The Board is responsible for maintaining and reviewing the effectiveness of risk management and internal control systems and for determining the aggregate level and types of risks it is willing to take in achieving its strategic objectives.
To meet this requirement and to discharge its obligations under the FCA Handbook and PRA Handbook, procedures have been designed for safeguarding assets against unauthorised use or disposal; for maintaining proper accounting records; and for ensuring the reliability and usefulness of financial information used within the business or for publication.
These procedures can only provide reasonable but not absolute assurance against material misstatement, errors, losses or fraud. They are designed to provide effective internal control within HSBC and accord with the Financial Reporting Council’s guidance for directors issued in 2014 on internal control and related financial and business reporting. Our procedures have been in place throughout the year and up to 22 February 2016, the date of approval of the Annual Report and Accounts 2015.
In 2014, the GAC endorsed the adoption of the COSO 2013 framework for the monitoring of risk management and internal control systems to satisfy the requirements of Section 404 of the Sarbanes-Oxley Act of 2002. Additionally, the risk management framework enabled the GRC to monitor controls over principal risks to meet the requirements of the UK Corporate Governance Code and the Hong Kong Corporate Governance Code.
HSBC’s key risk management and internal control procedures include the following:
– wholesale credit risk;
– retail credit risk;
– insurance risk;
– asset, liability and capital management risk;
– market risk;
– financial management risk;
– model risk;
– reputational risk;
– pension risk;
– strategic risk;
– sustainability risk; and
– operational risk (including accounting, tax, legal, regulatory compliance, financial crime compliance, fiduciary, political, physical, internal, external, contingency, information security, systems, operations, project and people risks).
Exposure to these risks is monitored by risk management committees, asset, liability and capital management committees and executive committees in subsidiaries and, for the Group, in Risk Management Meetings of the GMB (‘RMM’), which are chaired by the Group Chief Risk Officer. The RMM meets regularly to discuss enterprise-wide risk management matters. Asset, liability and capital management matters are monitored by the Group ALCO, which reports to the RMM.
HSBC’s operational risk profile and the effective implementation of the Group’s operational risk management framework are monitored by the Global Operational Risk Committee, which reports to the RMM.
Model risks are monitored by the Model Oversight Committee which also reports to the RMM.
– economic outlook and capital flows;
– geopolitical risk;
– turning of the credit cycle;
– regulatory developments affecting the business model and profitability;
– regulatory commitments and consent orders;
– regulatory focus on conduct of business and financial crime;
– dispute risk;
– people risk;
– execution risk;
– third-party risk management;
– model risk;
– cyber threat and unauthorised access to systems; and
– data management.
On behalf of the Board, the GAC has responsibility for overseeing risk management and internal controls over financial reporting and the GRC has responsibility for overseeing risk management and internal controls, other than over financial reporting.
During the year, the GRC and the GAC have kept under review the effectiveness of this system of internal control and have reported regularly to the Board. In carrying out their reviews, the GRC and the GAC received:
The GRC and GAC have separately established governance frameworks for their respective oversight and interaction with the audit and risk committees of key entities within the Group. These provide for regular reporting, issues escalation and processes for the nomination and endorsement of subsidiary committee appointments. These principles and processes have in turn been cascaded by these key entities to their respective subsidiaries to provide clear vertical channels of governance.
The internal control responsibilities of the GAC and GRC are complemented by the activities of the Conduct & Values Committee ('CVC') and the Financial System Vulnerabilities Committee ('FSVC') which, respectively, oversee internal controls over conduct-related matters and financial crime compliance. The GRC receives regular reports at each of its meetings on the activities of both the CVC and the FSVC. The GRC monitors the status of top and emerging risks and considers whether the mitigating actions put in place are appropriate. In addition, when unexpected losses have arisen or when incidents have occurred which indicate gaps in the control framework or in adherence to Group policies, the GRC and the GAC review special reports, prepared at the instigation of management, which analyse the cause of the issue, the lessons learned and the actions proposed by management to address the issue.
The Directors, through the GRC and the GAC, have conducted an annual review of the effectiveness of our system of risk management and internal control covering all material controls, including financial, operational and compliance controls, risk management systems, the adequacy of resources, qualifications and experience of staff of the accounting and financial reporting teams and the Global Risk function, and their training programmes and budget. The annual review of effectiveness of our system of risk management and internal control over financial reporting was conducted with reference to the COSO framework. The annual review of other controls was undertaken using the risk management framework on pages 102 to 103.
The GRC and the GAC have received confirmation that executive management has taken or is taking the necessary actions to remedy any failings or weaknesses identified through the operation of our framework of controls. In particular, during the year it was determined that the control environment associated with IT privileged access required significant improvement. Deficiencies were noted in the design and operation of controls for the granting, release and monitoring of privileged access in a number of systems. For the identified deficiencies, management responded by implementing a programme to determine the scale and nature of the deficiencies, remediate identified control deficiencies and determine if privileged access had been misused during 2015. Management also identified and assessed the effectiveness of relevant IT, business, monitoring and period-end mitigating controls.
The Board has appointed a number of committees consisting of certain Directors, Group Managing Directors and certain co-opted non-director members.