Corporate Governance Code and Corporate Governance Report – What are the key changes?

www.pwchk.com

www.pwchk.comThis content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

© 2015 PricewaterhouseCoopers Limited. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. HK-20140903-4-C1

Our key research and insights

Publication Title and Synopsis QR code

Riding through the Waves – Pursuing a High Performance Board

With the objective of enhancing the standard of corporate governance amongst companies listed in Hong Kong, the Hong Kong Exchanges and Clearing Limited (“the Exchange”) has concluded on a series of changes in December 2014 in relation to the internal control and risk management provisions of the Corporate Governance Code (Appendix 14), effective for issuers with accounting periods beginning on or after 1 January 2016.

Board of Directors need to understand the critical issues encompassing corporate governance and reinforce investor confidence in their organisations. This brochure listed a number of current topics which can be mixed and matched in accordance with your requirements. We have also included a suggested duration for each of these thus giving you full flexibility over the programme.

Culture, conduct and behaviours – Creating confidence in culture and behaviours

In 2007, the author Nassim Nicholas Taleb put forward the concept of ‘black swans’: unforeseen risk events that have a major impact, such as the September 11 attacks or the Indian Ocean tsunami of December 2004. This idea has rapidly taken hold, and has been applied to recent events ranging from the credit crunch to BP’s Deepwater Horizon oil spill to the Arab Spring. Today, ‘black swan’ events like these are regarded as one of three types of risks that organisations face.

The Global State of Information Security® Survey 2015

The Global State of Information Security® Survey 2015 (GSISS 2015) is a worldwide study by PwC, CIO, and CSO. The results discussed in this report are based on responses of more than 9,700 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices from more than 154 countries.

Cyber risks will never be completely eliminated. Today, organisations must remain vigilant and agile in the face of a continually evolving threat landscape. Find out why your organisation should consider implementing a risk-based approach to security that prioritises your most valuable assets and proactively addresses your most relevant threats.

2014 State of the Internal Audit Profession Study

Our annual State of the Internal Audit Profession, which includes responses from more than 1,900 chief audit executives (CAEs), internal audit managers, members of senior management, and board members, representing 24 industries and 37 countries, provided substantial insight into how internal audit is performing and the steps individual functions are taking to increase their contribution to their respective organisations.

Future-proofing your business - A framework for thinking differently about your risks

We have developed a framework to help you explore where risk lies in your business and identify the potential threats and opportunities it holds.

The framework is flexible and dynamic – designed to encourage a broader perspective and future-facing approach to risk and resilience. It is a catalyst to help you think holistically about your key strategic risks and adopt a different mindset that explores the opportunities presented by risk, as much as the threats.

January 2015

South North

Cimi LeungPartner+852 2289 2997cimi.leung@cn.pwc.com

Stephen Ducker Partner+8610 6533 2279stephen.j.ducker@cn.pwc.com

Eric Yeung Partner+852 2289 1953eric.ck.yeung@hk.pwc.com

Kanus YuePartner+852 2289 1989kanus.km.yue@hk.pwc.com

Duncan Fitzgerald Partner+852 2289 1190duncan.fitzgerald@hk.pwc.com

Summary of Key Changes in relation to the Risk Management and Internal Control Provisions of the Corporate Governance Code and Corporate Governance ReportWith the objective of enhancing the standard of corporate governance amongst companies listed in Hong Kong (“the Issuers”), the Hong Kong Exchanges and Clearing Limited (“the Exchange”) released a Consultation Conclusions Paper in December 2014 and confirmed a series of changes to the existing code relating to internal control and risk management (Appendix 14), effective for issuers with accounting periods beginning on or after 1 January 2016.

Risk Management and Internal Control

Responsibilities of the Board and Management

Annual Review and Disclosure in the CG Report

Internal Audit

Audit Committee’s Role

• The title of Section C.2 of the existing Code is now amended to put equal emphasis on the importance of risk management.

• The roles of the board, management and internal audit are to be clearly defined in Principle C.2.

• Management should provide confirmation to the board on the effectiveness of the risk management and internal control systems.

• The relevant confirmation obtained from management is to be disclosed in the CG Report under Recommended Best Practice (“RBP”) C.2.6.

• The board should oversee the issuer’s risk management and internal control systems on an ongoing basis rather than just a one-off review (which is a current common approach).

• The board’s annual review should consider:

– The changes since the last annual review

– Scope and quality of management’s ongoing monitoring of risks and the internal control systems

– The extent and frequency of communication of monitoring results to the board

– Significant control weaknesses identified during the period

– The effectiveness of the issuer’s processes for financial reporting and Listing Rule compliance.

• The issuers now need to state whether they consider the risk management and internal control systems to be effective and adequate (it was previously optional).

• Issuers are also required to disclose procedures and internal controls relating to the handling and disseminating of inside information.

• Issuers should disclose a narrative statement on how they have complied with the risk management and internal control code provisions during the reporting period.

• Most of the existing Recommended Disclosures on internal controls (Section S) are now upgraded to Mandatory Disclosures.

• Issuers will be required (on a ‘comply or explain’ basis) to have an internal audit function, which can be an in-house function or one that is outsourced.

• The board’s annual review should ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer’s internal audit function.

• Principle C.3 on audit committees and Code Provision (“CP”) C.3.3 on terms of reference should incorporate risk management where appropriate.

• The audit committee’s terms of reference should include the review of issuer’s financial controls, and unless expressly addressed by a separate board risk committee, or by the board itself, to review the issuer’s risk management and internal control systems.

Conduct Corporate Governance Review against the current Appendix 14 requirements

Establish / Assess / Enhance your Internal Audit function and its underlying methodologyEstablish / enhance your

Risk Management and disclosure practices

Deliver Training on Risk and Controls Awareness

Develop and implement a Risk and Controls Assurance Mechanism

1

4

2

3

5

Contact us

Central

Jasper XuPartner+8621 2323 3405 jasper.xu@cn.pwc.com

What should you do and how can we help?In response to the key changes outlined in the Consultation Conclusions Paper, we recommend issuers to assess the impact of the key changes on their corporate governance arrangements and disclosure practices. Some possible areas where we can assist you in addressing the key changes are as follows: