· Risk identification and monitoring. Systems and procedures are in place to identify, control and report on the major risks facing HSBC (see page 36) including credit, market, liquidity and funding, capital, financial management, model, reputational, pension, strategic, sustainability, operational (including accounting, tax, legal, regulatory compliance, financial crime compliance, fiduciary, security and fraud, systems operations, project and people risk), insurance and Islamic finance risk. Exposure to these risks is monitored by risk management committees, asset, liability and capital management committees and executive committees in subsidiaries and, for the Group, in Risk Management Meetings ('RMM') of the GMB which are chaired by the Group Chief Risk Officer. RMM meets regularly to address asset, liability and risk management issues. HSBC's operational risk profile and the effective implementation of the Group's operational risk management framework are monitored by the Global Operational Risk and Control Committee ('GORCC'), which reports to the RMM. Model risks are monitored by the Model Oversight Committee which also reports to the RMM. The minutes of the GMB meetings and the RMM are provided to members of the GAC, the GRC and the Board.
· Changes in market conditions/practices. Processes are in place to identify new risks arising from changes in market conditions/practices or customer behaviours, which could expose HSBC to heightened risk of loss or reputational damage. During 2013, attention was focused on:
- emerging markets' slowdown;
- increased geopolitical risk;
- regulatory developments affecting our business model and Group profitability;
- regulatory investigations, fines, sanctions commitments and consent orders and requirements relating to conduct of business and financial crime negatively affecting our results and brand;
- dispute risk;
- heightened execution risk;
- internet crime and fraud;
- information security risk; and
- model risk.
· Strategic plans. Periodic strategic plans are prepared for global businesses, global functions and certain geographical regions within the framework of the Group's strategy. Annual Operating Plans, informed by detailed analysis of risk appetite describing the types and quantum of risk that we are prepared to take in executing our strategy, are prepared and adopted by all major HSBC operating companies and set out the key business initiatives and the likely financial effects of those initiatives.
· Disclosure Committee. The Disclosure Committee reviews material public disclosures made by HSBC Holdings for any material errors, misstatements or omissions. The membership of the Disclosure Committee, which is chaired by the Group Company Secretary, includes the heads of Global Finance, Legal, Risk (including Financial Crime Compliance and Regulatory Compliance), Communications, Investor Relations, and Internal Audit functions and representatives from the principal regions and global businesses. The integrity of disclosures is underpinned by structures and processes within the Global Finance and Risk functions that support expert and rigorous analytical review of financial reporting complemented by certified reviews by heads of global businesses, global functions and certain legal entities.
· Financial reporting. The Group financial reporting process for preparing the consolidated Annual Report and Accounts 2013 is controlled using documented accounting policies and reporting formats, supported by a chart of accounts with detailed instructions and guidance on reporting requirements, issued by Group Finance to all reporting entities within the Group in advance of each reporting period end. The submission of financial information from each reporting entity to Group Finance is subject to certification by the responsible financial officer, and analytical review procedures at reporting entity and Group levels.
· Responsibility for risk management. Management of global businesses and global functions are primarily accountable for managing, measuring and monitoring their risks and controls. Processes consistent with the three lines of defence risk management and the internal control model are in place to ensure weaknesses are escalated to senior management and addressed.
· IT operations. Centralised functional control is exercised over all IT developments and operations. Common systems are employed for similar business processes wherever practicable.
· Functional management. Global functional management is responsible for setting policies, procedures and standards for the following risks: credit, market, liquidity and funding, capital, financial management, model, reputational, pension, strategic, sustainability and operational risk (including accounting, tax, legal, financial crime compliance, regulatory compliance, fiduciary, information security, security and fraud, systems and people risk), insurance and Islamic finance risk. Authorities to enter into credit and market risk exposures are delegated with limits to line management of Group companies. The concurrence of the appropriate global function is required, however, to credit proposals with specified higher risk characteristics. Credit and market risks are measured and reported on in subsidiaries and aggregated for review of risk concentrations on a Group-wide basis.
· CEO Attestation process. Global Operational Risk coordinate the annual CEO Attestation process under which the chief executive officer of each of the Group's material subsidiaries confirms that the internal control framework applicable to that subsidiary has been assessed and any significant open issues have been identified, with action plans in place to address weaknesses. The remediation of these issues is monitored by the Operational Risk and Internal Control ('ORIC') teams for the relevant regions/global businesses and reports on progress are presented to their ORIC committees and quarterly to Global Operational Risk. An annual report and updates on identified issues and remediation plans are presented to the GRC and the GAC.
· Internal Audit. The establishment and maintenance of appropriate systems of risk management and internal control is primarily the responsibility of business management. The Global Internal Audit function, which is centrally controlled, provides independent and objective assurance in respect of the adequacy of the design and operating effectiveness of the Group's framework of risk management, control and governance processes across the Group, focusing on the areas of greatest risk to HSBC using a risk-based approach. The Group Head of Global Internal Audit reports to the Chairman of the GRC and Chairman of the GAC in relation to the independence of the function and resourcing, with a secondary executive reporting line to the Group Chief Executive Officer.
· Internal Audit recommendations. Executive management is responsible for ensuring that recommendations made by the Global Internal Audit function are implemented within an appropriate and agreed timetable. Confirmation to this effect must be provided to Global Internal Audit.
· Reputational risk. Policies to guide subsidiary companies and management at all levels in the conduct of business to safeguard the Group's reputation are established by the Board and its committees, subsidiary company boards and their committees and senior management. Reputational risks can arise from a variety of causes including environmental, social and governance issues, as a consequence of operational risk events and as a result of employees acting in a manner inconsistent with HSBC Values. HSBC's reputation depends upon the way in which it conducts its business and may be affected by the way in which clients, to which it provides financial services, conduct their business or use financial products and services.