Crafting the Corporate Governance Report: From Board Composition to Risk Management

The Hong Kong Exchange (HKEX) has significantly tightened its enforcement of corporate governance standards, with the Listing Division issuing 27 formal decisions in 2024 that specifically cited deficiencies in corporate governance reports — a 93% increase from the 14 such decisions in 2022. This escalation follows the implementation of the enhanced Corporate Governance Code (CG Code) amendments that took effect on 1 January 2022, which introduced mandatory disclosure requirements for board skills matrices, anti-corruption policies, and shareholder engagement. For issuers preparing their annual reports for the 2025 financial year, the stakes have never been higher: the CG Code now requires listed companies to disclose how the board has evaluated its own performance, to identify the specific skills and experience of each director, and to explain any deviation from the recommended board size of at least three independent non-executive directors. The HKEX’s thematic review of 2023 annual reports, published in September 2024, found that 38% of issuers failed to adequately disclose the board’s role in risk management, while 22% omitted the required explanation for having a combined Chairman and CEO role. These compliance gaps expose issuers to potential enforcement actions, including public censure and, in severe cases, suspension of trading under Listing Rule 6.01.

The Regulatory Framework: What the CG Code Now Requires

The CG Code, set out in Appendix 14 of the Main Board Listing Rules, operates on a “comply or explain” basis — a principle the SFC has repeatedly affirmed as the appropriate regulatory approach for Hong Kong’s market. The 2022 amendments, which were the most comprehensive revision since the Code’s introduction in 2005, shifted the disclosure burden from mere compliance to substantive explanation.

Board Composition and the Skills Matrix Mandate

Code Provision A.5.5 now requires every listed issuer to maintain a board skills matrix that identifies the specific skills, experience, and expertise of each director. This is no longer a voluntary best practice — it is a mandatory disclosure item under the CG Code. The matrix must be published in the annual corporate governance report, and issuers must explain how the board’s composition aligns with the company’s strategic objectives.

The HKEX’s 2024 thematic review found that 15% of issuers still disclosed a generic skills matrix that failed to differentiate between directors’ individual contributions. For example, listing “financial expertise” as a blanket qualification without specifying whether the director is a qualified accountant, a former CFO, or an audit committee chair with specific sector experience. The SFC’s enforcement division has indicated that such generic disclosures may constitute a breach of the requirement for “meaningful disclosure” under the Listing Rules, potentially triggering a referral to the Listing Committee.

The Three-Year Board Evaluation Cycle

Code Provision B.1.7 requires the board to conduct a formal evaluation of its own performance at least once every three years. The evaluation must cover the board as a whole, its committees, and individual directors. The results, including any actions taken to address identified weaknesses, must be disclosed in the corporate governance report.

A 2023 survey by the Hong Kong Institute of Chartered Secretaries found that 42% of issuers had not conducted any formal board evaluation in the preceding three years — a figure that the HKEX’s Listing Division has publicly described as “concerning.” For issuers caught in this gap, the 2025 annual report cycle presents an immediate compliance risk. The evaluation process must be documented, with external facilitation recommended for the first cycle to ensure independence.

The Combined Chairman and CEO Role: A Structural Tension

Code Provision A.2.1 requires a clear separation between the roles of Chairman and CEO. Where an issuer chooses to combine these roles — which the HKEX’s 2024 market statistics show occurs at 34% of Main Board issuers — the corporate governance report must include a specific explanation of why this structure is appropriate for the company, including the risk mitigation measures in place.

The Mayer Brown analysis of HKEX enforcement actions from 2020 to 2024 indicates that combined roles are a frequent subject of regulatory scrutiny, particularly when the company has experienced governance failures. In the 2023 enforcement case against China Everbright Bank (HKEX: 6818), the Listing Committee specifically noted that the issuer’s corporate governance report failed to explain how the board would ensure independent oversight when the Chairman also served as CEO — a deficiency that contributed to the public censure.

Risk Management and Internal Controls: From Disclosure to Substance

The CG Code’s Risk Management and Internal Controls section, set out in Part D, has been substantially rewritten to require a more granular disclosure of how the board oversees risk. The HKEX’s 2024 thematic review identified this as the area with the highest non-compliance rate, with 38% of issuers failing to adequately describe the board’s role.

The Board’s Risk Oversight Responsibility

Code Provision D.2.1 requires the board to maintain a sound system of risk management and internal controls, and to review their effectiveness at least annually. The review must cover all material controls, including financial, operational, and compliance controls, as well as risk management functions. The corporate governance report must include a statement from the board on the effectiveness of these systems, with the basis for the board’s conclusion.

The practical challenge for many issuers is that the board’s risk oversight often operates through the audit committee, which may not have the specific expertise to evaluate operational or strategic risks. The HKEX’s guidance note on risk management (GL117-24) recommends that issuers establish a separate risk committee or, at minimum, ensure that the audit committee’s terms of reference explicitly include risk oversight responsibilities. Issuers that rely on a combined audit and risk committee must disclose how the committee manages the potential conflict between its audit and risk functions.

The Internal Audit Function: Independent or Outsourced

Code Provision D.2.4 requires every listed issuer to have an internal audit function. While the Code permits outsourcing to an external service provider, the board must ensure that the function has sufficient resources, is independent from management, and reports directly to the audit committee. The corporate governance report must disclose whether the internal audit function is in-house or outsourced, and if outsourced, the identity of the service provider and the basis for the board’s conclusion that the arrangement provides adequate independence.

A 2024 study by KPMG Hong Kong found that 61% of Main Board issuers now outsource their internal audit function, up from 48% in 2020. The trend reflects cost pressures, but the HKEX has cautioned that outsourcing does not relieve the board of its responsibility to ensure the function’s effectiveness. The Listing Division’s enforcement action against Sino Oil and Gas (HKEX: 702) in 2023 specifically cited the issuer’s failure to ensure that its outsourced internal audit function had adequate access to management and board records — a deficiency that the Listing Committee found constituted a breach of the CG Code.

Whistleblowing Policies: The New Mandatory Disclosure

The 2022 CG Code amendments introduced a new mandatory disclosure requirement under Code Provision D.2.7: every issuer must have a whistleblowing policy that provides employees and other stakeholders with a confidential channel to raise concerns about possible improprieties. The policy must be disclosed in the corporate governance report, including the procedures for investigation and the protection afforded to whistleblowers.

The SFC’s 2024 enforcement report noted that whistleblowing mechanisms were a key factor in detecting 23% of market misconduct cases investigated during the year. For issuers, the absence of a properly disclosed whistleblowing policy is now a direct compliance breach. The policy must be approved by the board, communicated to all employees, and reviewed at least annually. The corporate governance report must include a summary of any whistleblowing reports received during the year and the actions taken.

Shareholder Communication and ESG Integration

The CG Code’s emphasis on shareholder communication has been strengthened through the introduction of mandatory disclosure requirements for shareholder engagement, particularly in relation to general meetings and dividend policy.

The Shareholder Communication Policy

Code Provision F.1.1 requires every issuer to maintain a shareholder communication policy that covers the methods of communication, the frequency of engagement, and the procedures for handling shareholder enquiries. The policy must be published on the issuer’s website and summarized in the corporate governance report. The HKEX’s 2024 thematic review found that 28% of issuers had not updated their shareholder communication policy to reflect the new requirements, with many still relying on generic statements that did not address specific engagement mechanisms.

The policy must include provisions for engaging with minority shareholders, particularly in relation to significant transactions that require shareholder approval under the Listing Rules. The SFC’s 2023 consultation on shareholder rights highlighted that minority shareholders in Hong Kong often face barriers to effective engagement, including language barriers and limited access to board members. The corporate governance report should disclose how the board ensures that minority shareholders’ views are considered in board decision-making.

Dividend Policy Disclosure

Code Provision F.1.3 requires issuers to disclose their dividend policy in the corporate governance report, including the factors the board considers when determining dividend payments. This is a significant change from the previous regime, where dividend policy was typically disclosed only in the directors’ report or the financial statements.

For issuers with a history of irregular or suspended dividends, the disclosure must explain the board’s rationale. The HKEX’s Listing Division has indicated that a simple statement that “dividends are at the board’s discretion” is insufficient — the report must identify the specific financial metrics, capital requirements, and strategic considerations that guide the board’s decision. In the 2024 enforcement action against China Huarong Asset Management (HKEX: 2799), the Listing Committee specifically criticized the issuer’s failure to disclose its dividend policy in the corporate governance report, noting that the omission deprived shareholders of material information needed to assess the company’s capital allocation strategy.

ESG Reporting Integration

The CG Code now requires the corporate governance report to include a cross-reference to the issuer’s Environmental, Social and Governance (ESG) report, which is governed by the ESG Reporting Guide set out in Appendix 27 of the Listing Rules. The cross-reference must identify how the board oversees ESG-related risks and opportunities, and how the ESG report aligns with the corporate governance framework.

The HKEX’s 2024 ESG disclosure statistics show that 92% of Main Board issuers now publish a standalone ESG report, but only 54% include a specific board statement on ESG oversight. The corporate governance report should bridge this gap by describing the board’s role in setting ESG strategy, the committee responsible for ESG oversight, and the frequency of board-level ESG reviews. The SFC’s 2024 circular on climate-related disclosures (dated 15 March 2024) emphasizes that the board’s oversight of climate risks must be documented in the corporate governance report, not merely in the ESG report, to ensure that investors can assess the board’s accountability.

Practical Compliance: Drafting the Report for the 2025 Cycle

The corporate governance report is not a standalone document — it must be read in conjunction with the directors’ report, the business review, and the ESG report. The HKEX’s Listing Rule 13.91 requires the report to be included in the annual report, and the Listing Division’s enforcement actions demonstrate that inconsistencies between these documents are a common trigger for regulatory inquiries.

The Board’s Statement of Responsibility

The corporate governance report must include a statement from the board confirming its responsibility for the company’s corporate governance practices. This statement, required under Code Provision A.1.1, must be signed by the Chairman or the board secretary. The statement should acknowledge the board’s overall responsibility for the CG Code compliance, while also noting the specific responsibilities delegated to committees.

A common drafting error is to use a generic statement that does not reflect the issuer’s specific governance structure. The Mayer Brown practice guide for 2025 recommends that the board statement include a reference to the issuer’s specific governance challenges, such as the board’s response to a significant shareholder resolution or the steps taken to address a regulatory finding from the previous year.

The Audit Committee Report

The audit committee’s report, which must be included in the corporate governance report under Code Provision C.3.3, must describe the committee’s work during the year, including the number of meetings held, the matters discussed, and the committee’s assessment of the internal control system. The report must also disclose the committee’s review of the external auditor’s independence and the fees paid to the auditor for non-audit services.

The HKEX’s 2024 thematic review found that 31% of issuers failed to disclose the specific non-audit services provided by the external auditor, a requirement that is now mandatory under the Listing Rules. The disclosure must include the nature of the services, the fees paid, and the audit committee’s basis for concluding that the services do not impair the auditor’s independence.

The Nomination Committee and Board Diversity

Code Provision B.3.1 requires the nomination committee to have a written terms of reference that addresses board diversity, including gender diversity. The corporate governance report must disclose the board’s diversity policy, the measurable objectives set for achieving diversity, and the progress made against those objectives.

The HKEX’s 2024 statistics show that the average gender diversity on Main Board boards has reached 18.5%, up from 12.3% in 2020. However, the SFC’s 2024 consultation on board diversity noted that only 34% of issuers have set specific, measurable targets for gender diversity — a deficiency that the Listing Division has indicated it will address through enhanced enforcement. The corporate governance report must include a timeline for achieving gender diversity targets, with specific milestones for the next three years.

Actionable Takeaways

1. Conduct a gap analysis of your current corporate governance report against the 2022 CG Code amendments before the 2025 annual report cycle, focusing on the board skills matrix, board evaluation, and risk management disclosure requirements.

2. Ensure the board evaluation process is documented with external facilitation for the first cycle, and include the results and action plan in the corporate governance report to satisfy Code Provision B.1.7.

3. Update the shareholder communication policy to include specific mechanisms for minority shareholder engagement, and publish the policy on the issuer’s website at least 30 days before the annual general meeting.

4. Cross-reference the corporate governance report with the ESG report to demonstrate board oversight of climate-related risks, as required by the SFC’s 2024 circular on climate disclosures.

5. Verify that the whistleblowing policy is approved by the board, communicated to all employees, and disclosed in the corporate governance report with a summary of any reports received during the year.