Internal control

The Directors are responsible for internal control in HSBC and for reviewing its effectiveness. Procedures have been designed for safeguarding assets against unauthorised use or disposal; for maintaining proper accounting records; and for the reliability and usefulness of financial information used within the business or for publication. Such procedures are designed to manage and mitigate the risk of failure to achieve business objectives and can only provide reasonable and not absolute assurance against material misstatement, errors, losses or fraud. The procedures also enable HSBC Holdings to discharge its obligations under the Handbook of Rules and Guidance issued by the FSA, HSBC's lead regulator.

The key procedures that the Directors have established are designed to provide effective internal control within HSBC and accord with the Internal Control: Revised Guidance for Directors on the Combined Code on corporate governance issued by the Financial Reporting Council. Such procedures for the ongoing identification, evaluation and management of the significant risks faced by HSBC have been in place throughout the year and up to 4 March 2013, the date of approval of the Annual Report and Accounts 2012. In the case of companies acquired during the year, the internal controls in place are being reviewed against HSBC's benchmarks and integrated into HSBC's processes.

Key internal control procedures include the following:

• Global standards. Functional, operating, financial reporting and certain management reporting standards are established by global function management committees, for application throughout HSBC. These are supplemented by operating standards set by functional and local management as required for the type of business and geographical location of each subsidiary
• Delegation of authority within limits set by the Board. Authority to operate the various subsidiaries and responsibilities for financial performance against plans and for capital expenditure are delegated to their respective chief executive officers within limits set by the Board. Delegation of authority from the Board to individuals requires those individuals to maintain a clear and appropriate apportionment of significant responsibilities and to oversee the establishment and maintenance of systems of control appropriate to the business. The appointment of executives to the most senior positions within HSBC requires the approval of the Board
• Risk identification and monitoring. Systems and procedures are in place in HSBC to identify, control and report on the major risks including credit, market, liquidity, capital, financial management, model, reputational, pension, strategic, sustainability and operational risk (including accounting, tax, legal, compliance, fiduciary, information, external fraud, internal fraud, political, physical, business continuity, systems operations, project and people risk) and Islamic finance risk. Exposure to these risks is monitored by risk management committees, asset and liability committees and executive committees in subsidiaries and, for HSBC as a whole, by the GMB. Risk Management Meetings, chaired by the Group Chief Risk Officer, are held in each month (except August) to address asset, liability and risk management issues. The minutes of these meetings are provided to members of the GAC, the GRC and the Board
• Global Operational Risk and Control Committee. The Global Operational Risk and Control Committee (GORCC), which reports to the Risk Management Meeting, meets at least quarterly to monitor HSBC's operational risk profile and review the effective implementation of the Group's operational risk management framework. The GORCC receives quarterly reports on the Group's operational risk profile, including performance against risk appetite, top and emerging risks, control issues, operational risk loss events and key risk indicators
• Disclosure Committee. The Disclosure Committee reviews material public disclosures made by HSBC Holdings for any material errors, misstatements or omissions. The membership of the Disclosure Committee, which is chaired by the Group Company Secretary, includes the Heads of Global Finance, Legal, Risk and Compliance, Communications, Investor Relations and Internal Audit functions and representatives from the principal regions and global businesses. The integrity of disclosures is underpinned by structures and processes within the Finance and Risk functions that support expert and rigorous analytical review of financial reporting complemented by certified reviews by heads of global businesses, global functions and certain legal entities
• Financial reporting. The Group financial reporting process for preparing the consolidated Annual Report and Accounts 2012 is controlled using documented accounting policies and reporting formats, supported by a chart of accounts with detailed instructions and guidance on reporting requirements, issued by Group Finance to all reporting entities within the Group in advance of each reporting period end. The submission of financial information from each reporting entity to Group Finance is subject to certification by the responsible financial officer, and analytical review procedures at reporting entity and Group levels
• Changes in market conditions/practices. Processes are in place to identify new risks arising from changes in market conditions/practices or customer behaviours, which could expose us to heightened risk of loss or reputational damage. During 2012, attention was focused on

  – severe economic slowdown in mature economies impacting global growth;
  – eurozone members departure from the currency union;
  – increased geopolitical risk;
  – emerging market slowdown;
  – macroeconomic risks within developed economies;
  – regulatory developments affecting our business model and Group profitability;
  – regulatory investigations, fines, sanctions and requirements relating to conduct of business and financial crime negatively affecting our results and brand;
  – dispute risk;
  – regulatory commitments and consent orders including the Deferred Prosecution Agreements;
  – challenges to achieving our strategy in a downturn;
  – internet crime and fraud;
  – social media risk;
  – level of change creating operational complexity and heightened operational risk;
  – information risk; and
  – model risk.

• Strategic plans. Periodic strategic plans are prepared for global businesses, global functions and certain geographies within the framework of the Group's strategy. Annual Operating Plans, informed by detailed analysis of risk appetite describing the types and quantum of risk that we are prepared to take in executing our strategy, are prepared and adopted by all major HSBC operating companies and set out the key business initiatives and the likely financial effects of those initiatives
• Responsibility for risk management. Management of global businesses and global functions are primarily accountable for managing, measuring and monitoring their risks and controls. Processes consistent with the Three Lines of Defence principle are in place to ensure weaknesses are escalated to senior management and addressed.
• IT operations. Centralised functional control is exercised over all IT developments and operations. Common systems are employed for similar business processes wherever practicable
• Functional management. Global functional management is responsible for setting policies, procedures and standards for the following risks: credit, market, liquidity, capital, financial management, model, reputational, pension, strategic, sustainability and operational risk (including accounting, tax, legal, compliance, fiduciary, information security, security and fraud, systems and people risk). Authorities to enter into credit and market risk exposures are delegated with limits to line management of Group companies. The concurrence of the appropriate global function is required, however, to credit proposals with specified higher risk characteristics. Credit and market risks are measured and reported on in subsidiaries and aggregated for review of risk concentrations on a Group-wide basis
• CEO Attestation process. Global Operational Risk coordinate the annual CEO Attestation process under which the chief executive officer of each of the Group's material subsidiaries confirms that the internal control framework applicable to that subsidiary has been assessed and any significant open issues have been identified, with action plans in place to address weaknesses. The remediation of these issues is monitored by the Operational Risk and Internal Control (ORIC) teams for the relevant regions/global businesses and reports on progress are presented to their ORIC committees and quarterly to Global Operational Risk. An annual report and updates on identified issues and remediation plans are presented to the GRC and the GAC
• Internal Audit. The establishment and maintenance of appropriate systems of internal control is primarily the responsibility of business management. The Global Internal Audit function, which is centrally controlled, provides independent assurance in respect of the design and operating effectiveness of the risk management and control frameworks across the Group, focusing on the areas of greatest risk to HSBC as determined by a risk-based approach. The head of this function reports to the Group Chairman, the Group Chief Executive Officer, the GAC and the GRC on risk-related matters
• Internal Audit recommendations. Executive management is responsible for ensuring that recommendations made by the Internal Audit function are implemented within an appropriate and agreed timetable. Confirmation to this effect must be provided to Internal Audit.
• Reputational risk. Policies to guide subsidiary companies and management at all levels in the conduct of business to safeguard the Group's reputation are established by the Board and its committees, subsidiary company boards and their committees and senior management. Reputational risks can arise from a variety of causes including environmental, social or governance issues, as a consequence of operational risk events or as a result of employees acting in a manner inconsistent with HSBC's Values. As a banking group, HSBC's good reputation depends upon the way in which it conducts its business but it can also be affected by the way in which clients, to which it provides financial services, conduct their business or use financial products and services

The GAC has non-executive responsibility for oversight of internal controls over financial reporting and the GRC has non-executive responsibility for internal controls other than over financial reporting.

The GRC and the GAC have kept under review the effectiveness of this system of internal control and have reported regularly to the Board of Directors. In carrying out their reviews the GRC and the GAC receive regular business and operational risk assessments; regular reports from the Group Chief Risk Officer and the Head of Global Internal Audit; reports on the annual reviews of the internal control framework of HSBC Holdings which cover all internal controls, both financial and non-financial; annual confirmations from chief executives of principal subsidiary companies as to whether there have been any material losses, contingencies or uncertainties caused by weaknesses in internal controls; internal audit reports; external audit reports; prudential reviews; and regulatory reports. The GRC monitors the status of top and emerging risks which impact the Group and considers whether the mitigating actions put in place are appropriate. In addition, when unexpected losses have arisen or when incidents have occurred which indicate gaps in the control framework or in adherence to Group policies, the GRC and the GAC review special reports, prepared at the instigation of management, which analyse the cause of the issue, the lessons learned and the actions proposed by management to address the issue.

The Directors, through the GRC and the GAC, have conducted an annual review of the effectiveness of our system of internal control covering all material controls, including financial, operational and compliance controls, risk management systems, the adequacy of resources, qualifications and experience of staff of the accounting and financial reporting function, and their training programmes and budget. The review does not extend to joint ventures or associates. The GRC and the GAC have received confirmation that executive management has taken or is taking the necessary actions to remedy any failings or weaknesses identified through the operation of our framework of controls.