
Improved Risk Transparency Among Singapore Companies

- Disclosure efforts by Singapore companies have mainly focused on areas specified in corporate governance guidelines, but more attention needs to be paid to those not stated in the guidelines.

- Other areas for improvement in disclosure include strategic risk, cyber risk, risk tolerance, risk culture, and fraud risk management.

1 November 2016 – Risk management disclosures among companies have improved since 2013. These include disclosures related to risk governance, risk management practices and the Board’s conclusion on the adequacy and effectiveness of risk management and internal controls. While improvements were noted across the board, large-cap companies have done better than mid- and small-cap companies. Government-linked companies (GLCs) continue to have more forthcoming disclosures than non-GLCs. The level of disclosure is also influenced by the sector the company is in. For instance, the Finance sector appears to be more advanced in disclosing risk governance structures and practices.

These are some of the key findings of the study of risk governance disclosures conducted by the Institute of Singapore Chartered Accountants (ISCA) and KPMG in Singapore, which is supported by the Singapore Exchange (SGX). The report, titled ‘Driving Value: Risk Transparency and Culture’, follows a similar study conducted in 2013[1].  

Mr Ho Tuck Chuen, Chairman of ISCA’s Corporate Governance Committee, said, “It is encouraging to see an increased level of disclosures related to risk management and governance across all companies. Risk management is integral to all companies as they grow. Proper risk management and internal controls help companies understand their risk exposure with mitigating controls in place to effectively pursue their objectives. We hope this report will enable companies to better understand the key risk governance practices, as well as encourage them to be more forthcoming in disclosures beyond the guidelines to enhance their standards of risk governance.”

Mr Irving Low, Partner and Head of Risk Consulting at KPMG in Singapore, said that “The study highlights the disparity between disclosures of a structural versus behavioural nature. The focus of the Singapore Code of Corporate Governance (the CG Code) is primarily on structural elements, such as having a committee or policy in place, and we have seen a robust improvement in these disclosures since the CG Code was introduced. However, disclosures relating to behavioural factors such as risk culture are not as forthcoming and are not currently featured in the CG Code. With the impending review of the CG Code, this provides an opportunity to consider incorporating more of the behavioural elements influencing risk. Risk culture is arguably the most critical aspect of risk management because even if you have the best policy and process in place, if it is by-passed due to people not respecting it, the company is exposed to adverse outcomes.”

Mr Tan Boon Gin, Chief Regulatory Officer at SGX, said: “This study is a timely reminder that effective risk governance is not just structural, but also cultural. It is more than developing a risk appetite statement, establishing risk committees or charting risk heat maps. The Board also needs to inculcate and embed a risk governance culture and values, including respect for the company’s control environment. Risk management performance indicators should be set in a way that creates awareness, accountability and incentivises performance in risk governance.”

Improvement in Risk Management Disclosures

There have been significant improvements in corporate governance disclosures since the 2013 study. Companies with large market capitalisation ($1 billion and above) were found to have more forthcoming disclosures compared to other companies for a majority of risk governance structures and practices. GLCs also continue to be more forthcoming in their disclosures. For example, more GLCs specified having a risk management framework, a Board Risk Committee, a Chief Risk Officer (CRO), a Management Risk Committee and establishing a risk culture.

Emerging areas of risk governance that are not specified in the CG Code, such as risk culture, the risk management function and fraud risk management, could be improved.

Risk Governance Structures

The study shows enhanced clarity in the disclosure of the Board’s responsibilities in risk governance. When the study was conducted in 2013, only 34% of the companies indicated that their boards are responsible for risk governance. In 2016, this percentage improved significantly to 100%. This highlights the much stronger recognition that the Board is responsible for the governance of risk.

Given the increase in the complexity of the risk landscape, over the past three years, the percentage of companies that have restructured their boards to either have a formally constituted Audit and Risk Committee (ARC) or a separate Board Risk Committee (BRC) has increased from 2% to 16% for ARC, and 12% to 16% for BRC.

Risk Management Practices

The study found that while a majority of the companies have disclosed their financial, operational, compliance and information technology (IT) risks as specified by the CG Code, there was a significant lack of disclosure for strategic and cyber risks (31% and 5% respectively). Given the recent rise in the number of companies falling victim to malicious cyber-attacks, companies could be more forthcoming in disclosing such risks.

The study also found that there is a lack of specificity when it comes to disclosing risks. There is a lack of description of risks, and companies merely group them into broad risk categories (financial, operational, compliance, IT). According to the study, about 61% of the companies did not mention any specific risk type[2], while only 39% provided a short description.

Areas of Improvement

Compared to three years ago, companies in Singapore have been making steady progress in improving their risk governance disclosures. More companies have been adhering to the requirements laid out in the CG Code.

However, the study also found that more could be done for areas that are not specified in the CG Code, as well as emerging areas of risk governance such as risk tolerance, risk culture and fraud risk management.

More companies should establish a formal risk culture framework. This includes setting the ‘tone at the top’, formalising the expected values and behaviours across the company. A strong risk culture supports effective risk management; a weak risk culture is a risk in itself.

Another area of improvement would be for companies to have a more holistic fraud risk management framework. According to the study, although 95% of companies disclosed having a whistleblowing policy and procedure as the primary means to mitigate against fraud such as money laundering and bribery, this only represents one aspect of fraud risk management. The framework should include other fraud risk management tools, such as using technology to adequately identify, assess, manage and mitigate fraud risks.

With the introduction of the new Key Audit Matters disclosure requirements in the enhanced auditor’s report mandated by the Accounting and Corporate Regulatory Authority, companies can also strive to be more specific when disclosing risk types. This will ideally enhance transparency and engagement between the investor and the company.

About the Study

The ISCA-KPMG study, “Driving Value: Risk Transparency and Culture”, is a time-based study to observe the risk governance disclosures of over 200 Singapore-listed companies. The study analyses disclosures found in annual reports relating to board risk governance, risk management capabilities and structures, risk management practices, internal audit and fraud risk management. Interviews with independent directors and leading risk practitioners were also conducted.

For media queries, please contact:

For ISCA

Shaun Tay, Communications Executive

Tel: 6597 5613 / 9147 7633

Email: shaun.tay@isca.org.sg

Betsy Tan, Senior Communications Manager

Tel: 6597 5608 / 9641 6920

Email: betsy.tan@isca.org.sg

For KPMG

Mok Fei Fei

External Communications

Tel: +65 6507 1597

Email: fmok@kpmg.com.sg

 

About the Institute of Singapore Chartered Accountants

The Institute of Singapore Chartered Accountants (ISCA) is the national accountancy body of Singapore. ISCA’s vision is to be a globally recognised professional accountancy body, bringing value to our members, the profession and wider community. There are over 30,000 ISCA members making their stride in businesses across industries in Singapore and around the world.

Established in 1963, ISCA is an advocate of the interests of the profession. Possessing a Global Mindset, with Asian Insights, ISCA leverages its regional expertise, knowledge, and networks with diverse stakeholders to contribute towards Singapore’s transformation into a global accountancy hub.

ISCA is the Administrator of the Singapore QP and the Designated Entity to confer the Chartered Accountant of Singapore - CA (Singapore) - designation.

ISCA is an Associate of Chartered Accountants Worldwide – supporting, developing and promoting over 620,000 Chartered Accountants in more than 200 countries around the world.

For more information, visit www.isca.org.sg.

About KPMG in Singapore

KPMG in Singapore is part of a global network of professional services firms providing Audit, Tax and Advisory services. The KPMG network operates in 155 countries, with more than 174,000 people working in member firms around the world. In the ASEAN region, member firms operate across all 10 countries of this regional grouping providing professional services supporting the growth, compliance and performance objectives of our clients.

The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. Each KPMG firm is a legally distinct and separate entity and describes itself as such.

Connect with us

LinkedIn: linkedin.com/company/kpmg-singapore

Twitter: @KPMGSingapore

[1] ISCA-KPMG ‘Towards better risk governance’: A study of 250 listed Singapore companies, 2013

[2] A risk type is defined as a specific risk example with a succinct description or title. It provides more insight than a broad risk category (health & safety, product reliability, geopolitical risk etc.)