The Directors are responsible for maintaining and reviewing the effectiveness of risk management and internal control systems and for determining the nature and extent of the significant risks HSBC is willing to take in achieving its strategic objectives. To meet this requirement and to discharge its obligations under the ‘Handbook of Rules and Guidance’ issued by the FCA and PRA, procedures have been designed for safeguarding assets against unauthorised use or disposal; for maintaining proper accounting records; and for ensuring the reliability and usefulness of financial information used within the business or for publication. These procedures can only provide reasonable and not absolute assurance against material misstatement, errors, losses or fraud.
These procedures are designed to provide effective internal control within HSBC and accord with the Financial Reporting Council’s guidance for directors, issued in its revised form in 2005, which was the subject of a recent consultation that closed in January 2014. They have been in place throughout the year and up to 24 February 2014, the date of approval of the Annual Report and Accounts 2013. In the case of companies acquired during the year, the risk management and internal controls in place are being reviewed against HSBC’s benchmarks and integrated into HSBC’s processes.
HSBC’s key risk management and internal control procedures include the following:
- Group standards. Functional, operating, financial reporting and certain management reporting standards are established by global function management committees, for application throughout HSBC. These are supplemented by operating standards set by functional and local management as required for the type of business and geographical location of each subsidiary
- Delegation of authority within limits set by the Board. Authority is delegated to each relevant Group Managing Director to manage the day-to-day affairs of the business or function for which he or she is accountable within limits set by the Board. Delegation of authority from the Board requires those individuals to maintain a clear and appropriate apportionment of significant responsibilities and to oversee the establishment and maintenance of systems of control that are appropriate to the business or function. Appointments to the most senior positions within HSBC require the approval of the Board
- Risk identification and monitoring. Systems and procedures are in place to identify, control and report on the major risks facing HSBC including credit, market, liquidity and funding, capital, financial management, model, reputational, pension, strategic, sustainability, operational (including accounting, tax, legal, regulatory compliance, financial crime compliance, fiduciary, security and fraud, systems operations, project and people risk), insurance and Islamic finance risk. Exposure to these risks is monitored by risk management committees, asset, liability and capital management committees and executive committees in subsidiaries and, for the Group, in Risk Management Meetings (‘RMM’) of the GMB, which are chaired by the Group Chief Risk Officer. RMM meets regularly to address asset, liability and risk management issues. HSBC’s operational risk profile and the effective implementation of the Group’s operational risk management framework are monitored by the Global Operational Risk and Control Committee (‘GORCC’), which reports to the RMM. Model risks are monitored by the Model Oversight Committee, which also reports to the RMM. The minutes of the GMB meetings and the RMM are provided to members of the GAC, the GRC and the Board
- Changes in market conditions/practices. Processes are in place to identify new risks arising from changes in market conditions/practices or customer behaviours, which could expose HSBC to heightened risk of loss or reputational damage. During 2013, attention was focused on:
– emerging markets’ slowdown;
– increased geopolitical risk;
– regulatory developments affecting our business model and Group profitability;
– regulatory investigations, fines, sanctions commitments and consent orders and requirements relating to conduct of business and financial crime negatively affecting our results and brand;
– dispute risk;
– heightened execution risk;
– internet crime and fraud;
– information security risk; and
– model risk.
- Strategic plans. Periodic strategic plans are prepared for global businesses, global functions and certain geographical regions within the framework of the Group’s strategy. Annual Operating Plans, informed by detailed analysis of risk appetite describing the types and quantum of risk that we are prepared to take in executing our strategy, are prepared and adopted by all major HSBC operating companies and set out the key business initiatives and the likely financial effects of those initiatives
- Disclosure Committee. The Disclosure Committee reviews material public disclosures made by HSBC Holdings for any material errors, misstatements or omissions. The membership of the Disclosure Committee, which is chaired by the Group Company Secretary, includes the heads of Global Finance, Legal, Risk (including Financial Crime Compliance and Regulatory Compliance), Communications, Investor Relations, and Internal Audit functions and representatives from the principal regions and global businesses. The integrity of disclosures is underpinned by structures and processes within the Global Finance and Risk functions that support expert and rigorous analytical review of financial reporting complemented by certified reviews by heads of global businesses, global functions and certain legal entities
- Financial reporting. The Group financial reporting process for preparing the consolidated Annual Report and Accounts 2013 is controlled using documented accounting policies and reporting formats, supported by a chart of accounts with detailed instructions and guidance on reporting requirements, issued by Group Finance to all reporting entities within the Group in advance of each reporting period end. The submission of financial information from each reporting entity to Group Finance is subject to certification by the responsible financial officer, and analytical review procedures at reporting entity and Group levels
- Responsibility for risk management. Management of global businesses and global functions are primarily accountable for managing, measuring and monitoring their risks and controls. Processes consistent with the three lines of defence risk management and internal control model are in place to ensure weaknesses are escalated to senior management and addressed
- IT operations. Centralised functional control is exercised over all IT developments and operations. Common systems are employed for similar business processes wherever practicable
- Functional management. Global functional management is responsible for setting policies, procedures and standards for the following risks: credit, market, liquidity and funding, capital, financial management, model, reputational, pension, strategic, sustainability and operational risk (including accounting, tax, legal, financial crime compliance, regulatory compliance, fiduciary, information security, security and fraud, systems and people risk), insurance and Islamic finance risk. Authorities to enter into credit and market risk exposures are delegated with limits to line management of Group companies. The concurrence of the appropriate global function is required, however, for credit proposals with specified higher risk characteristics. Credit and market risks are measured and reported on in subsidiaries and aggregated for review of risk concentrations on a Group-wide basis
- CEO Attestation process. Global Operational Risk coordinates the annual CEO Attestation process under which the chief executive officer of each of the Group’s material subsidiaries confirms that the internal control framework applicable to that subsidiary has been assessed and any significant open issues have been identified, with action plans in place to address weaknesses. The remediation of these issues is monitored by the Operational Risk and Internal Control (‘ORIC’) teams for the relevant regions/global businesses, and reports on progress are presented to their ORIC committees and quarterly to Global Operational Risk. An annual report and updates on identified issues and remediation plans are presented to the GRC and the GAC
- Internal Audit. The establishment and maintenance of appropriate systems of risk management and internal control is primarily the responsibility of business management. The Global Internal Audit function, which is centrally controlled, provides independent and objective assurance in respect of the adequacy of the design and operating effectiveness of the Group’s framework of risk management, control and governance processes across the Group, focusing on the areas of greatest risk to HSBC using a risk-based approach. The Group Head of Global Internal Audit reports to the Chairman of the GRC and Chairman of the GAC in relation to the independence of the function and resourcing, with a secondary executive reporting line to the Group Chief Executive Officer
- Internal Audit recommendations. Executive management is responsible for ensuring that recommendations made by the Global Internal Audit function are implemented within an appropriate and agreed timetable. Confirmation to this effect must be provided to Global Internal Audit
- Reputational risk. Policies to guide subsidiary companies and management at all levels in the conduct of business to safeguard the Group’s reputation are established by the Board and its committees, subsidiary company boards and their committees and senior management. Reputational risks can arise from a variety of causes including environmental, social and governance issues, as a consequence of operational risk events and as a result of employees acting in a manner inconsistent with HSBC Values. HSBC’s reputation depends upon the way in which it conducts its business and may be affected by the way in which clients, to which it provides financial services, conduct their business or use financial products and services
Role of GAC and GRC
On behalf of the Board, the GAC has responsibility for oversight of risk management and internal controls over financial reporting and the GRC has responsibility for oversight of risk management and internal controls, other than over financial reporting.
During the year, the GRC and the GAC have kept under review the effectiveness of this system of internal control and have reported regularly to the Board. In carrying out their reviews, the GRC and the GAC receive regular business and operational risk assessments, regular reports from the Group Chief Risk Officer and the Global Head of Internal Audit; reports on the annual reviews of the internal control framework of HSBC Holdings which cover all internal controls, both financial and non-financial; annual confirmations from chief executives of principal subsidiary companies as to whether there have been any material losses, contingencies or uncertainties caused by weaknesses in internal controls; internal audit reports; external audit reports; prudential reviews; and regulatory reports. The GRC monitors the status of top and emerging risks and considers whether the mitigating actions put in place are appropriate. In addition, when unexpected losses have arisen or when incidents have occurred which indicate gaps in the control framework or in adherence to Group policies, the GRC and the GAC review special reports, prepared at the instigation of management, which analyse the cause of the issue, the lessons learned and the actions proposed by management to address the issue.
Effectiveness of internal controls
The Directors, through the GRC and the GAC, have conducted an annual review of the effectiveness of our system of risk management and internal control covering all material controls, including financial, operational and compliance controls, risk management systems, the adequacy of resources, qualifications and experience of staff of the accounting and financial reporting function and the risk function, and their training programmes and budget. The review does not extend to joint ventures or associates.
The GRC and the GAC have received confirmation that executive management has taken or is taking the necessary actions to remedy any failings or weaknesses identified through the operation of our framework of controls.