Last checked at 18 Mar 2016 16:53
Group Risk Committee
I am pleased to present the 2015 report of the Group Risk Committee ('GRC'). 2015 was a particularly busy year for the GRC. In addition to its regular reviews of the Group's risk map, risk appetite and top and emerging risks, the GRC focused on the management of current and forward-looking risks, programmes to implement comprehensive reforms to the ways financial crime compliance is managed and the execution of Global Standards. The GRC has closely monitored the strengthening of the risk framework for managing and mitigating operational risk, as this now represents a greater proportion of the Group's capital demands. The GRC held three additional meetings during the year dedicated to reviewing the results of BoE's stress tests, reviewing the lessons learned from the BoE and internal stress testing exercises and proposals for enhancing the Group's stress testing capability. During the year, the GRC also reviewed management's assessment of information security, cyber-crime and data management risks and management's mitigating actions. Like the Group Audit Committee, the GRC has taken steps to enhance its governance arrangements with the regional and business risk committees to ensure closer interaction and dialogue across the Group. I should like to thank my colleagues on the Committee and senior management for their contribution to the Committee's activities. Joachim Faber Chairman Group Risk Committee 22 February 2016 |
Members
Joachim Faber (Chairman)
John Lipsky
Rachel Lomax
Heidi Miller
Role and responsibilities
The role and responsibilities of the GRC are set out in its terms of reference. Its terms of reference can be found on our website at http://www.hsbc.com/about-hsbc/corporate-governance/board-committees.
The key areas of responsibility for the GRC include:
· advising the Board on high-level risk-related matters and risk governance, including current and forward looking risk exposures, future risk strategy and management of risk within the Group;
· advising the Board on risk appetite and risk tolerance;
· reviewing the effectiveness of the Group's risk management systems framework and internal control systems (other than internal financial control systems which is the responsibility of the GAC);
· monitoring executive control and management of risk including top and emerging risks; and
· advising the Group Remuneration Committee on the alignment of remuneration with risk appetite.
Governance
The GRC has overall non-executive responsibility for the oversight of risk across the Group.
All of HSBC's activities involve the measurement, evaluation, acceptance and management of risk or combinations of risks. The Board, advised by the GRC, requires and promotes a strong risk governance culture which shapes the Group's attitude to risk. The Board and the GRC oversee the maintenance and development of a strong risk management framework by continually monitoring the risk environment, top and emerging risks facing the Group and mitigating actions planned and taken.
Oversight of specific areas of risk is undertaken by the Conduct & Values Committee (page 272) to ensure that HSBC conducts business responsibly and consistently adheres to HSBC Values and by the Financial System Vulnerabilities Committee (page 268) for matters relating to anti-money laundering, sanctions, terrorist financing and proliferation financing. Both committees regularly update the GRC on their responsibilities.
The GRC, together with the GAC, has set core terms of reference for subsidiary company non-executive risk and audit committees.
During 2015, the GRC held 10 meetings and attendance of the current GRC members is set out in the table on page 258. The Group Chief Risk Officer, Group Finance Director, Chief Legal Officer, Group Head of Internal Audit, Global Head of Regulatory Compliance, Global Head of Financial Crime Compliance and other members of senior management attended meetings of the GRC by invitation to contribute to discussions relating to their respective areas of expertise. The Chairman of the GRC had meetings with a number of these attendees separately to discuss specific issues.
The GRC has worked closely with the GAC to ensure that any areas of significant overlap are appropriately addressed. The GRC and the GAC met jointly during 2015 to address areas of commonality between the committees and to avoid unnecessary duplication. The committees also discussed the importance of building strong alignment with the major regional and global business risk and audit committees and implemented proposals to improve inter-committee communication.
A forum for the chairs of the major regional and global businesses' audit and risk committees was held in June 2015 which resulted in an enhanced reporting protocol, providing clearer lines of accountability at Group, regional, country and business line levels. The operation of this enhanced protocol will be closely monitored during the year and reviewed at the next annual forum.
The GRC met with the Group Chief Risk Officer and Group Head of Internal Audit without the presence of management. The GRC Chairman reported matters of significance to the Board after each meeting and the minutes of the meetings were made available to all Board members.
How the Committee discharged its responsibilities
The GRC reviewed the Group Risk Appetite Statement, the risk map (which describes the Group's risk profile by risk type across the global businesses) and monitored the top and emerging risks (together with mitigating actions for identified risks) with management at each of its meetings.
Page 102 provides further information on the top and emerging risks, the risk map and the risk appetite for the Group.
The GRC requested reports and updates from management on risk-related issues identified for in-depth consideration and received regular reports on matters discussed at the RMM. In addition, during 2015 the GRC invited senior management from the global businesses to present their respective risk control frameworks. The GRC welcomed, as a result, the enhanced discussions on the risk environment and will continue this cycle of presentations throughout 2016.
A particular focus for the GRC during 2015 was the Group's exposure to execution risk. Regular reports were received from the Group Chief Operating Officer, who attended the GRC meetings, updating the GRC on the status of the Group's highest priority programmes and mitigating measures being put in place to manage the identified risks appropriately.
In addition to addressing the matters noted above, the GRC focused on a number of key areas including those set out in the table below.
Internal control and risk management
The GRC reviewed the Group's risk management framework and system of internal control (other than internal financial control systems, which covered by the GAC) and the developments affecting them over the course of 2015. In carrying out its review, the GRC received regular business and operational risk assessments, regular reports from the Group Chief Risk Officer and the Group Head of Internal Audit, reports on the annual reviews of the risk control framework of the global businesses which cover all internal controls, half yearly confirmations to the GRC from risk committees of principal subsidiary companies and reports confirming if there have been any material losses, contingencies or uncertainties caused by weaknesses in internal controls. In light of these findings, the GRC assessed the statement of internal controls systems prior to its endorsement by the Board. The Board's assessment as to the effectiveness of the system can be found on page 275 under the heading 'Internal Control'.
Ongoing development
Throughout the year, the GRC received presentations on a range of topics, including Volcker Rule governance and briefings on developments in the regulatory environment.
Committee effectiveness
The effectiveness of the GRC was evaluated as part of the overall performance evaluation of the Board.
Principal activities and significant issues considered include:
The Group Risk Appetite Statement ('RAS') and monitoring of the Group risk profile against the RAS | The GRC reviewed management proposals for revisions to the Group RAS metrics for 2015. Following review, the Committee recommended the Group RAS, which contained a number of refinements including the cost efficiency, common equity tier 1 capital and sovereign exposure ratio, to the Board. The GRC regularly reviews the Group's risk profile against the key performance metrics set out in the RAS. It reviewed management's assessment of risk and provided scrutiny of management's proposed mitigating actions. |
BoE stress test | The GRC monitored the BoE stress testing exercise and reviewed the results of stress testing prior to submission to the regulator. It received reports over the course of the BoE stress testing exercise and met three times during the year solely to consider stress testing related matters. Top and emerging risks were reviewed at every GRC meeting and areas identified where management needed to assess vulnerabilities via stress testing. The GRC oversaw a review of the lessons learned from this stress testing exercise and proposals for enhancing the Group's stress testing capability. Internal Audit assessed progress on the regulatory stress tests programmes and reported its conclusions and recommendations to the GRC. |
Execution risk | Execution risk is the risk relating to the delivery of the Group strategy and the progress and status of high priority programmes is a standing agenda item for the GRC. Monitoring of this risk and challenging management's assessment of execution risk and corresponding mitigating actions remain a priority for the GRC. In addition to the regular reports received and 'deep-dive reviews' conducted on specific issues identified, the GRC requested reports from Internal Audit on the themes identified during the course of its work. |
Legal and regulatoryrisks | The GRC received regular reports on legal and regulatory risks, reviewed management actions to mitigate these risks and considered the potential impact of future developments in this area on the Group. In 2015, these included reports concerning risks related to investigations of HSBC's Swiss Private Bank by a number of tax administration, regulatory and law enforcement authorities. |
IT and data-related risks | During the year, the GRC considered a number of IT and data-related risks including internet crime and fraud, data management and aggregation, and information security. The GRC reviewed management's assessment of these risks and management actions to mitigate them. IT and data-related risks are expected to remain an area of focus for the GRC during the course of 2016. |