Hong Kong boards must lead corruption fight to create effective internal risk-management culture

Placing greater emphasis on risk management, including that of fraud risk and corruption, is a key objective of the Hong Kong Exchanges and Clearing’s (HKEX) measures to strengthen locally listed companies’ corporate governance and internal control disclosure requirements.

Since these changes became effective this year, a survey by PwC found that most companies in the Hang Seng Index and Hang Seng Chinese Enterprise Index have complied with these amended requirements, says Jim Woods, PwC’s global risk assurance leader.

In a world of ever-evolving risks and constant regulatory changes, boards need a thoughtfully defined approach for preventing and overseeing risks, including corruption.

“The most important deterrent for fraud and corruption in an organisation is to have the right ‘tone at the top’,” Woods says. “This has to come from the board, and permeate down through the organisation. You want to create a culture where people do the right thing even when their bosses aren’t looking.”

Having a robust risk management and internal control system to identify, prevent and detect corruption red flags is also the key, he adds.

“To do this effectively, an increasing number of companies in Hong Kong and [mainland] China have started to embed digital solutions and predictive analytics into their monitoring mechanism to highlight unusual trends and anomalies which could be indicators of corruption activities,” Woods says. “As many high-profile cases have demonstrated, corruption allegations can destroy a company’s brand and reputation, ruin its financial standing and put individuals in jail. Good corporate governance gives companies the best chance to prevent this from happening.”

Corporate culture is an increasingly important aspect of corporate governance, says KPMG China’s head of internal audit & risk compliance services, Hong Kong, Paul McSheaffrey.

“Having the right culture at all levels of an organisation is a key factor in preventing corruption,” he says. “Implementing the right culture can take a significant period of time and require identification of gaps and proactive leadership from senior management to resolve them.”

Having an appropriate channel for staff to speak up, particularly a whistle-blowing channel, is a key area that is often overlooked, McSheaffrey adds. “This is a good way for staff members to flag up corruption, although it only works if the culture supports and encourages people to speak out,” he says.

An internal audit is also an important part of good corporate governance, McSheaffrey says.

“One area of development is an increasing use of data and analytics. By allowing internal audit to test the whole population, rather than just a sample, the ability to detect corruption early is enhanced. For example, we are seeing internal audit using data and analytics to analyse employees’ travel and expenditure claims and therefore identify any possible corruption perpetrated through that route.”

Chris Fordham, managing partner, fraud investigation & dispute services at EY Asia-Pacific, agrees that senior management must set the tone; be seen to live the company’s values; and set the clear example that ethical behaviour is not an impediment to success. “A key finding of EY’s Asia-Pacific Fraud Survey 2017 is that employees in Asia-Pacific want simplicity and consistency from their companies’ policies and procedures on corporate governance,” he says. “Our survey finds overwhelmingly that employees want to act ethically and would also strongly consider a company’s ethical reputation in making decisions on joining or staying. However, [staff] struggle to understand the overly complex ethical policies and procedures. If they don’t understand, they are not aware; and if they are not aware, then they can’t comply.”

Another key finding is employees’ reluctance to use whistle-blowing hotlines, Fordham says. “The hotlines are among the most critical of tools used by companies to prevent and detect fraud, bribery and corruption,” he says. “Yet, despite increasing numbers of companies in Asia-Pacific implementing these channels, we still see that employees are reluctant to use them, even preferring to turn to social media or law-enforcement channels to report unethical behaviour.

“Companies in Asia-Pacific need to ensure their employees trust the reporting channels they have invested in, providing confidence to their employees that their reports will be handled seriously and confidentially.”

McSheaffrey believes an enterprise-wide assessment of an entity’s corruption risks is crucial. It is essential that companies do an internal review of their operations to identify where the risks are the greatest.

“This will identify gaps in controls,” he says. “The assessment is only the first step. Companies will need to implement appropriate controls and ensure the performance of these controls is monitored within the existing corporate governance and risk management framework.”

Deloitte China’s risk advisory partner, Hugh Gozzard, thinks an organisation should adopt a comprehensive approach which is supported by its overall corporate governance framework. “Effective governance provides the foundation for specific systems established for preventing, detecting and addressing corruption,” he says. “It also fosters the culture of an organisation that is serious about reducing corruption risk.”

Sound practices for governance and anticorruption include board commitment; a code of ethics that imposes

zero-tolerance of malpractice; comprehensive risk management; internal controls that provide accountability and segregation of duties; anonymous reporting of suspected corruption; and training that promotes integrity, Gozzard says.

“While many organisations have established such governance/anticorruption measures, this is often done statically, meaning that practices are only implemented superficially or soon become outdated as the organisation develops.” he says. “This approach leaves a company exposed to corruption risk when it acquires overseas subsidiaries; forms alliances or outsources parts of its operations yet may not have performed the risk-based due diligence of relevant counterparties that is essential to preventing corruption.”

Organisations should subject their governance and anticorruption systems to dynamic programmes of review and enhancement, Gozzard says. “These should comprise regular self-assessment and independent evaluation of board performance and not just routine operating activities.”