CMCL Risk Management

The Listing Rules of Hong Kong Exchanges and Clearing Limited (HKEX) recommend that listed companies should engage in risk management:

‘The board is responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the issuer’s strategic objectives, and ensuring that the issuer establishes and maintains appropriate and effective risk management and internal control systems. The board should oversee management in the design, implementation and monitoring of the risk management and internal control systems, and management should provide a confirmation to the board on the effectiveness of these systems.’

Code provision C2.1 of Appendix 14/15 of the Main Board/GEM Listing Rules

We will take the five-step approach to understanding the risk management process of a company in order to help develop a risk management system that meets the COSO description.

Step 1 – Identifying risks

Reviewing business processes and the environment in which the business operates to identify risks. For example, when the EU General Data Protection Regulation (GDPR) came into effect in 2018, we identified risks of non-compliance with the regulation for our clients who carry on business in the EU.

Step 2 – Analysing the possibility of a risk occurring

Assessing the likelihood and impact of each risk. For instance, the aforementioned GDPR compliance risks are very likely to occur for airlines and would have a great impact on them (with a maximum penalty of 4% of global revenue). For manufacturing companies, these risks also have a significant impact but are less likely to occur, because manufacturing companies do not have individual customers and the risks affect only their own employees. Therefore, even under the same regulation, the likelihood of a risk occurring varies with the type of industry.

Step 3 – Establishing a risk prioritisation process

The risk assessment will help to prioritise the risks, but management will still need to consider different risk mitigation measures, in particular the time and cost of implementing them.

Step 4 – Putting in place countermeasures

All identified and assessed risks should be recorded to ensure that they are followed up. Potential issues that have not yet posed a risk are placed on a watch list for monitoring purposes. For example, staff training often needs to be continually adjusted in response to customer complaints.

Step 5 – Monitoring risk on a regular basis

Due to changes in the business environment, regulatory environment and operating model, companies need to update their risk assessments regularly. Risk assessments and internal control systems complement each other to ensure that all risks are reduced to an acceptable level.

Q & A

Q: Our company has stated in the Corporate Governance Report that the Board has conducted a review of the effectiveness of the risk management and internal control system. What else should be disclosed?
A: Under the requirements of HKEX, companies are still required to disclose:

– whether the issuer has an internal audit function;
– the frequency and period covered by the review of the risk management and internal control systems; and
– whether the issuer considers such risk management and internal control systems to be effective and adequate.

With extensive experience, our accounting team are able to assist with the preparation of the risk management section of the Corporate Governance Report to meet the disclosure requirements of the Listing Rules.

Q: How long does the work regarding risk management usually take?
A: We plan our work schedule according to the complexity of the company’s business.
