Reawaken The Risk Governance in The Malaysian Corporate

Risk governance is about balancing the company’s business interests and the interests of stakeholders who might suffer loss or harm from the company’s commercial activities. It is concerned mainly with preventing mistakes or wrongdoing rather than correcting them. This paper aims to study the state of risk governance in the Malaysian corporate sector. It specifically studies the way risk governance is regulated and its relation to stakeholders’ interests. This study is based on the existing laws in Malaysia. The laws in the United Kingdom and the United States are studied for a comparative analysis and lessons to be learned. The paper suggests that the role of regulators is crucial to initiate and compel companies to establish and maintain a risk governance system and incorporate it as a corporate culture. It also suggests that co-regulation between the regulatory authorities and the industry is needed to successfully push efforts and participation by companies to establish and maintain an effective risk governance system. The paper is significant as it contributes to the improvement of risk governance in Malaysian businesses in general and in the corporate sector specifically and adds to the body of knowledge on law and governance.


Introduction
Failure of risk management (RM) and internal control systems (ICS) has been identified in many instances as one of the most pivotal causes of corporate abuse (Abidin, Nawawi & Salin, 2019). Corporate scandals like Barings Brothers, Enron and the Société Générale Bank in France highlighted the devastating impact companies face when risks are poorly managed and controls inadequately set up. Among the risks that ought to have drawn the attention of management in these cases were segregation of officers' duties, supervision of traders, follow-up of audit reports and enquiry into the high profit generated by low-risk trading. A similar incident occurred in the cross-selling scandal at Wells Fargo, which again raised the issue of poor risk governance that resulted in monetary and reputational damage to a company (Tayan, 2019). Other tragedies also took place that had some connection to corporate activities but had not directly impacted the company's business and shareholders. Incidents such as mining and workplace accidents, environmental disasters, supply of defective and dangerous products and misuse of customers' personal information grabbed media attention and caused outrage among the public (Yockey, 2016). The backlash generated by these mishaps attracted criticism of gatekeepers like directors and auditors and demands that companies be more responsible in their business activities (Coffee, 2005). Since then, numerous efforts have been taken to remedy the situation in the hope of preventing future recurrence (Lipson, 2015). However, recent corporate calamities not only suggest that such efforts have not been entirely successful but also undermine the role of the law in combating the issue. This raises questions and doubts on the efficacy and role of the law in protecting companies, investors and stakeholders.
Although Malaysia has yet to encounter a corporate scandal that could rival those in the US, there have been instances of corporate manipulation termed 'mini-Enrons', as witnessed in the accounting fiasco at Transmile Group in Bursa Malaysia Securities Bhd v. Gan Boon Aun [2009], Megan Media Holding Bhd. and Wimems Corp Bhd, to name a few (Omar, Said, & Johari, 2016). In all these cases, there were failures of internal controls in terms of directors' duties, audit exercises and procedural safeguards. A common pattern in these cases is the inability of audits either to detect accounting frauds or to report them to the board and shareholders. In another instance, Sime Darby suffered a loss of RM120 million in 2008, which hinted at the activity of a rogue trader who was poorly supervised (Bernama, 2012). In light of these cases, it appears that there are weaknesses in the regulation of risk governance in Malaysia that warrant close examination.

Literature Review
The limited literature and case law on risk governance in Malaysia indicate that the existing laws and regulatory instruments have not addressed the weaknesses in the regulation of risk governance in the corporate sector. In particular, the interests of stakeholders have not been adequately taken into consideration. Companies routinely engage employees and carry out business activities that may involve risks to the safety and health of many people. This type of risk has been exemplified in past mishaps such as the Bright Sparklers fireworks factory in Sungai Buloh, which exploded on 7 May 1991 and killed 22 workers. The Royal Commission that was established to investigate the incident found that the company had breached safety regulations and rules and that the relevant authority had not done a good job in enforcing the said regulations (Shaluf et al., 2002). In 1993, a landslide caused the collapse of the Highland Towers apartment block, killed 48 people and left the occupants of two adjoining blocks homeless when they were forced to evacuate on the fear that the premises were unsafe (Maniam, 2004). In 2019, chemical waste was dumped into a river in Johore, causing 111 schools to close and making more than 500 people ill (Moses & Zurairi, 2019).
These few examples demonstrate the damaging impact commercial activities can have on the public when risks are not properly managed.
RM is inherently linked to internal controls (IC). Each supports and relies on the other to work. Nevertheless, there is no mention of RM in the Companies Act 2016. Section 246 of the Companies Act 2016 only provides that directors are required to set up an ICS to safeguard the company's assets and financial reporting. Thus, there is no legal requirement for either public or private companies in Malaysia to have a proper RM framework. Similarly, the Malaysian Code on Corporate Governance (MCCG), paragraphs 15.23 and 15.26 of Chapter 15 of the Bursa Malaysia Listing Rules (BMLR) and paragraphs 4.0 and 5.0 of Bursa Malaysia Practice Note 9 placed more emphasis on ICS until the amendment to the Code in 2012, where IC was replaced by RM as one of the main principles. This can be seen in Recommendation 6.1 of the Malaysian Code on Corporate Governance 2012. As the code is voluntary, investors are precluded from taking legal action; thus, there is no threat of liability on the part of the company and its directors. Investors have to rely on regulators like the Securities Commission to take legal action. Similarly, the BMLR makes it mandatory for listed companies to report their compliance with the MCCG, implying that listed companies have to implement the MCCG. Nevertheless, a company may choose not to comply with any provision of the MCCG and provide an explanation to justify this decision. Therefore, a company has the option not to set up a risk governance system and to justify this in the annual report. If the shareholders do not oppose this, the company has not committed any breach of the BMLR directives. As a result, there have been very few cases dealing with the liability of corporate officers concerning the management of risk and IC.
The attention of regulators and academia has focused more on financial companies as the previous financial crisis occurred in the financial markets (Waitzer & Sarro, 2014). From Nick Leeson, who gambled away £800 million of Barings Plc's funds in 1995, to the €4.9 billion loss caused to Société Générale by Jerome Kerviel in 2008 (Blanch, 2009) and the $2.3 billion loss suffered by UBS at the hands of Kweku Adoboli in 2011 (Chappelle, 2012), history is littered with examples of risk-taking gone wrong, and in all cases the company and the shareholders were not the only victims. Creditors and clients lost money while employees lost their jobs when the institution collapsed or had to downsize, which in turn caused domestic hardship and distressed the economy (Treasury Committee, 2009). The 2008 financial crisis did not directly affect Malaysia; thus, the risk governance structure of financial companies in Malaysia could arguably be said to have been effective at that time (Thomas, 2011).
Although the failure of RM in the financial sector has been seen to cause most of the damage, similar failure in non-financial sectors can bring about a comparable outcome. The explosion of the Deepwater Horizon oil rig in the Gulf of Mexico (Bryant, 2011), the hijacking and subsequent crash of Pan Am Flight 103 in Lockerbie, Scotland, as in Re Air Disaster at Lockerbie [1992], and the WannaCry ransomware attack (Berr, 2017) are just some examples of risk governance failure in the non-financial sector which have produced significant losses to members of society. Companies that were involved in these disasters have had to pay huge compensation to victims in addition to the damage to their business and reputation. The victims could sustain physical, psychological, and economic damage that may continue for a considerable period. Thus, failure of risk governance can affect all types of businesses.
Regulators have also focused risk governance issues on the company, its business, and shareholders; issues relating to stakeholders were mostly overlooked. Businesses do not operate in a vacuum: they require and depend on various constituents and subsequently create risks and opportunities for various groups of people. These can include employees, customers, suppliers, society as well as the environment, the ecosystem, animals and plants and ultimately, the planet itself (Sjafjell, 2018).
Although CG codes have included stakeholders in certain provisions, the scope is quite minimal and normally limited to communication with relevant stakeholders or consideration of stakeholders' interests in general, which is quite vague. Similarly, the Companies Act 2016 does not incorporate provisions for stakeholders' interests other than those of the employees and creditors. Directors are required to prepare a Directors' Report under section 253 of the Companies Act 2016, and among the contents of the report is a business review which may include information on "(i) environmental matters, including the impact of the company's business on the environment; (ii) the company's employees; and (iii) social and community issues, including information about any policies of the company in relation to those matters and the effectiveness of those policies". The matter was considered by the CLRC in 2006 (Corporate Law Reform Committee, 2006), which took the view that stakeholders' interests should not be incorporated into the Act. Provision 4.7 states that "Whilst the CLRC supports the proposition that a company must be a good corporate citizen and for the long-term, sustainability of a company must foster a relationship with its stakeholders, the CLRC is of the view that social obligations of the company should not be incorporated in the Companies Act 1965." This paper does not intend to challenge the importance of shareholders in a company or that their interests deserve priority. The inclusion of stakeholders for consideration here is solely for issues of risk governance. This is because harm to stakeholders will also, in the long term, affect the interests of the company and its shareholders. Clarke (2016) has discussed the many ways climate change and the ensuing environmental disasters could devastate the lives and livelihoods of the world population, which will subsequently damage the economy in the long term and on a global scale.
Thus, ignoring stakeholders' interests might very well be the wrong business strategy for a company.
It is important that regulators respond to all of this and find a balance that will rein in undue, excessive risk-taking while maintaining a healthy market that encourages innovation and dynamism (Haines, 2017). The backlash subsequently generated by such consequences has often resulted in excessive and sometimes unwarranted fear, leading to unreasonable demands for reassurance that such things will never happen again (Bainbridge, 2012). Most of the time, the outcome is more and more stringent regulation (Pascoe, 2008). It has been commented that regulation is usually the result of a gut reaction by governments in the face of public outrage, such as the legislation passed in the US (Bainbridge, 2006), for example the Sarbanes-Oxley Act 2002 and the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (PATRIOT Act). The government needed to be seen to be doing something, and enacting a new piece of legislation is a good way of showing that something is being done (Rachagan, Kasipillai & Pascoe, 2011). However, other than amendments to the CG code in 2012 and 2017, there has been little development in the regulation of risk governance in Malaysia compared to other jurisdictions. The UK, for example, has focused on enhancing the best practices on risk governance in the 2014 corporate governance code. Consequently, the worldwide evolution of law and regulation on risk and control merits a review of the law and regulation in Malaysia to keep pace with global expectations and protect the capital market in Malaysia as well as the stakeholders concerned.

Methodology
This is qualitative research that triangulates the data obtained from an empirical study with doctrinal legal research. The qualitative method was considered to be the most suitable for this study. The doctrinal legal research refers to the laws and regulatory instruments in Malaysia, the UK and the US.
This study looks at the regulation in the UK for two reasons. Firstly, the regulation on risk governance was formally adopted in the UK code on CG, which made the establishment and execution of IC and RM visible to shareholders and stakeholders alike. This provided a blueprint for other countries, including Malaysia, to introduce a system of corporate and risk governance in the corporate sector. As the Malaysian code on CG is modelled on the UK code, there are many similarities in the CG systems of both countries. Furthermore, the corporate laws of Malaysia originated from English law, which provides a common framework for the legal system. Nevertheless, cultural and socio-political factors have led to distinct evolution in the regulatory environment, especially where self-regulation is prescribed. Hence, the transformation of this previously common regulatory heritage provides useful insights that may help to enhance risk governance in Malaysia.
Secondly, the UK had, from the outset, embarked upon a non-prescriptive regime for CG which relies heavily on the receptiveness of the industry to accept and adopt it. Although prescriptive laws are equally applied, self-regulation plays a major role in both corporate and risk governance. This stance has not changed for more than 20 years and is recognised to be a success. For instance, the London Stock Exchange is the world's sixth-largest stock exchange, with a market capitalisation of more than US$3 trillion (London Stock Exchange, 2019). As of November 2019, there were 4,316,395 companies registered in the UK and 1,146 companies listed on the London Stock Exchange. This provides some indication that corporate regulation in the UK is favourable to entrepreneurs and investors. It is believed that the combination of the legal framework and non-prescriptive best practices has continued to make the UK attractive to investors (Financial Reporting Council, 2015).
In contrast to the 'comply or explain' approach in the UK, the US elected to use the 'comply or else' style of regulation. Therefore, the volume of cases and regulations in the US provides a useful insight into the implementation of a rule-based model of regulation on risk and IC that can be used as a comparison and benchmark for Malaysia.

Regulation of Risk Governance in the UK, US, and Malaysia
Both the UK and Malaysia have opted for a non-prescriptive approach through a voluntary code on CG, supplemented by a few provisions in statutes. In the UK, sections 172 and 415 of the Companies Act 2006 enumerate the factors to be considered by the company in its risk governance initiatives. In Malaysia, section 246 of the Companies Act 2016 only requires the establishment of IC for all public companies. Both countries impose a mandatory duty on listed companies to report on the state of risk governance in their companies through the listing requirements, which suggests that listed companies are required to have a risk governance system in place. Nevertheless, it is submitted that listed companies do have the option not to have the system if the company can justify its exclusion. Thus, risk governance is mostly a voluntary initiative for companies in the UK and Malaysia.
The US has opted for a rule-based approach through the directives in SOX, but it is restricted to IC only and its scope is limited to financial reporting. All public companies are required to establish, periodically review and assess the IC and report on them annually. Consequently, the means of regulating is similar in all three jurisdictions, the difference being the regulatory mode of doing so.

Reporting and Disclosure of Risk Governance Mechanisms
All three jurisdictions require companies to report on their risk governance practices in their annual reports. In the UK, the report is required by the CG Code, the UKLR, FCA rules and the Companies Act 2006, while in Malaysia it is required by the MCCG and the BMLR. In the US, the report is mandated by SOX and must be certified by the CEO and CFO of the company. No certification is required in the UK and Malaysia, but the CEO and CFO of Malaysian public companies are directed to assure the board that the report is indicative of the state of risk governance in their companies. Section 906 of SOX provides that in the event of any false or misleading information in the report, the officers are liable to a fine and/or imprisonment in the US, while under section 463(2) of the Companies Act 2006 in the UK, the company's directors are liable to compensate the company for any loss it suffers as a result of the inaccurate information. There is no legal provision for false or misleading information in the risk governance report in Malaysia.

The Role of Director in Risk Governance
The directors of a company have an implied duty to manage risks under the directors' duty of care and diligence. It is incorporated into sections 172, 174 and 417 of the Companies Act 2006 in the UK, while in Malaysia it is contained in sections 213 and 246 of the Companies Act 2016. In the US, this is also implied under the directors' duty of oversight in addition to the provisions of sections 302 and 404 of SOX. Moreover, the codes on CG in the UK and Malaysia have designated directors as the appropriate persons to lead and oversee the risk governance practices in a company. Consequently, a director may be liable for risk governance failure under the Companies Act 2016 or under common law. However, the absence of an express duty of oversight in Malaysia can lead directors to overlook their responsibility to manage risks, delegate it to other officers and simply endorse the decisions of management. Therefore, the regulators should consider incorporating the duty of oversight into the Companies Act 2016.

The Role of Auditor
Auditors have an important role as the independent third party that verifies the existence and efficacy of a risk governance system in a company. Auditors provide information and assurance to shareholders and regulators as well as advice to companies. In the UK and Malaysia, there is no legal duty to audit RM and IC except in a financial audit. It is required by the listing requirements and is recommended by auditing standards in the form of a report to the board on any observations on IC. However, this does not require the auditors to give any opinion on the effectiveness of the IC. In the US, section 404 of SOX mandates the assessment of IC by an auditor, which must be attested and reported. The auditor must state an opinion on the effectiveness of IC over financial reporting, which means that they must conduct an audit of the IC. While there is no legal bar to offering non-audit services in the UK and Malaysia, this is prohibited by section 201(g) of SOX in the US. Therefore, the role of auditors is more pronounced in the US and carries more weight in the facilitation of risk governance in a company.

The Role of Risk Officer (RO)
The requirement for a Risk Officer (RO) is mandatory for financial companies in the US and Malaysia. It is voluntary for non-financial companies in all three jurisdictions. Nonetheless, respondents from the regulatory and auditing industry agree that an RO might be needed in certain companies depending on the size and complexity of the business. The RO must occupy a management position and not be relegated to a mere compliance function. There is currently no specific guidance on the function and duties of an RO for a non-financial company.

A Mandatory Risk Governance Mechanism
Section 246 of the Companies Act 2016 makes it mandatory for all public companies to set up an ICS. However, RM is absent from section 246. The establishment of IC is not possible without going through some form of the risk assessment process. Thus, section 246 is flawed without the RM counterpart. Therefore, section 246 should be amended to include RM as the prerequisite to the establishment of IC. The ambit of section 246 should also be widened to include other business and non-business risks as it currently covers IC on corporate assets and records of transactions only. This will make the Act align with the MCCG and the BMLR.

Certification of Statement on Risk Management and IC (SRMIC)
The reporting of a company's state of IC in the US requires certification by the company's CEO and CFO under SOX, which focuses the attention of management on the integrity and efficacy of the controls. This was considered and rejected by the CLRC in 2012, but this decision should now be reviewed, as certification compels the CEO and CFO to devote time and thought to the company's risk governance and will help to sustain the company's ability to manage its risks and business strategy. It will also assist the company in ensuring the reliability of the SRMIC, especially the risk disclosures. The absence of liability on the CEO and CFO in the current regulation does not promote the importance of risk governance, and this can be seen indirectly in the poor SRMIC presented in some companies' annual reports. This becomes more important given the refusal and inability of auditors to verify the company's risk governance system. Hence, it is suggested that the CEO and CFO should be required to certify the SRMIC and be subject to personal liability in the event the information in the SRMIC is found to be false or misleading.

Co-Regulation by Industry
The governance of risks may be left to companies to self-regulate, to the state to legislate, or to both in a co-regulatory model. The challenge of regulating risks is exacerbated by the uncertainty and unpredictability of risks and the way risks can change very quickly. Laws cannot catch up with the fast-changing innovation in the market and the risks resulting from the innovations. The technical aspect of certain risks requires expertise that regulators might not have. Therefore, co-regulation between regulators and industry can provide a workable method to regulate risk governance, where the law provides the 'what' and 'why' while the industry provides the 'how' according to the business norms in the industry. Members of the industry can use this forum to describe their problems, present their views and share their experiences, and subsequently find ways to come up with soft laws in the form of industry guidelines or codes of conduct. This will enable the members to participate directly in the regulatory process and provide the impetus for compliance. This will also allow the industry to modify and update the regulation when it becomes necessary to accommodate changes in both the domestic and global markets. In turn, regulators can facilitate the engagement between companies, industry, and stakeholders by arranging consultation exercises and providing guidance to assist businesses in complying with the laws and regulations, as is done in the UK and US. This can help to reduce ambiguity and conflicts and thus promote voluntary and genuine compliance with the real objective of the regulations.
In short, the appeal of co-regulation by industry lies in the ability of the industry participants to tailor risk governance to the specific and critical risks that threaten the industry in a manner that is acceptable to the industry participants and effective in addressing the issue.

Role of Director
The success of risk governance depends very much on the commitment of the BOD. This involves the establishment and maintenance of a risk governance system that is regularly reviewed and monitored by top management. It is suggested that the law should clearly state that directors have to provide oversight of the company's affairs, by incorporating a provision into the Companies Act 2016. The provision should state that the board is collectively responsible for monitoring management and the employees to ensure that the board is aware of what is happening in the company. The provision must state the scope and extent of the monitoring and the circumstances that could result in personal liability for individual directors. The provision must also inform the board that merely establishing a risk governance system is not sufficient to discharge the duty unless the board monitors the reliability and effectiveness of the system.

Role of Auditor
Audits of risk governance should be conducted as quality audits by recognised certification bodies such as SIRIM and Lloyds. If a risk governance audit is done by a quality audit team, external auditors will be free to provide consultancy and advisory services on the design of RM and IC. There will be no further issues of independence and objectivity, since the external auditors will not be checking and verifying their own work. Alternatively, if there is regulation by the industry as previously proposed, the audit can be done by industry regulators, where the auditors will be from within the industry. This would ensure that the auditors have the required expertise and can readily determine whether the RM and ICS are adequate and effective. The auditors will also be in a better position to advise on how to improve and enhance the system. This will add value to the audit exercise.

Role of Risk Officer
An RO is intended to occupy a function similar to that of an SHO under OSHA: the management of risks in a business. An RO should be the reference point for all risk-related matters and should act as the advisor to the board. To overcome the shortage of qualified ROs, there should be an avenue to provide education and training for candidates who are interested in becoming ROs. Professional bodies like the Institute of Internal Auditors (IIA) and the Malaysian Institute of Accountants may offer such services and provide certification to ensure that candidates attain the required standards. The IIA has started offering a Certified RM Assurance course and is already looking at the possibility of transforming into an Institute of Internal Auditors and Risk Managers in the future.

Conclusion
The UK, US and Malaysia have elected to use disclosure and self-reporting as the way to regulate risks. This method requires the active participation of shareholders to read the companies' reports and raise questions. This can also lead to legal action when the contents of the report are inaccurate or misleading. However, the shareholders in Malaysia have not shown the degree of active participation that exists in the UK and the US. Consequently, the objective of self-disclosure has not been achieved. Stakeholders are more vulnerable to the effects of risk governance failures as they could suffer monetary and physical harm, whereas shareholders will only lose the money they invested. In all three jurisdictions, it was seen that the interests of stakeholders have not received much legal recognition and that statutes and court decisions continue to favour shareholders as the main beneficiaries of a company. The UK has enacted section 172 of the Companies Act 2006, which incorporates the elements of enlightened shareholder value and thus allows companies to consider stakeholders in making decisions. Although companies are not legally bound by the section, it can lead to engagement with stakeholders, particularly on issues of risks to stakeholders. The codes on CG in the UK and Malaysia continue to support the inclusion of stakeholders in companies' decision-making. This is in line with stakeholder theory, thus answering the third research question.
Laws might not be the solution to all problems, and various other alternatives may secure more effective results. Nevertheless, where the public interest is at risk, laws do play an important remedial and deterrent function, especially when the aggrieved parties are from the section of the community that is underprivileged and underrepresented. Hence, in risk governance, and in the context of Malaysia, laws cannot be excluded in favour of self-regulation. Instead, a co-regulatory approach might be more suitable, where industry regulation supplements and enhances legislation. This would make the law more practical and amenable to businesses and thus reduce conflicts and promote compliance.