To meet this requirement and to discharge its obligations under the FCA Handbook and the PRA Handbook, procedures have been designed for safeguarding assets against unauthorised use or disposal; for maintaining proper accounting records; and for ensuring the reliability and usefulness of financial information used within the business or for publication.

These procedures can only provide reasonable assurance against material mis-statement, errors, losses or fraud. They are designed to provide effective internal control within the Group and accord with the Financial Reporting Council's guidance for directors issued in 2014, internal control and related financial and business reporting. The procedures have been in place throughout the year and up to 21 February 2017, the date of approval of the Annual Report and Accounts 2016.

In 2014, the Group Audit Committee (‘GAC’) endorsed the adoption of the COSO 2013 framework for the monitoring of risk management and internal control systems to satisfy the requirements of Section 404 of the Sarbanes-Oxley Act of 2002.

The key risk management and internal control procedures include the following:

  • The Group’s Global Standards Manual (‘GSM’) outlines the core principles within which the Group must operate wherever we conduct business. The GSM overlays all other policies and procedures throughout the Group. The requirements of the GSM are mandatory, apply to and must be observed by all businesses within the Group, regardless of the nature or location of their activities.

  • Delegation of authority within limits set by the Board: subject to certain matters reserved for the Board, the Group Chief Executive has been delegated authority limits and powers within which to manage the day-to-day affairs of the Group, including the right to sub-delegate those limits and powers. Each relevant group managing director or executive Director has delegated authority within which to manage the day-to-day affairs of the business or function for which he or she is accountable. Delegation of authority from the Board requires those individuals to maintain a clear and appropriate apportionment of significant responsibilities and to oversee the establishment and maintenance of systems of control that are appropriate to their business or function. Authorities to enter into credit and market risk exposures are delegated with limits to line management of Group companies. The concurrence of the appropriate global function is required, however, to credit proposals with specified higher risk characteristics. Credit and market risks are measured and reported at subsidiary company level and aggregated for risk concentration analysis on a Group-wide basis.

  • Risk identification and monitoring: Systems and procedures are in place to identify, assess, control and monitor the material risk types facing HSBC. Our risk measurement and reporting systems are designed to help ensure that risks are comprehensively captured with all the attributes necessary to support well-founded decisions, that those attributes are accurately assessed and that information is delivered in a timely manner for those risks to be successfully managed and mitigated.

  • Changes in market conditions/practices: processes are in place to identify new risks arising from changes in market conditions/practices or customer behaviours, which could expose HSBC to heightened risk of loss or reputational damage. The Group employs a top and emerging risks framework at all levels of the organisation, which enables it to identify current and forward-looking risks and to take action which either prevents them materialising or limits their impact.

  • Responsibility for risk management: All employees are responsible for identifying and managing risk within the scope of their role as part of the three lines of defence model, which is an activity-based model to delineate management accountabilities and responsibilities for risk management and the control environment. The second line of defence sets the policy and guidelines for managing specific risk areas, provides advice and guidance in relation to the risk, and challenges the first line of defence (the risk owners) on effective risk management.

  • Strategic plans: strategic plans are prepared for global businesses, global functions and geographical regions within the framework of the Group’s overall strategy. Annual Operating Plans, informed by detailed analysis of risk appetite describing the types and quantum of risk that the Group is prepared to take in executing its strategy, are prepared and adopted by all major HSBC operating companies and set out the key business initiatives and the likely financial effects of those initiatives.

  • IT operations: centralised control is exercised over all IT developments and operations. Common systems are employed for similar business processes wherever practicable.

  • Subsidiary certifications to Group Risk Committee (‘GRC’): half-yearly confirmations are provided to the GRC from the risk committees of principal subsidiary companies confirming that the committees have challenged management on the quality of the information provided, reviewed the actions proposed by management to address any emerging issues or trends indicating material divergence from the Group’s risk appetite and that the risk management and internal control systems in place are operating effectively.

The key risk management and internal control procedures over financial reporting include the following:

  • Disclosure Committee: the Disclosure Committee, which is chaired by the Group Company Secretary, supports the discharge of the Group’s obligations under relevant legislation and regulation including the UK and Hong Kong Listing Rules, the Market Abuse Regulation and SEC rules. In so doing the Committee is empowered to (i) determine whether a new event or circumstances should be disclosed, including the form and timing of such disclosure and (ii) review all material disclosures made or to be made by the Group. The membership of the Disclosure Committee includes the Group Finance Director, Group Chief Risk Officer, Chief Legal Officer, Group Chief Accounting Officer, Global Head of Public Affairs, Global Head of Investor Relations, Group Head of Strategy and Planning and Group Financial Controller. The integrity of disclosures is underpinned by structures and processes within the Global Finance and Global Risk functions that support rigorous analytical review of financial reporting and the maintenance of proper accounting records.

  • Financial reporting: the Group’s financial reporting process is controlled using documented accounting policies and reporting formats, supported by detailed instructions and guidance on reporting requirements, issued to all reporting entities within HSBC in advance of each reporting period end. The submission of financial information from each reporting entity is subject to certification by the responsible financial officer, and analytical review procedures at reporting entity and Group levels.

  • Subsidiary certifications to the GAC: half-yearly confirmations are provided to the GAC from the audit committees of principal subsidiary companies regarding whether their financial statements have been prepared in accordance with Group policies, present fairly the state of affairs of the relevant principal subsidiary and are prepared on a going concern basis. 

The internal control responsibilities of the GRC and GAC were complemented by the activities of the Conduct & Values Committee and the Financial System Vulnerabilities Committee which, respectively, oversaw internal control over conduct-related matters and financial crime compliance. Collectively, these controls are designed to provide effective internal control within the Group.

The GRC and the GAC have received confirmation that executive management has taken or is taking the necessary actions to remedy any failings or weaknesses identified through the operation of the Group's framework of controls. In 2015, deficiencies in the design and operational effectiveness of a number of controls associated with IT privileged access were identified. Significant improvement in the control environment has been observed as a result of management’s progress on the execution of the IT privileged access remediation programme. Management has assessed the effectiveness of relevant IT, business, monitoring and period-end mitigating controls for 2016.

The Directors, through the GRC and the GAC, have conducted an annual review of the effectiveness of the Group's system of risk management and internal control covering all material controls, including financial, operational and compliance controls, risk management systems, the adequacy of resources, qualifications and experience of staff of the accounting and financial reporting function and the Global Risk function, and their training programmes and budget. The annual review of the effectiveness of the Group’s system of risk management and internal control over financial reporting was conducted with reference to the COSO framework. The annual review of other controls was undertaken using the Group’s risk management framework. Based on the assessment performed, the Directors concluded that for the year ended 31 December 2016, the Group’s internal controls were effective.
