Risk Management and Internal Control Practice - Part 2 (3)
Source : JFU
4 November 2015
JFU Approach to Meeting the Listing Rule Requirements
This note sets out our analysis of the C.2.3 requirements and proposed approach to meeting such requirements, with a summary of action pointers that can be adopted as risk management and internal control policy initiatives.
Analysis of C.2.3 Requirements
The board's annual review should, in particular, consider:
- the changes, since the last annual review, in the nature and extent of significant risks, and the issuer's ability to respond to changes in its business and the external environment;
- the scope and quality of management's ongoing monitoring of risks and of the internal control systems, and where applicable, the work of its internal audit function and other assurance providers;
- the extent and frequency of communication of monitoring results to the board which enables it to assess control of the issuer and the effectiveness of risk management;
- significant control failings or weaknesses that have been identified during the period. Also, the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the issuer's financial performance or condition; and
- the effectiveness of the issuer's processes for financial reporting and Listing Rule compliance.
JFU Approach 3(a)
To begin with, the Issuer should have a risk register documenting all the risks submitted by each business unit or process owners. The risks should be defined to facilitate understanding of its nature with a rigorous analysis in the light of changes in its business and the external environment. The result of the change analysis of each risk should include a statement of likelihood, the extent of impact on the issuer's financial result or position, and a discussion on how the issuer should address the potential impact arising from the change with comments on options available and whether the issuer is able to do so.
3(a) Action Pointers
- Keep a risk register
- Collect and collate risks from unit or process owners
- Understand and define risks
- Analyze risks in the light of changes in business and environment
- Report change analysis of risks
JFU Approach 3(b)
See Approach 1(a), "Risk Management and Internal Control Practice - Part 2(1)" dated 21 October 2015. The scope and quality of management's ongoing monitoring of the Systems can be assessed based on evidence of work undertaken by the workgroup ("WG").
3(b) Action Pointers
- Assess worktroup monthly reports and AR reports
- Comment on effectiveness of management ongoing monitoring
JFU Approach 3(c)
See Approach 1(a), "Risk Management and Internal Control Practice - Part 2(1)" dated 21 October 2015. The extent and frequency of communication of monitoring results to the board is documented by way of the WG reports and AR reports which provide the board a basis for assessing the control of the issuer and the effectiveness of risk management.
3(c) Action Pointers
- Assess WG monthly reports and AR reports
- Comment on the effectiveness of issuer's control and risk management
JFU Approach 3(d)
See Approach 1(a), "Risk Management and Internal Control Practice - Part 2(1)" dated 21 October 2015. The WG should have discussed at its monthly meetings or ad hoc meetings convened to deal with special and urgent issues. The board should focus on those issues considered as important failings or weaknesses and examine if the WG reports have adequately addressed the issues identified and in particular an assessment on the extent of the impact on the issuer's financial results and positions.
3(d) Action Pointers
- Assess WG monthly reports and AR reports
- Comment on impacts and remedies of failings and weaknesses
JFU Approach 3(e)
See Approach 2(a), 2(b) and 2(c), "Risk Management and Internal Control Practice - Part 2(2)" dated 28 October 2015. On the basis of outputs defined and reports received, the board assesses the scope, timing and quality of the outputs in terms of whether there is sufficient information to enable the board and management to exercise directorship, risk management and controllership for governance, management, operational purposes, and whether all listing disclosure requirements are satisfied.
3(e) Action Pointers
- Assess outputs produced by the accounting function
- Comment on effectiveness per governance, management, operational requirements
- Confirm with legal and auditors that all listing requirements are complied
Ms. Law for more information
Tel: +(852) 3719 6000