D.2 Risk management and internal control
The board is responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer's strategic objectives, and ensuring that the issuer establishes and maintains appropriate and effective risk management and internal control systems. Such risks would include, amongst others, material risks relating to ESG (please refer to the ESG Reporting Guide in Appendix 27 to the Exchange Listing Rules for further information). The board should oversee management in the design, implementation and monitoring of the risk management and internal control systems, and management should provide a confirmation to the board on the effectiveness of these systems.
The board should oversee the issuer’s risk management and internal control systems on an ongoing basis, ensure that a review of the effectiveness of the issuer’s and its subsidiaries’ risk management and internal control systems has been conducted at least annually and report to shareholders that it has done so in its Corporate Governance Report. The review should cover all material controls, including financial, operational and compliance controls.
The board’s annual review should, in particular, ensure the adequacy of resources, staff qualifications and experience, training programmes and budget of the issuer’s accounting, internal audit, financial reporting functions, as well as those relating to the issuer’s ESG performance and reporting.
The board’s annual review should, in particular, consider:
(a) the changes, since the last annual review, in the nature and extent of significant risks (including ESG risks), and the issuer’s ability to respond to changes in its business and the external environment;
(b) the scope and quality of management’s ongoing monitoring of risks (including ESG risks) and of the internal control systems, and where applicable, the work of its internal audit function and other assurance providers;
(c) the extent and frequency of communication of monitoring results to the board (or board committee(s)) which enables it to assess control of the issuer and the effectiveness of risk management;
(d) significant control failings or weaknesses that have been identified during the period, and the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the issuer’s financial performance or condition; and
(e) the effectiveness of the issuer’s processes for financial reporting and Exchange Listing Rule compliance.
Issuers should disclose, in the Corporate Governance Report, a narrative statement on how they have complied with the risk management and internal control code provisions during the reporting period. In particular, they should disclose:
(a) the process used to identify, evaluate and manage significant risks;
(b) the main features of the risk management and internal control systems;
(c) an acknowledgement by the board that it is responsible for the risk management and internal control systems and reviewing their effectiveness. It should also explain that such systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss;
(d) the process used to review the effectiveness of the risk management and internal control systems and to resolve material internal control defects; and
(e) the procedures and internal controls for the handling and dissemination of inside information.
The issuer should have an internal audit function. Issuers without an internal audit function should review the need for one on an annual basis and should disclose the reasons for the absence of such a function in the Corporate Governance Report.
Notes:
1. An internal audit function generally carries out the analysis and independent appraisal of the adequacy and effectiveness of the issuer’s risk management and internal control systems.
2. A group with multiple listed issuers may share group resources to carry out the internal audit function for members of the group.
The issuer should establish a whistleblowing policy and system for employees and those who deal with the issuer (e.g. customers and suppliers) to raise concerns, in confidence and anonymity, with the audit committee (or any designated committee comprising a majority of independent non-executive directors) about possible improprieties in any matter related to the issuer.
The issuer should establish policy(ies) and system(s) that promote and support anti-corruption laws and regulations.
Recommended Best Practices
The board may disclose in the Corporate Governance Report that it has received a confirmation from management on the effectiveness of the issuer's risk management and internal control systems.
The board may disclose in the Corporate Governance Report details of any significant areas of concern.