Spare the rod, spoil the listed company

LISTED companies here are motivated by the stick, not the carrot, said a recent study.mini storage The findings were staggering: An overwhelming majority (98 per cent) complied with risk management disclosures when they were mandated by listing rules, but only a pitifully small proportion (12 per cent) complied with a similar requirement in the non-mandatory Code of Corporate Governance.In response to those findings, however, Singapore Exchange (SGX) - which regulates listed companies - said it does not believe the answer lies in more regulation, but in greater rewards for good behaviour.But here's the thing: When most listed companies aren't bothering to comply with a key provision in the Code because it's neither mandatory nor legislated, clearly the gentle persuasion and praise that have been used all along are not enough.It is probably time to make more of these practices count - and the first step could be that suggested by the Accounting and Corporate Regulatory Authority (ACRA) last week. ACRA, which regulates business entities and public accountants here, said it is looking into making CEOs and CFOs legally liable for their assurances on their companies' internal controls, part of the risk management framework.Listing rule complianceTo determine the appropriateness of such an action, let's delve deeper into listed companies' risk management practices.The joint study by KPMG and ISCA, Towards better risk governance: a study of listed companies 2013, sampled 250 companies, ranging from small to large caps, across various industries.It found that, based on annual reports that were publicly available as at Dec 31, 2012, 98 per cent of the companies complied with SGX Listing Rule 1207 (10). The rule states that a company's board must, in its annual report, give its opinion with the concurrence of the audit committee on the adequacy of the company's internal controls, addressing financial, operational and compliance risks.Now, we come to the Code, which is a non-mandatory set of principles with which listed companies have to "comply or explain".Principle 11.3 of the Code has two parts, the first of which stipulates a practice similar to Rule 1207 (10). Only 12 per cent of the companies sampled in the study met the requirement that "the board should comment on the adequacy and effectiveness of the internal controls, including financial, operational, compliance and information technology controls, and risk management systems, in the company's annual report".Only 15 per cent complied with the second part, which says the board should also comment in the annual report on whether it has received assurance from the CEO and the CFO on the company's financial statements and the effectiveness of the company's risk management and internal control systems.It's important to point out here that this section on internal controls was amended when the Code was revised and relaunche儲存 in May 2012. The earlier version of the Code, which was in effect from 2005, stipulated only that the audit committee should review the adequacy of the company's internal controls and that the board should comment on this adequacy.This bears mentioning because many of the annual reports covered in the KPMG-ISCA study were published before the revised Code was issued.But, the study also looked at compliance by companies with the older version of the Code, and that was at a rate of 23 per cent.That is still a very low rate of compliance, when compared to that for Rule 1207 (10), considering how long the Code has been around, and that it is this old version of the Code that contains the principle most similar to the SGX listing rule.Clearly, more needs to be done to move risk management practices along. If CEOs and CFOs don't feel the need to provide the necessary assurance to the board because it isn't a mandatory principle, the boards can't attest to the adequacy and effectiveness of internal controls.SGX's deputy chief regulatory officer, Richard Teng, had said, in response to the study's findings: "As a regulator, you don't want to introduce more and more rules. What you want is to raise the reward for good behaviour."What's ironic about his statement is that it was SGX's decision to introduce Rule 1207 (10) in September 2011 that spurred a significantly larger number of companies to comply with the corresponding section in the Code.ACRA's proposalIrving Low, head of risk consulting at KPMG in Singapore, who presented the study, pointed out: "It (the SGX rule) has pushed and propelled a significant majority of the listed companies to at least have some form of formal internal control frameork/systems in place."And it's time to consider what else needs legislating. ACRA has suggested attaching a legal liability to the assurances made by CEOs and CFOs - taking a leaf from the book of the US Securities and Exchange Commission (SEC). A CEO or CFO signing a false certification could be subject to an SEC enforcement action for violating the law.ACRA's chief executive, Kenneth Yap, said the regulatory authority "is currently studying the practice in other jurisdictions, such as in the US and Australia" and has been "talking to counterparts such as the US SEC to learn from their experiences, and are currently seeking views from the business community as well".It needs to be said that tagging on a legal liability to such a certification or assurance is not just creating legislation for the sake of increasing regulation; rather, it needs to be recognised that such a move would clarify risk management responsibilities for boards and management, and impel CEOs and CFOs to take a more proactive role in such practices.As ACRA and this paper hopes, this should go some way in raising standards of financial disclosure and corporate governance, to the benefit of investors.迷你倉