Disclosure efforts by Singapore companies have mainly focused on areas specified in corporate governance guidelines, but more attention needs to be paid to those not stated in the guidelines.
Other areas for improvement in disclosure include strategic risk, cyber risk, risk tolerance, risk culture, and fraud risk management.
Risk management disclosures among companies have improved since 2013. These include disclosures related to risk governance, risk management practices and the Board’s conclusion on the adequacy and effectiveness of risk management and internal controls. While improvements were noted across the board, large-cap companies have done better than mid- and small-cap companies. Government-linked companies (GLCs) continue to have more forthcoming disclosures than non-GLCs. The level of disclosure is also influenced by the sector the company is in. For instance, the Finance sector appears to be more advanced in disclosing risk governance structures and practices.
These are some of the key findings of the study of risk governance disclosures conducted by the Institute of Singapore Chartered Accountants (ISCA) and KPMG in Singapore, which is supported by the Singapore Exchange (SGX). The report, titled ‘Driving Value: Risk Transparency and Culture’, follows a similar study conducted in 2013 [1].
Mr Ho Tuck Chuen, Chairman of ISCA’s Corporate Governance Committee, said, “It is encouraging to see an increased level of disclosures related to risk management and governance across all companies. Risk management is integral to all companies as they grow. Proper risk management and internal controls help companies understand their risk exposure with mitigating controls in place to effectively pursue their objectives. We hope this report will enable companies to better understand the key risk governance practices, as well as encourage them to be more forthcoming in disclosures beyond the guidelines to enhance their standards of risk governance.”
Mr Irving Low, Partner and Head of Risk Consulting at KPMG in Singapore, said: “The study highlights the disparity between disclosures of a structural versus behavioural nature. The focus of the Singapore Code of Corporate Governance (the CG Code) is primarily on structural elements, such as having a committee or policy in place, and we have seen a robust improvement in these disclosures since the CG Code was introduced. However, disclosures relating to behavioural factors such as risk culture are not as forthcoming and are not currently featured in the CG Code. With the impending review of the CG Code, this provides an opportunity to consider incorporating more of the behavioural elements influencing risk. Risk culture is arguably the most critical aspect of risk management because even if you have the best policy and process in place, if it is bypassed due to people not respecting it, the company is exposed to adverse outcomes.”
Mr Tan Boon Gin, Chief Regulatory Officer at SGX, said: “This study is a timely reminder that effective risk governance is not just structural, but also cultural. It is more than developing a risk appetite statement, establishing risk committees or charting risk heat maps. The Board also needs to inculcate and embed a risk governance culture and values, including respect for the company’s control environment. Risk management performance indicators should be set in a way that creates awareness, accountability and incentivises performance in risk governance.”
Improvement in Risk Management Disclosures
There have been significant improvements in corporate governance disclosures since the 2013 study. Companies with large market capitalisation ($1 billion and above) were found to have more forthcoming disclosures than other companies for a majority of risk governance structures and practices. GLCs also continue to be more forthcoming in their disclosures. For example, more GLCs specified having a risk management framework, a Board Risk Committee, a Chief Risk Officer (CRO), a Management Risk Committee and an established risk culture.
Emerging areas of risk governance that are not specified in the CG Code, such as risk culture, the risk management function and fraud risk management, could be improved.
Risk Governance Structures
The study shows enhanced clarity in the disclosure of the Board’s responsibilities in risk governance. When the study was conducted in 2013, only 34% of the companies indicated that their boards are responsible for risk governance. In 2016, this percentage improved significantly to 100%. This highlights the much stronger recognition that the Board is responsible for the governance of risk.
Given the increasing complexity of the risk landscape, more companies have restructured their boards over the past three years to have either a formally constituted Audit and Risk Committee (ARC) or a separate Board Risk Committee (BRC): the percentage rose from 2% to 16% for ARC and from 12% to 16% for BRC.
Risk Management Practices
The study found that while a majority of the companies have disclosed their financial, operational, compliance and information technology (IT) risks as specified by the CG Code, there was a significant lack of disclosure for strategic and cyber risks (31% and 5% respectively). Given the recent rise in the number of companies falling victim to malicious cyber-attacks, companies could be more forthcoming in disclosing such risks.
The study also found that there is a lack of specificity when it comes to disclosing risks. Companies rarely describe their risks and merely group them into broad risk categories (financial, operational, compliance, IT). According to the study, about 61% of the companies did not mention any specific risk type [2], while only 39% provided a short description.
Areas of Improvement
Compared to three years ago, companies in Singapore have been making steady progress in improving their risk governance disclosures. More companies have been adhering to the requirements laid out in the CG Code.
However, the study also found that more could be done for areas that are not specified in the CG Code, as well as emerging areas of risk governance such as risk tolerance, risk culture and fraud risk management.
More companies should establish a formal risk culture framework. This includes setting the ‘tone at the top’ and formalising the expected values and behaviours across the company. A strong risk culture supports effective risk management; a weak risk culture is a risk in itself.
Another area of improvement would be for companies to have a more holistic fraud risk management framework. According to the study, although 95% of companies disclosed having a whistleblowing policy and procedure as the primary means of mitigating fraud such as money laundering and bribery, this represents only one aspect of fraud risk management. The framework should include other fraud risk management tools, such as using technology to adequately identify, assess, manage and mitigate fraud risks.
With the introduction of the new Key Audit Matters disclosure requirements in the enhanced auditor’s report mandated by the Accounting and Corporate Regulatory Authority, companies can also strive to improve the specificity of their risk type disclosures. This should enhance transparency and engagement between investors and the company.
[1] ISCA-KPMG, ‘Towards better risk governance’: A study of 250 listed Singapore companies, 2013.
[2] A risk type is defined as a specific risk example with a succinct description or title. It provides more insight than a broad risk category (health & safety, product reliability, geopolitical risk, etc.).