Risk culture still lacking in Singapore companies

SINGAPORE - Risk management disclosures by Singapore-listed companies have improved in the last three years. But behavioural aspects - such as a company's risk culture - could do with greater attention in the near future.

These were the key takeaways from a new study published on Tuesday by the Institute of Singapore Chartered Accountants (Isca) and KPMG in Singapore.

The study, "Driving Value: Risk Transparency and Culture", is also supported by the Singapore Exchange (SGX).

The study looked at how risk management disclosures in annual reports have improved for a sample of 250 companies covered in a 2013 study.

Of the 250 companies sampled in 2013, only 219 were available for analysis in 2016; 31 companies had either since been delisted or released their annual reports only after the period of study.

Small-capitalisation companies formed the bulk (72 per cent) of the sample; large-cap companies made up 16 per cent, while mid-cap companies made up 12 per cent.

The study found that disclosures relating to risk governance, risk management practices and the board's conclusion on the adequacy and effectiveness of risk management and internal controls have improved over time.

There was also an improvement in terms of the risk structures and practices specified in either SGX Listing Rules or the Code of Corporate Governance (CG Code).

However, the study found that for additional areas not specified in guidelines - such as risk culture and fraud risk management - disclosures were less forthcoming.

For example, 64 per cent of companies disclosed information in relation to having established a risk management framework - including a risk assessment and monitoring process - and 68 per cent of companies disclosed having a risk management policy in place.

But the disclosures relating to risk culture were found to be lacking, with only 19 per cent of companies having made some mention of it.

Forty-one per cent of companies mentioned setting risk tolerance limits, while only 19 per cent disclosed aligning remuneration and risk policies - both of which are key elements in establishing an effective risk culture, the report said.

Only 4 per cent of companies disclosed having a formal process in place to assess and measure the organisational risk culture.

Tan Boon Gin, chief regulatory officer at SGX, said: "This study is a timely reminder that effective risk governance is not just structural, but also cultural.

It is more than developing a risk appetite statement, establishing risk committees or charting risk heat maps.

The board also needs to inculcate and embed a risk governance culture and values, including respect for the company's control environment.

Risk management performance indicators should be set in a way that creates awareness, accountability and incentivises performance in risk governance."

Irving Low, partner and head of Risk Consulting at KPMG in Singapore, added: "With the impending review of the CG Code, this provides an opportunity to consider incorporating more of the behavioural elements influencing risk.

Risk culture is arguably the most critical aspect of risk management because even if you have the best policy and process in place, if it is by-passed due to people not respecting it, the company is exposed to adverse outcomes."

The study also found that, while a majority of the companies have disclosed their financial, operational, compliance and information technology risks as specified by the CG Code, there was a significant lack of disclosure for strategic and cyber risks.

It also found that the majority of companies that disclosed some fraud risk measures had this in the form of a whistle-blowing policy; only 5 per cent or less disclosed information related to a broader fraud risk management framework, anti-fraud policies, or a focus on establishing an anti-fraud culture.

The report said that, while whistle-blowing and tip-offs are the most common method of fraud detection, the introduction of other fraud risk management tools is recommended, particularly as technology is enabling new methods of fraud which can more easily circumvent internal controls.

Perhaps expectedly, large-cap companies and government-linked companies (GLCs) outperformed other companies.

The report said this could possibly be a reflection of "the scale and complexity of risks in these organisations and importance they place on communicating these practices to key stakeholders to enhance confidence in their ability to manage risks".

This article was first published on November 02, 2016.