The Directors are responsible for internal control in HSBC and for reviewing its effectiveness. Procedures have been designed for safeguarding assets against unauthorised use or disposition; for maintaining proper accounting records; and for the reliability and usefulness of financial information used within the business or for publication. Such procedures are designed to manage rather than eliminate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement, errors, losses or fraud. The procedures also enable HSBC Holdings to discharge its obligations under the Handbook of Rules and Guidance issued by the FSA, HSBC's lead regulator.

The key procedures that the Directors have established are designed to provide effective internal control within HSBC and accord with the Internal Control: Revised Guidance for Directors on the Combined Code on Corporate Governance issued by the Financial Reporting Council. Such procedures for the ongoing identification, evaluation and management of the significant risks faced by HSBC have been in place throughout the year and up to 28 February 2011, the date of approval of the Annual Report and Accounts 2010. In the case of companies acquired during the year, the internal controls in place are being reviewed against HSBC's benchmarks and integrated into HSBC's processes.

Key internal control procedures include the following:

  • authority to operate the various subsidiaries and responsibilities for financial performance against plans and for capital expenditure are delegated to their respective chief executive officers within limits set by the Board. Delegation of authority from the Board to individuals requires those individuals to maintain a clear and appropriate apportionment of significant responsibilities and to oversee the establishment and maintenance of systems of control appropriate to the business. The appointment of executives to the most senior positions within HSBC requires the approval of the Board;
  • functional, operating, financial reporting and certain management reporting standards are established by GMO management committees, for application across the whole of HSBC. These are supplemented by operating standards set by functional and local management as required for the type of business and geographical location of each subsidiary;
  • systems and procedures are in place in HSBC to identify, control and report on the major risks including credit, market, liquidity and operational risk (including accounting, tax, legal, compliance, fiduciary, information, physical security, business continuity, fraud, systems and people risk). Exposure to these risks is monitored by risk management committees, asset and liability committees and executive committees in subsidiaries and, for HSBC as a whole, by the GMB. A Risk Management Meeting of the GMB, chaired by the Group Chief Risk Officer, is held in each month (except August) to address asset, liability and risk management issues. The minutes of this meeting are submitted to the GAC, the GRC and the Board;
  • the Global Operational Risk and Control Committee ('GORCC'), which reports to the Risk Management Meeting of the GMB, meets at least quarterly to monitor HSBC's operational risk profile and review the effective implementation of the Group's operational risk management framework. The GORCC receives quarterly reports on the Group's operational risk profile, including top risks, control issues, internal and external operational loss events and key risk indicators. The GORCC communicates the lessons learned from operational events both within HSBC and in the wider industry;
  • a Disclosure Committee has been established to review material public disclosures made by HSBC Holdings for any material errors, misstatements or omissions. The membership of the Disclosure Committee, which is chaired by the Group Company Secretary, includes the heads of the Finance, Legal, Risk, Compliance, Corporate Communications, Investor Relations and Internal Audit functions and representatives from the principal regions, customer groups and global businesses. The integrity of disclosures is underpinned by structures and processes within the Finance and Risk functions that support expert and rigorous analytical review of financial reporting;
  • the group financial reporting process for preparing the consolidated Annual Report and Accounts 2010 is controlled using documented accounting policies and reporting formats, supported by a chart of accounts with detailed instructions and guidance on reporting requirements, issued by Group Finance to all reporting entities within the Group in advance of each reporting period end. The submission of financial information from each reporting entity to Group Finance is subject to certification by the responsible financial officer, and analytical review procedures at reporting entity and Group levels;
  • processes are in place to identify new risks from changes in market conditions/practices or customer behaviours, which could expose HSBC to heightened risk of loss or reputational damage. During 2010, attention was focused on refinement and operation of the stress testing framework; the roll-out of enhanced counterparty risk aggregation, risk management information, portfolio and crisis management processes; the mitigation of information risks; enhancement of policies and practices relevant to the prevention of financial crimes; and changes in the regulation of and public policy towards the financial services industry. From January 2011, risk review and audit functions have increased their focus on global thematic risks;
  • periodic strategic plans are prepared for key customer groups, global product groups, support functions and certain geographies within the framework of the Group Strategic Plan. Rolling operating plans, informed by detailed analysis of risk appetite describing the types and quantum of risk that HSBC is prepared to take in executing its strategy, are prepared and adopted by all major HSBC operating companies and set out the key business initiatives and the likely financial effects of those initiatives;
  • governance arrangements are in place to provide oversight of, and advice to the Board on, material risk-related matters including assurance that risk analytical models are fit for purpose, used accordingly and complemented by both model-specific and enterprise-wide stress tests that evaluate the impact of severe yet plausible events and other unusual circumstances not fully captured by quantitative models;
  • centralised functional control is exercised over all IT developments and operations. Common systems are employed for similar business processes wherever practicable. Credit and market risks are measured and reported on in subsidiaries and aggregated for review of risk concentrations on a Group-wide basis;
  • functional management in GMO is responsible for setting policies, procedures and standards for the following risks: credit; market; liquidity; operations; IT; fraud; business continuity; security; information; insurance; accounting; tax; legal; regulatory compliance; fiduciary; human resources; reputational; sustainability; residual value; shariah and strategic risks. Authorities to enter into credit and market risk exposures are delegated with limits to line management of Group companies. The concurrence of GMO is required, however, to credit proposals with specified higher risk characteristics;
  • policies to guide subsidiary companies and management at all levels in the conduct of business to safeguard the Group's reputation are established by the Board and the GMB, subsidiary company boards, Board committees and senior management. Reputational risks can arise from environmental, social or governance issues, or as a consequence of operational risk events. As a banking group, HSBC's good reputation depends upon the way in which it conducts its business but it can also be affected by the way in which clients, to which it provides financial services, conduct their business or use financial products and services;
  • the establishment and maintenance of appropriate systems of internal control is primarily the responsibility of business management. The Internal Audit function, which is centrally controlled, monitors the effectiveness of internal control structures across the whole of HSBC focusing on the areas of greatest risk to HSBC as determined by a risk-based grading approach. The head of this function reports to the Group Chairman, the Group Chief Executive, the GRC and the GAC; and
  • executive management is responsible for ensuring that recommendations made by the Internal Audit function are implemented within an appropriate and agreed timetable. Confirmation to this effect must be provided to Internal Audit. Executive management must also confirm annually as part of the Internal Audit process that offices under their control have taken, or are in the process of taking, the appropriate actions to deal with all significant recommendations made by external auditors in management letters or by regulators following regulatory inspections.

Historically the GAC has provided oversight of internal controls and risk as well as oversight of financial reporting. Currently there is a degree of overlap between the responsibilities of the GAC and the GRC in relation to internal controls and risk governance. Each committee is reviewing its terms of reference with the aim of minimising the overlap.

The GRC and the GAC have kept under review the effectiveness of this system of internal control and have reported regularly to the Board. The key processes used by the GRC and the GAC in carrying out their reviews include: regular business and operational risk assessments; regular reports from the heads of key risk functions including Internal Audit and Compliance; the production annually of reviews of the internal control framework applied at GMO and major operating subsidiary levels measured against HSBC benchmarks, which cover all internal controls, both financial and non-financial; semi-annual confirmations from chief executives of principal subsidiary companies as to whether there have been any material losses, contingencies or uncertainties caused by weaknesses in internal controls; internal audit reports; external audit reports; prudential reviews; and regulatory reports. The GRC and the GAC keep under review a risk map of the status of key risk areas which impact the Group and consider whether the mitigating actions put in place are appropriate. In addition, when unexpected losses have arisen or when incidents have occurred which indicate gaps in the control framework or in adherence to Group policies, the GRC and the GAC review special reports, prepared at the instigation of management, which analyse the cause of the issue, the lessons learned and the actions proposed by management to address the issue.

The Directors, through the GRC and the GAC, have conducted an annual review of the effectiveness of HSBC's system of internal control covering all material controls, including financial, operational and compliance controls and risk management systems and the adequacy of resources, qualifications and experience of staff of the issuer's accounting and financial reporting function, and their training programmes and budget. The review does not extend to joint ventures or associates. The GRC and the GAC have received confirmation that executive management has taken or is taking the necessary actions to remedy any failings or weaknesses identified through the operation of HSBC's framework of controls.
