The Directors are responsible for maintaining and reviewing the effectiveness of risk management and internal control systems and for determining the nature and extent of the significant risks the Group is willing to take in achieving its strategic objectives. To meet this requirement and to discharge its obligations under the FCA Handbook and PRA Handbook, procedures have been designed for safeguarding assets against unauthorised use or disposal; for maintaining proper accounting records; and for ensuring the reliability and usefulness of financial information used within the business or for publication. These procedures can only provide reasonable, but not absolute, assurance against material misstatement, errors, losses or fraud.

These procedures are designed to provide effective internal control within HSBC and accord with the Financial Reporting Council’s guidance for directors issued in its revised form in 2005. HSBC’s procedures have been in place throughout the year and up to 23 February 2015, the date of approval of the Annual Report and Accounts 2014. This guidance was amended following consultations undertaken by the Financial Reporting Council in November 2013 and April 2014, resulting in revised guidance on risk management, internal control and related financial and business reporting. The revised guidance applies to companies with financial years beginning on or after 1 October 2014.

In the case of companies acquired during the year, the risk management and internal controls in place are being reviewed against HSBC’s benchmarks and integrated into HSBC’s processes. In 2014 the GAC and GRC endorsed the adoption of the COSO 2013 framework for the monitoring of risk management and internal control systems to satisfy the requirements of Section 404 of the Sarbanes-Oxley Act of 2002, the UK Corporate Governance Code and the Hong Kong Corporate Governance Code. Full implementation of the COSO 2013 framework will be completed in 2015. For the year ended 31 December 2014, HSBC continued to evaluate its internal control over financial reporting under the Financial Reporting Council’s Internal Control Revised Guidance for Directors and the original COSO 1992 framework.

HSBC’s key risk management and internal control procedures include the following:

  • Group Standards. Functional, operating, financial reporting and certain management reporting standards are established by global function management committees, for application throughout HSBC. These are supplemented by operating standards set by functional and local management as required for the type of business and geographical location of each subsidiary.
  • Delegation of authority within limits set by the Board. Authority is delegated within limits set by the Board to each relevant Group Managing Director to manage the day to day affairs of the business or function for which he or she is accountable. Delegation of authority from the Board requires those individuals to maintain a clear and appropriate apportionment of significant responsibilities and to oversee the establishment and maintenance of systems of control that are appropriate to their business or function. Appointments to the most senior positions within HSBC require the approval of the Board.
  • Risk identification and monitoring. Systems and procedures are in place to identify, control and report on the major risks facing HSBC including credit, market, liquidity and funding, capital, financial management, model, reputational, pension, strategic, sustainability, operational (including accounting, tax, legal, regulatory compliance, financial crime compliance, fiduciary, security and fraud, systems operations, project and people risk) and insurance risk. Exposure to these risks is monitored by risk management committees, asset, liability and capital management committees and executive committees in subsidiaries and, for the Group, in Risk Management Meetings (‘RMM’) of the GMB which are chaired by the Group Chief Risk Officer. RMM meets regularly to discuss enterprise-wide risk management issues. Asset, liability and capital management issues are monitored by the Group ALCO, which also reports to the RMM. HSBC’s operational risk profile and the effective implementation of the Group’s operational risk management framework are monitored by the Global Operational Risk Committee (‘GORC’), which reports to the RMM. Model risks are monitored by the Model Oversight Committee which also reports to the RMM. The minutes of the GMB meetings and the RMM are provided to members of the GAC, the GRC and the Board.
  • Changes in market conditions/practices. Processes are in place to identify new risks arising from changes in market conditions/practices or customer behaviours, which could expose HSBC to heightened risk of loss or reputational damage. During 2014, attention was focused on:

    – economic outlook and government intervention;
    – increased geopolitical risk;
    – regulatory developments affecting our business model and Group profitability;
    – regulatory investigations, fines, sanctions commitments and consent orders and requirements relating to conduct of business and financial crime negatively affecting our results and brand;
    – dispute risk;
    – heightened execution risk;
    – people risk;
    – third party risk management;
    – internet crime and fraud;
    – information security risk;
    – data management; and
    – model risk.

  • Strategic plans. Periodic strategic plans are prepared for global businesses, global functions and certain geographical regions within the framework of the Group’s strategy. Annual Operating Plans, informed by detailed analysis of risk appetite describing the types and quantum of risk that we are prepared to take in executing our strategy, are prepared and adopted by all major HSBC operating companies and set out the key business initiatives and the likely financial effects of those initiatives.
  • Disclosure Committee. The Disclosure Committee reviews material public disclosures made by HSBC Holdings for any material errors, misstatements or omissions. The membership of the Disclosure Committee, which is chaired by the Group Company Secretary, includes the heads of Global Finance, Legal, Risk (including Financial Crime Compliance and Regulatory Compliance), Communications, Investor Relations, and Internal Audit functions and representatives from the principal regions and global businesses. The integrity of disclosures is underpinned by structures and processes within the Global Finance and Global Risk functions that support expert and rigorous analytical review of financial reporting complemented by certified reviews by heads of global businesses, global functions and certain legal entities.
  • Financial reporting. The Group financial reporting process for preparing the consolidated Annual Report and Accounts 2014 is controlled using documented accounting policies and reporting formats, supported by a chart of accounts with detailed instructions and guidance on reporting requirements, issued by Group Finance to all reporting entities within the Group in advance of each reporting period end. The submission of financial information from each reporting entity to Group Finance is subject to certification by the responsible financial officer, and analytical review procedures at reporting entity and Group levels.
  • Responsibility for risk management. Management of global businesses and global functions are primarily accountable for measuring, monitoring, mitigating and managing their risks and controls. Processes are in place to ensure weaknesses are escalated to senior management and addressed, supported by our three lines of defence model.
  • IT operations. Centralised functional control is exercised over all IT developments and operations. Common systems are employed for similar business processes wherever practicable.
  • Functional management. Global functional management is responsible for setting policies, procedures and standards for the following risks: credit, market, liquidity and funding, capital, financial management, model, reputational, pension, strategic, sustainability and operational risk (including accounting, tax, legal, financial crime compliance, regulatory compliance, fiduciary, information security, security and fraud, systems and people risk) and insurance risk. Authorities to enter into credit and market risk exposures are delegated with limits to line management of Group companies. The concurrence of the appropriate global function is required, however, to credit proposals with specified higher risk characteristics. Credit and market risks are measured and reported at subsidiary company level and aggregated for risk concentration analysis on a Group-wide basis.
  • Internal Audit. The establishment and maintenance of appropriate systems of risk management and internal control is primarily the responsibility of business management. The Global Internal Audit function, which is centrally controlled, provides independent and objective assurance in respect of the adequacy of the design and operating effectiveness of the Group’s framework of risk management, control and governance processes across the Group, focusing on the areas of greatest risk to HSBC using a risk-based approach. The Group Head of Internal Audit reports to the Chairman of the GAC and administratively to the Group Chief Executive.
  • Internal Audit recommendations. Executive management is responsible for ensuring that recommendations made by the Global Internal Audit function are implemented within an appropriate and agreed timetable. Confirmation to this effect must be provided to Global Internal Audit.
  • Reputational risk. Policies to guide subsidiary companies and management at all levels in the conduct of business to safeguard the Group’s reputation are established by the Board and its committees, subsidiary company boards and their committees and senior management. Reputational risks can arise from a variety of causes including environmental, social and governance issues, as a consequence of operational risk events and as a result of employees acting in a manner inconsistent with HSBC Values. HSBC’s reputation depends upon the way in which it conducts its business and may be affected by the way in which clients, to which it provides financial services, conduct their business or use financial products and services.

Role of GAC and GRC

On behalf of the Board, the GAC has responsibility for oversight of risk management and internal controls over financial reporting and the GRC has responsibility for oversight of risk management and internal controls, other than over financial reporting.

During the year, the GRC and the GAC have kept under review the effectiveness of this system of internal control and have reported regularly to the Board. In carrying out their reviews, the GRC and the GAC receive: regular business and operational risk assessments; regular reports from the Group Chief Risk Officer and the Group Head of Internal Audit; reports on the annual reviews of the internal control framework of HSBC Holdings, which cover all internal controls, both financial and non-financial; half-yearly confirmations to the GAC from the audit and risk committees of principal subsidiary companies regarding whether their financial statements have been prepared in accordance with Group policies, present fairly the state of affairs of the relevant principal subsidiary and are prepared on a going concern basis, and confirming whether there have been any material losses, contingencies or uncertainties caused by weaknesses in internal controls; internal audit reports; external audit reports; prudential reviews; and regulatory reports. The GRC monitors the status of top and emerging risks and considers whether the mitigating actions put in place are appropriate. In addition, when unexpected losses have arisen or when incidents have occurred which indicate gaps in the control framework or in adherence to Group policies, the GRC and the GAC review special reports, prepared at the instigation of management, which analyse the cause of the issue, the lessons learned and the actions proposed by management to address the issue.

Effectiveness of internal controls

The Directors, through the GRC and the GAC, have conducted an annual review of the effectiveness of our system of risk management and internal control covering all material controls, including financial, operational and compliance controls, risk management systems, the adequacy of resources, qualifications and experience of staff of the accounting and financial reporting function and the risk function, and their training programmes and budget. The review does not extend to joint ventures or associates. The annual review of the effectiveness of our system of risk management and internal control was conducted with reference to COSO principles functioning as evidenced by specified entity level controls. A report on the effectiveness of each entity level control and regular risk and control reporting was escalated to the GRC and GAC from certain key management committees.

The GRC and the GAC have received confirmation that executive management has taken or is taking the necessary actions to remedy any failings or weaknesses identified through the operation of our framework of controls.