The Board is responsible for maintaining and reviewing the effectiveness of risk management and internal control systems and for determining the aggregate level and types of risks it is willing to take in achieving its strategic objectives.
To meet this requirement and to discharge its obligations under the FCA Handbook and PRA Handbook, procedures have been designed for safeguarding assets against unauthorised use or disposal; for maintaining proper accounting records; and for ensuring the reliability and usefulness of financial information used within the business or for publication.
These procedures can only provide reasonable but not absolute assurance against material mis-statement, errors, losses or fraud. They are designed to provide effective internal control within HSBC and accord with the Financial Reporting Council’s guidance for directors issued in 2014 on internal control and related financial and business reporting. Our procedures have been in place throughout the year and up to 22 February 2016, the date of approval of the Annual Report and Accounts 2015.
In 2014, the GAC endorsed the adoption of the COSO 2013 framework for the monitoring of risk management and internal control systems to satisfy the requirements of Section 404 of the Sarbanes-Oxley Act of 2002. Additionally, the risk management framework enabled the GRC to monitor controls over principal risks to meet the requirements of the UK Corporate Governance Code and the Hong Kong Corporate Governance Code.
HSBC’s key risk management and internal control procedures include the following:
Group Standards. The Global Standards Manual (‘GSM’) brings together the common standards and principles used in the conduct of all business, whatever its location or nature. The GSM overlays all other manuals throughout the Group and is a fundamental component of the Group’s risk management structure. It establishes the high level standards and policies by which, and within which, all members of the Group conduct their businesses. The GSM is mandatory and applies to, and must be observed by, all businesses within the Group, regardless of the nature or location of their activities.
Delegation of authority within limits set by the Board. Subject to certain matters reserved for the Board, the Group Chief Executive has been delegated authority limits and powers within which to manage the day-to-day affairs of the Group, including the right to sub-delegate those limits and powers. Each relevant Group Managing Director or Group Executive Director has delegated authority within which to manage the day-to-day affairs of the business or function for which he or she is accountable. Delegation of authority from the Board requires those individuals to maintain a clear and appropriate apportionment of significant responsibilities and to oversee the establishment and maintenance of systems of control that are appropriate to their business or function. Appointments to the most senior positions within HSBC require the approval of the Board.
Risk identification and monitoring. Systems and procedures are in place to identify, control and report on the material risk types facing HSBC as set out below:
– wholesale credit risk;
– retail credit risk;
– insurance risk;
– asset, liability and capital management risk;
– market risk;
– financial management risk;
– model risk;
– reputational risk;
– pension risk;
– strategic risk;
– sustainability risk; and
– operational risk (including accounting, tax, legal, regulatory compliance, financial crime compliance, fiduciary, political, physical, internal, external, contingency, information security, systems, operations, project and people risks).
Exposure to these risks is monitored by risk management committees, asset, liability and capital management committees and executive committees in subsidiaries and, for the Group, in Risk Management Meetings of the GMB (‘RMM’) which are chaired by the Group Chief Risk Officer. The RMM meets regularly to discuss enterprise-wide risk management matters. Asset, liability and capital management matters are monitored by the Group ALCO, which reports to the RMM.
HSBC’s operational risk profile and the effective implementation of the Group’s operational risk management framework are monitored by the Global Operational Risk Committee, which reports to the RMM.
Model risks are monitored by the Model Oversight Committee which also reports to the RMM.
Changes in market conditions/practices. Processes are in place to identify new risks arising from changes in market conditions/practices or customer behaviours, which could expose HSBC to heightened risk of loss or reputational damage. The Group employs a top and emerging risks framework at all levels of the organisation, which enables it to identify current and forward-looking risks and to take action which either prevents them materialising or limits their impact. During 2015, attention was focused on:
– economic outlook and capital flows;
– geopolitical risk;
– turning of the credit cycle;
– regulatory developments affecting the business model and profitability;
– regulatory commitments and consent orders;
– regulatory focus on conduct of business and financial crime;
– dispute risk;
– people risk;
– execution risk;
– third-party risk management;
– model risk;
– cyber threat and unauthorised access to systems; and
– data management.
Strategic plans. Strategic plans are prepared for global businesses, global functions and geographical regions within the framework of the Group’s overall strategy. Annual Operating Plans, informed by detailed analysis of risk appetite describing the types and quantum of risk that the Group is prepared to take in executing its strategy, are prepared and adopted by all major HSBC operating companies and set out the key business initiatives and the likely financial effects of those initiatives.
Disclosure Committee. The Disclosure Committee reviews material public disclosures made by HSBC Holdings for any material errors, misstatements or omissions. The membership of the Disclosure Committee, which is chaired by the Group Company Secretary, includes the heads of Finance, Legal, Risk, Communications and Investor Relations. The integrity of disclosures is underpinned by structures and processes within the Global Finance and Global Risk functions that support expert and rigorous analytical review of financial reporting complemented by certified reviews by heads of global businesses, global functions and certain legal entities.
Financial reporting. The Group’s financial reporting process for preparing the consolidated Annual Report and Accounts 2015 is controlled using documented accounting policies and reporting formats, supported by a chart of accounts with detailed instructions and guidance on reporting requirements, issued by Group Finance to all reporting entities within HSBC in advance of each reporting period end. The submission of financial information from each reporting entity to Group Finance is subject to certification by the responsible financial officer, and analytical review procedures at reporting entity and Group levels.
Responsibility for risk management. Management are primarily accountable for measuring, monitoring, mitigating and managing the risks and controls in their areas of responsibility. Processes are in place to ensure weaknesses are escalated to senior management and addressed, supported by the three lines of defence model.
IT operations. Centralised control is exercised over all IT developments and operations. Common systems are employed for similar business processes wherever practicable.
Global function management. Management of the global functions are responsible for setting policies, procedures and standards to control the principal risks detailed under ‘Risk identification and monitoring’ above.
Authorities to enter into credit and market risk exposures are delegated with limits to line management of Group companies. The concurrence of the appropriate global function is required, however, to credit proposals with specified higher risk characteristics. Credit and market risks are measured and reported at subsidiary company level and aggregated for risk concentration analysis on a Group-wide basis.
Internal Audit. The establishment and maintenance of appropriate systems of risk management and internal control is the responsibility of business management. The Global Internal Audit function, which is centrally controlled, provides independent and objective assurance in respect of the adequacy of the design and operating effectiveness of the Group’s framework of risk management, control and governance processes across the Group, focusing on the areas of greatest risk to HSBC using a risk-based approach. The Group Head of Internal Audit reports to the Chairman of the GAC and administratively to the Group Chief Executive. Executive management is responsible for ensuring that issues raised by the Global Internal Audit function are addressed within an appropriate and agreed timetable. Confirmation to this effect must be provided to Global Internal Audit.
Role of Board Committees
On behalf of the Board, the GAC has responsibility for overseeing risk management and internal controls over financial reporting and the GRC has responsibility for overseeing risk management and internal controls, other than over financial reporting.
During the year, the GRC and the GAC have kept under review the effectiveness of this system of internal control and have reported regularly to the Board. In carrying out their reviews, the GRC and the GAC received:
– regular business and operational risk assessments;
– regular reports from the Group Chief Risk Officer and the Group Head of Internal Audit;
– reports on the annual reviews of the risk control framework of HSBC Holdings which cover all internal controls, both financial and non-financial;
– half yearly confirmations to the GAC and GRC from audit and risk committees of principal subsidiary companies regarding, in relation to audit committees, whether their financial statements have been prepared in accordance with Group policies, present fairly the state of affairs of the relevant principal subsidiary and are prepared on a going concern basis;
– reports confirming if there have been any material losses, contingencies or uncertainties caused by weaknesses in internal controls;
– internal audit reports;
– external audit reports;
– prudential reviews; and
The GRC and GAC have separately established governance frameworks for their respective oversight and interaction with the audit and risk committees of key entities within the Group. These provide for regular reporting, issues escalation and processes for the nomination and endorsement of subsidiary committee appointments. These principles and processes have in turn been cascaded by these key entities to their respective subsidiaries to provide clear vertical channels of governance.
The internal control responsibilities of the GAC and GRC are complemented by the activities of the Conduct & Values Committee ('CVC') and the Financial System Vulnerabilities Committee ('FSVC') which, respectively, oversee internal controls over conduct-related matters and financial crime compliance. The GRC receives regular reports at each of its meetings on the activities of both the CVC and the FSVC. The GRC monitors the status of top and emerging risks and considers whether the mitigating actions put in place are appropriate. In addition, when unexpected losses have arisen or when incidents have occurred which indicate gaps in the control framework or in adherence to Group policies, the GRC and the GAC review special reports, prepared at the instigation of management, which analyse the cause of the issue, the lessons learned and the actions proposed by management to address the issue.
Effectiveness of internal controls
The Directors, through the GRC and the GAC, have conducted an annual review of the effectiveness of our system of risk management and internal control covering all material controls, including financial, operational and compliance controls, risk management systems, the adequacy of resources, qualifications and experience of staff of the accounting and financial reporting teams and the Global Risk function, and their training programmes and budget. The annual review of effectiveness of our system of risk management and internal control over financial reporting was conducted with reference to the COSO framework. The annual review of other controls was undertaken using the risk management framework on pages 102 to 103.
The GRC and the GAC have received confirmation that executive management has taken or is taking the necessary actions to remedy any failings or weaknesses identified through the operation of our framework of controls. In particular, during the year it was determined that the control environment associated with IT privileged access required significant improvement. Deficiencies were noted in the design and operation of controls for the granting, release and monitoring of privileged access in a number of systems. For the identified deficiencies management responded by implementing a programme to determine the scale and nature of the deficiencies, remediate identified control deficiencies and determine if privileged access had been misused during 2015. Management also identified and assessed the effectiveness of relevant IT, business, monitoring and period-end mitigating controls.