The Board aims at making a balanced, clear and comprehensive assessment of the Bank’s performance, position and prospects. An annual operating plan is reviewed and approved by the Board on an annual basis. Reports on financial results, business performance and variances against the approved annual operating plan are made available to the Board for review and monitoring on a monthly basis.
Strategic planning cycles are generally from three to five years. The Bank’s strategic plan for 2018-2020 was approved by the Board in November 2017. Progress of the implementation of the key initiatives in the strategic plan is reported to and reviewed by the Board and Executive Committee on a quarterly basis.
The annual and interim results of the Bank are announced in a timely manner within three months and two months respectively after the end of the relevant year or period.
The Directors acknowledge their responsibilities for preparing the accounts of the Bank. As at 31 December 2018, the Directors were not aware of any material uncertainties relating to events or conditions which may cast significant doubt upon the Bank’s ability to continue as a going concern. Accordingly, the Bank’s Directors have prepared the financial statements of the Bank on a going-concern basis.
The Board is responsible for internal control of the Bank and its subsidiaries and for reviewing its effectiveness.
The Bank’s internal control system comprises a well-established organisational structure and comprehensive policies and standards. Areas of responsibilities for each business and functional unit are clearly defined to ensure effective checks and balances.
Procedures have been designed for safeguarding assets against unauthorised use or disposition; for maintaining proper accounting records; and for ensuring the reliability of financial information used within the business or for publication. The procedures provide reasonable but not absolute assurance against material errors, losses or fraud. Procedures have also been designed to ensure compliance with applicable laws, rules and regulations.
Systems and procedures are in place in the Bank to identify, control and report on the major types of risks the Bank encounters. Business and functional units are responsible for the assessment of individual types of risk arising under their areas of responsibilities, the management of the risks in accordance with risk management procedures and the reporting on risk management. The Bank maintains an effective risk management framework through the setting up of specialised management committees for the oversight and monitoring of major risk areas and the establishment of risk management departments under the relevant control functions of the Bank. Relevant risk management reports are submitted to the Asset and Liability Management Committee, Risk Management Meeting, Executive Committee and Risk Committee, and ultimately to the Board for oversight and monitoring of the respective types of risk. The Bank’s risk management policies and major control limits are approved by the Board or its delegated committees, and are monitored and reviewed regularly according to established policies and procedures.
A review of the effectiveness of the Bank’s internal control system covering all material controls, including financial, operational, compliance, and risk management controls, is conducted annually. The review at the end of 2018 was conducted with reference to the COSO (The Committee of Sponsoring Organisations of the Treadway Commission) internal control framework, which assesses the Bank’s internal control system against the five elements of control environment, risk assessment, control activities, information and communication, and monitoring. The review results have been reported to the Audit Committee, Risk Committee and the Board. The Board is satisfied that such system is effective and adequate. In addition, the Bank, through the Audit Committee, has also reviewed the adequacy of resources, qualifications and experience of staff of the Accounting and Financial Reporting functions, and their training programmes and budget.
The Bank has put in place a robust framework for the disclosure of inside information in compliance with the Securities and Futures Ordinance. The framework sets out the procedures and internal controls for the handling and dissemination of inside information in a timely manner so as to allow all the stakeholders to apprehend the latest position of the Bank and its subsidiaries. The framework and its effectiveness are subject to review on a regular basis according to established procedures.
The primary role of the Internal Audit function is to help the Board and the Management to protect the assets, reputation and sustainability of the Bank. The Internal Audit function provides independent and objective assurance as to whether the design and operational effectiveness of the Bank’s framework of risk management, control and governance processes, as designed and represented by the Management, is adequate.
The Bank has adopted a risk management and internal control structure, referred to as the “Three Lines of Defence”, to ensure it achieves its commercial aims while meeting regulatory and legal requirements, and its responsibilities to shareholders, customers and staff. The Internal Audit function’s role as the third line of defence is independent of the first and second lines of defence. The Bank’s Head of Audit reports to the Chairman and the Audit Committee.
An Internal Audit Charter, which details the purpose, authority, independence and objectivity, accountabilities and scope of work, and standards of audit practices that govern the work of the Internal Audit function, is reviewed and approved by the Audit Committee periodically. Further, the Internal Audit function also maintains a quality assurance and improvement programme that covers all aspects of internal audit activity, including conformance with The Institute of Internal Auditors' (IIA) Standards, applicable regulatory guidance and internal audit policies and procedures.
Results of audit work together with an assessment of the overall risk management and control framework are reported to the Audit Committee and the Risk Committee as appropriate. The Internal Audit function also reviews the Management’s action plans in relation to audit findings and verifies the adequacy and effectiveness of the mitigating controls before formally closing the issue.
PricewaterhouseCoopers is the Bank’s external auditor. The Audit Committee is responsible for making recommendations to the Board on the appointment, re-appointment, removal and remuneration of the external auditor. The external auditor’s independence and objectivity, and the effectiveness of the audit process are also reviewed and monitored by the Audit Committee on a regular basis.
During 2018, fees paid to the Bank’s external auditor for audit services amounted to HK$22.4 million, compared with HK$20.6 million in 2017. For non-audit services, the fees paid to the Bank’s external auditor amounted to HK$8.5 million, compared with HK$8.9 million in 2017. In 2018, the non-audit service assignments covered by these fees included the following:
|Nature of service||Fees paid (HK$million)|
|Other assurance services
The Audit Committee assists the Board in meeting its responsibilities for ensuring effective systems of internal control and compliance relating to financial reporting, and in meeting its financial reporting obligations.
The Risk Committee assists the Board in meeting its responsibilities for ensuring effective systems of risk management, internal control and compliance (other than that relating to financial reporting), and in meeting its risk governance obligations. The Risk Committee also advises and assists the Board’s review of the effectiveness of culture enhancement initiatives.