How Sponsors Can Establish an Effective Compliance Dashboard and Key Risk Indicators

The SFC’s thematic inspection findings on sponsor due diligence, published in its October 2024 circular, revealed that 70% of reviewed deal files contained at least one material deficiency in verifying issuer information — a statistic that should command the full attention of every compliance officer holding a Type 6 (advising on corporate finance) licence under the Securities and Futures Ordinance (Cap. 571). This figure, drawn from a sample of 30 IPO applications submitted between 2021 and 2023, underscores a persistent gap between the procedural requirements of the Code of Conduct for Persons Licensed by or Registered with the SFC (the Code of Conduct) and the actual execution of sponsor work. The 2024 circular explicitly warns that the SFC will consider disciplinary action — including licence suspension — where systemic failures in internal controls are identified. For sponsors operating in Hong Kong’s Main Board and GEM markets, where a single IPO can involve a sponsor team of 15 to 20 professionals and a due diligence timeline stretching 12 to 18 months, the margin for error is vanishingly small. Building an effective compliance dashboard with clearly defined key risk indicators (KRIs) is no longer a best-practice recommendation; it is a regulatory imperative that directly affects a sponsor’s ability to retain its licence and participate in future listings.

The Regulatory Foundation: Why a Dashboard Is Non-Negotiable in 2025

The SFC’s expectations for sponsor compliance systems have crystallised into a framework that leaves little room for ambiguity. Paragraph 17.1 of the Code of Conduct requires licensed corporations to maintain “adequate and appropriate internal controls and risk management procedures.” For sponsors, this translates into a requirement to demonstrate, on demand, that every stage of the due diligence process — from initial client acceptance to final prospectus verification — is documented, reviewed, and traceable. The 2024 circular goes further, stating that the SFC expects sponsors to implement “a systematic approach to identify, assess, and mitigate risks” in each engagement.

The 2024 Circular as a Baseline

The October 2024 circular is not a standalone document. It builds on the SFC’s 2017 thematic review of sponsor work, which similarly found deficiencies in areas such as verification of third-party confirmations and assessment of issuer business models. The 2024 iteration, however, introduces a sharper focus on the timing and completeness of due diligence steps. The SFC found that in 40% of the reviewed files, key verification procedures — such as site visits or customer interviews — were conducted after the draft prospectus had already been filed with the HKEX. This sequencing failure directly contravenes the requirement under paragraph 17.6(b) of the Code of Conduct that sponsors must exercise “due and diligent enquiry” before submitting a listing application.

A compliance dashboard that tracks the completion status of each due diligence workstream against a pre-defined timeline — with automated alerts for any step that falls outside the acceptable window — addresses this specific regulatory concern. The dashboard must integrate data from the sponsor’s project management system, document repository, and client communication logs to provide a real-time view of whether each verification activity has been completed before the relevant prospectus section is finalised.

Linking KRIs to the Sponsor’s Legal Liability

Beyond procedural compliance, the dashboard must reflect the sponsor’s exposure to legal liability under the Securities and Futures Ordinance. Section 109 of the SFO imposes criminal liability on any person who makes a false or misleading statement in a prospectus, with a maximum penalty of HKD 1,000,000 and imprisonment for 10 years. Sponsors, as the primary gatekeepers of the listing process, face the highest risk of being named in enforcement actions when a prospectus contains material misstatements.

The KRI framework should therefore include metrics that quantify the residual risk of undisclosed adverse information. For example, the number of third-party confirmations that were not returned within the agreed timeframe, or the percentage of customer interviews where the counterparty refused to provide a signed statement. These metrics do not prove that a misstatement exists, but they flag areas where the sponsor’s verification coverage is incomplete — and where the SFC would almost certainly focus its inquiry during a post-listing inspection.

Designing the Compliance Dashboard: Core Components and Data Architecture

A compliance dashboard for a Hong Kong sponsor is not a generic project management tool. It must be purpose-built to reflect the specific workflows and risk profiles of the sponsor’s business, which typically involves managing 5 to 15 concurrent mandates, each with its own team structure, timeline, and regulatory filing calendar. The dashboard’s architecture must enable the compliance officer — who may oversee multiple deal teams — to identify at a glance which mandates are trending toward a KRI breach.

Workflow Integration and Data Feeds

The dashboard’s effectiveness depends entirely on the quality and timeliness of its underlying data. The most common failure mode in sponsor compliance systems is manual data entry, where deal team members are expected to update a spreadsheet or a web form after completing each task. In practice, this creates a lag of 24 to 72 hours between the completion of a due diligence step and its reflection in the compliance record. The SFC’s 2024 findings suggest that this lag is a contributing factor to the sequencing failures described above — if the dashboard shows a task as “not started” when it has actually been completed, the compliance officer cannot intervene in time.

The solution is to integrate the dashboard directly with the sponsor’s existing workflow tools. Most Hong Kong sponsors use a combination of Microsoft SharePoint or a cloud-based document management system for storing due diligence materials, and a project management platform such as Asana, Monday.com, or Jira for tracking task assignments. The dashboard should pull data from these systems via API or scheduled data extracts, rather than relying on manual updates. Key data points include:

• Task completion dates for each due diligence workstream (e.g., legal due diligence, financial due diligence, business due diligence, management interviews, site visits)
• Document upload timestamps for prospectus draft versions and supporting evidence
• Approval status from the sponsor’s internal review committee
• Client response times to information requests
• External confirmations received (e.g., from customers, suppliers, regulators)

Visualising the Risk Heat Map

The dashboard’s primary visual output should be a risk heat map that plots each active mandate on a two-axis grid: the x-axis representing the severity of the highest-risk KRI for that mandate, and the y-axis representing the probability of that KRI breaching its threshold within the next 30 days. This format allows the compliance officer to allocate attention to the mandates that sit in the top-right quadrant — high severity, high probability — while monitoring the others through automated alerts.

The severity axis should be calibrated to the sponsor’s own risk appetite, but the SFC’s 2024 circular provides useful guidance on what constitutes a high-severity KRI. Any mandate where the sponsor has not completed customer verification for more than 50% of the issuer’s top 10 customers by revenue within 60 days of the initial client acceptance meeting should be flagged as high severity. Similarly, any mandate where the internal review committee has raised more than three unresolved queries on the same prospectus section should trigger an automatic escalation to the sponsor’s head of compliance.

Key Risk Indicators: Defining the Metrics That Matter

Selecting the right KRIs is the most critical design decision in building a compliance dashboard. The SFC does not prescribe a fixed set of KRIs for sponsors, but the 2024 circular and the Code of Conduct together imply a framework that covers three dimensions: timeliness, completeness, and quality of due diligence.

Timeliness KRIs

The first category of KRIs tracks whether each due diligence workstream is progressing according to the timeline agreed at the outset of the mandate. The SFC’s 2024 findings make clear that delays in completing verification work are not merely administrative issues — they are indicators of potential systemic failure. A KRI that triggers when the sponsor’s financial due diligence team has not completed its review of the issuer’s audited financial statements within 45 days of the engagement letter being signed should be considered a minimum standard.

A more advanced timeliness KRI tracks the gap between the date a due diligence finding is recorded and the date it is resolved. The 2024 circular notes that in 25% of the reviewed files, significant adverse findings — such as discrepancies between the issuer’s management accounts and its bank statements — remained unresolved for more than 90 days. A dashboard that flags any finding unresolved beyond 30 days gives the compliance officer a window to intervene before the issue becomes a regulatory exposure.

Completeness KRIs

Completeness KRIs measure whether the sponsor has obtained all required evidence for each due diligence workstream. The Code of Conduct, at paragraph 17.6(c), requires sponsors to “maintain a complete and accurate record of all due diligence work performed.” In practice, this means that for each verification step, the dashboard should track whether the supporting documentation has been uploaded to the document repository and approved by the team leader.

A practical KRI in this category is the confirmation return rate — the percentage of third-party confirmations (e.g., from customers, suppliers, banks, regulators) that have been received within the expected timeframe. The SFC’s 2024 circular found that in 35% of reviewed files, the sponsor had not obtained written confirmations from the issuer’s top five customers. A KRI that flags any mandate where the confirmation return rate falls below 80% after 60 days would have caught this deficiency in real time.

Quality KRIs

Quality KRIs are the most difficult to automate but the most important for demonstrating compliance with the sponsor’s duty of care. These KRIs assess whether the due diligence performed is sufficient to support the statements made in the prospectus, as required by paragraph 17.6(a) of the Code of Conduct.

One approach is to track the rate of substantive queries raised by the sponsor’s internal review committee. A high query rate on a particular section of the prospectus — for example, the “Business” section — may indicate that the due diligence team has not obtained sufficient evidence to support the issuer’s claims about its market position or competitive advantages. The dashboard should flag any mandate where the query rate exceeds 5 queries per 10 pages of the prospectus draft, as this suggests a systemic gap in the due diligence approach.

Implementation: Building the Dashboard Within the Sponsor’s Operating Model

The most sophisticated dashboard design is worthless if it cannot be integrated into the sponsor’s daily workflow. Implementation requires a clear allocation of responsibilities, a defined escalation protocol, and a commitment to regular review by senior management.

Role-Based Access and Responsibilities

The dashboard should provide different views for different user roles. The deal team leader needs a detailed view of each workstream’s status, with drill-down capability to individual tasks and documents. The compliance officer needs a portfolio-wide view that highlights mandates approaching KRI thresholds. The sponsor’s designated director — who bears ultimate responsibility under the SFC’s licensing regime — needs a summary view that shows the overall compliance posture of the firm, with the ability to drill into any mandate that triggers a red flag.

The SFC’s 2024 circular emphasises that senior management must be “actively involved” in the sponsor’s compliance framework. A dashboard that automatically sends a weekly summary to the designated director, highlighting any mandate that has triggered a KRI breach, satisfies this expectation without requiring the director to log into the system daily.

Escalation Protocol and Remediation Tracking

When a KRI breaches its threshold, the dashboard must trigger a defined escalation protocol. The first step should be an automated notification to the deal team leader and the compliance officer, with a required response within 48 hours explaining the cause of the breach and the proposed remediation plan. If the breach is not resolved within 14 days, the dashboard should escalate the matter to the designated director and the sponsor’s risk committee.

The dashboard must also track the status of each remediation action. A common finding in the SFC’s 2024 review was that sponsors identified deficiencies during the due diligence process but failed to document how those deficiencies were resolved. The dashboard should require the deal team to upload evidence of remediation — such as a signed confirmation from a previously unresponsive customer — before the KRI can be reset to green.

Regular Review and Calibration

A compliance dashboard is not a static tool. The KRIs and thresholds should be reviewed at least annually, and more frequently if the SFC issues new guidance or if the sponsor experiences a regulatory incident. The review should involve the compliance officer, the designated director, and representatives from the deal teams, to ensure that the KRIs remain relevant to the sponsor’s actual business risks.

For example, if the SFC issues a future circular focusing on sponsor verification of issuer intellectual property rights, the dashboard should incorporate a new KRI that tracks the completion status of IP due diligence for any issuer in the technology or life sciences sector. The review process should also consider whether existing KRIs are generating false positives — alerts that do not correspond to genuine compliance risks — as these will erode the dashboard’s credibility with deal teams.

Closing: Five Actionable Takeaways

1. Integrate the dashboard directly with your existing workflow tools (SharePoint, Asana, Jira) via API to eliminate manual data entry and ensure real-time visibility of due diligence progress.
2. Define a minimum set of three KRI categories — timeliness, completeness, and quality — with specific thresholds calibrated to the SFC’s 2024 circular findings, such as a 60-day limit for customer verification completion.
3. Implement an automated escalation protocol that notifies the deal team leader and compliance officer within 48 hours of a KRI breach, and escalates to the designated director if unresolved after 14 days.
4. Require evidence of remediation — such as signed third-party confirmations or internal review committee approvals — before any KRI breach can be reset to green, to create an audit trail that satisfies the SFC’s documentation expectations.
5. Schedule a formal KRI review at least annually, with input from deal teams and compliance, to incorporate new regulatory guidance and eliminate false positives that undermine the dashboard’s operational credibility.