Dec 03, 2013

    Spare the rod, spoil the listed company

    The Business Times

    LISTED companies here are motivated by the stick, not the carrot, said a recent study.

    The findings were staggering: An overwhelming majority (98 per cent) complied with risk-management disclosures when they were mandated by listing rules, but only a pitifully small proportion (12 per cent) complied with a similar requirement in the non-mandatory Code of Corporate Governance.

    However, in response to those findings, Singapore Exchange (SGX) - which regulates listed companies - said it does not believe the answer lies in more regulation, but in greater rewards for good behaviour.

    But here's the thing: When most listed companies aren't bothering to comply with a key provision in the Code because it's neither mandatory nor legislated, clearly the gentle persuasion and praise that have been used all along are not enough.

    It is probably time to make more of these practices count - and the first step could be that suggested by the Accounting and Corporate Regulatory Authority (Acra) last week.

    Acra, which regulates business entities and public accountants here, said it is looking into making chief executive officers and chief financial officers legally liable for their assurances on their companies' internal controls, part of the risk-management framework.

    To determine the appropriateness of such an action, let's delve deeper into listed companies' risk-management practices.

    A joint study by KPMG and ISCA, Towards Better Risk Governance: A Study Of Listed Companies 2013, sampled 250 companies, ranging from small to large caps, across various industries.

    It found that, based on annual reports that were available publicly as at Dec 31 last year, 98 per cent of the companies complied with SGX Listing Rule 1207 (10). The rule states that a company's board must, in its annual report, give its opinion - with the concurrence of the audit committee - on the adequacy of the company's internal controls, addressing financial, operational and compliance risks.

    Now, we come to the Code, which is a non-mandatory set of principles with which listed companies have to "comply or explain".

    Principle 11.3 of the Code has two parts, the first of which stipulates a practice similar to Rule 1207 (10). Only 12 per cent of the companies sampled in the study met the requirement that "the board should comment on the adequacy and effectiveness of the internal controls, including financial, operational, compliance and information-technology controls, and risk-management systems, in the company's annual report".

    Clearly, more needs to be done to move risk-management practices along. If CEOs and CFOs don't feel the need to provide the necessary assurance to the board because it isn't a mandatory principle, the boards can't attest to the adequacy and effectiveness of internal controls.

    SGX's deputy chief regulatory officer, Mr Richard Teng, had said, in response to the study's findings: "As a regulator, you don't want to introduce more and more rules. What you want is to raise the reward for good behaviour."

    What's ironic about his statement is that it was SGX's decision to introduce Rule 1207 (10) in September 2011 that spurred a significantly larger number of companies to comply with the corresponding section in the Code.

    It needs to be said that tagging on a legal liability to such a certification or assurance is not just creating legislation for the sake of increasing regulation; rather, it needs to be recognised that such a move would clarify risk-management responsibilities for boards and management, and impel CEOs and CFOs to take a more proactive role in such practices.