Singapore has a relatively sophisticated governance framework, but recent changes to regulation, such as that on data protection, mean that compliance has become even more important for corporates than previously.

Corporate governance has become an issue of overwhelming importance for risk managers in Asia - particularly, in recent times, for those based in Singapore. General secretary of the Pan-Asia Risk & Insurance Management Association (PARIMA) and director of Tunstall and Associates Steve Tunstall says that recent changes to the Singapore Code of Corporate Governance mean that directors now have to mention risk management in their annual reports, which is driving more interest in the topic. “Some of the biggest risks facing many companies, not merely financial institutions, centre around compliance issues these days,” he says. “So organisations need to ensure they keep up with the changing regulations in their area and that they deal with them in a practical and pragmatic manner.”

Of course, if a Singapore-based organisation is spread out across the region or the globe, it becomes “even more of a difficult ask”, Tunstall points out. “Many jurisdictions advance faster than others, so compliance obligations are sometimes contradictory,” he says. “In that case, it is essential to establish how to deal with those to avoid ending up on the wrong side of the law and suffer reputational damage.”

The entire area of compliance and changing regulation is particularly interesting in Singapore at the moment as its regulators are “really starting a more Western jurisdictional approach to regulation”, Tunstall says. “The entire compliance aspect is accelerating in terms of the energy required to keep up to date and the potential downside in case of a misstep.”

An area of great interest

Data protection is a particularly hot topic in Singapore because of new laws in this area, as Tunstall explains. “It’s not that onerous by overseas standards - many companies will be fully compliant already - but there’s been a bit of a panic, with some consultants talking up the problem. However, the changes bring Singapore only broadly in line with most other Westernised countries in terms of the rights and obligations for corporate data, particularly in respect of customer data, but employee data as well.”

There is still a way to go before it becomes really clear how those laws will be applied, Tunstall says, adding that data protection is an evolving issue that involves everyone. “Everybody, as individuals, is interested in how companies look after the information we have shared with them,” he says. “So, big issues arise there in terms of how that’s managed within a company, but at the same time there are increasing pressures by all companies to use that data effectively.”

Partner at Clyde & Co Clasis Singapore Ian Roberts agrees that data protection is an area of great interest. “The Personal Data Protection Act 2012 (PDPA) came into full force in July 2014, regulating a person’s ability to carry out direct telemarketing activities (specifically to Singapore telephone numbers) and setting out obligations relating to the collection, use and disclosure of personal data (both electronic and non-electronic),” he says. “All organisations must designate a data protection officer to be responsible for ensuring compliance with the PDPA and to ensure that reasonable security arrangements and processes are in place to comply with their obligations when collecting, storing, using and transferring personal data within Singapore and overseas.”

Organisations will also be obliged to deal with requests from individuals to access and/or correct their personal data. “Enforcement will largely be complaints-based and the Personal Data Protection Commission has the power to issue financial penalties of up to US$1m for breach of these obligations, while breaches of certain specific offences under the PDPA may carry up to three years’ imprisonment and/or a fine of up to US$100,000.”

In addition to the new obligations under the PDPA, the Monetary Authority of Singapore (MAS) has issued new technology risk management guidelines, which also came into effect in July, setting out requirements for financial institutions to maintain high availability for critical systems and to protect customer information from unauthorised disclosure. Roberts explains that all financial institutions must now have systems in place to detect malfunctions and security breaches and are required to notify MAS within one hour of discovering a breach that has a severe and widespread effect on operations. “Contravention of the updated notice may attract a fine, termination of licence and other sanctions,” he warns.

Global best practice

Singapore-based governance and risk manager Eric Lee says corporate governance rules in Singapore are a reflection of global best practices. “As such, corporations typically can learn from practical implementation lessons of firms elsewhere, reducing the steep learning curve,” he says. Franck Baron, chairman of PARIMA and general manager for risk management and insurance at international healthcare, medical assistance and security services company International SOS, agrees that Singapore provides a relatively sophisticated regulatory and corporate governance framework. “This being said, the need for a truly enterprise-wide embedded risk management is still there,” he cautions.

Vice-president of group risk at Barclays Bank Geetha Kanagasingam agrees that Singapore has a fairly mature environment in terms of regulations that enforce good corporate governance requirements for listed entities and she expects to see improvements in the governance risk of such corporates. “I’m expecting to see a more robust governance framework put in place with greater recognition given to the role of risk managers,” she says. “However, I do not expect to see improvements at the same pace for SMEs in Singapore in light of the less stringent requirements coupled with the cost of implementation.”

Further concerns are expressed by Microsoft Asia’s chief security officer Pierre Noel, who believes that for many organisations in Singapore “the overall responsibility of the board of directors is more rubber stamping than anything”. “The climate is not conducive for corporate directors to take a more inquisitive approach,” he says. “Also, chief risk officers seldom exist within unregulated organisations in Singapore, and when the role exists, their ability to engage effectively with the board is often limited. I’m afraid it will take some severe incidents for corporate governance to evolve and give a more effective place to overall enterprise risk management in Singapore.”

As Roland Teo, board member of the Risk & Insurance Management Association of Singapore, board member of PARIMA and head of risk management office for a Singaporean healthcare group puts it: “Although many Singapore companies are ‘compliant’, unfortunately, not many are compliant in form and substance.”

PARIMA is hosting its Asia Risk Management Conference on the 8th and 9th December 2014.