate Governance Committee. "It is important that companies adopt the best practices of risk governance not just from a compliance tick-the-box perspective but to promote their organisation’s long-term sustainability.”
Irving Low, Head of Risk Consulting, KPMG in Singapore, said: “The findings suggest that more work is needed to clarify risk governance responsibilities of the board, board committee and management of the organisation.
“This is important to ensure that there is clear communication and greater transparency of risk, control and assurance information across the key ‘lines of defence’. In that way, boards can validate observations and conclusions to determine whether the overall framework is adequate and effective.”
Challenges in determining what and how much to disclose
Not surprisingly, compliance is higher when risk management is regulations-based, compared to when risk management is principles-based. While listed companies have complied with the mandatory SGX Listing Rule 1207(10), it is noted that some of them did not provide proper basis to explain how they concluded that there are adequate controls. Only 12 percent of companies complied with the revised Code of Corporate Governance.
Also, management support can be enhanced. Despite an increase in requirements regarding risk management and internal controls, resources at management level remain relatively unchanged. Only 12 percent of the companies sampled disclosed that they have a Management Risk Committee and only five percent have a dedicated Chief Risk Officer (CRO).
In addition, 85 percent of companies in the study are silent on whether there is a C-suite executive responsible for risk governance in their organisation.
Board Risk Committee Linked to Mature Risk Management Practices
The study found that the existence of a Board Risk Committee has been linked to more mature risk management practices.
Among companies with a Board Risk Committee, 34 percent have a CRO, compared to three percent for companies without a Board Risk Committee.
Some 69 percent of companies with a Board Risk Committee have an in-house Internal Audit function, compared with 27 percent for companies without a Board Risk Committee. Likewise, 71 percent of companies with a Board Risk Committee disclosed their risk management framework, compared with 40 percent of companies without a Board Risk Committee.
“Companies in complex and highly regulated industries typically have invested resources into establishing separate risk structures such as board risk committees and CROs to enable sufficient focus," says Low.
Low notes that not all companies must adopt these same exact practices. "However, they should take the time to clearly define key roles and responsibilities, resources required and the reporting requirements in terms of nature and frequency. Doing so will enable them to evaluate the adequacy and effectiveness of their risk management and internal control systems and satisfy disclosure obligations.”
Other Areas for Improvement
Given the revised Code of Corporate Governance 2012, the adoption rate of risk management practices by companies in the study has been encouraging. Specifically, the study found that the introduction of the SGX Listing Rule 1207(10) has raised standards for internal control systems.
Bigger companies, as well as those from the finance sector, and Government-Linked Companies (GLCs) have adopted and disclosed better developed risk management practices. These companies have higher compliance and adoption rates in at least seven out of 10 areas.
However, the study found that more can be done in terms of disclosures of board responsibility, assurance from the CEO or CFO, and whether there is a CRO appointed.
In addition, boards can improve the disclosure regarding their risk management and internal controls systems. Approximately half of small and mid-cap firms in the study did not state their risk management framework.
More work also needs to be done in the disclosure of the adoption of standards set by the Institute of Internal Auditors (IIA). While 94 percent of companies in the study have an Internal Audit function, only 39 percent disclosed that the IA function meets IIA standards.
“Effective risk governance is an ongoing commitment and ISCA encourages companies and businesses to think seriously about how to adopt the best practices, including those in the revised Code of Corporate Governance," says Dhinakaran. "We hope that our joint study with KPMG will achieve its aim of helping our companies to look at risk governance in greater depth and, in the process, follow up with adopting the best practices.”
Low adds that Board members and C-Suite level executives should take stock of their existing board assurance framework to confirm whether it is adequate and effective in practice and adopt a substance over form approach to disclosures.