7 Case Study: Risk Management Implementation in China

Duojia (Doug) Lu

Chairman, First Huida Risk Management, Beijing, China

Risk management has been developing fast in the People's Republic of China in recent years. This article gives an overview of the Chinese market for risk management, highlights some of the prominent recent developments in the market, and presents a couple of cases of risk management implementation, which are typically seen in this field.

7.1 MARKET BACKGROUND

It is well known that China is a large country with a big market. As of recent statistics, China's population is over 1.3 billion people. China also has a large business community. In 2012, there were about 11 million registered for-profit companies in China, and about 36 million registered sole proprietors. By 2012, more than 2,300 Chinese companies were listed in domestic stock exchanges in Shanghai and Shenzhen along with a couple of hundred Chinese companies listed overseas.

China has a vibrant economy. Over the last twenty years, China's economic growth has averaged an annual rate of 9.8%, triple the world average. Right now China is the second largest economy in the world, with a GDP of RMB 51.9 trillion ($8.33 trillion). China's economy is especially heavy in manufacturing, which accounts for 45% of GDP (2012) and produces anything from cars and machinery to airplanes and electronics. For example, in 2012, China produced over 19 million cars and light trucks, and sold about the same number domestically, ranking China first in the world in both production and sales.

As the saying goes, “no risk, no return”. The high growth in China's economy is inevitably accompanied by high risk. As a result, China's economy is showing signs of imbalances. China's currency has risen significantly in the last few years and is still under pressure to increase further. Domestically, the income gap is large, with China's Gini coefficient at 0.48; food safety problems have frequently made headlines and the pollution is dreadful. Internationally, China frequently engages in arguments over trade with its major trading partners. All of these issues continue to exist while China faces the difficult transition from an export- and investment-oriented economy to a more balanced one.

Within businesses there are different risk concerns. A recent survey of large SOEs (State Owned Enterprises) showed that investment, government policy, human resources, market fluctuation, and work safety were the top risks that concern the Chinese executives.

7.2 CHINA'S SOEs AND SASAC

For risk management implementation, the Chinese enterprises can be divided into three sectors of different characteristics.

The first sector consists of all financial industries, including banks, insurance companies, brokerages, mutual funds, etc. The risk management in these companies fundamentally follows international protocols such as Basel II and Solvency II under the supervision of respective regulators.

The second sector consists of the privately owned companies in the non-financial industries. The majority of 11 million for-profit Chinese companies are in this group; they are diverse and most of them are small or midsize companies. Certain reports claim that, on average, these companies have a brief lifespan of less than three years. Risk management in these companies at the moment is composed mostly of contingency and crisis management.

The third sector consists of about 150,000 State Owned Enterprises (SOEs). Generally, these companies are large and concentrated in a few industries including energy, telecom, aerospace, utilities, defense and transportation; they are the likes of China Mobile, Petro China, Sinopec, AVIC, Shenhua, and State Grid. The (non-financial) SOEs have been regulated and supervised under three levels of State Asset Supervision and Administration Commission (SASAC) since 2003: State Council SASAC (SC SASAC), provincial SASACs, and city SASACs. SC SASAC supervises the largest SOEs. The 116 SOEs under SC SASAC hold more than RMB 32 trillion in assets and control 100% of China's oil, gas, telecom, ocean shipping, power grid, nuclear power and defense. They also control 90% of China's airlines, 55% of China's electrical power, and 48% of China's auto industry. In 2012, 73 Chinese companies were in the Fortune 500, 68 of which are SOEs. Among the China 100 of 2012, 80 were non-financial SOEs, 68 of which were under SC SASAC's supervision. SOEs' revenue altogether accounts for 81% of China's GDP, while the 116 SOEs under SC SASAC account for 43% (2012).

SC SASAC acts as the shareholder of SOEs on behalf of the Chinese government. SC SASAC is required by law to “protect and enhance the value of SOEs”. Since its establishment in 2003, SC SASAC has been keen on risk management. It learned from past experiences that the only way to “protect and enhance the value of SOEs” is to take proactive risk management measures. Soon after its establishment, SC SASAC started the Enterprise Risk Management for SOEs project. After three years of research and trial, SC SASAC issued the Enterprise Risk Management Guidelines for SC SOEs in 2006, requiring all SC SOEs to implement risk management accordingly. The Enterprise Risk Management Guidelines for SC SOEs is a complete risk management standard very similar to ISO 31000 (see Appendix A for the author's translation of the ERM Guidelines for SC SOEs). These guidelines use the same definitions for basic concepts such as risk. The guidelines also describe a generic risk management process and define a comprehensive risk management framework, both of which are aligned with those of ISO 31000. Due to SC SASAC's continual prodding and insistence, SC SOEs have become the most active and advanced implementers of enterprise risk management in China. These SOEs embody enterprise risk management in China. Therefore, this article focuses on these non-financial SOEs.

7.3 CURRENT DEVELOPMENT

Besides SC SASAC's Enterprise Risk Management Guidelines for SC SOEs, there are several other regulatory documents recently published in China regarding risk management. The ones most relevant to the non-financial SOEs are the standard for internal control and the corresponding implementation guidelines (2008, 2010), jointly issued by the Ministry of Finance and four other government agencies. These consist of an Enterprise Internal Control Standard, issued in 2008, and twenty detailed implementation guidelines, issued in 2010. The Enterprise Internal Control Standard features an internal control structure similar to the COSO internal control framework of 1992. Eighteen of the twenty detailed implementation guidelines are set for the implementation of internal control in specific business and management areas such as financial reporting, fund management, budgeting, and contract management. There are also the Internal Control Assessment Guidelines for self-assessment purposes, and the Internal Control Audit Guidelines for external auditors to audit the internal control for overall effectiveness. All SC SOEs and public companies are currently required to maintain an internal control framework accordingly. Effective January 1st, 2012, all public companies listed on the two domestic stock exchanges must implement internal control according to the Enterprise Internal Control Standard and the implementation guidelines, disclose internal control self-assessment results in annual reporting, and allow external auditors to give their opinions on the companies' internal control over financial reporting and report on other “material weaknesses”.

In 2007, the China Standardization Administration Commission (CSAC) established the national technical committee in risk management, TC310. In December 2009, TC310 published the first national standard in risk management, GB/T 24353-2009, Risk management – Principles and guidelines on implementation. GB/T 24353-2009 is the Chinese version of the international standard ISO 31000. It was adapted from ISO 31000 with the same structure and definitions of basic terms of risk management, but with a few minor changes for improvement. Similar to ISO 31000, GB/T 24353-2009 is not mandatory and is not made for certification purposes. Based on GB/T 24353-2009, a series of national risk management standards applicable to various specific areas were made, such as:

  • Guidelines on Enterprise Legal Risk Management;
  • Supply Chain Risk Management Guidelines; and
  • Guidelines on Corporate Governance Risk Management.

Because the national standard GB/T 24353-2009 is not mandatory, most SOEs regard it as a mere benchmark. But since SOEs are under the supervision of SASAC, they follow the SC SASAC Enterprise Risk Management Guidelines for SC SOEs more rigidly. Though SC SASAC has not given a clear deadline for completing implementation, some of the requirements in the Enterprise Risk Management Guidelines for SC SOEs have been mandatory since its publication. For example, SC SASAC requires that all SOEs under its supervision carry out an annual risk management assessment and file a corresponding report using a template pre-designed by SASAC, which varies yearly to reflect SASAC's current concerns. In 2013, SC SASAC issued the Risk Management Implementation Benchmark, and planned to push forward in the next 3–5 years for the completion of enterprise risk management implementation.

Currently, most of the SOEs under SC SASAC have already started enterprise risk management implementation, meaning they already have a multi-year implementation plan and are building the framework accordingly. The majority of SC SOEs have already set up a risk management subcommittee within their boards, and most SOEs have appointed an executive at headquarters level in charge of risk management implementation. Several have even appointed corporate CROs. The majority of SOEs have established a risk management department or similar function in their headquarters. Some SOEs have further carried the integration of risk management into their business processes such as legal affairs, planning, procurement, sales, customer relationship, and trading. In doing so, more and more SOEs now use quantitative tools such as Monte Carlo simulation for risk modeling. Some SOEs have implemented risk management information systems, drawing data from their existing ERP (enterprise resource planning) and MIS (management information systems), and integrating them with OA (operations analysis). Risk management has become a regular course on the corporate training menu due to the influx of SOEs that have begun to realize their need for talent in this area.

7.4 IMPLEMENTATION CASE STUDY

Unlike the implementation of internal control, for which all companies in China follow pretty much the same basic pattern, risk management implementation takes a variety of paths. Risk management implementation patterns vary in terms of parameters such as Who, Where, When, What and How. For instance, both top-down and bottom-up approaches are used by large SOEs of similar governance structures with no noticeable difference in terms of overall efficiency. Some SOEs start with building an overall framework and then embed risk management into different business areas, while others embed risk management in those specific areas first and then build a company-wide framework for integration. Some SOEs tackle risk management with a risk assessment covering all risks first and then focus on the specific risk areas of concern, while others implement individual risk management systems first and then start integrating risk management practices under a unified company standard.

Three cases of risk management implementation representing three different approaches will be summarized. These cases are composite examples from the author's own experiences of implementing risk management in China.

7.4.1 Implementation Case I

Case I represents the most common type of implementation in recent years among large SOEs in China. At least 70 large SOEs, such as Shenhua, Aviation Industry Corporation of China, and China Eastern Airlines, started their enterprise risk management this way.

This type of implementation represents the top-down approach. It occurs in companies that have not done any company-wide formal risk management plan or process. The implementation typically starts with a board decision to go into enterprise risk management. It is considered the basic implementation that takes less than a year to complete. The implementation usually follows this series of steps:

  1. The company's Board of Directors decides to do enterprise risk management. The decision is most likely made due to external pressure from SASAC requirements, because SASAC's Enterprise Risk Management Guidelines for SC SOEs requires that the company's board be accountable for the effectiveness of the company's risk management. In other cases, the board's decision may have been stimulated by internal factors such as the review of recent loss events. The company's CEO will implement the board's decision.
  2. The CEO delegates the responsibility to a vice president, sets up a risk management function within one of the existing departments, and puts said function in charge of any risk management implementation planning. Occasionally, the CEO himself/herself is in charge of the implementation directly.
  3. As the company has had no prior experience with a formal risk management framework, the risk management function contracts an external consultancy to do the work. They plan to finish the basic implementation by the end of the year, so that the board can get the risk assessment report in time for the annual adjustment of the business plan. Given the size of the company and the complex nature of the job, the experience rather than the size of the consultancy is considered a vital success factor for the implementation.
  4. The risk management function and the consultancy put forward a detailed work plan with a scope and methods for approval by senior executives. In this plan, the business case for risk management is made in order to get the commitment from the senior executives.
  5. After the approval of the work plan, the consultancy directs the company's staff to carry out a company-wide risk assessment. The risk assessment follows a pre-designed process that is most effective with intensive training sessions for the company's staff. It usually combines qualitative methods such as brainstorming and the Delphi method with quantitative methods such as PRA (probabilistic risk analysis) and event tree analysis that draw data from the historical records. After all risks are identified, the top risks are confirmed by senior management. The results of the risk assessment are put into a company risk database for future use.
  6. The consultancy and the function design the risk management system together. This system has organizational arrangements such as risk management policy, risk management function, annual risk assessment procedure, and reporting. These arrangements are placed together into a company risk management handbook.
  7. The Board and senior executives approve the risk management handbook, confirming the risk map with top-level risk criteria and the risk management policy statement.

After the first year of basic implementation, the companies will continue according to their long-term implementation plan. Although their first actions are similar, companies most likely branch off into different paths and approaches afterward.

7.4.2 Implementation Case II

This case, based on Sinopec and SinoChem's similar experiences, exemplifies a situation where the company wants to integrate risk management into its business areas. These business areas could be anything from quality control to inventory management. In the description below, the example of commodity trading as such a business area is used. The situation may occur in all types of companies whether or not they have implemented a formal risk management framework.

The implementation usually follows this series of steps:

  1. The company decides to embed risk management into its commodity trading practice. The overall objective is to reduce the likelihood of big losses while maintaining a high level of profitability. These big losses need to be further broken down into manageable losses.
  2. The company assigns the responsibility to a risk management function, which is set to assist the business units involved to accomplish the goal within a nine-month period. As the risk management function surveys the situation, it finds an insufficient amount of internal human resource for the job. Hence, it decides to seek help from a consultancy.
  3. The risk management function and the consultancy work out a plan with a scope and a timetable after consulting with the business functions. The scope is confirmed by listing the business processes involved and people responsible for the processes.
  4. The risk management function and the consultancy clarify the business process by formalizing all procedures using tools such as process charts and a control matrix.
  5. The risk management function and the consultancy identify all risks from these processes related to the objectives in three categories: financial, operational, and legal compliance.
  6. The risk management function and the consultancy analyze the risks identified by likelihood, consequence, and suddenness. They then put these risks into a risk map amongst other charts.
  7. The risk management function and the consultancy set up integrated risk criteria embracing suddenness.
  8. With the new risk criteria, the risk management function and the consultancy choose the top risks to be treated.
  9. The business functions, with help from the consultancy and the risk management function, implement controls to treat risks with expected goals and a monitoring mechanism. They then send reports to different levels of executives in the company.
  10. Together with the business functions, the risk management function and the consultancy set up a schedule to review annually the effectiveness of the risk management policy and its practices. Based on the review results, the risk management policy is adjusted accordingly.

The process described here can be replicated in virtually any specific business area, with adjustments to the risk criteria and the metrics used to measure risk.

It is important that the business functions are fully involved in the integration process for the risk management to be effective. After all, it is the business functions that are responsible for executing risk controls daily.

7.4.3 Implementation Case III

Implementation case III describes the risk management implementation for a situation where the company wants to focus its implementation of risk management on a single specific risk across all business areas. This example shows a company like China Mobile focusing specifically on legal risk.

The implementation usually follows this series of steps:

  1. The company decides to implement a legal risk management system company wide in 3 years' time based on the new regulatory requirements and the national standard GB/T 27914.
  2. The company's legal department is assigned to lead the project to accomplish the goal with help from a consultancy and all business units.
  3. The legal department and the consultancy work out a more detailed plan with a scope and a timetable after consulting with business units. The plan outlines a system implemented at the company's headquarters first, and then extended to provincial business units in the subsequent years.
  4. The legal risk management system is implemented in the company's headquarters in a similar way to that described above in Implementation case II.
  5. Based on the implementation experience of the company's headquarters, the company-wide legal risk management handbook is written and the implementation specifications for provincial business units are designed. The legal department specifies the performance and maintenance standards for review of business unit implementation, legal risk management information system requirements, and technical specs.
  6. The provincial business units, in turn, implement the legal risk management systems and corresponding IT systems.

From experience, it can be said that for a large corporation with a multi-level structure, all risk management systems for a single risk can be implemented similarly to the case described here. For instance, several Chinese SOEs carried out similar implementations for work safety and credit risk management. Most of the implementations were top-down (as in this example). However, there are cases where the implementation was first carried out at the business unit level. It is from the successful trial implementation that the company-wide specifications and work plan are rolled out to all business units throughout the company.

7.5 LESSONS LEARNED

Some important lessons have been learned from the implementation of enterprise risk management in recent years in China. These lessons are deduced from real-life experiences of implementing risk management in large companies. Since the risk management implementation in China's SOEs was initiated by SASAC for all large SOEs, it had an unprecedented scale and a strongly enterprise-wide character. Meanwhile, the sheer size and complexity of China's SOEs produced great diversity in risk management implementation. These characteristics of China's risk management implementation have made the lessons gathered from experience especially worthwhile for large companies looking to engage in enterprise risk management.

Five lessons are listed below that we think are most important for enterprise risk management implementation in large companies:

  1. Enterprise risk management implementation is a journey that takes years to take shape. For enterprise risk management to mature, a multi-phase approach is required, with each phase iterating the basic risk management process and continuously improving the framework for better overall performance.
  2. Commitment from the board/top executives to enterprise risk management implementation is, in practice, commitment to a plan with clearly defined objectives, an acceptable timeframe, and an operational road map to achieve the objectives. Without such a plan, it is unlikely that the commitment from top management will materialize.
  3. For enterprise risk management to be sustainable beyond compliance, its objectives must sooner or later show up tangibly in the organization's KPIs (key performance indicators). Without impact on the company's KPIs, risk management will be reduced to a formality and the commitment from top management will fade.
  4. Each implementation is tailored to suit the unique characteristics and the needs of the organization; no single approach fits all. This is especially true after the establishment of the basic risk management framework. The specific approaches taken by the organizations depend on the context.
  5. In all cases, the implementations integrate both framework and process components. The risk management process is effected by the risk management framework. In other words, the framework is the enabler of the process. Without an appropriate internal risk management framework, the risk management process is not sustainable. The framework itself also becomes more effective and completes itself through the process. One cannot build a complete framework for a large company without iterative execution of the risk management process.

Enterprise risk management for China's SOEs continues to evolve every day. SC SASAC still pushes for more risk management success, having just published a new risk management implementation benchmark in early 2013. So, there will be more cases to observe and more lessons to learn from China's large SOEs. Stay tuned.

7.6 QUESTIONS FOR STUDENTS AND PRACTITIONERS

  1. For each of the implementation categories discussed in this case, identify the critical risks associated with the ERM implementation process as described. How would you suggest modifying the process so that these critical risks are addressed? Indicate how you might go about making these changes, keeping in mind the scope issues your recommended changes may require and the culture and business needs of the organization(s) that utilized the method in question.
  2. How do the risk management practices for state-owned enterprises in China differ from enterprise risk management practices utilized in private industry and non-state owned enterprises in your country?
  3. Obtain a copy of the ISO 31000 risk management framework and compare it with the Enterprise Risk Management Guidelines for Central Enterprises in this case study's Appendix A. What are the similarities; what are the differences? Offer suggestions to both frameworks on how they might adopt one or more features of the other framework that will improve the framework. Explain why these changes would benefit the framework.
  4. China has a strong central government and many state-owned enterprises. However, there are many independent businesses in China, some owned completely by Chinese interests and some foreign-owned or owned jointly by foreign and local investors. Assume that Chinese leaders want to continue their significant GDP growth going forward. Assume that they have identified risk management as a key to that growth strategy. If you were consulted on how to help China enable a culture of risk management in all industries, outline the strategy you would recommend and include a timeline and penalties for non-compliance (if that is to be part of the plan).
  5. Other than restricting entry of others into particular categories of business, what other strategic risks do state-owned enterprises create or could create for private businesses?
  6. All governments have “state-owned” enterprises of one form or another whether it is healthcare, bridges, roads, or schools and universities. Identify one of the local “state owned” enterprises in your area and identify the critical risks that can affect that enterprise.

APPENDIX A

Note: This is a translation by the author of this article. It is not the official translation of the Chinese government. The official Chinese version should be consulted wherever possible at these links: SASAC: www.sasac.gov.cn, and Ministry of Finance: www.mof.gov.cn

Enterprise Risk Management Guidelines for Central Enterprises (6 June 2006)

Chapter I General Provisions

Article 1 The Enterprise Risk Management Guidelines for Central Enterprises (hereinafter referred to as the Guidelines) are formulated, in accordance with the Company Law of the People's Republic of China, the Interim Regulations on Supervision and Management of State-owned Assets of Enterprises, and other related laws and regulations, for the purpose of directing the Central Enterprises (hereinafter also referred to as the enterprises), for which the State-owned Assets Supervision and Administration Commission of the State Council (hereinafter referred to as SASAC) performs the investor responsibility, on enterprise risk management, so as to enhance core competencies, to improve return on investment, and to promote sustainable, healthy, and stable growth.

Article 2 The Central Enterprises should implement the Guidelines based on their own specific conditions. For those central enterprises that are state wholly-owned, the board of directors is responsible for supervising and guiding the implementation of the Guidelines. For those enterprises that are state controlled, SASAC and the SASAC nominated directors, via the shareholder meeting and the board of directors in accordance with all statutory procedures, are responsible for supervising and guiding the implementation of the Guidelines.

Article 3 The term “enterprise risk” or “risk” in the Guidelines means the effect of future uncertainty on the enterprise's objectives. Enterprise risks can be generally classified as strategic risks, financial risks, market risks, operational risks, and compliance (with laws, regulatory rules and internal policies) risks. Risks can also be classified as pure risks (meaning no gains possible) and speculative risks (meaning both gains and losses possible).

Article 4 The term “enterprise risk management” in the Guidelines means the process, together with the methodology, in which an enterprise, in order to achieve the enterprise's overall business objectives, carries out the basic process of the risk management through all management activities and business operations, cultivates sound risk culture, establishes and maintains the enterprise risk management system which includes the risk management strategy, risk financing, risk management organizational structure, risk management information system and internal control system, so as to provide reasonable assurance for reaching the integrated goals of enterprise risk management.

Article 5 The term “basic process of the risk management” in the Guidelines means the execution of the following five main steps:

  1. Establish the context information.
  2. Assess risks.
  3. Establish the risk management strategy.
  4. Design and implement the risk management solutions.
  5. Monitor and improve.

Article 6 The term “internal control system” in the Guidelines means the system consisting of internal policies, structures, processes, and procedures, designed and implemented through the basic process of the risk management, for the business and management processes including strategic planning, product research and development, investment, fund raising, marketing, financial management, internal auditing, legal affairs management, human resource management, procurement, manufacturing and servicing, sales, inventory, distribution logistics, quality management, safety assurance, and environmental protection, etc.

Article 7 The integrated goals of the enterprise risk management are:

  1. To ensure the enterprise risks are compatible with the enterprise's strategic objectives and are tolerable.
  2. To ensure that communications among all parties, especially between the enterprise and its shareholders, are reliable, including the provision of reliable financial reports.
  3. To ensure compliance.
  4. To ensure the effective execution of the policies and other important measures of the enterprise and efficient management, enhance the effectiveness and efficiency of the operations, and reduce the uncertainty in reaching the business goals.
  5. To ensure the enterprise has the proper contingency plan with respect to significant risks, protecting the enterprise from great losses caused by disasters and human errors.

Article 8 Enterprises, when working on enterprise risk management, should stress the importance of preventing and controlling the loss and damage that might result from risks. Meanwhile, enterprises should manage speculative risks, by viewing them as resources of a special kind, to create value and achieve business objectives.

Article 9 Enterprises should, while stressing practicality and end results, approach enterprise risk management proactively, and focus on major risks, material events (meaning major risk events), and the internal controls of important business processes. Enterprises that are ready should push forward on all fronts and establish the enterprise risk management system as soon as possible; other enterprises should make general plans for fulfilment of enterprise risk management, where the enterprises may first select one or more areas of business activities, such as strategic planning, capital investment and acquisition, financial reporting, internal auditing, derivative trading, legal affairs, safety, and accounts receivable, to establish internal control systems for gaining experience and developing talent, effecting fulfilment of the enterprise risk management system step by step.

Article 10 Enterprises should integrate enterprise risk management with their overall management, embedding risk management requirements into all business and management processes. The enterprises that are ready may establish “three lines of defense” for risk management, with the various functional departments and business units as the “first line”, the risk management function department and the risk management committee of the Board as the “second line”, and the internal audit department and the audit committee of the Board as the “third line”.

Chapter II Context Information of Risk Management

Article 11 For the execution of enterprise risk management, enterprises should continuously collect a wide range of context information relating to their risks and risk management from internal and external sources, including historical data and forecasts. Enterprises should assign the responsibility for context information collection to all functions and business units.

Article 12 With respect to strategic risks, enterprises should collect widely domestic and international cases in which firms suffered losses from strategic risks, and at least the following important information that relates to the enterprises:

  1. International and domestic macroeconomic conditions and policies, the industry conditions, and the government industrial policies.
  2. Information on related scientific progresses and technical innovations.
  3. Market demand for the enterprises' own products and services.
  4. Strategic alliances, and the possibility of forming strategic partnerships.
  5. Information relevant to major customers, suppliers, and competitors.
  6. The enterprises' strengths and the gap in comparison with the major competitors.
  7. The enterprises' own business plans, plans for investment and fund raising, annual operational goals, and overall business strategy, together with the data used in those strategies, plans, goals, etc.
  8. The business processes or activities that are mistake-laden or error-prone in the enterprises' processes for outside investment.

Article 13 With respect to financial risks, enterprises should collect widely domestic and international cases in which financial risks resulted in firm crises, and at least the following important information that relates to the enterprises (including industry benchmarks when available):

  1. Liability, contingent liability, debt ratio, solvency.
  2. Cash flow, accounts receivable and its percentage of sales, working capital turnover.
  3. Inventory and its percentage of cost of sales, accounts payable and its percentage of total purchasing.
  4. Manufacturing overheads, G&A expenses, financial expenses, operational expenses.
  5. Profitability.
  6. Mistake-laden or error-prone processes in the cost accounting and treasury management cycles.
  7. Industrial accounting policy, accounting estimation, gaps and adjustments with IFRS (such as for pension and deferred tax treatments).

Article 14 With respect to market risks, enterprises should collect widely domestic and international cases in which firms suffered losses from ignoring market risks or lacking proper responses, and at least the following important information that relates to the enterprises:

  1. Change in prices and supply–demand relation for the enterprises' products and services.
  2. Sufficiency and stability of supplies such as energy, raw materials and parts, and changes in their prices.
  3. Credit reports of major customers and major suppliers.
  4. Change in tax laws, interest rates, currency exchange rates, and stock indexes.
  5. Potential competitors, competitors and their major products and substitute products.

Article 15 With respect to operational risks, enterprises should collect at least the following important information that relates to the enterprises and their industries:

  1. Product structure and new product development.
  2. New market development, marketing strategy involving product and service pricing and distribution channels, and market environment.
  3. Organizational effectiveness, existing management practices, corporate culture, knowledge structures and experiences of senior and middle management and employees in the important business processes.
  4. Mistake-laden and error-prone business processes or activities involving the trading of futures and other derivatives.
  5. Mistake-laden and error-prone business processes or activities with regard to quality, safety, environmental protection, and information security management.
  6. Losses or business control malfunctions caused by unethical behaviors of internal and external personnel.
  7. Natural disasters that caused losses, and other pure risks besides the situations above.
  8. Capability of supervising, operation assessment and continuous improvement of the existing business processes and information system operation.
  9. Current conditions and capability of enterprises' risk management.

Article 16 With respect to compliance risks, enterprises should collect widely domestic and international cases in which firms suffered losses from ignoring compliance risks or lacking proper responses, and at least the following important information that relates to the enterprises:

  1. Domestic and international political and legal environment.
  2. New laws, regulations and policies that may impact the enterprises.
  3. Employees' ethical compliance.
  4. Important agreements and trade contracts signed.
  5. Intellectual properties of the enterprises and their competitors.

Article 17 Enterprises should go through the necessary steps of selection, reconciliation, comparison, classification, and confirmation of the context information for the purpose of risk assessment.

Chapter III Risk Assessment

Article 18 Enterprises should carry out risk assessment for their important businesses and the corresponding important processes using the risk management context information collected. Risk assessment consists of three steps: risk identification, risk analysis, and risk evaluation.

Article 19 Enterprises' risk assessment may be carried out by their internal function departments and business units, and assisted by professional consultancies in risk management that are qualified, reputable, and capable.

Article 20 Risk identification means to see if there are risks in the business units, important business activities and important business processes, and what risks are there. Risk analysis means to define clearly the identified risks and their characteristics, analyze and describe the possibilities and the conditions for the risk event occurrences. Risk evaluation is to estimate the impact of the risks on the enterprises' objectives, and the value of the risks.

Article 21 Enterprises should combine the qualitative and quantitative methods in risk identification, risk analysis, and risk evaluation. The qualitative methods include questionnaires, facilitated workshops, expert opinions, scenario analysis, policy analysis, industry benchmarking, management interview, and onsite inspection, etc. The quantitative methods include statistical analysis (e.g. trend analysis), computer simulation (e.g. Monte Carlo method), failure mode and effect analysis, and event tree analysis, etc.

Article 22 Enterprises should, for quantitative risk assessment, decide on the risk metrics and the risk models consistently across the enterprises, and, via various testing methods, make sure the assumptions made, the parameters chosen, the data sources, and the procedures for the quantitative assessment processes are valid and accurate. Enterprises should review, adjust, and improve the assumptions and the parameters periodically or based on the changes of the environment as well as the results from the comparison of the estimates of the assessment system to the real data.

Article 23 Risk analysis should cover the relationships among the risks, to uncover risk portfolio effects such as natural hedges and offsetting risk events, so that all risks may be managed with an integrated strategy.

Article 24 Enterprises may, when assessing more than one risk, compare the risks by mapping them to a coordinate system with the possibility of risk event occurrence as one dimension and the impact of the risk event as the other, so as to set the priority and determine the corresponding management strategies.

Article 25 Enterprises should treat risk management information dynamically, following through the steps of risk identification, risk analysis and risk evaluation periodically or non-periodically to refresh the information on new risks and changes of the existing risks.

Chapter IV Risk Strategy

Article 26 The term “risk strategy” in the Guidelines means the integrated strategy that, based on the enterprises' overall business strategy, their own conditions and the external environment, consists of the enterprises' risk appetite, risk tolerance, criteria for effective risk management, the choice of risk management tactics including risk acceptance, risk avoidance, risk transformation, risk hedging, risk compensation, and risk control, and the corresponding principles for the allocation of the necessary human and financial resources.

Article 27 In general, for strategic risks, financial risks, operational risks, and compliance risks, the available strategies include risk acceptance, risk avoidance, risk transformation, and risk control. For risks that may be managed by risk financing methods such as insurance, futures, and hedging, one may adopt strategies including risk transfer, risk hedging, and risk compensation.

Article 28 Enterprises should determine their risk appetite and risk tolerance level consistently based on the characteristics of their businesses; that is, determine what risks they are willing to accept and, accordingly, the upper and lower limits for the tolerance of those risks, and determine the corresponding early-warning indicators and responses. In determining risk appetite and risk tolerance, one should balance risks and rewards, avoiding two tendencies: one is pursuing profit without properly taking risk factors and circumstances into consideration, usually indicated by a one-sided emphasis on the “risk” part of the notion that more risk implies more reward; the other is preventing risks at all costs, causing the loss of development opportunities.

Article 29 Enterprises should determine, based on the principle of balancing risk and reward as well as the positions of the risks on the risk map, the priority of risk management, the capital budget for the risk management expenses, and the overall arrangements in organizational structure, human resources and the risk responses.
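Articles 24 and 29 describe prioritizing risks by their position on a likelihood–impact map. The following is an added example (not part of the Guidelines or of the author's text) that implements such a map: the five-point scales, the score cut-offs for the priority bands, the tie-breaking rule and the sample risks are all constructed assumptions for illustration, since the Guidelines leave the scales to each enterprise.

```python
"""Risk map prioritisation: likelihood x impact grid (Articles 24 and 29).

Added example; scales, cut-offs and sample risks are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Five-point ordinal scales (assumed labels; 1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str     # strategic / financial / market / operational / compliance (Articles 12-16)
    likelihood: str   # key of LIKELIHOOD
    impact: str       # key of IMPACT

    def coords(self) -> Tuple[int, int]:
        """Position on the map as (likelihood, impact)."""
        return LIKELIHOOD[self.likelihood], IMPACT[self.impact]

    def score(self) -> int:
        """Product score in 1..25 used to rank the risks."""
        likelihood, impact = self.coords()
        return likelihood * impact


def zone(score: int) -> str:
    """Map a 1..25 score to a priority band. Cut-offs are an assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact, then likelihood, so a
    severe-but-rarer event outranks a frequent-but-milder one of equal score."""
    return sorted(risks, key=lambda r: (r.score(), r.coords()[1], r.coords()[0]), reverse=True)


def risk_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group risk names by their (likelihood, impact) cell."""
    grid = defaultdict(list)
    for r in risks:
        grid[r.coords()].append(r.name)
    return dict(grid)


def render(risks: List[Risk]) -> str:
    """ASCII 5x5 map: rows = impact (5 at top), columns = likelihood 1..5; cells show counts."""
    grid = risk_map(risks)
    lines = ["impact\\likelihood  1  2  3  4  5"]
    for impact in range(5, 0, -1):
        cells = "  ".join(str(len(grid.get((lk, impact), []))) for lk in range(1, 6))
        lines.append(f"{impact:>17}  {cells}")
    return "\n".join(lines)


# Constructed sample register for illustration only.
SAMPLE_RISKS = [
    Risk("Derivative trading loss", "operational", "likely", "severe"),
    Risk("Key supplier insolvency", "market", "possible", "major"),
    Risk("New environmental regulation", "compliance", "likely", "moderate"),
    Risk("Office lease renewal", "operational", "unlikely", "minor"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.score():>2} {zone(r.score()):<6} {r.category:<12} {r.name}")
    print(render(SAMPLE_RISKS))
```

The two medium-band risks share a score of 12; the tie-break puts the supplier insolvency (major impact) ahead of the regulation (moderate impact), which is the kind of ordering decision Article 29 asks the enterprise to make explicit rather than leave to the arithmetic.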

Article 30 Enterprises should periodically review and analyze the effectiveness and justification of the existing risk strategies, and continuously improve them. The enterprise should emphasize the review of the real effect of implementation against the risk appetite, the risk tolerance, and the risk early-warning indicators for controls, and define the criteria for effectiveness qualitatively or quantitatively.

Chapter V Risk Management Solutions

Article 31 Enterprises should design solutions for all risks or every significant risk in accordance with the risk management strategy. The solutions should in general consist of objectives, organizational leadership, business and management processes and procedures involved, resources needed, concrete responses before, in the middle of, and after the occurrence of the risk event, as well as risk management tools such as Key Risk Indicator Management and Loss Event Management.

Article 32 Enterprises should, when outsourcing risk management solutions, pay attention to the balance of risk and reward, the quality of the outsourced work, and the protection of business secrets, and take corresponding steps to control and prevent the risk of unhealthy reliance on the outsourcers for risk solutions.

Article 33 Enterprises should, when establishing a risk management internal control system, satisfy the laws and regulations, be consistent with the business strategy and the risk management strategy, and balance risk control with operational efficiency and effectiveness. For each management process and operational flow related to significant risks, they should establish control measures covering the entire process flow; for operational flows related to other risks, they should control the key points and adopt the corresponding control measures.

Article 34 Enterprises should consider the following criteria when establishing internal control system:

  1. Establishment of an internal control position authorization system. Clearly define the objects, terms, range and limits of each internal control position; no organization or individual may make risky decisions beyond its authorization.
  2. Establishment of an internal reporting system. Clearly define the reporters and the recipients, the time, contents, frequency and information transfer route, and the organization or individual responsible for managing the report.
  3. Establishment of an internal control approval system: for all material events related to internal control, clearly define the procedure, terms, range, limits and necessary documents of the approval, and regulate the responsibilities of the approving department or individuals.
  4. Establishment of an internal control duty system. Comply with the principle of aligning rights, obligations and duties, and clearly define the duties and the reward scheme for each related department, business unit and individual.
  5. Establishment of an internal control audit system. Integrating the requirements, methodology, standards and procedures of internal control, clearly define the objects, content and methods of the audit and the department responsible for it.
  6. Establishment of an internal control assessment system. Qualified enterprises should integrate internal control performance with the related salary management.
  7. Establishment of a significant risk warning system. Constant supervision of significant risks, timely risk reporting, proper contingency plans with respect to significant risks, and adjustment of the control methods to different circumstances.
  8. Establishment of a power balancing system. Clearly regulate the segregation of duties, which mainly includes: authorization approval, operation, accounting records, asset safekeeping and audit. Consider having two persons responsible for one important position so that they check each other; clearly define the superior department or individuals of the position and the related supervision measures and supervision responsibility; make this position a key point of the internal audit.

Article 35 Enterprises should implement the risk management solution rigorously in terms of the division of duties among departments and business units, to ensure that each step is completed smoothly.

Chapter VI Monitoring and Improvement

Article 36 Enterprises should focus on significant risks, material events, and important management and business processes, and supervise the initial information, risk assessment, risk management strategy, key control activities and the implementation of the risk management solution. Enterprises should use stress testing, back testing, walk-through testing and self-assessment of risk controls to test the validity of risk management, and improve it in time when situations change and limitations are recognized.

Article 37 Enterprises should establish proper information exchange channels for risk management throughout the whole basic risk management process, so as to communicate among all functional departments and business units and ensure that information is transferred timely, accurately and completely, which is the foundation of risk management monitoring and improvement.

Article 38 The related departments and business units should examine and assess risk management system periodically in order to find flaws and improve risk management timely. The assessment reports should be submitted to risk management departments in a timely manner.

Article 39 Risk management departments should constantly check the implementation status and efficiency of risk management in functional departments and business units, assess the risk management strategy in accordance with Article 30 of the Guidelines, evaluate risk management solutions across functional departments and business units, issue comments regarding adjustment or improvement, issue an evaluation and recommendation report on the current risk management system, and submit reports in a timely manner to the general manager of the enterprise or any other senior manager responsible for risk management.

Article 40 The internal audit department should monitor and evaluate the risk management department, other related departments and business units, in terms of the implementation and validity of risk management work, at least once per year, and the report should be delivered to the board of directors or the risk management committee and the audit committee. This work may be carried out in line with the annual audit, term audit or special audit.

Article 41 Enterprises may engage professional consultancies in risk management that are qualified, reputable, and capable to carry out an assessment of the enterprises' current risk management and provide a risk management assessment report with advice for improvement. Generally, the report should cover the state of implementation, existing deficiencies and improvement suggestions in the following aspects:

  1. Basic risk management process and risk management strategy.
  2. Risk management of the significant risks, material events, important management and business processes in the enterprise and the establishment of the internal control system.
  3. Risk management organizational structure and information system.
  4. The integrated goals of enterprise risk management.

Chapter VII Risk Management Organizational Structure

Article 42 Enterprises should establish and maintain the risk management organizational structure, which includes the standardized corporate governance structure, the risk management function and internal auditing departments, and management organizational structure and responsibility of other related function departments and business units.

Article 43 Enterprises should establish and maintain the standardized corporate governance structure. The shareholder meeting (for the state wholly-owned companies or the state wholly-owned enterprises, it means SASAC, hereinafter with the same meaning), the board of directors, the board of supervisors and managers should perform their responsibilities according to the laws, so as to form the monitoring mechanism that is efficient in functioning and effectively balanced.

Article 44 State wholly-owned and state-controlled enterprises should establish an external director or independent director system; the number of external directors or independent directors should exceed half of the board, in order to guarantee that the board of directors can make independent judgments and choices, apart from management, on important decision-making and significant risk management.

Article 45 The board of directors is accountable to the shareholder meeting for the effectiveness of the overall risk management work. The board of directors mainly performs the following responsibilities in the area of overall risk management:

  1. Deliberate and submit yearly working reports of the enterprise overall risk management to the shareholder meeting.
  2. Determine the overall objectives, risk appetite and risk tolerance of the enterprise's risk management, and authorize the risk management strategy and the significant risk management solutions.
  3. Understand each significant risk faced by the enterprise and its management status, and make effective risk control decisions.
  4. Authorize judgment standards or judgment mechanisms of the important decision-makings, significant risks, material events and important operational processes.
  5. Authorize the risk assessment report of important decision-makings.
  6. Authorize the risk management supervisory auditing report submitted by the internal auditing department.
  7. Authorize the setting and responsibility solutions of the risk management organization.
  8. Authorize risk management measures, correct and deal with risk decision behaviors that violate risk management rules made by any organization or individual.
  9. Supervise the cultivation of enterprise's risk management culture, overall risk management and other important proceedings.

Article 46 In enterprises with good qualifications, the board of directors may establish a risk management committee. The committee should be convened by the chairman of the board, provided the chairman is not also the general manager; if the chairman of the board is also the general manager, the convener should be an external director or independent director. The committee should include directors who are familiar with the important management and operational flows and processes of the enterprise, or directors who have risk management and monitoring knowledge or experience, and a certain knowledge of law.

Article 47 The risk management committee is responsible to the board of directors, and performs the following responsibilities:

  1. Submit annual enterprise risk management report.
  2. Deliberate risk management policy and important risk management solution.
  3. Deliberate judgmental standard or judgmental mechanism on important judgments, significant risk, material events and important operational processes, and risk assessment report on important judgments.
  4. Deliberate risk management supervision and evaluation audit integration report submitted by internal audit department.
  5. Deliberate risk management organizational structure settings and responsibility solutions.
  6. Handle other matters on enterprise risk management authorized by the board of directors.

Article 48 The general manager of the enterprise should be responsible for the validity of enterprise risk management and report to the board of directors. The general manager, or the senior manager nominated by the general manager, should take charge of the routine work of ERM and draw up the organizational structure settings and responsibility scheme of ERM.

Article 49 The enterprise should establish a full-time department, or designate related functional departments, to perform the responsibilities of enterprise risk management. This department should be responsible to the general manager or the nominated senior managers, and perform the following responsibilities:

  1. Research and propose enterprise risk management reports.
  2. Research and propose judgmental standard or judgmental mechanism across functional departments on important judgment, significant risk, material event and important operational process.
  3. Research and propose risk assessment report on important judgment across functional departments.
  4. Research and propose risk management strategy and cross-functional departments solution on significant risk management, and be responsible for the implementation of the solution and daily monitoring of the risk.
  5. Be responsible to evaluate the effectiveness of enterprise risk management, and propose improvement solution on enterprise risk management.
  6. Be responsible to establish a Risk Management Information System.
  7. Be responsible to coordinate daily enterprise risk management work.
  8. Be responsible to supervise and monitor functional departments, business units, wholly-owned subsidiaries and controlled subsidiaries to develop enterprise risk management.
  9. Manage other works related to risk management.

Article 50 Enterprises should establish an Audit Committee under the board of directors. The internal audit department should be responsible to the Audit Committee. The responsibilities of the Audit Committee and the internal audit department should comply with the related regulations in the “Interim Measures for Internal Audit Management of Central Enterprises” (Decree of SASAC No.8). In the field of risk management, the internal audit department is responsible for researching and developing the risk management Monitoring and Reviewing System, designing the related procedures, conducting monitoring and reviewing, and preparing auditing reports.

Article 51 Other functional departments and business units of the enterprise should accept the arrangement, coordination, guidance and supervision of the risk management department and the internal audit department. Their main responsibilities are as follows:

  1. Implement basic risk management processes.
  2. Research and develop the criteria or mechanisms for judging significant decisions, risks, events and business processes within their own functional department or business unit.
  3. Prepare risk assessment reports on significant decisions within their own functional department or business unit.
  4. Perform the tasks of establishing the risk management information system within their own functional department or business unit.
  5. Perform the task of building the risk culture.
  6. Establish and improve the internal risk control system within their own functional department or business unit.
  7. Undertake other tasks related to risk management.

Article 52 Enterprises should direct and supervise their wholly-owned and controlled subsidiary companies to establish their risk management organizational structures through legal processes. The structure should correspond to that of the parent enterprise, or be adapted effectively to the characteristics of the subsidiaries.

Chapter VIII Risk Management Information System

Article 53 The enterprise should apply information technology to all tasks related to risk management, and establish a risk management information system that covers the basic risk management process and all steps of the internal control system, including information collection, storage, processing, analysis, testing, delivery, reporting, disclosure, etc.

Article 54 The enterprise should adopt controls to ensure the consistency, accuracy, timeliness, accountability and completeness of the risk management information system's input data and of the quantitative risk values derived from it. Input data to the information system should not be altered without authorization.

Article 55 The risk management information system should support all kinds of risk measurement, quantitative analysis and quantitative testing; reflect in real time the risk metrics, their ranking and frequency, and the supervision state of significant risks and important business processes; raise an alarm when a significant risk exceeds its acceptable range; and satisfy the requirements of the internal information reporting system for risk management and of external information disclosure regulation.
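Articles 54 and 55 together ask for two concrete controls in the risk management information system: input data that cannot be altered without authorization, and an alarm when a significant risk leaves its acceptable range (the upper and lower tolerance limits and early-warning indicators of Article 28). The following is an added example, not code from the Guidelines or from the author; the HMAC-chained input ledger, the indicator names, the tolerance values and the demo key are all constructed assumptions for illustration.

```python
"""Tamper-evident KRI input ledger with tolerance-band alarms (Articles 28, 54, 55).

Added example; indicators, limits and the demo key are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tolerance:
    indicator: str
    lower: Optional[float] = None        # hard lower limit: breach below it
    upper: Optional[float] = None        # hard upper limit: breach above it
    warn_lower: Optional[float] = None   # early-warning level above the lower limit
    warn_upper: Optional[float] = None   # early-warning level below the upper limit


def evaluate(value: float, tol: Tolerance) -> str:
    """Classify a value as normal, warning (early-warning indicator hit) or breach."""
    if tol.upper is not None and value > tol.upper:
        return "breach"
    if tol.lower is not None and value < tol.lower:
        return "breach"
    if tol.warn_upper is not None and value > tol.warn_upper:
        return "warning"
    if tol.warn_lower is not None and value < tol.warn_lower:
        return "warning"
    return "normal"


class InputLedger:
    """Append-only record of input data. Each entry carries an HMAC over its own
    fields and the MAC of the previous entry, so editing, deleting or reordering
    any entry is detected by first_invalid() unless the editor holds the key."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def _mac(self, entry: dict) -> str:
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True)
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def record(self, indicator: str, value: float, source: str) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else "genesis"
        entry = {"seq": len(self.entries), "indicator": indicator,
                 "value": value, "source": source, "prev": prev}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def first_invalid(self) -> int:
        """Index of the first entry whose MAC or chain link fails, or -1 if intact."""
        prev = "genesis"
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(e)):
                return i
            prev = e["mac"]
        return -1


def latest_values(ledger: InputLedger) -> Dict[str, float]:
    """Most recent recorded value per indicator, in ledger order."""
    latest: Dict[str, float] = {}
    for e in ledger.entries:
        latest[e["indicator"]] = e["value"]
    return latest


def monitor(ledger: InputLedger, tolerances: List[Tolerance]) -> Dict[str, str]:
    """Article 55 alarm step: refuse to evaluate on a tampered ledger, else classify each KRI."""
    bad = ledger.first_invalid()
    if bad >= 0:
        raise ValueError(f"input ledger integrity failure at seq {bad}")
    tols = {t.indicator: t for t in tolerances}
    return {ind: evaluate(v, tols[ind]) for ind, v in latest_values(ledger).items() if ind in tols}


# Constructed tolerances (Article 28 limits and early-warning levels), for illustration.
SAMPLE_TOLERANCES = [
    Tolerance("debt_ratio", upper=0.65, warn_upper=0.60),
    Tolerance("receivables_pct_sales", upper=0.30, warn_upper=0.25),
    Tolerance("cash_days", lower=30, warn_lower=45),
]

DEMO_KEY = b"demo-only-key-keep-real-key-in-a-secret-store"   # assumption: not a real key


def build_sample_ledger() -> InputLedger:
    """Constructed input feed: four postings from finance and treasury systems."""
    ledger = InputLedger(DEMO_KEY)
    ledger.record("debt_ratio", 0.58, "finance-erp")
    ledger.record("receivables_pct_sales", 0.33, "finance-erp")
    ledger.record("cash_days", 40, "treasury")
    ledger.record("debt_ratio", 0.62, "finance-erp")   # latest value for this KRI
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(monitor(ledger, SAMPLE_TOLERANCES))
    ledger.entries[0]["value"] = 0.50        # unauthorized edit of an input
    print("first invalid entry:", ledger.first_invalid())
```

The HMAC key must be held by the system that accepts input, not by the staff who post data; otherwise an editor could recompute the MACs. In practice the key would live in a secret store or hardware module and the ledger would be written to append-only storage, which is the operational side of the "stability and security" Article 57 requires.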

Article 56 The risk management information system should enable the integration and sharing of information among departments and business segments. It should meet not only the requirements of single risk management tasks, but also the integrated risk management requirements of the overall enterprise and of cross-functional departments and business segments.

Article 57 The enterprise should ensure the stability and security of the risk management information system, and improve and update it continuously.

Article 58 Enterprises that have already established, or are just establishing, an Enterprise Management Information System should complement, regulate and update their existing management processes and procedures, and establish a mature Risk Management Information System. Enterprises that have not yet established an Enterprise Management Information System should unify the risk management system with the enterprise management processes and management software, and plan, design, implement and run them simultaneously.

Chapter IX Risk Culture

Article 59 Enterprises should strive to establish a corporate culture that is risk conscious, to enhance employees' awareness of risks and risk management, so as to assure the achievement of the risk management objectives of the enterprises.

Article 60 Cultivation of risk management culture should be embedded into the overall process of cultivation of corporate culture. Enterprises should cultivate a sound risk culture, establish the correct risk management philosophy, and enhance the awareness across the enterprises, in order to transform the risk management into the common understanding and conscious actions of the employees and to promote the risk management mechanism that is systematic, normal and highly effective.

Article 61 The enterprise should engage to build its risk management culture environment at different corporate levels. The board of directors should pay great attention to the cultivation of risk management culture, and the general manager is responsible for the daily work of cultivation of risk management culture. The director and senior management personnel should demonstrate and lead in cultivation of risk management culture. The management and operations personnel who are responsible for key management processes, key business processes and risk control points should be the main forces of cultivation of risk management culture.

Article 62 Enterprises should establish an employee code of conduct, in order to foster a risk culture in which everyone conducts themselves ethically and compliantly. Enterprises should seriously punish employees who violate the laws, regulations, or corporate policies, and who commit fraud and corruption.

Article 63 The staff of the enterprise, especially the managerial and operating staff, should endeavor to promote the enterprise risk management idea in many forms and cultivate a sound enterprise risk management culture. The culture must emphasize that risk is ubiquitous and ever-present, and that everyone must control pure risks strictly, handle speculative risks prudently, and take their post responsibilities for risk management seriously.

Article 64 The cultivation of the risk management culture should be integrated with the salary policy and the human resources policy, as to enhance the risk awareness of managerial personnel, especially senior managers, and prevent behaviors like blind expansion, one-sided pursuit of performance and risk neglect.

Article 65 Enterprises should establish a risk management training program for the personnel in charge of important management and business processes, key business activities and risk controls. Enterprises should adopt various methods to enhance the risk awareness, to intensify the training on knowledge of related processes and controls, to nurture the internal talents on risk management, and to cultivate the risk culture.

Chapter X Supplementary Provisions

Article 66 For those central enterprises that are state wholly-owned and have not yet formed the board of directors, the executive management meeting of the enterprises should take over the responsibility that is assigned to the board of directors in the Guidelines, and the general manager should be responsible for the implementation of the Guidelines. Other state-owned or state-controlled enterprises may implement the Guidelines accordingly.

Article 67 The documents supplementary to the Guidelines for the risk management of the enterprises with respect to investing, financial reporting and derivative trading are published separately.

Article 68 The SASAC shall have the power of the interpretation of the Guidelines.

Article 69 The Guidelines shall become effective on the date of promulgation.
