By Mak Yuen Teen
CNA did an excellent job in editing the commentary they invited me to write on SingPost’s latest crisis, which can be accessed from here:
My commentary was written on 27 December and yesterday morning (29 December), I signed off on the version CNA initially published. SingPost made a further announcement at 10.26 pm last night (29 December). CNA has kindly updated the article to take into account SingPost’s latest announcement.
Understandably, CNA had to remove certain content to fit their length requirements and accommodate some other information to be added. Nevertheless, I thought some readers may like to read my full version, which is reproduced below.
Just to add some further points following SingPost’s announcement last night, when it said that management made misrepresentations on three occasions between 11 March and 3 April 2024. It has now been disclosed that those were the dates of two AC meetings. This raised a further question as to whether management were present throughout those AC meetings while the 3 managers who were sacked in June were interviewed. That would be inappropriate.
SingPost also said last night that the incident was reported as a substantiated case relating to fraud in its FY2023/24 Sustainability Report on pages 76 and 78. To be clear, the Sustainability Report did not say that this was from a whistleblowing report (but to be fair, companies are not required to disclose number of whistleblowing reports). In fact, we had already collected data for SingPost in our current study on whistleblowing policies of SGX-listed issuers and included SingPost among those that did not disclose whether there were whistleblowing reports.
On another note, another GLC mentioned 8 incidents from whistleblowing reports, but said they were amongst the reported incidents, so did not actually disclose the total number of reports. There are many companies that said they had zero reports – which could mean a number of things, including the possibility that no one trusts the whistleblowing policy enough to blow the whistle. We will share all this when we release our report, likely in February 2025.
____________________
On 22 December 2024, Singapore Post (SingPost) plunged into its latest crisis when it announced the sudden termination of its Group CEO (GCEO), Group CFO (GCFO) and CEO of International Business Unit Operations (CEO-IBU). The company said they were “grossly negligent and had omitted to consider material facts that compromised their decision-making and/or failed to perform their duties responsibly and reliably”, particularly in relation to the handling of whistleblowing reports. Those reports “alleged manual entries of certain delivery status codes by the International Business Unit Operations (SP IBU Ops) for international parcels for international transhipment parcels which the Company had agreed to deliver under an agreement with one of its largest customers, allegedly without basis or supporting documentation and with the intention of avoiding contractual penalties under the agreement.”
All three terminated executives have said that they will take strong steps to contest their firing, alleging that it is without merits and procedurally unfair.
This adds to the ongoing business challenges faced by SingPost and leaves a vacuum in senior management as the company executes the sale of its Australian business announced on 2 December. At that time, the GCEO said: “Once the transaction is complete, the board and management will review and reset the group’s strategic plan, with a continued focus on shareholder value.” He is now gone and there has been a further destruction in shareholder value, with SingPost’s share price falling 6.25% to 52.5 cents as at 26 December, a far cry from its peak of $2.16 reached in January 2015.
This latest incident raises new questions about SingPost’s corporate governance, including its communication, internal controls, internal audit, whistleblowing policy, investigation process, succession planning and corporate culture.
Connecting the dots
Let’s start with communication. The announcement on 22 December 2024 about the termination was more than two pages long but lacked important details. It included statements that could arguably have led to incorrect conclusions or raised deeper concerns.
Its announcement did not say exactly when the whistleblowing reports were received, when the Group Internal Audit (GIA) commenced investigations, when the external legal counsel and a forensics service provider were engaged, when further investigations by the external parties were concluded, when the three managers were sacked, and when disciplinary proceedings against the senior management commenced. The only dates the company disclosed in the announcement were the conclusion of the disciplinary proceedings against the three senior executives on 20 December and their immediate termination the following day.
The whistleblowing report to the company was said to be received “earlier in the year”. It was only in a news report three days later, presumably in response to queries from the public or media, that the company said it was January, and some of the other dates were disclosed.
It has still not disclosed the identity of the external legal counsel and forensics service provider who were appointed.
SingPost has also not disclosed whether senior management were placed on leave when investigations and disciplinary proceedings involving them were ongoing. Evidently it did not because the GCEO was still speaking on behalf of the company when the deal to sell the Australian business was announced in early December. Companies often ask management to step aside when there are investigations against them to avoid the possibility of them influencing investigations.
SingPost should have expected questions about the timeline and conduct of the investigations, which would provide an indication of whether the appropriate actions were taken in a timely fashion. It came across as reactive.
Are the internal controls adequate?
The Board said it believes that the Group’s internal controls and risk management systems are adequate. That was what the Board had said year after year in its corporate governance report, before this latest breach of its internal controls. It said that “appropriate actions have been taken on the matters, and operational measures have been enhanced to prevent similar measures” but provided no details.
Did it commission a comprehensive independent review of its internal controls and implement recommended enhancements? How are these enhancements able to prevent future recurrence of manual entries made without proper basis and documentation? It is also important that the Board ensures this is not a systemic weakness in internal controls.
Who actually led the investigations?
SingPost said that the GIA commenced investigations into the whistleblowing reports under the oversight of the AC. The company does not provide much information about the GIA in its corporate governance report beyond standard boilerplate disclosure.
The Institute of Internal Auditors (IIA) states that investigation is not typically an IA task and the internal auditor should not be expected to have the expertise of a person whose primary responsibility is to investigate fraud. IIA states that if IA is required to investigate fraud, they “should have the necessary skills and experience”.
From LinkedIn, I found that the Head of the GIA is a Certified Fraud Examiner which suggests he is qualified to investigate fraud. But this does not mean he or the GIA are equipped to undertake investigations. The company ultimately had to hire an external forensics firm, suggesting a lack of forensic capabilities which are often important for in-depth investigations.
As recommended, the GIA reports directly to the AC, with only administrative reporting to the GCEO. Nevertheless, there may be questions as to whether the GIA would be sufficiently objective and independent as an investigation may reveal deficiencies in its own effectiveness, given its role in providing assurance over internal controls.
What is of more concern is whether the initial investigations were actually led by the GIA or management. SingPost said that “external professional advisers were engaged to review and assess the matter independently of management, as the Audit Committee had no assurance concerning management’s representations and handling of the internal investigations”.
Why were management handling the internal investigations? Did the AC delegate the investigations, at least initially, to management and left it to supervise the GIA? SingPost’s whistleblowing policy committed to independent investigation of complaints, and management cannot be said to be independent. The proper process ought to be having an properly qualified independent party investigating and reporting directly to the AC.
Other gaps in the whistleblowing policy
SingPost’s whistleblowing policy does not require whistleblowers to provide their names and contact details, which is good.
However, it did not mention that all whistleblowing complaints will be acknowledged, if the whistleblower disclose their identity. SingPost said that a whistleblowing report on the same matter was also sent to the Info-communications Media Development Authority of Singapore (“IMDA”).
Whistleblowers may send reports to external agencies and even third parties if they feel that their reports are not taken seriously. While whistleblowing policies should never discourage whistleblowers from reporting to regulators, or in the case SGX-listed companies to the SGX Regco Whistleblowing Office, once a report is made to an external regulator, the company may lose its ability to conduct the investigations on its own terms.
The GIA is the designated independent function to maintain the dedicated whistleblowing channels and investigate whistleblowing reports. A postal address for the GIA (and a SingPost email address) is provided for external parties to send whistleblowing reports to. Employees are advised to refer to “internal procedures which are posted on the intranet”. There is no provision in the policy disclosed publicly for whistleblowing to the AC Chairman, contrary to recommended good practice.
The policy states that the identity of the whistleblowers and the persons implicated will be kept strictly confidential and will only be released to persons on a “need to know” basis? Who are the persons who are generally considered “need to know”? A whistleblower may not feel secure about reporting if they feel that their report and identity may be disclosed to individuals who may be complicit in the alleged misconduct.
SingPost did not disclose whether they received any whistleblowing reports although to be fair, neither did another 85 out of 229 companies we have covered so far in a study of whistleblowing policies of SGX-listed issuers. None of the three listed banks here do so.
SingPost employees looking at this case may feel unsafe about whistleblowing as the investigations were not that independent after all and they may feel that their identities may be revealed to persons who are deemed to “need to know” – but really should not know.
Who will man the Post?
In accordance with its leadership succession plan, the current CFO of the Australian business, the FMH Group, will be appointed as the new GCFO subject to the necessary regulatory approvals. However, no interim GCEO has been appointed. The Board Chairman will provide increased guidance to, and exercise greater oversight of, the senior management leadership team on behalf of the Board.
The succession plan for the GCEO may have envisaged the GCFO as the interim GCEO in the event the GCEO leaves, but in this case, both the GCEO and GCFO have been terminated. Succession planning needs to consider a range of scenarios, both expected and unexpected. There does not appear to be a clear Plan B that provides for other potential interim solutions to a vacant GCEO position.
An ad hoc Executive Committee comprising certain board and management members is one possible way to manage SingPost during this difficult period.
Ruling out deeper corporate culture issues
The Board should also look into what may have caused employees to falsify the key performance indicators (KPIs) in the service level agreement (SLA) with the customer. Were the KPIs too demanding such that they were impossible to achieve? Was there too much pressure exerted on them to meet the KPIs? Were their jobs or remuneration significantly at stake if they do not meet the KPIs? There may be deeper corporate culture issues which the Board should be alert to. When a company is facing financial challenges, as SingPost is, the risk of fraud often increases.
It is unfortunate that this is the third major controversy that has plagued SingPost over the past 20 years, not counting the operational and service issues during this period. Each new scandal is another blow to its reputation. In my view, SingPost has never fully regained stakeholder trust from its earlier crises. The Board must leave no stones unturned in reviewing all aspects of its corporate governance.
Doing the right thing
Finally, amidst all the negative news, we should not forget the one(s) who did the right thing – the whistleblowers. If they had not blown the whistle, the eventual consequences for SingPost could be much worse. Companies should do more not only to protect whistleblowers but recognise them as valued employees. If they are still around, how about recognising them as employees of the year – without disclosing their identity of course? That would send the right message.
_____________________
The writer is Professor (Practice) of Accounting at NUS Business School, where he is the founding director of the Centre for Investor Protection. He is also a founding director of Corporate Monitor, which published a report on SingPost in August this year. He owns shares in SingPost. The views in this article are his personal views.
