The effectiveness of our risk management policies and strategies is a key factor in our success.
The internal audit function provides independent, objective assurance to the Management and the Risk and Audit Committees over the risk management and controls framework, to add value and to improve operations. It helps the Management accomplish its objectives by bringing a systematic and disciplined approach in the evaluation and improvement of the effectiveness of risk management, control, and governance processes. It also assesses the design and effectiveness of the primary and secondary controls and it places a degree of reliance on the effectiveness of the work completed by the internal control teams. The outcome is a holistic and timely view of how effectively the material risks within the Bank are being managed.
The Risk Management Committee (RMC), which reports directly to the Executive Committee, oversees the risk management framework for the Bank and its subsidiaries. Its main functions are to review all existing and potential risks on a systematic basis to ensure mechanisms exist for early identification of risks, adequate controls exist to mitigate risks, related returns consider risks and that capital is appropriately allocated to manage risks. The Committee is also responsible for reviewing, recommending and approving policies and methodologies for the management of risk, and overseeing the risk management of its sub-committees. More details on our management of risk can be found in the 'Corporate Governance and Other Information', 'Financial Review' and '2013 Financial Statements' sections of our 2013 Annual Report.
Establishing an appropriate risk appetite limit is a key element in our management of risk. The Group's Risk Appetite Statement for 2013, which was approved by the Board as advised by the Risk Committee, describes the types and amount of risk that we are prepared to accept in executing our business strategy and applies at Bank-wide, business group and individual risk levels. Our risk appetite framework is underpinned by the following core principles:
- We must maintain our strong balance sheet and brand
- We must maintain a healthy capital position
- We must be accountable in how we use shareholders' funds
- We must adopt conservative liquidity management policies and processes
- Our tolerance for any risk must be commensurate with and considered in light of potential returns
- We must always uphold the principle of sustainable long-term growth
The RMC undertakes regular reviews and monitors the Bank's risk profile against the limits set out in the Statement and determines appropriate management action in instances of material deviation from approved limits. Reports that detail the profile of the Statement - including material deviations from the same and, where required, suggestions for appropriate management action - are submitted to the Risk Committee and the Board by the Chief Risk Officer on a quarterly basis.
Product development and sign-off procedures are in place to ensure that the design of all new products and services is reviewed to ensure they meet market requirements and customer needs. All new products and material product variations must be approved by the Product Oversight Committee as a sub-committee of the RMC.
We maintain documented Business Continuity Plans for critical operations and significant risks, including arrangements for back-up site operations and a clearing and settlement services contingency plan to ensure that critical operations remain functional in emergency situations.
We support international responsible financing principles and sector-specific guidelines to help manage environment-related sustainability risks (see 'Responsible Banking Services' section below). We also require that our credit assessment executives conduct a sustainability risk assessment of all credit applications - both new applications and annual reviews - by our business customers.
Our key values include a solid commitment to quality, professionalism and integrity throughout our business. We have structures in place to ensure that our staff comply with both the letter and spirit of all relevant laws, rules, regulations, guidelines and codes of conduct. In any jurisdiction where local compliance requirements are set at a lower standard than those established by our Group policies, our higher standards will apply where these do not contravene or conflict with local law.
Matters relating to internal control and risk management governance as well as policies and practices on compliance with legal and regulatory requirements are considered at Board meetings. Regular Business Governance Reports on financial crime compliance and regulatory compliance are submitted to the Executive Committee.
Among other things, the Audit Committee reviews our financial reporting, the nature and scope of audit reviews, the effectiveness of our systems of internal control, and compliance relating to financial reporting.
Staff Code of Conduct
To ensure the Bank operates according to the highest standards of ethical conduct and professional competence, all staff are required to strictly follow the Code of Conduct contained in our Staff Handbook. With reference to the applicable regulatory guidelines and other industry best practices, the Code sets out the ethical standards and values to which all Bank staff are required to adhere and information on various relevant legal and regulatory issues. Topics covered include the prevention of bribery, use of information, insider dealing and personal investment dealing, personal benefits, outside directorships/employment and equal opportunities policy.
A key factor in ensuring legal and regulatory compliance, as well as guarding against illegal activities such as fraud and money laundering, is to maintain a high level of staff awareness through training. All employees must complete an e-Learning programme that covers anti-money laundering, sanctions and anti-bribery and corruption issues to ensure that they are familiar with the relevant laws and regulatory requirements. Other compliance training programmes include those covering equal opportunities, data privacy, occupational health and safety, and the code of banking practice. All management employees have completed this training. Line managers with members of staff on leave are responsible for reminding such staff to complete the training when they return to work.
Insider Information and Conflicts of Interest
We have procedures in place to keep information confidential and manage actual or potential conflicts of interest. Stringent internal structures have been designed to prevent the misuse of insider information and avoid conflicts of interest. Staff working in sensitive or high-risk areas are required to undergo additional job-specific training.
We encourage the reporting of suspected internal business irregularities and provide clear channels specifically for this purpose.
Anti-money Laundering, Counter-terrorist Financing and Sanctions
We comply with high standards of anti-money laundering, counter-terrorist financing and sanctions practice. We have stringent internal guidelines and procedure manuals that detail regulations, guidelines and Group policies with respect to customer due diligence, ongoing monitoring, financial sanctions and terrorist financing, and reporting of suspicious transactions, as well as related staff training and record-keeping. All Bank staff are required to observe such policies and practices.
We have established a robust framework for the disclosure of price-sensitive information in compliance with the Listing Rules and other regulatory requirements. The framework sets out the procedures and internal controls for the handling and dissemination of price-sensitive information in a timely manner to help shareholders, customers, staff and other stakeholders understand the latest position of the Bank and its subsidiaries. The framework and its effectiveness are subject to review on a regular basis according to established procedures.
Ensuring the privacy of customer information and other data is among our most important responsibilities in maintaining our reputation for good governance and in establishing the trust that underpins lasting business relationships. We comply with all data privacy regulations and have formulated a set of 'Privacy Principles' to guide staff in protecting the data and privacy of customers. Specific processes for the handling and protection of customer data are set out in the relevant internal procedure manual. Data privacy matters are overseen by the Head of Financial Crime Compliance & Regulatory Compliance and the Data Protection Officer. Data Controlling Officers have been appointed at a functional or business unit level to promote data protection and disseminate information on related new guidelines or developments. We also produce a quarterly bulletin on personal data privacy to further ensure staff awareness of the latest internal and external requirements.
Equal Opportunities, Anti-discrimination and Human Rights
We fully comply with Hong Kong labour law. We also take steps to assess potential new client and supplier relationships with the aim of minimising the risk of indirectly facilitating the violation of any individual's labour or human rights.
We provide a wide range of staff training on the equal opportunities, diversity and human rights-related issues that are relevant to our operations and to creating a positive working environment. We follow the Board Diversity Policy, which was implemented in May 2013. More details on our equal opportunities policies and training can be found in the 'Our Commitment: Staff' section of this Report.
Responsible Banking Services
Lending and Investment Policies
Our financing decisions reflect our business principles, risk assessment processes and the needs of our customers.
Our credit evaluation process includes assessment of any potentially environmentally or socially sensitive risks. Measures to enable us to monitor the implementation of and compliance with environmental and social requirements by our clients are included in our financing agreements and credit assessment process. In cases of material deviation from the required standards, we will work with the customer to establish a target date for compliance. Where no progress is made or in instances of a serious breach, we will exit the relationship.
For environmental risk-related matters, we follow the sustainability risk requirements laid down by the HSBC Group, which include specific guidelines on lending to businesses operating in sectors such as chemicals, energy, forestry, freshwater infrastructure, and mining and minerals. We have adopted the Equator Principles, a set of voluntary guidelines which define a process to implement common sustainability standards in project finance lending. We also have a defence equipment policy which clarifies our stance on lending to companies involved with weapons (see box: Responsible Financing).