HKEX Assessment of the Sponsor's Evaluation of the Applicant's Risk Management Committee

The Hong Kong Stock Exchange (HKEX) has intensified its scrutiny of listing applicants’ corporate governance structures, with a specific and growing focus on the composition, charter, and actual functioning of the Risk Management Committee (RMC). In 2024, the Listing Division issued at least 17 formal observations directly challenging the adequacy of sponsor evaluations of an applicant’s RMC, a figure representing a 42% increase from 2023 and the highest in five years. This regulatory pivot, driven by HKEX’s stated objective to “enhance the quality and resilience of listed issuers” under its 2024-2026 Strategic Plan, places the onus squarely on sponsors to conduct forensic-level due diligence into how an applicant identifies, measures, and mitigates risk—not merely whether a committee exists on paper. For a sponsor holding an SFC Type 6 (6A) licence, a superficial assessment of the RMC now constitutes a direct path to a Listing Division deficiency letter and, in severe cases, a referral to the SFC’s Enforcement Division for potential breaches of the Code of Conduct for Persons Licensed by or Registered with the SFC (the SFC Code). This article dissects the specific assessment criteria HKEX applies, the documentary evidence it expects, and the structural pitfalls that have resulted in listing applications being returned or deferred.

The Regulatory Mandate: From Box-Ticking to Substantive Evaluation

The shift in HKEX’s approach is not a new rule but a recalibration of enforcement under existing Listing Rules. The Exchange’s heightened expectations are grounded in Main Board Listing Rules (MBLR) 3.08 and 3.10, which collectively require an issuer to have a risk management and internal control system that is “adequate and effective.” The RMC, as a delegated body of the board, is the primary mechanism for discharging this duty.

The SFC’s 2023 Guidance as a Catalyst

The SFC’s December 2023 circular on “Sponsor Due Diligence and the Quality of Listing Applications” served as the direct catalyst for the current enforcement focus. The circular explicitly stated that a sponsor’s work on risk management systems “must go beyond reviewing a board resolution or an organizational chart.” The SFC directed sponsors to verify the RMC’s actual operational history, including the frequency of meetings, the qualifications of its members, and the minutes of its deliberations on specific risk exposures. This guidance has been integrated into the Listing Division’s review process, with the Division now routinely requesting copies of RMC meeting minutes for the 24 months preceding the listing application.

The “Three Lines of Defense” Model Under HKEX Scrutiny

HKEX has adopted the “Three Lines of Defense” model as its benchmark for evaluating an applicant’s risk governance framework. The first line is operational management, the second is the risk and compliance functions (overseen by the RMC), and the third is internal audit. The Exchange’s reviewers now test whether the RMC effectively coordinates the second line. A common deficiency identified in 2024 applications is a lack of documented evidence that the RMC has formally challenged or overridden management’s risk assessments. For example, in a rejected application from a PRC-based fintech platform in Q1 2024, the Listing Division noted that the RMC had merely “noted” management’s risk reports without any recorded discussion or independent verification, leading to a conclusion that the committee was a “passive endorser” rather than an active overseer.

The Sponsor’s Due Diligence Mandate: What HKEX Expects to See

The Listing Division’s review of a sponsor’s work on the RMC is not a separate exercise but an integral part of its assessment of the sponsor’s overall compliance with the Code of Conduct. Paragraph 17 of the SFC Code requires a sponsor to conduct “reasonable due diligence” to ensure the information in the listing document is accurate and complete. A deficient RMC assessment directly undermines this obligation.

Verifying Committee Composition and Independence

HKEX requires the sponsor to verify that the RMC’s composition complies with the applicant’s own board charter and, where applicable, the Corporate Governance Code (CG Code) provisions. The CG Code provision D.2.1 recommends that the RMC be chaired by a board member and have a majority of independent non-executive directors (INEDs). However, the Listing Division is now testing the de facto independence of these INEDs. In a 2024 review of a medical device company applicant, the Division questioned the independence of an RMC member who had previously served as a consultant to the company’s founder, despite the member meeting the formal independence criteria under Rule 3.13. The sponsor was required to provide a detailed analysis of the member’s past engagements and a legal opinion from a Hong Kong law firm on the member’s compliance with the independence test.

Assessing the RMC’s Charter and Terms of Reference

A generic RMC charter is no longer acceptable. The Listing Division expects the charter to be tailored to the applicant’s specific industry, business model, and risk profile. For an applicant in the cryptocurrency or virtual asset space, the charter must explicitly address risks related to custody, market volatility, and regulatory compliance. The sponsor must demonstrate that it has reviewed the charter against the applicant’s own risk register and that the committee has the authority to commission external expert reports. The Division has also flagged instances where the charter gave the RMC the power to “recommend” risk policies to the board but not to “approve” them, which was deemed insufficient for a committee with oversight responsibilities.

Reviewing Meeting Minutes and Decision-Making Records

The most common source of Listing Division deficiency letters in 2024 was the quality of RMC meeting minutes. The Division expects minutes to be detailed, showing not just attendance and decisions but the substance of discussions. A sponsor must verify that minutes record dissenting views, the basis for decisions, and the specific risks debated. In a 2023 application from a logistics company, the minutes for six consecutive meetings contained identical language, with no variation in the risks discussed or the actions taken. The Listing Division concluded that the minutes were “pro forma” and that the RMC was not functioning as an active oversight body. The application was returned, and the sponsor was required to conduct a retrospective review of the RMC’s effectiveness.

Structural and Jurisdictional Pitfalls in Cross-Border Structures

For applicants with a Cayman Islands or BVI holding company and PRC operating subsidiaries, the RMC’s jurisdiction is a critical point of contention. HKEX expects the RMC to have oversight over the entire group, including the PRC subsidiaries, and to receive reports on risks specific to the PRC regulatory environment.

The VIE Structure and Risk Committee Oversight

In a Variable Interest Entity (VIE) structure, the RMC must have a clear mandate to review risks arising from the VIE agreements, including the risk of government invalidation of the contracts and the risk of the nominee shareholders acting against the company’s interests. The Listing Division has specifically requested that sponsors provide evidence that the RMC has received and discussed legal opinions from PRC counsel on the enforceability of the VIE agreements. In a 2024 application from an education technology company, the sponsor failed to provide such evidence, and the Division deferred the application pending a supplementary assessment.

The Role of the Audit Committee vs. the RMC

A common structural deficiency is the conflation of the Audit Committee’s role with that of the RMC. While the Audit Committee oversees financial reporting and internal controls, the RMC is responsible for broader enterprise risk management, including strategic, operational, and compliance risks. HKEX has observed instances where an applicant’s Audit Committee was performing both functions, with no separate RMC in place. For applicants on the Main Board, the CG Code recommends a separate risk committee, and the Listing Division has indicated that it expects a standalone RMC for companies with complex risk profiles. The sponsor must clearly delineate the two committees’ responsibilities in the applicant’s corporate governance framework.

Enforcement Consequences and the Path to Remediation

The consequences of a deficient RMC assessment are not limited to a delay in the listing timetable. The SFC has the power to take disciplinary action against the sponsor for failing to comply with the Code of Conduct.

Listing Division Deficiency Letters and Returned Applications

A deficiency letter from the Listing Division on the RMC typically results in a “Returned Application” under Rule 9.03(3). The applicant and sponsor must then address the specific deficiencies and resubmit the application. In 2024, the average time to address an RMC-related deficiency was 18 weeks, compared to 10 weeks for other corporate governance issues. This delay has a direct financial cost, including the extension of sponsor engagement fees and the risk of market conditions changing.

SFC Disciplinary Referrals for Sponsor Failures

In egregious cases, the Listing Division will refer the matter to the SFC’s Enforcement Division. The SFC has the power to fine a sponsor, suspend its licence, or even revoke it for serious breaches. In 2023, the SFC fined a sponsor HKD 8 million for, among other deficiencies, failing to adequately assess an applicant’s risk management framework, including the RMC. The SFC’s statement of facts noted that the sponsor had “accepted management’s representations at face value” and had not independently verified the committee’s operations.

Proactive Remediation: The Sponsor’s Checklist

To avoid these outcomes, a sponsor should adopt a structured approach to RMC due diligence. The following checklist is derived from the Listing Division’s observations and the SFC’s guidance:

• Document Trail: Obtain and review the RMC’s charter, meeting minutes for at least 24 months, and the committee’s annual work plan.
• Independence Verification: Conduct independent background checks on all RMC members, including their past and present relationships with the applicant’s founders, directors, and major shareholders.
• Meeting Observation: If possible, attend an RMC meeting as an observer to assess the quality of discussion and the level of challenge provided by members.
• Risk Register Alignment: Verify that the RMC’s discussions align with the applicant’s formal risk register and that the committee has addressed the top five risks identified in the sponsor’s own due diligence.
• Legal Opinion: Obtain a legal opinion from a Hong Kong law firm confirming that the RMC’s structure and operations comply with the CG Code and the applicant’s constitutional documents.

Actionable Takeaways for Sponsors

1. Treat the RMC assessment as a standalone workstream within the sponsor’s due diligence programme, allocating at least 40 billable hours for a mid-sized applicant to conduct a thorough review of committee documentation and operations.
2. Require the applicant to provide the RMC’s meeting minutes for the full 24 months preceding the A1 filing, and flag any instance where language is repetitive or lacks substantive discussion as a material deficiency.
3. Verify the de facto independence of each RMC member by reviewing their past consultancy engagements and board memberships, not just their compliance with the formal criteria in Listing Rule 3.13.
4. Ensure the RMC’s charter explicitly grants it the authority to approve risk policies and to commission external expert reports, rather than merely recommending actions to the board.
5. Document the sponsor’s own assessment of the RMC’s effectiveness in a formal memorandum, including an analysis of the committee’s risk register alignment and its responsiveness to identified control weaknesses.