About KPMG in Singapore

KPMG in Singapore is part of a global network of professional services firms providing Audit, Tax and Advisory services. The independent member firms of the KPMG network operate in 155 countries and have more than 174,000 professionals worldwide.

Each KPMG firm is a legally distinct and separate entity and describes itself as such. KPMG's website is located at

For media enquiries, please contact:

Follow us on twitter @KPMGSingapore

Higher quality disclosure needed in risk governance 

Singapore, 27 November 2013
  • Bigger firms, finance sector and GLCs have more developed risk management practices
  • Greater clarity needed on risk governance role
  • Low rates of disclosure regarding adequacy and effectiveness of risk management and internal control

Singapore, 27 November, 2013 – A study by the Institute of Singapore Chartered Accountants (ISCA) and KPMG in Singapore has found that there is a need to generate greater awareness on internal control and risk management. The study also encourages companies to provide greater quality disclosure on their risk governance practices.

Entitled "Towards better risk governance: a study of Singapore listed Companies 2013", the ISCA-KPMG risk study looked at risk management disclosures of 250 listed companies in Singapore. It was conducted to assess the state of adoption of risk management practices by listed companies, especially in the light of the revised Code of Corporate Governance.

The study findings were shared with more than 250 board directors and senior C-suite executives at a forum this morning (27 November).

Greater Clarity Needed on Risk Governance Role

According to the study findings, the party responsible for risk governance differs across institutions.

Among the companies studied in the survey:
  • Some 34 percent stated that their board is responsible for risk governance
  • About 26 percent of companies pointed to management as being responsible
  • About 19 percent of companies stated that Board Committees are responsible for risk governance.

Similarly, the board committee responsible for overseeing risk governance is not consistently disclosed. About 29 percent of the companies studied disclosed that they relied on their Audit Committee for risk governance, while 14 percent established a separate Board Risk Committee. Some 57 percent did not disclose this information.

Mr R. Dhinakaran, Vice-President of ISCA and Chairman of the ISCA Corporate Governance Committee, said: "Our joint study revealed that there are gaps regarding the substance and quality of the disclosures of the sampled companies' risk management and internal control frameworks in their annual reports. It is important that companies adopt the best practices of risk governance not just from a compliance tick-the-box perspective but to promote their organisation's long-term sustainability."

Mr Irving Low, Head of Risk Consulting, KPMG in Singapore, said: "The findings suggest that more work is needed to clarify risk governance responsibilities of the board, board committee and management of the organisation.

"This is important to ensure that there is clear communication and greater transparency of risk, control and assurance information across the key 'lines of defence'. In that way, boards can validate observations and conclusions to determine whether the overall framework is adequate and effective."

Challenges in determining what and how much to disclose

Not surprisingly, compliance is higher when risk management is regulations-based, compared to when risk management is principles-based. While listed companies have complied with the mandatory SGX Listing Rule 1207(10), it is noted that some of them did not provide proper basis to explain how they concluded that there are adequate controls. Only 12 percent of companies complied with the revised Code of Corporate Governance.

Also, management support can be enhanced. Despite an increase in requirements regarding risk management and internal controls, resources at management level remain relatively unchanged. Only 12 percent of the companies sampled disclosed that they have a Management Risk Committee and only five percent have a dedicated Chief Risk Officer (CRO).

In addition, 85 percent of companies in the study are silent on whether there is a C-suite executive responsible for risk governance in their organisation.

Board Risk Committee Linked to Mature Risk Management Practices

The study found that the existence of a Board Risk Committee has been linked to more mature risk management practices.

Among companies with a Board Risk Committee, 34 percent have a CRO, compared to three percent for companies without a Board Risk Committee.

Some 69 percent of companies with a Board Risk Committee have an in-house Internal Audit function, compared with 27 percent for companies without a Board Risk Committee. Likewise, 71 percent of companies with a Board Risk Committee disclosed their risk management framework, compared with 40 percent of companies without a Board Risk Committee.

Said Mr Low: "Companies in complex and highly regulated industries typically have invested resources into establishing separate risk structures such as board risk committees and CROs to enable sufficient focus.

"Not all companies must adopt these same exact practices. However, they should take the time to clearly define key roles and responsibilities, resources required and the reporting requirements in terms of nature and frequency. Doing so will enable them to evaluate the adequacy and effectiveness of their risk management and internal control systems and satisfy disclosure obligations".

Other Areas for Improvement

Given the revised Code of Corporate Governance 2012, the adoption rate of risk management practices by companies in the study has been encouraging. Specifically, the study found that the introduction of the SGX Listing Rule 1207(10) has raised standards for internal control systems.

Bigger companies, as well as those from the finance sector, and Government-Linked Companies (GLCs) have adopted and disclosed better developed risk management practices. These companies have higher compliance and adoption rates in at least seven out of 10 areas.

However, the study found that more can be done in terms of disclosures of board responsibility, assurance from the CEO or CFO, and whether there is a CRO appointed.

In addition, boards can improve the disclosure regarding their risk management and internal controls systems. Approximately half of small and mid-cap firms in the study did not state their risk management framework.

More work also needs to be done in the disclosure of the adoption of standards set by the Institute of Internal Auditors (IIA). While 94 percent of companies in the study have an Internal Audit function, only 39 percent disclosed that the IA function meets IIA standards.

Said Mr Dhinakaran: "Effective risk governance is an ongoing commitment and ISCA encourages companies and businesses to think seriously about how to adopt the best practices, including those in the revised Code of Corporate Governance. We hope that our joint study with KPMG will achieve its aim of helping our companies to look at risk governance in greater depth and, in the process, follow up with adopting the best practices."

Said Mr Low, "Board members and C-Suite level executives should take stock of their existing board assurance framework to confirm whether it is adequate and effective in practice and adopt a substance over form approach to disclosures".

About the study

The study looked at the risk management disclosures of the 250 listed firms in terms adequacy of internal controls, effectiveness of internal controls, adequacy of risk management systems and effectiveness of risk management systems. It also benchmarked companies according to 10 risk management best practices identified for analysis.

Of the 250 companies sampled, 76 percent are small-cap firms (market capitalization of less then S$300 million), 12 percent are mid-cap (S$300 million to less than S$ 1billion) and 12 percent are large-cap (S$1billion and above) firms. The sectors of the companies reviewed include manufacturing, services, real estate, commerce, transport/storage/communications and finance.