We regularly review our policies and procedures for safeguarding against reputational risk. This is an evolutionary process which takes account of relevant developments, industry guidance, best practice and societal expectations.
We have always aspired to the highest standards of conduct and, as a matter of routine, take account of reputational risks to our business. Reputational risks can arise from a wide variety of causes. As a banking group, our good reputation depends not only upon the way in which we conduct our business, but also upon the way in which the clients to whom we provide financial services, and our vendors, conduct themselves.
The Global Head of Financial Crime Compliance and the Global Head of Regulatory Compliance are the risk stewards for reputational risk. The development of policies, and an effective control environment for the identification, assessment, management and mitigation of reputational risk, is co-ordinated through the Group Reputational Risk Policy Committee (‘GRRPC’), which is chaired by the Group Chairman. The primary role of the GRRPC is to consider areas and activities presenting significant reputational risk and, where appropriate, to make recommendations to the Group Risk Management Meeting for policy or procedural changes to mitigate such risk. Each of the Group’s geographical regions is required to ensure that reputational risks are also considered at a regional level, either through a special section of their respective Regional Risk Management Committee meetings, or a Regional Reputational Risk Policy Committee. A summary of the minutes from the regional meetings is tabled at GRRPC. Significant issues posing reputational risk are reported to Group Risk Committee and the Holdings Board and, where appropriate, to the Conduct & Values Committee.
In July 2014, the new Reputational Risk and Customer Selection policies were issued which define a consistent and structured approach to managing these risks. Each of the global businesses and functions is required to have a procedure to assess and address reputational risks potentially arising from proposed business transactions and client activity. These are supported by a central team which ensures that issues are directed to the appropriate forum, that decisions taken are implemented and that management information is collated and actions reported to senior management. In 2014, the combined Reputational Risk and Client Selection committees were created within the global businesses with a clear process to escalate and address matters at the appropriate level. The global functions manage and escalate reputational risks within established operational risk frameworks.
Standards on all major aspects of business are set for HSBC and for individual subsidiaries, businesses and functions. Reputational risks, including environmental, social and governance matters, are considered and assessed by the Board, the GMB, the Risk Management Meeting, the Global Standards Steering Meeting, subsidiary company boards, Board committees and senior management during the formulation of policy and the establishment of our standards. These policies, which form an integral part of the internal control system, are communicated through manuals and statements of policy and are promulgated through internal communications and training. The policies set out our risk appetite and operational procedures in all areas of reputational risk, including money laundering deterrence, counter-terrorist financing, environmental impact, anti-bribery and corruption measures and employee relations. The policy manuals address risk issues in detail and co-operation between Group departments and businesses is required to ensure a strong adherence to our risk management system and our sustainability practices.
The objective of our operational risk management is to manage and control operational risk in a cost-effective manner within targeted levels of operational risk consistent with our risk appetite, as defined by the GMB.
Operational risk is organised as a specific risk discipline within Global Risk, and a formal governance structure provides oversight over its management. The Global Operational Risk function reports to the Group Chief Risk Officer and supports the Global Operational Risk Committee. It is responsible for establishing and maintaining the operational risk management framework (‘ORMF’) and monitoring the level of operational losses and the effectiveness of the control environment. It is also responsible for operational risk reporting at Group level, including the preparation of reports for consideration by the Risk Management Meeting and Group Risk Committee. The Global Operational Risk Committee meets at least quarterly to discuss key risk issues and review the effective implementation of the ORMF.
The ORMF defines minimum standards and processes and the governance structure for the management of operational risk and internal control in our geographical regions, global businesses and global functions. The ORMF has been codified in a high-level standards manual, supplemented with detailed policies, which describes our approach to identifying, assessing, monitoring and controlling operational risk and gives guidance on mitigating action to be taken when weaknesses are identified.
Business managers throughout the Group are responsible for maintaining an acceptable level of internal control commensurate with the scale and nature of operations, and for identifying and assessing risks, designing controls and monitoring the effectiveness of these controls. The ORMF helps managers to fulfil these responsibilities by defining a standard risk assessment methodology and providing a tool for the systematic reporting of operational loss data.
A centralised database is used to record the results of the operational risk management process. Operational risk and control self-assessments are input and maintained by business units. Business and functional management and Business Risk and Control Managers monitor the progress of documented action plans to address shortcomings. To ensure that operational risk losses are consistently reported and monitored at Group level, all Group companies are required to report individual losses when the net loss is expected to exceed US$10,000, and to aggregate all other operational risk losses under US$10,000. Losses are entered into the Group Operational Risk database and are reported to the Risk Management Meeting on a monthly basis.