corporate governance, compliance and code of conduct … · 2.5 corporate social ... 2.9 overall...

corporate governance, compliance and code of conduct study 2012

Hong Kong

About The Red Flag Group

The Red Flag Group is one of the world’s leading independent corporate governance and compliance firms providing thought leadership around

compliance to Fortune 1000 companies. Our main goals include helping companies develop and maintain efficient and effective governance and

compliance programs in emerging markets, as well as providing professional due diligence services to companies around the world. Our technology

solutions are leading edge – providing practical web-based solutions to manage compliance risks globally. For more information, go to

www.redflaggroup.com

Contents

1. Introduction

1.1 Background

1.2 Our initial approach

1.3 The study and methodology

1.3.1 Overall approach to corporate governance and compliance

1.3.2 Analysis of publicly-available codes of conduct

2. PART A – Study of projected attitude to compliance

2.1 Overview

2.2 Code of conduct

2.3 Chief compliance officer

2.4 Compliance committee

2.5 Corporate social responsibility, anti-corruption and other approaches to compliance issues

2.6 Compliance report

2.7 Whistleblower policy

2.8 Annual report–focus on compliance issues

2.9 Overall publicly-conveyed approach to ethics, compliance and good governance

3. Part B - Examination of publicly-available codes of conduct

3.1 The criteria

3.2 Results of the study

3.2.1 Overview

3.2.2 Focus areas

3.2.2.1 Direction from the board and senior management

3.2.2.2 Applicable law and legislation

3.2.2.3 Revision, awareness and promotion of the code

The Red Flag Group

1. Introduction

1.1 Background

There is an ever-growing expectation of companies around the world to raise their standards of corporate governance and compliance. While European and US companies tend to have taken significant steps in the right direction, it has become increasingly apparent that their counterparts in Asia are not at the same level of development.

There are several reasons why a below-par approach to corporate governance and compliance is unsustainable. Primary among these is the fact that investors are becoming increasingly savvy about the corporate governance and compliance standards of the companies in which they invest. Given the recent prevalence of corporate scandals and the gravity of their impact on capital markets, investors have become far more demanding in terms transparency, ethics and integrity. Furthermore, the emergence of ESG (environmental, social and governance) conscious investors has given companies an additional incentive to bolster their corporate governance and compliance procedures.

Annual Assessment - Hong Kong Corporate Governance, Compliance and Code of Conduct Study 2012

Companies based in Hong Kong and China are not immune to these pressures. The high-profile delisting of Betex and ZTC Telecoms in London in addition to the spate of scandals involving Chinese companies in North America in 2011 has rocked investor confidence. As investor expectations rise, the governance and compliance standards of companies will have to follow suit.

Investor pressure is not the only factor. A strong governance and compliance programme is becoming more and more of a catalyst for recruiting the best talent into all levels of a company. An organisation publicly declaring its values and ethics not only gives its current employees a clear understanding of the company’s expectations, it also attracts potential high-calibre employees. The lure of an ethical company exhibiting high standards of integrity should not be underestimated – no employee wants to suffer the stigma of working for a company that might be renowned for illegitimate practices, corruption or fraud.

While companies should embrace corporate governance as an opportunity for growth, compulsion from external bodies is undeniably a significant motivator for increasing standards of behaviour. Not only are regulatory requirements becoming more stringent, but the risk of legal exposure for non-compliance is becoming ever more serious. Take for instance the recent high-profile corruption investigations in Hong Kong, undertaken by the Independent Commission Against Corruption (ICAC). In March 2012, the ICAC arrested Raymond and Thomas Kwok, the co-chairmen and controlling shareholders of Sun Hung Kai Properties (one of the largest Hong Kong listed property development companies). The brothers, reportedly worth in excess of US$18 billion, were arrested under suspicion of corruption, along with Rafael Hui, the former Chief Secretary for Administration in the Hong Kong government and an advisor to Sun Hung Kai.

In another well-publicised case, Donald Tsang, the Chief Executive of Hong Kong SAR, is under investigation by the ICAC for allegedly accepting free holidays and apartments from local businesses in violation of anti-bribery laws. The scandal has also engulfed Henry Tang, who was unsuccessful in his bid to become Donald Tsang’s successor.

Based on these emerging trends and increasingly-frequent incidents of corruption amongst high-profile business leaders, The Red Flag Group undertook a study to examine the projected approach to good governance and compliance by leading companies that are listed on the Hong Kong Stock Exchange (HKEx).

1.2 Our initial approach

The original concept was for us to conduct an analysis on the publicly-available codes of conduct of the top 50 companies on the HKEx, based on market capitalisation. It quickly became apparent that only a tiny proportion of these companies had any form of code available. Further, none of the selected group of companies were willing to divulge this document upon request. This is alarming in itself as it demonstrates there is a misconception that such a document is private or confidential.

The code of conduct (or similar document such as a code of ethics, code of practice, and so on) is an organisation’s primary vehicle by which it can show the standards of behaviour it expects and the levels of integrity and ethical practices it adheres to. Not only is such a document a guide to the expectations of employees, it shows to all shareholders, would-be investors, business partners and third parties the culture instilled within a company and the immoral behaviour it will not tolerate.

The law in Hong Kong does not strictly require listed companies to have a code of conduct; instead, it requires a “comply or explain” approach. It is clear from our study that most organisations do not understand the benefits of taking the time to produce a well-thought-out code and divulging it to the public. It shows who you are, what you stand for, and how you do business. Any prospective investor or employee would want reassurance that the manner in which a company conducts itself is of the highest order, and that it takes all precautions against the risks associated with corrupt conduct.

The Red Flag Group

1.3 The study and methodology

Given the lack of availability of critical corporate documentation, the study was subsequently divided into two parts:

An analysis of overall approaches to corporate governance and compliance

An analysis of the codes of conduct that were publicly available.

First, the sample group was expanded to analyse the top 150 companies on the HKEx (again ranked according to market capitalisation). This group was derived from those who were consistently in the top 150 according to market capitalisation in June 2012. Despite the variations between many of these companies in terms of their size and industry, this sample group provides a revealing insight into the trending standards and attitudes towards corporate governance and compliance.

1.3.1 Overall approach to corporate governance and compliance

All 150 companies in our sample group were assessed according to their publicly-projected approach to governance and compliance. The assessment was based on eight different categories:

Whether a code of conduct (or similar document) existed and was available to the public

Whether the company identified its Chief Compliance Officer (or similar position), and if so, whether that person’s role and function was clearly explained

Whether the company had a Compliance Committee (or similar oversight group) that was devoted to the review and improvement of the firm’s approach to compliance

The company’s efforts to publicise its corporate social responsibility, anti-corruption practices and compliance

Whether the company had a publicly-available report specifically addressing compliance-related matters

Whether the company exhibited any form of whistleblower policy or policies on openness and transparency

The level of attention paid to compliance issues in the company’s annual report

The company’s overall approach to ethics, compliance and good governance based on viewing all publicly-available material collectively.

In each of these categories, the companies were given a score from zero to four, based on a clear set of guidelines and instructions. The maximum-possible score was 32. Each score sheet contained comments on how the final score for each category was derived, and all were reviewed independently for consistency.

1.3.2 Analysis of publicly-available codes of conduct

From our expanded sample group of 150 companies, we also conducted a code of conduct analysis on those that were publicly available and accessible. Out of the 150 companies, we were only able to find 21 who had such a document publicly available. For those few companies which we could examine, further analysis was conducted on the extent to which their code satisfied the following criteria:

Public accessibility

Commitment, values and themes


Leadership commitment

Target audience suitability

Readability and tone

Structure, presentation and style

Stakeholder identification

Explanation of the company interests

Non-retaliation commitment

Country culture suitability

Comprehension aids

Risk topics

Conflicts of interest policies

Board structure explanation

Board behaviour requirements

Committees

Acknowledgement of receipt

Disclaimers and reminders

Applicability

Law and legislation

Corporate citizenship

Workplace and employment values

Frequent review of code

Awareness and promotion

Company relations with business or government entities

Just as with the overall approach assessment, each criterion was also scored on a zero-to-four scale, with a maximum possible score of 100.

Again, the scope of both the overall compliance and code of conduct studies covered only publicly-available information; the results in our report do not suggest that most companies do not have any sort of governance or compliance programme. However, given the importance of corporate governance and compliance to such a wide range of stakeholders it is vital that these associated practices are as open and transparent as possible. For example, a code of conduct that is only available to directors or senior management excludes most employees and prospective investors, and is therefore far less effective in achieving its goals. For this reason, we took the approach of only considering publicly-available information and policies for the purposes of this study.

The Red Flag Group

2.1 Overview

As identified above, each of the 150 companies was assessed on eight different criteria, with a maximum-possible score of 32. While the specific trends within each category will be discussed in greater detail below, the data that was collated revealed several key trends.

One of these trends is the correlation between the location of the company and its governance and compliance standards, as shown in Figure 1, below. A company’s location can be based on numerous factors (particularly for multinational organisations). For the purposes of this study, we limited the classification to where that particular company was headquartered. Figure 1 below shows that companies based in China had the lowest average score of 4.1 out of 23. HKEx-listed companies that were based in Hong Kong had a slightly higher average of 5.1 out of 32, whereas HKEx-listed companies that were headquartered outside Hong Kong and China (for the purposes of this report named “foreign companies”) had a significantly

5

6

7

4

2

1

0Largest 50 companies Middle 50 companies Smallest 50 companies

3

8

9 8.2

4.02.3

Figure 2: Average compliance scores by market capitalisation

out of 32, with a further 29 scoring just 1 out of 32. In contrast, the majority of companies based outside of Hong Kong and China had a much more holistic approach to compliance and corporate governance, with only one such company scoring a total of 1 out of 32, while the next-lowest score in this group was 8 out of 32.

Another key trend was the correlation between market capitalisation and compliance standards, as shown in Figure 2. The largest 50 companies in terms of market capitalisation had an average score of 8.2; the middle 50 companies had an average of 4; while the smallest 50 companies had an average of just 2.3. While there were outliers within each category (the highest

10

12

14

8

4

2

0China Hong Kong Foreign

6

16

4.1 5.1

15.4

Figure 1: Average compliance scores by country

2. Part A – Study of projected attitude to compliance

higher average of 15.4. Granted, the sample size of foreign companies listed on the HKEx was very small in comparison to the number of Chinese- and Hong Kong-based companies.

Companies based in China and Hong Kong typically focused on just one area, such as corporate social responsibility, while neglecting the other aspects of their corporate governance and compliance disclosures. Accordingly, there were 34 companies from China and Hong Kong that had an overall score of 0


overall score, 26, belonged to a technology company based in the middle 50), there was a noticeable decline in compliance standards as the market capitalisation of the companies decreased.

It can be reasonably inferred that smaller (and often newer) companies do not devote the same resources to compliance and governance as their larger counterparts. Given that listed companies of all sizes face the same pressures from investors, employees and regulators, it would be remiss of smaller companies to neglect their compliance and corporate governance practices. That said, out of a possible 32 marks, even the largest 50 companies had an average score of only 8.2.

Data was also collated showing results distributed across the varying industry sectors within the sample group. The average score across all 150 companies was 5.1; however there was a significant disparity between the average scores of each sector, as shown in Figure 3, below.

Companies in the technology sector had both the highest individual score and the highest sector average at 26 and 11.1 respectively. Basic materials, financial services and utilities companies all had similar averages and high scores. The remaining four – conglomerates, consumer goods, industrial goods and, in particular, healthcare – all had a much low scores. It is worth noting that there was only one foreign company within these final four sectors – all of the other companies were based in Hong Kong or China. These figures are therefore less reflective of the corporate governance standards within that sector.

These trends paint a rough picture of the standard of corporate governance in Hong Kong listed companies: smaller companies tend to have lower standards than larger ones, while foreign-based companies generally have higher standards than companies based in Hong Kong or China. However, a clearer picture emerges when the eight criteria studied are analysed individually.

Figure 3: Compliance scores by sector

Basic

Mat

erial

s

Tech

nolog

y

Finan

cial

Servi

ces

Utilitie

s

Congio

mer

ate

Consu

mer

Goo

ds

Indus

trial

Goods

Health

care

25

20

10

5

26

18

7.1

11

3.05.1 5.1 5.7

3.41.5

0.52.4

2321 20

8.0 8.0

5.0

1.0

0

15

30 Highest score

Average score

Lowest score

The Red Flag Group

100

120

80

40

20

00 1 2 3 4

60

Nu

mb

er o

f co

mp

anie

s

Score out of 4

Code of conduct - score distribution

4

0

1

2

3

2.2 Code of conduct

As already identified, public availability of a code of conduct or similar document was generally poor across the sample group. A code of conduct is an important tool in stating a company’s ethics and principles. Only 21 companies had a publicly-available code, and it proved extremely difficult to obtain copies of private codes. Public availability itself did not automatically render a score of 4 out of 4 for this category. Its ease of location and prominence on the corporate website were factored into scoring. Companies that at least mentioned a code of conduct somewhere on their website or in other documents such as annual reports scored one mark.

Part B of this report will analyse these 21 codes of conduct in greater detail, but there are several points worth noting in the context of the overall corporate governance and compliance study. Firstly, out of a maximum-possible four marks the average score was only 0.7. Furthermore, 109 companies scored 0 out of 4, which effectively means that there was no mention of a code of conduct, internal or public, anywhere in the company’s publicly-available material (see Figure 4). It is worth emphasising that these 109 companies include some of Hong Kong’s, and indeed the world’s, largest and most-powerful firms.

Take for instance one company who was in the top ten in terms of market capitalisation at the time of the study. This entity was listed on not only the Hong Kong Stock Exchange, but also in New York, London and Shanghai. It is one of the world’s largest integrated energy and chemical companies. Its operations span many different countries and range from oil exploration and extraction to the production of rubber and other petrochemical products. Given the breadth of the company’s operations, it has a huge number of stakeholders (including international regulatory bodies), workers spread across many jurisdictions, a global supply chain and the natural environment from which it extracts oil and gas. Despite this, the company has not exhibited any form of code of conduct. As such, the various stakeholders are largely left in the dark as to the company’s guiding values and principles.

A company in this position should have a publicly-available code of conduct that demonstrates a clear commitment to ethical standards in its business practices. The code should show endorsement from the company’s leadership and be tailored to its stakeholders and the countries and industries in which it operates.

Figure 4 – Code of conduct score distribution


2.3 Chief compliance officer

The chief compliance officer (CCO) criterion was the weakest of all eight areas studied. With an average score of only 0.2 and with no company attaining the full 4 marks it is clear that this is the area with the most room for improvement.

The purpose behind analysing this criterion was to determine how many companies clearly identify who is in charge of governance and compliance-related issues at their firm. Who should employees, customers or third parties go to if they need to report unethical behaviour? How can regulators or investors know who to contact within an organisation on governance and compliance-related issues? Ideally, a firm should identify who this person is, and provide their full contact details and role and function within the organisation.

As shown in Figure 5, below, 130 of the 150 companies had no mention of a CCO (or similar position) at all. Of the remaining 20 companies, all but one of them had cursory references to another position such as “Risk Officer” that also assumed responsibility for compliance. Although this is obviously preferable to the 130 companies who failed to identify anyone, listed companies should ideally be identifying one person whose primary or sole duty is to oversee compliance and corporate governance. Only one company scored 3 out of 4, as it had a clearly identified CCO; however, the roles and responsibilities of this individual were not fully explained. Companies who scored 2 out of 4 confirmed the existence of some form of a compliance officer with reasonable frequency throughout their materials (for example, an “anti-money laundering compliance officer”). However, the people in such positions and their exact functions are not provided.

Score out of 4

Cheif compliance officer score distribution

4

0

1

2

3130

113

6

Figure 5 – Compliance officer score distribution

The Red Flag Group

50

60

70

40

20

10

00 1 2 3 4

30

Nu

mb

er o

f co

mp

anie

s

Score out of 4

CSR - score distribution

80

4

0

1

2

3

Figure 6 –CSR score distribution

2.4 Compliance committee

This part of the study looked to examine whether organisations identified any form of oversight committee to conduct independent internal reviews of compliance procedures. Any effective monitoring and measurement of a compliance programme requires independent internal oversight to determine the effectiveness of a programme’s implementation. We did not simply look for a committee entitled “compliance committee”; rather, we looked for some sort of group within the company that appeared to have the function of reviewing compliance processes, regardless of the name.

Again, the average score for this criterion was quite low. The majority of companies made no mention of independent oversight or review of the compliance programme, whilst some gave mention to an audit committee. Often, the role and responsibility of this audit committee was not defined. Regardless, a committee simply performing an audit function is only limited in terms of how much information it can gather about the quality of the programme and adherence to it within the organisation. One company that scored particularly well identified a “Corporate Governance and Nominations Committee”, which was responsible for reviewing and monitoring the company’s policies and practices on compliance with legal and regulatory requirements. This committee was also in charge of reviewing the code of ethics and compliance manual. The members of this committee and the roles they played were clearly outlined.

There were certainly a number of companies who saw the value in demonstrating to their stakeholders how they monitor, review and improve upon their compliance programmes. Some did mention the existence of some form of internal oversight, though most had no mention at all.

2.5 Corporate social responsibility, anti-corruption and other approaches to compliance issues

The corporate social responsibility (CSR) aspect of the study sought to determine a company’s approach to its impact on its surrounding community. This was not just in terms of charitable events and environmental initiatives, but acknowledging how other compliance issues such as bribery and corruption have a negative impact on not just the business, but society as well. This aspect of the study looked beyond CSR pages, and we looked for emphasis on these issues in various company publications.


Many companies made at least some effort to demonstrate that CSR was something on their radar; however most efforts could be described as minimal at best, with only some coverage of local community activities (and we did award some marks for this).Our study even found that a number of companies had used the exact same pictures of trees and forests on their CSR page. This is not suggestive of a serious, company-wide approach to potential negative impacts from unethical behaviour.

One of the standout organisations was a leading power company in the Asia-Pacific region. Anti-corruption and anti-fraud measures were mentioned extensively and as a priority in its sustainability report, annual report and CSR page. This company emphasised the importance of the positive impact it must have in the region, and also had its own “Community Investment Report”. The major risk elements to the company in terms of its environmental and social impact were addressed in its reports in a very meticulous way.

2.6 Compliance report

The production of a report focused on the compliance issues facing a particular company provides full disclosure to stakeholders of the constantly-changing risk environment and the efforts made to mitigate that risk. Our analysis looked for devoted sections of governance reports, annual reports (which are also analysed separately below), sustainability reports or even news announcements to ascertain whether compliance efforts were being publicised.

There were a number of companies who, in some fashion, gave details of where their priorities lay in terms of compliance risk. A major manufacturer and distributer of technology products that scored 4 out of 4 in its corporate responsibility report continually affirmed its commitment to a disciplined approach to compliance and placed a heavy emphasis on complying with applicable laws and regulations. The report details how it achieved this through taking steps to ensure its suppliers strictly adhered to applicable laws, regulations and guidelines, as well as to the principles by which that company abides by. The company’s report also described how it regularly organised training and information-exchange seminars to ensure all employees were fully informed of any compliance-related issues.

Companies like the one above appear to be the exception rather than the norm, as the average score across the sample group was just 0.3 out of 4. This demonstrates virtually no projection of information of compliance issues dealt with by the company as it evolved. The idea of having some kind of report is to go beyond simply stating the principles and procedures; it shows the changing risk landscape as the business develops, and what is being done in a practical sense to manage that change.

The Red Flag Group

2.7 Whistleblower policy

One of the major difficulties that company leaders might face is a lack of knowledge of corrupt or amoral behaviour occurring within organisation. Too often, such behaviour is only realised long after “the damage has been done” and the company’s reputation and image is all but salvageable. Often such reports only reach key decision-makers after it is too late because the business does not facilitate and encourage people inside or outside the organisation to speak up against and create awareness of corrupt or unethical behaviour. A clearly-defined and publicised whistleblower and non-retaliation policy is one of the best possible ways of ensuring the appropriate figures become aware of unethical behaviour before it is too late.

Companies listed in Hong Kong demonstrate a reluctance to adopt and promote such policies. As Figure 7 demonstrates, 97 out of the 150 companies analysed (64.67 percent) had no mention whatsoever of reporting suspected behaviour to their organisations. On a positive note, a decent proportion (13 in total) showed an exemplary commitment to supporting employees and stakeholders reporting suspicious activity through the appropriate channels. One such organisation provided a clear, comprehensive breakdown of the appropriate reporting channels and the overarching purpose of its whistleblower policy. The concept of transparency and openness throughout the organisation was continually reiterated by this company in the particular document and webpage.

Companies who scored less in this category tended to only provide a contact number or hotline, and gave no further elaboration on the purpose or function of the hotline, or how having this system was in alignment with the companies values.

100

80

40

20

00 1 2 3 4

60

Nu

mb

er o

f co

mp

anie

s

Score out of 4

Whistleblower policy - score distribution

97

20 14 6.0 13

Figure 7 – Whistleblower policy score distribution


2.8 Annual report–focus on compliance issues

One of the key mediums by which stakeholders (and mainly investors) get up to speed with company affairs is via the annual report. As such, this is an opportunity to properly identify governance and compliance issues in the organisation, how they have been addressed in that financial year, and how those programmes will continue to evolve as the business develops. This criteria did not just look for a devoted “compliance section”; in contrast to that section above, it looked at the annual report holistically, and how much compliance and governance issues were focused on throughout.

Figure 8 below shows that just fewer than 50 percent of companies gave at least some detail on governance and compliance in their annual reports. Only twelve companies scored three or above, and only four obtained full marks in this category. One such company was a Hong Kong-based consumer goods multinational whose annual report contained a comprehensive section on corporate governance and risk-management measures (this was in addition to the corporate governance report as required by the HKEx Listing Rules), and then continued to repeatedly address these themes throughout. Detail was provided on the role and function of a risk-management committee as well as the frequency of audits to be performed.

At the other end of the scale, most annual reports gave only brief mentions to the companies’ compliance obligations with certain laws, and in the majority of cases this addressed just generic compliance and ethical issues, with no elaboration given to specific areas affecting the business and what was being done internally as a response to the various risks.

The annual report is the perfect vehicle to establish confidence with existing and potential investors and, from the sample group examined, not nearly enough companies are grasping the opportunity to show how robust their internal controls are, and how serious they are about shielding stakeholders from governance and compliance risks.

Score out of 4

Annual report - score distribution

4

0

1

2

377

8 4

45

16

Figure 8 – Annual report score distribution

The Red Flag Group

2.9 Overall publicly-conveyed approach to ethics, compliance and good governance

The purpose behind an overall review of a company’s approach to ethics, compliance and governance was to factor in other elements of publicly-available information that might not fit into other categories. For example, a company might not have had a comprehensive whistleblower policy, its code of conduct may be extremely inaccessible or its compliance report limited in detail and scope. Despite this, the company may also exhibit that ethical business practices are high on its radar, and demonstrate its obligation to such issues through repeated leadership commitment, frequently citing its key values, and dedicating significant portions of its publicly-available material to ethics, governance and compliance.

The results in Figure 9 show a similar trend to other categories, in that the majority of companies scored 0 out of 4. For these companies, no devotion to addressing ethics, governance or compliance could be found whatsoever. A handful conveyed at least some commitment, and a small number stood out for their excellent approach.

The business that achieved the highest-overall score in this aspect was an international personal technology company. From this firm’s publicly-available information, it demonstrated enormous efforts in projecting the image of an ethical enterprise. Some of the less-commonly addressed compliance areas, such as human rights obligations, were frequently the focus of attention, and all risk areas directly affecting the business were elaborated on in length. The relevant regulations and laws were cited and explained in detail, and they even went beyond detailing the usual legislation to devote time to the importance of other standards such as the UN Global Compact. Ethics and integrity were mentioned frequently throughout the materials, and it was clear that governance ethics and compliance were high on its radar compared to that of most of its counterparts in the sample group.

Another business that achieved full marks in this group was a Hong Kong-based company which, despite falling short in other categories, had a webpage that addressed many key issues in relation to governance and compliance. While this particular company had no publicly-available code of conduct, there were many other aspects to its website that repeatedly confirmed its dedication to compliance.

Companies that tended to score in the mid-range endorsed the right principles regarding compliance – clearly demonstrating integrity as a core value – although had a number of areas that required improvement. For example, one Hong Kong-based property development company touched upon these issues at many points, but lacked the finer details and did still not appear to have compliance as a primary feature of its overall strategy. As an improvement, businesses like this should look to develop a page on their website to summarise all matters relating to ethics, governance and compliance, as opposed to touching upon it in various sections throughout.


Figure 9 – Overall approach to compliance – score distribution

4

3

1

0

0 20 40 60 80 100

2

Sco

re o

ut

of

4

Number of companies

Overall approach to compliance - score distribution

1316

3385

3

There were other factors which were taken into account which detracted from the score for this category. Remarkably, a number of businesses were found to have cut and pasted the exact same audit committee terms of reference from the HKEx Listing Rules, and guised this as their key policies and principles in monitoring compliance. Such practices show no insight into how the businesses’ specific needs are factored in, and provide no detail on how the risk will be mitigated in practice. More so, this demonstrates an ignorant approach to serious issues that can severely affect the welfare of the business, and ultimately investors and other shareholders.

The Red Flag Group

The Red Flag Group conducted a separate analysis of the codes of conduct (or similar documents) of 21 companies within the sample group who had made these documents publicly available. This aspect of our analysis aimed at identifying common trends in terms of where the codes of conduct of Hong Kong listed companies excelled in the issues they covered, and where improvements are needed. The majority of companies that did have a code available tended to also score well in the overall governance and compliance study.

There is no set of laws in Hong Kong which dictates what must or must not be included in a code of conduct, let alone mandating that one should exist. Various international organisations and industry bodies have produced numerous reports and guidelines detailing what constitutes the highest standards of governance and what companies should address in their policy documents. As already stated in this report, adhering to such guidelines and international standards helps instil stakeholder confidence and demonstrates a company’s commitment to ethical business practices and allocating the appropriate resources to mitigating foreseeable risks.

3.1 The criteria

The set of criteria with which we used to conduct our analysis was developed based on the aforementioned guidelines and papers (including, but not limited to, the OECD Principals on Corporate Governance, the International Federation of Accountants guidelines on developing an effective code of conduct and the Hong Kong ICAC Good Governance and Internal Control guide), as well as our own expertise and experience in advising clients on developing these documents.

Companies were given a score of zero to four for each of the criteria (which are outlined in further detail later), to give a total score out of 100.

3.2 Results of the study

The results of our code of conduct study showed a range of scores across our sample group, and revealed certain areas that were uniformly sub-standard. Figure 10 shows the overall results for companies ranked according to market capitalisation. Interestingly, it was not the largest companies that exhibited the most robust codes of conduct.

100

90

80

70

50

40

20

10

8378 7572

66656359

535050

48

40

34 3431

2118

14

63

74

01 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

30

60

Sco

re o

ut

of

100

Company rank according to market capitalisation

Figure 10 – Total scores

3. Part B – Examination of publicly-available codes of conduct


Figure 11 – Code of conduct score distribution

90

80

70

50

40

20

10

78

66

83

5860

50

1814

38

0

Hong Kong China Foreign

30

60

Sco

re o

ut

of

100

Highest score

Average score

Lowest score

Breaking down the total scores out of 100 into the three groups of Hong Kong, Chinese and foreign companies, Figure 11, demonstrates it is apparent that Chinese-based Hong Kong listed companies overall had the lowest average score as well as the lowest high score.

Figure 12 provides a complete breakdown of the average scores of each company across all the criteria assessed. This is a clear indicator of where companies excelled in terms of satisfying certain criteria, and where companies require improvement. Most companies effectively addressed some important factors such as tailoring the code to the audience and presenting the code in an

Publi

c Ava

ilabil

ity

Board

Stru

cture

Board

Beh

avior

Comm

ittee

s

Ackno

wledge

men

t of R

eceip

t

Disclai

mer

s and

Rem

inder

s

Applic

abilit

y

Law an

d Le

gislat

ion

Corpo

rate

Citiz

ensh

ip

Wor

kplac

e/Em

ploym

ent V

alues

Frequ

ent R

eview

of C

ode

Awarene

ss an

d Pro

mot

ion

Compa

ny R

elatio

ns

Omitm

ent,

Value

s, an

d Th

emes

Lead

ersh

ip co

mm

itmen

t

Targ

et A

udien

ce

Read

abilit

y and

Tone

Stru

cture,

Pres

enta

tion

and

Style

Stak

ehold

ers

Compa

ny In

teres

ts

Non-R

etali

ation

Com

mitm

ent

Count

ry Cult

ure

Compr

ehen

sion

Aids

Risk T

opics

Conflic

ts of

Inte

rest

4.0

3.5

3.0

2.5

2.0

1.5

1.0

0.5

3.43.13.1

3.02.8

2.62.52.5

2.4 2.4 2.42.3

2.12.0 2.0

1.9

1.6

1.41.3

1.2

0.9

0.4

0.8

1.4

2.6

Figure 12 – Average score for each criterion assessed

appealing manner. Particularly for a wide audience, it is important those from all backgrounds, not just lawyers and compliance officers, can review and absorb the contents of the code. Key ways of assisting this include avoiding the use of “legalese” and implementing eye-catching presentation.

The Red Flag Group

3.2.1 Overview

The criteria that each company was assessed on, as well as some of our general observations from the study, are as follows:

Public accessibility – As already discussed, public availability demonstrates a company’s willingness to share its ethos and philosophy and is also an indicator of its penchant for transparency. Generally speaking, those who did have a public code of conduct advertised it quite clearly, usually under an “investor relations” or similar heading on their website. Those who scored lower usually had links to the code in relatively obscure locations, such as in annual reports.

Commitment, values and themes – Statements which iterate values and themes set the tone of the code in that it is about adhering to higher values and standards, going above and beyond mere compliance with laws and regulations. On the whole, most organisations had some keywords which were chosen as their main identifiers of ethical values, while only three companies had no such demonstration of main themes at all.

Leadership commitment – Having a senior officer associated with the code is seen as a way of impressing upon employees that the organisation is serious about adherence to its values. This category is discussed in the next section.

Target audience suitability – The code will be largely redundant if it does not clearly specify to whom it is applicable. It must address those who need to acknowledge and absorb its contents, and be tailored as such. This was an area of strength amongst the group of companies analysed, with a very high average score of 3.4 out of 4.

Readability and tone – The code should avoid the use of complex legal jargon as it will be reviewed by a wide audience. It should also adopt a language and style that reflects the type of industry the company operates in as well as the type of employee it wishes to retain. Again, most companies performed well in this area, with only one company completely failing to make any effort to avoid generic listing of rules.

Structure, presentation and style – Similar to readability and tone, the impact a code has can depend largely on its overall presentation and appeal. Most organisations took the approach of “dressing up” their code. Such practices help appeal to a wider audience and get key messages across.

Stakeholder identification – This criteria is significant as it shows directly where a company’s priorities in strategy and decision-making lay. From the companies examined this requires some improvement. Firms should go beyond identifying managers and employees in their policies.

Explanation of the company interests – An organisation should make it clear what interests it values most, and therefore the code must direct employees on what they should value most in making their decisions. Many companies failed to highlight what their key priorities were. Some standout firms identified interests such as the importance of customers’ data and confidentiality, while others put their brand reputation and customer interests as their top priority.

Non-retaliation commitment – Companies should promote a culture where people aren’t vindicated for speaking out on matters that could be damaging to a company. A relatively small portion chose to include such a commitment in their code. Including this helps an organisation go beyond simply having a whistleblower policy – people need to be encouraged to speak up when they think bad behaviour is occurring.

Country culture suitability – Particularly for multinational corporations, a code will lose its impact severely if only directed at one or two countries or regions, and is not tailored accordingly. Some of the Chinese companies we examined distributed their code in Mandarin and English, but in most cases the translation was a poor reflection of the detail contained in its counterpart.


Comprehension aids – Such materials significantly assist in emphasising key points and allowing for a better understanding of the issues. Our study found that companies can do much more in this area. Some companies included case studies to help explain a particular issue, while others included frequently-asked questions, a glossary of terms and scenario examples, but overall this category scored poorly.

Risk topics – The code must exemplify the key risks to which a company is exposed, thereby better transmitting the salient aspects of the company’s overall business conduct. Most companies included at least some reference to the risk elements they were especially vulnerable to; however the average score of 2 out of 4 is reflective of most companies giving minimal details in this area.

Conflicts of interest policies – Conflicts of interest can be quite complex and some employees may not fully understand what might constitute a conflict of interest in the context of their role at a company. The code should therefore address this for better overall understanding. Most scored well in this category, while companies who excelled clearly defined the term and provided examples for illustration. Potential consequences that may arise were also clearly explained.

Board structure explanation – This information is vital in relaying how top-level leadership will coordinate its governance programme and how stakeholder interests will be prioritised. This area is discussed in the next section.

Board behaviour requirements – The code should exemplify that everyone must adhere to its principles, and for good business practices to be implemented company-wide the example must be set by those directing the company (not just senior management). This area is discussed in the next section.

Committees – Particularly in large, diverse organisations, there will be a number of different areas for which people are responsible. The code needs to recognise this as a means of bringing awareness of other crucial functions in the business. One code which scored well went into the details of the company’s “supervisory body”, responsible for investigating alleged violations of the code and unlawful conduct. The role of the supervisory body was explained in great detail throughout. Some businesses highlighted the roles of groups such as compliance, assurance and audit; however, most failed to mention how other committees within the business or at board level took part in promoting good governance.

Acknowledgement of receipt – It needs be shown that the relevant individual or organisation has reviewed and understood the code. Most codes reviewed did not provide this sign-off page.

Disclaimers and reminders – Reference needs to be made to other policies within the company (for example, IT or accounting) so that there is more-complete coverage of an employee’s responsibilities, not just overarching statements. This is an area in which most companies at least provided some reference to other company policies.

Applicability – We looked to determine whether codes were accurate in their applicability to the industry and market in which each company operates, as well as making it clear that individuals must adhere to it. Overall, this category was quite strong, with leading companies not only stating the applicability to all employees and third parties, but also citing other internal policies and industry standards that the audience should refer to.

Law and legislation – Particularly for key-risk areas, the code needs to cite the most salient legislative instruments so that there is a clearer understanding of the application of the laws and the consequences involved for breaching. This area is discussed in more detail in the next section.

Corporate citizenship – This expands upon a company’s statement of values and adds credibility to its image in the public eye and commitment to having a positive impact on those in the broader community. This criterion looked how a company aimed to identify its responsibilities beyond those immediate to the business,

The Red Flag Group

with organisations who acknowledged the impact and responsibility in terms of climate change, human rights and fighting global crimes in a number of sections scoring well.

Workplace and employment values – The code should not only address how an organisation should treat its stakeholders, but also how those within the organisation treat each other. This is often one of the main areas addressed by company codes. High-scoring companies made a strong commitment to “ethical integrity” within the work environment, and employees were instructed to work with professional rigor, loyalty, honesty and good faith, correctness, commitment and reciprocal spirit of collaboration. This is just naming a few keywords that companies impressed upon their employees.

Frequent review of code – An organisation should strive for continual improvement, beginning with its code for changes in the market, countries in which it has a presence, or new elements of the business. This area is discussed in more detail in the next section.

Awareness and promotion – Employees should be encouraged to promote the code to new, as well as existing, staff. The key principle here is that everyone is responsible to each other for the awareness of the code. This area is discussed in more detail in the next section.

Company relations with business or government entities – Company representatives are often required to meet with new third parties, and the code should stipulate the manner in which this must be done. Again, this demonstrates to a wider audience the standard of conduct and the culture that should be exhibited with all bodies external to the company. There were a number of businesses in our study which provided details on how company personnel were supposed to deal with regulators and other competitors. One of the best codes that we reviewed provided details on best practices in liaising with third parties, customers, suppliers, external consultants, the public sector, the judiciary and other institutional authorities, each of which has its own dedicated section in the code. Generally speaking this was an area where the group of companies performed well.

3.2.2 Focus areas

Further to all the criteria detailed above, there were a small number of areas that our study uncovered to be considerably below standard, and therefore areas which we consider warrant closer attention and analysis.

3.2.2.1 Direction from the board and senior management

Having someone such as the CEO or chairman introduce a corporate code of conduct is a way to impress upon employees how serious a company takes ethics, governance and compliance, and makes a statement to other stakeholders that protecting their interests is high on the agenda. Some of the more effective “opening statements” we came across in our study were more personalised and less formal. One such organisation is a foreign-based consumer electronics company. In the chairman’s address at the beginning of the code, it immediately addressed those in the company as fellow employees and set the standard that everyone collectively as a company had the duty to maintain ethical business practices and the company’s good image.

The “tone from the top” is an integral aspect of any governance and compliance programme. As the results of our study show, too many Hong Kong listed companies did not exhibit this approach in their codes of conduct. Whilst many companies did include some sort of introduction or acknowledgement from a company leader, most were very brief, generic and vague. Only few went into the detail of the example outlined above, and gave an introduction that conveyed a message of ethics being personally important to that individual, as well as the business.


Similarly, our results showed that few companies failed to fully identify the role of the board and senior management when it came to implementing the code. This is an aspect that should not be neglected as it helps convey to stakeholders the universal approach to ethical conduct within an organisation, and not just that expected of employees. Especially in the wake of recent corporate scandals in the Asia-Pacific region, senior management and directors are equally, if not more so, culpable for ethical decision-making and business practice. Some companies in our study did address the roles and responsibility of the board, and referred to them in the same context as all other employees. One company even referred to a separate code for directors, although this was not accessible. Too many organisations, however, failed to exhibit in their code the roles and responsibilities of board members in the context of the responsibilities of the organisation. The directive for ethical behaviour comes from the top: the more a company’s leaders demonstrate this commitment, the more other employees are likely to follow suit, and the more stakeholders will be reassured of a robust governance structure.

10

12

8

4

2

00 1 2 3 4

6

Nu

mb

er o

f co

mp

anie

s

Score out of 4

Leadership commitment - score distribution

10

3.0 4.02.0 2.0

Figure 13 –Leadership commitment score distribution

10

12

16

14

8

4

2

00 1 2 3 4

6

Nu

mb

er o

f co

mp

anie

s

Score out of 4

Board structure and behaviour - score distribution

15

6

3 3 3 4

0

3

0

5

Figure 14 – Board structure and behaviour score distribution

The Red Flag Group

3.2.2.2 Applicable law and legislation

All publicly-listed companies are, to a degree, subject to the same set of laws. However, depending on industry and operation, each business is unique in terms of the regulatory requirements it is obliged to abide by. Not only should these legislative requirements be addressed in a code of conduct as a means of raising awareness, the legislative instruments should be set out in manner that is easy to understand in the context of the business’s operations. While most of the companies’ codes we examined gave some reference to applicable law, most gave no further details on how each business needed to address the specifics, and even fewer provided some sort of explanation of the main legislative requirements in plain English terms.

One Chinese-based oil company not only identified the various jurisdictions which affected its business and operation in its code, it also cited numerous business-specific examples of breaches and applicable penalties for breaches of such laws. The code of a major international clothing retailer referenced multiple legislative decrees set forth by the government of its home country, and also made a declaration of support of the applicable legislation in various territories after explaining how they applied in each situation.

One of the main compliance risks to any organisation is that of legal compliance. As such, all stakeholders must be fully aware of the main types of laws which affect its business. Raising awareness of this is not necessarily an easy task as the laws can be multi-dimensional and complicated. This is where time must be invested in devising a concise yet understandable breakdown of various legislative instruments in the code. Companies in our review who scored a 1 or 2 out of 4 (11 companies out of the 21) did not convey this feature, with most simply highlighting applicable legislation and occasionally paraphrasing penalty provisions. Stating the law in a code of ethics or code of conduct is a positive thing. Taking the extra step beyond simply providing this detail by ensuring all stakeholders have a broader understanding of the issues is what really adds value to a business.

7

9

8

4

3

2

1

00 1 2 3 4

6

5

Nu

mb

er o

f co

mp

anie

s

Score out of 4

Law and legislation - score distribution

8.0

1.0 4.0

5.03.0

Figure 15 – Law and legislation score distribution


3.2.2.3 Revision, awareness and promotion of the code

As an organisation grows, new legal parameters become applicable and market environments change, a company’s internal policies should also develop. An exemplary code of conduct will undergo frequent revision, with some even stipulating this process within the code itself. A business must adapt to its changing risk environment, and one of the key ways of keeping stakeholders fully abreast of an organisation’s shifting approaches and expectations is thorough frequent revision (sometimes with external consultation) of the code.

Few companies in our study excelled in this category, with an average score of just 0.8 out of 4. One leading global financial services company specified in its code that it would periodically review these procedures and amend them as appropriate. This company also had a “last reviewed” date on the very front page. Most codes that we came across did not feature any date, and some that we did locate had last-review dates that were over five years’ old.

Similarly, an organisation’s code should exhibit the process and requirements by which all employees promote and create awareness of the code’s principles. In our sample group, only a small percentage of companies did this. As Figure 16, below, demonstrates, just over half of our sample group gave little, if not zero, guidance on everyone’s responsibility to promote their business’s principles on ethical practice. Including such text is important, particularly in the context of multiple business units and across geographical regions where different personnel should be identified as being responsible for raising awareness of the code. One leading Chinese telecommunications company who attained full marks stated throughout its code where different business units and managers were responsible for publicising, promoting and implementing the code. Another retail company emphasised its commitment to ensuring the maximum dissemination of the code and to promoting “awareness-raising” of its contents through the use of instruments, constant monitoring of adherence to the code and continual development and updating.

10

12

8

4

2

00 1 2 3 4

6

Nu

mb

er o

f co

mp

anie

s

Score out of 4

Awareness and promotion - score distribution

10

2.05.0

1.0 3.0

Figure 16 –Awareness and promotion score distribution

corporate governance, compliance and code of conduct … · 2.5 corporate social ... 2.9 overall...

Documents