Risk Management

The effectiveness of our risk management policies and strategies is a key factor in our success.

The primary role of Internal Audit function (INA) is to help the Board and Executive Management to protect the assets, reputation and sustainability of the Bank. INA provides independent and objective assurance as to whether the design and operational effectiveness of the Bank's framework of risk management, control and governance processes, as designed and represented by management, is adequate. The Bank has adopted a risk management and internal control structure, referred to as the 'Three Lines of Defence', to ensure it achieves its commercial aims while meeting regulatory and legal requirements and its responsibilities to shareholders, customers and staff. INA's role as the third line of defence is independent of the first and second lines of defence.

The Bank has set up a Risk Management Committee (RMC) to oversee the risk management framework for the Bank and its subsidiaries. The RMC reports directly to the Executive Committee. Its main functions are to review all existing and potential risks on a systematic basis to ensure mechanisms exist for early identification of risks, adequate controls exist to mitigate risks, related potential returns take risks into account and that capital is appropriately allocated to manage risks, including but not limited to the eight types of risks stipulated in HKMA's SPMs, namely, credit risk, market risk, liquidity risk, interest rate risk, operational risk, legal and compliance risk, reputation risk and strategic risk.

The Risk Committee is established to be responsible for, among other things, the Bank's high level risk related matters, risk appetite and tolerance, risks associated with proposed strategic acquisitions or disposals, risk management reports from the Management and the effectiveness of the Bank's risk management framework and the systems of internal control and compliance (other than internal financial and compliance regarding financial reporting).

Risk Appetite Statement is a key component of risk management framework. The Group's Risk Appetite Statement for 2014 was approved by the Board as advised by the Risk Committee, which expresses the types and quantum of risk to which the Bank wishes to be posed and which not, on the basis of our core values, business strategy and risk management competencies. The setting of risk appetite is fundamental to the sound management of the Group and the setting and execution of business strategy. Our risk appetite framework is underpinned by the following core risk principles:

• Strong balance sheet and strong brand
• Healthy capital position
• Accountable use of shareholders' funds
• Conservative liquidity management
• Risk must be commensurate with returns
• Sustainable long term growth
• Risk diversification

These core risk principles are applied to define the Risk Appetite Statement on a Bank-wide and individual risk and business level, which cover key risk types and exposures that are faced by the Group's business activities. The RMC undertook regular reviews and monitors the Group's risk profile against the limits set out in the Risk Appetite Statement and determine appropriate management action if material exceptions from approved limits. Reports are submitted to the Risk Committee and the Board from the Chief Risk Officer on the actual profile and projected positions of the Risk Appetite Statement, including material exceptions and management action were required.

Product development and sign-off procedures are in place to ensure that the design of all new products and services are reviewed to ensure they meet market requirements and customer needs. All new products and material product variations must be approved by the Product Oversight Committee as a sub-committee of the RMC. The public release of any new product or service is subject to regulatory review on top of the internal control process.

We maintain documented Business Continuity Plans for critical operations and significant risks, including arrangements for recovery site operations and a clearing and settlement services contingency plan to ensure that critical operations remain functional in emergency situations.

We support international responsible financing principles and sector-specific guidelines to help manage environment-related sustainability risks (see 'Responsible Banking Services' section below). We also require that our credit assessment executives conduct a sustainability risk assessment of all credit applications - both new applications and annual reviews - by our business customers.

Compliance
Our key values include a solid commitment to quality, professionalism and integrity throughout our business. We have structures in place to ensure that our staff comply with both the letter and spirit of all relevant laws, codes, rules, regulations, guidelines and codes of conduct. In any jurisdiction where local compliance requirements are set at a lower standard than those established by our Group policies, our higher standards will apply where these do not contravene or conflict with local law.

Matters relating to internal control and risk management governance as well as policies and practices on compliance with legal and regulatory requirements are considered at Board meetings. Regular Business Governance Reports on financial crime compliance and regulatory compliance are submitted to the Executive Committee.

Among other things, the Audit Committee reviews our financial reporting, the nature and scope of audit reviews, the effectiveness of our systems of internal control, and compliance relating to financial reporting.

Staff Code of Conduct
To ensure the Bank operates according to the highest standards of ethical conduct and professional competence, all staff are required to strictly follow the Code of Conduct contained in our Staff Handbook. With reference to the applicable regulatory guidelines and other industry best practices, the Code sets out the ethical standards and values to which all Bank staff are required to adhere information on various relevant legal and regulatory issues. Topics covered include the prevention of bribery, use of information, insider dealing and personal investment dealing, personal benefits, outside directorships/employment and equal opportunities policy.

Staff Awareness
A key factor in ensuring legal and regulatory compliance, as well as guarding against illegal activities such as fraud and money laundering, is to maintain a high level of staff awareness through training. All employees must complete e-Learning programmes that cover anti-money laundering, sanctions, and anti-bribery and corruption issues to ensure that they are familiar with the relevant laws and regulatory requirements. Other compliance training programmes include those covering equal opportunities, data privacy, occupational health and safety, and code of banking practice.

Conflicts of Interest
We have procedures in place to keep information confidential and manage actual or potential conflicts of interest. Stringent internal structures have been designed to prevent the misuse of inside information and avoid conflicts of interest. Staff working in sensitive or high-risk areas are required to undergo additional job-specific training.

Whistle-blowing
We encourage the reporting of suspected internal business irregularities and provide clear channels specifically for this purpose.

Anti-Money Laundering and Counter Terrorist Financing, Sanctions and Anti-Bribery and Corruption
We maintain consistently high financial crime controls everywhere we operate. The Bank has been actively managing financial crime risk to detect, deter and protect against financial crimes such as money laundering, sanctions-busting and bribery and corruption. We have stringent internal guidelines and procedure manuals that detail regulations, guidelines and Group policies with respect to customer due diligence, ongoing monitoring, financial sanctions and terrorist financing, and reporting of suspicious transactions, as well as related staff training and record-keeping. All Bank staff are required to observe such policies and practices.

We have a zero tolerance approach to bribery and corruption. Matters and policies in relation to anti-bribery and corruption are submitted to the Board and Chief Executive for consideration and comments. The Bank has also set up an Anti-Bribery and Corruption division under the Financial Crime Compliance to oversee the matters. Its main functions include, but are not limited to, the following:

• 1) reviewing gifts and hospitality received or offered by staff;
• 2) drafting policies and regulations governing the receipt and offer of personal benefits by staff; and
• 3) providing recommendations to the Chief Executive and the Board.

To ensure that our staff comply with the requirements imposed by different legislation and uphold high ethical standards, all employees are required to complete anti-bribery and corruption e-learning programmes. All business functions and units are also requested by the Management to ensure they comply with the policies regarding anti-bribery and corruption and gifts and entertainment.

Inside Information
The Bank has put in place a robust framework for the disclosure of inside information in compliance with the Securities and Futures Ordinance. The framework sets out the procedures and internal controls for the handling and dissemination of inside information in a timely manner so as to allow shareholders, customers, staff and other stakeholders to apprehend the latest position of the Bank and its subsidiaries. The framework and its effectiveness are subject to review on a regular basis according to established procedures.

Data Privacy
Ensuring the privacy of customer information and other data is among our most important responsibilities in maintaining our reputation for good governance and in establishing the trust that underpins lasting business relationships. We comply with all data privacy regulations and have formulated a set of 'Privacy Principles' to guide staff in protecting the data and privacy of customers. Specific processes for the handling and protection of customer data are set out in the relevant internal procedure manual. Data privacy matters are overseen by the Head of Regulatory Compliance and the Data Protection Officer. Data Controlling Officers have been appointed at a functional or business unit level to promote data protection and disseminate information on related new guidelines or developments.

Equal Opportunities, Anti-discrimination and Human Rights
We comply with all relevant Hong Kong labour laws. We also take steps to assess potential new client and supplier relationships with the aim of minimising the risk of indirectly facilitating the violation of any individual's labour or human rights.

We provide a wide range of staff training on the equal opportunities, diversity and human rights-related issues that are relevant to our operations and to creating a positive working environment. We follow the Board's Diversity Policy, which was adopted by the Board in May 2013. More details on our equal opportunities policies and training can be found in the 'Our Commitment: Staff' section of this Report.