Last checked at 18 Mar 2016 16:55
Internal control
The Board is responsible for maintaining and reviewing the effectiveness of risk management and internal control systems and for determining the aggregate level and types of risks it is willing to take in achieving its strategic objectives.
Procedures
To meet this requirement and to discharge its obligations under the FCA Handbook and PRA Handbook, procedures have been designed for safeguarding assets against unauthorised use or disposal; for maintaining proper accounting records; and for ensuring the reliability and usefulness of financial information used within the business or for publication.
These procedures can only provide reasonable but not absolute assurance against material mis-statement, errors, losses or fraud. They are designed to provide effective internal control within HSBC and accord with the Financial Reporting Council's guidance for directors issued in 2014, internal control and related financial and business reporting. Our procedures have been in place throughout the year and up to 22 February 2016, the date of approval of the Annual Report and Accounts 2015.
In 2014, the GAC endorsed the adoption of the COSO 2013 framework for the monitoring of risk management and internal control systems to satisfy the requirements of Section 404 of the Sarbanes-Oxley Act of 2002. Additionally, the risk management framework enabled the GRC to monitor controls over principal risks to meet the requirements of the UK Corporate Governance Code and the Hong Kong Corporate Governance Code.
HSBC's key risk management and internal control procedures include the following:
· Group Standards. The Global Standards Manual ('GSM') brings together the common standards and principles used in the conduct of all business, whatever its location or nature. The GSM overlays all other manuals throughout the Group and is a fundamental component of the Group's risk management structure. It establishes the high level standards and policies by which, and within which, all members of the Group conduct their businesses. The GSM is mandatory and applies to, and must be observed by, all businesses within the Group, regardless of the nature or location of their activities.
· Delegation of authority within limits set by the Board. Subject to certain matters reserved for the Board, the Group Chief Executive has been delegated authority limits and powers within which to manage the day-to-day affairs of the Group, including the right to sub-delegate those limits and powers. Each relevant Group Managing Director or Group Executive Director has delegated authority within which to manage the day-to-day affairs of the business or function for which he or she is accountable. Delegation of authority from the Board requires those individuals to maintain a clear and appropriate apportionment of significant responsibilities and to oversee the establishment and maintenance of systems of control that are appropriate to their business or function. Appointments to the most senior positions within HSBC require the approval of the Board.
· Risk identification and monitoring. Systems and procedures are in place to identify, control and report on the material risk types facing HSBC as set out below:
- wholesale credit risk;
- retail credit risk;
- insurance risk;
- asset, liability and capital management risk;
- market risk;
- financial management risk;
- model risk;
- reputational risk;
- pension risk;
- strategic risk;
- sustainability risk; and
- operational risk (including accounting, tax, legal, regulatory compliance, financial crime compliance, fiduciary, political, physical, internal, external, contingency, information security, systems, operations, project and people risks).
Exposure to these risks is monitored by risk management committees, asset, liability and capital management committees and executive committees in subsidiaries and, for the Group, in Risk Management Meetings of the GMB ('RMM') which are chaired by the Group Chief Risk Officer. The RMM meets regularly to discuss enterprise-wide risk management matters. Asset, liability and capital management matters are monitored by the Group ALCO, which reports to the RMM.
HSBC's operational risk profile and the effective implementation of the Group's operational risk management framework are monitored by the Global Operational Risk Committee, which reports to the RMM.
Model risks are monitored by the Model Oversight Committee which also reports to the RMM.
· Changes in market conditions/practices. Processes are in place to identify new risks arising from changes in market conditions/practices or customer behaviours, which could expose HSBC to heightened risk of loss or reputational damage. The Group employs a top and emerging risks framework at all levels of the organisation, which enables it to identify current and forward-looking risks and to take action which either prevents them materialising or limits their impact. During 2015, attention was focused on:
- economic outlook and capital flows;
- geopolitical risk;
- turning of the credit cycle;
- regulatory developments affecting the business model and profitability;
- regulatory commitments and consent orders;
- regulatory focus on conduct of business and financial crime;
- dispute risk;
- people risk;
- execution risk;
- third-party risk management;
- model risk;
- cyber threat and unauthorised access to systems; and
- data management.
· Strategic plans. Strategic plans are prepared for global businesses, global functions and geographical regions within the framework of the Group's overall strategy. Annual Operating Plans, informed by detailed analysis of risk appetite describing the types and quantum of risk that the Group is prepared to take in executing its strategy, are prepared and adopted by all major HSBC operating companies and set out the key business initiatives and the likely financial effects of those initiatives.
· Disclosure Committee. The Disclosure Committee reviews material public disclosures made by HSBC Holdings for any material errors, misstatements or omissions. The membership of the Disclosure Committee, which is chaired by the Group Company Secretary, includes the heads of Finance, Legal, Risk, Communications and Investor Relations. The integrity of disclosures is underpinned by structures and processes within the Global Finance and Global Risk functions that support expert and rigorous analytical review of financial reporting complemented by certified reviews by heads of global businesses, global functions and certain legal entities.
· Financial reporting. The Group's financial reporting process for preparing the consolidated Annual Report and Accounts 2015 is controlled using documented accounting policies and reporting formats, supported by a chart of accounts with detailed instructions and guidance on reporting requirements, issued by Group Finance to all reporting entities within HSBC in advance of each reporting period end. The submission of financial information from each reporting entity to Group Finance is subject to certification by the responsible financial officer, and analytical review procedures at reporting entity and Group levels.
· Responsibility for risk management. Management are primarily accountable for measuring, monitoring, mitigating and managing the risks and controls in their areas of responsibility. Processes are in place to ensure weaknesses are escalated to senior management and addressed, supported by the three lines of defence model.
· IT operations. Centralised control is exercised over all IT developments and operations. Common systems are employed for similar business processes wherever practicable.
· Global function management. Management of the global functions are responsible for setting policies, procedures and standards to control the principal risks detailed under 'Risk identification and monitoring' above.
Authorities to enter into credit and market risk exposures are delegated with limits to line management of Group companies. The concurrence of the appropriate global function is required, however, to credit proposals with specified higher risk characteristics. Credit and market risks are measured and reported at subsidiary company level and aggregated for risk concentration analysis on a Group-wide basis.
· Internal Audit. The establishment and maintenance of appropriate systems of risk management and internal control is the responsibility of business management. The Global Internal Audit function, which is centrally controlled, provides independent and objective assurance in respect of the adequacy of the design and operating effectiveness of the Group's framework of risk management, control and governance processes across the Group, focusing on the areas of greatest risk to HSBC using a risk-based approach. The Group Head of Internal Audit reports to the Chairman of the GAC and administratively to the Group Chief Executive. Executive management is responsible for ensuring that issues raised by the Global Internal Audit function are addressed within an appropriate and agreed timetable. Confirmation to this effect must be provided to Global Internal Audit.
Role of Board Committees
On behalf of the Board, the GAC has responsibility for overseeing risk management and internal controls over financial reporting and the GRC has responsibility for overseeing risk management and internal controls, other than over financial reporting.
During the year, the GRC and the GAC have kept under review the effectiveness of this system of internal control and have reported regularly to the Board. In carrying out their reviews, the GRC and the GAC received:
· regular business and operational risk assessments;
· regular reports from the Group Chief Risk Officer and the Group Head of Internal Audit;
· reports on the annual reviews of the risk control framework of HSBC Holdings which cover all internal controls, both financial and non‑financial;
· half yearly confirmations to the GAC and GRC from audit and risk committees of principal subsidiary companies regarding, in relation to audit committees, whether their financial statements have been prepared in accordance with Group policies, present fairly the state of affairs of the relevant principal subsidiary and are prepared on a going concern basis;
· reports confirming if there have been any material losses, contingencies or uncertainties caused by weaknesses in internal controls;
· internal audit reports;
· external audit reports;
· prudential reviews; and
· regulatory reports.
The GRC and GAC have separately established governance frameworks for their respective oversight and interaction with the audit and risk committees of key entities within the Group. These provide for regular reporting, issues escalation and processes for the nomination and endorsement of subsidiary committee appointments. These principles and processes have in turn been cascaded by these key entities to their respective subsidiaries to provide clear vertical channels of governance.
The internal control responsibilities of the GAC and GRC are complemented by the activities of the Conduct & Values Committee ('CVC') and the Financial System Vulnerabilities Committee ('FSVC') which, respectively, oversee internal controls over conduct-related matters and financial crime compliance. The GRC receives regular reports at each of its meetings on the activities of both the CVC and the FSVC. The GRC monitors the status of top and emerging risks and considers whether the mitigating actions put in place are appropriate. In addition, when unexpected losses have arisen or when incidents have occurred which indicate gaps in the control framework or in adherence to Group policies, the GRC and the GAC review special reports, prepared at the instigation of management, which analyse the cause of the issue, the lessons learned and the actions proposed by management to address the issue.
Effectiveness of internal controls
The Directors, through the GRC and the GAC, have conducted an annual review of the effectiveness of our system of risk management and internal control covering all material controls, including financial, operational and compliance controls, risk management systems, the adequacy of resources, qualifications and experience of staff of the accounting and financial reporting teams and the Global Risk function, and their training programmes and budget. The annual review of effectiveness of our system of risk management and internal control over financial reporting was conducted with reference to the COSO framework. The annual review of other controls was undertaken using the risk management framework on pages 102 to 103.
The GRC and the GAC have received confirmation that executive management has taken or is taking the necessary actions to remedy any failings or weaknesses identified through the operation of our framework of controls. In particular, during the year it was determined that the control environment associated with IT privileged access required significant improvement. Deficiencies were noted in the design and operation of controls for the granting, release and monitoring of privileged access in a number of systems. For the identified deficiencies management responded by implementing a programme to determine the scale and nature of the deficiencies, remediate identified control deficiencies and determine if privileged access had been misused during 2015. Management also identified and assessed the effectiveness of relevant IT, business, monitoring and period-end mitigating controls.
Going concern and viability
The financial statements are prepared on a going concern basis, as the Directors are satisfied that the Group and Parent Company have the resources to continue in business for the foreseeable future.
In addition to the requirement to consider whether the going concern basis is appropriate, the Directors now have an obligation under the UK Corporate Governance Code to state in a Viability Statement whether they believe the Group and parent company will be able to continue in operation and meet their liabilities, taking account of their current position and principal risks, our top and emerging risks, and specify the period covered by and the appropriateness of this statement.
It is expected that the period assessed under the Viability Statement will be significantly longer than 12 months, which is the period over which going concern is assessed. For HSBC, the Directors have a reasonable expectation that the Group and parent company will be able to continue in operation and meet liabilities as they fall due over the next three years.
In making the going concern and viability assessments, the Directors have considered a wide range of information relating to present and future conditions, including future projections of profitability, cash flows, capital requirements and capital resources.
The assessment has been made over a period of three years as this is within the period covered by the Group's future projections of profitability, the period over which regulatory and internal stress testing is carried out, and the period over which key capital and leverage ratios are forecast. Therefore detailed management information exists for three years, enabling Directors to assess the viability of the Group.
The Directors are satisfied that the period is sufficient to enable a reasonable assessment of viability to be made. In doing so, the Directors have assessed the principal risks (which for the Group are set out in our top and emerging risks on page 43), including the status of the DPA, as more fully described on page 307, that could threaten the Group's future prospects and business model. They considered the effect that those risks could have on the Group's risk profile relative to the risk appetite approved by the Board (see pages 101 and 102). The Directors view all of the identified top and emerging risks as relevant to the assessment of viability. In doing so, the Directors considered the range of information concerning each principal risk, including but not limited to the Annual Operating Plan, the programme of regulatory and internal stress tests, risk appetite and legal reports. The Directors also considered the information from the two reverse stress tests which the Group runs, one based on extreme macroeconomic dislocation in Europe and Asia, the other linked to the DPA. The Directors considered the principal risks in forming the strategic actions set out on page 18, ensuring that the forward-looking risk profile of the Group remained within our risk appetite.
Information relevant to the assessment of viability can be found in the following sections of the Annual Report and Accounts 2015:
· HSBC's principal activities, business and operating models, strategic direction and top and emerging risks are described in the 'Strategic Report';
· a financial summary, including a review of the consolidated income statement and the consolidated balance sheet, is provided in the 'Financial Review';
· HSBC's objectives, policies and processes for managing credit, liquidity and market risk are described under 'Risk'; and
· the capital position of the Group, regulatory developments, and the approach to management and allocation of capital are set out in the 'Capital' section.
Assessment of risks
The Directors have carried out a robust assessment of the principal risks facing the Group, together with mitigating actions planned or taken. The activities of the Board and its subcommittees and the significant issues considered by them are described on page 262.
In assessing these risks, Directors considered a wide range of information including:
· enterprise risk reports: risk appetite (see page 102), top and emerging risks (see page 103) and risk map (see page 103);
· reports and updates from management of risk-related issues identified for in-depth consideration;
· reports and updates over the course of the Bank of England stress testing exercise;
· reports and updates on the Group's compliance-related initiatives made in connection with the resolution of the investigations by US and UK regulatory and law enforcement authorities in December 2012 and also more generally;
· reports and updates on the Group's initiatives to deliver against key conduct, values and culture initiatives; and
· reports to the Board on matters discussed at the RMM.
Employees
At 31 December 2015 we had a total workforce of 264,000 full-time and part-time employees compared with 266,000 at the end of 2014 and 263,000 at the end of 2013.
Our main centres of employment were the UK with approximately 47,000 employees, India 33,000, Hong Kong 30,000, mainland China 22,000, Brazil 21,000, Mexico 16,000, the US 14,000 and France 9,000.
Employees performing at their best and the environment we create to make that possible are critical. We encourage employees to speak up, and reflect our purpose and values in the decisions we make and how we make them, as these decisions shape the future of our customers and colleagues.
Employee relations
We consult with and, where appropriate, negotiate with employee representative bodies. It is our policy to maintain well-developed communications and consultation programmes with all employee representative bodies and there have been no material disruptions to our operations from labour disputes during the past five years.
Diversity and inclusion
HSBC is committed to building a culture where all employees are valued and respected and where their opinions count. We remain committed to meritocracy, which requires a diverse and inclusive culture where employees believe that their views are heard, their concerns are attended to and they work in an environment where bias, discrimination and harassment on any matter, including gender, age, ethnicity, religion, sexual orientation and disability, are not tolerated and where advancement is based on objective criteria. An inclusive culture helps us respond to our diverse customer base, while developing and retaining a secure supply of skilled, committed employees. Our culture will be strengthened by employing the best people and optimising their ideas, abilities and differences.
Oversight of our diversity and inclusion agenda and related activities resides with the Global Diversity and Inclusionsub-function.
Employee development
The development of our employees is essential to the future strength of our business. We continue to develop and implement practices that build employee capability, and identify, develop and deploy talented employees to ensure an appropriate supply of high calibre individuals with the values, skills and experience for current and future senior management positions.
In 2015, we focused on developing technical skills, experiences and behaviours necessary to deliver against our Global Standards commitments, along with several Group-wide programmes on individual leadership, team management and on-boarding employees into HSBC.
Employment of disabled persons
We believe in providing equal opportunities for all employees. The employment of disabled persons is included in this commitment and the recruitment, training, career development and promotion of disabled persons is based on the aptitudes and abilities of the individual. Should employees become disabled during their employment with us, efforts are made to continue their employment and, if necessary, appropriate training and reasonable equipment and facilities are provided.
Health and safety
HSBC is committed to providing a safe and healthy environment for our employees, customers and visitors. We aim always to meet the minimum health and safety standards required by law wherever we operate and, where reasonably practical, to exceed them.