Robust risk governance and accountability are embedded throughout the Group through an established framework that ensures appropriate oversight of and accountability for the effective management of risk.
The Board has ultimate responsibility for the effective management of risk and approves HSBC's risk appetite. The Board is advised on risk-related matters by the following committees:
· The Group Risk Committee advises the Board on risk appetite and its alignment with strategy, risk governance and internal controls, and high-level risk related matters.
· The Financial System Vulnerabilities Committee reports to the Board on matters relating to financial crime and financial system abuse and provides a forward-looking perspective on financial crime risk.
· The Conduct & Values Committee oversees the design and application of HSBC's policies, procedures and standards to ensure that we conduct business responsibly and consistently adhere to HSBC Values, and advises the Board accordingly.
Executive accountability for the ongoing monitoring, assessment and management of the risk environment and the effectiveness of our risk management policies resides with the RMM, the Risk Management Meeting of the Group Management Board ('GMB'). Day-to-day risk management activities are the responsibility of senior managers of individual businesses, supported by global functions as described under 'Three lines of defence' below.
The consistency of governance structures across HSBC is enforced through risk management committees, as set out in our enterprise risk management framework, and adherence to consistent standards and risk management policies.
The executive and non-executive risk governance structures and their interactions are set out on page 193, with similar arrangements in place for major operating subsidiaries.
The report of the Group Risk Committee is on page 266, of the Financial System Vulnerabilities Committee is on page 268, and of the Conduct & Values Committee is on page 272.
The Group's Risk Appetite Statement ('RAS') is the written articulation of the aggregated level and types of risk that we are willing to accept in our business activities in order to achieve our medium to long-term business objectives. It is a key component of our management of risk and is reviewed on an ongoing basis, with formal approval from the Board every six months on the recommendation of the Group Risk Committee.
The Group's actual risk appetite profile is reported to the RMM on a monthly basis to enable senior management to monitor the risk profile and guide business activity in order to balance risk and return, allowing risks to be promptly identified and mitigated, and inform risk-adjusted remuneration to drive a strong risk culture across the Group.
The RAS is established and monitored as part of the Global Risk Appetite Framework, which provides a globally consistent and structured approach to the management, measurement and control of risk by detailing the processes, governance and other features of how risk appetite is cascaded to drive day-to-day decision-making through policies, limits and the control framework.
Risk appetite informs the strategic and financial planning process, defining the desired forward-looking risk profile of the Group. It is also embedded in other enterprise risk tools such as top and emerging risks and stress testing, to ensure consistency in risk management.
Global businesses, geographical regions and strategic countries are required to have their own RASs, which are subject to assurance to ensure they remain directionally aligned to the Group's. All RASs and business activities are guided and underpinned by a set of qualitative principles, outlined in the Appendix to Risk on page 194. Additionally, quantitative metrics are defined along with appetite and tolerance thresholds for 10 risk areas.
The following processes to identify, manage and mitigate risks are integral to risk management at HSBC, helping to ensure that we remain within our risk appetite.
The risk map process provides a point-in-time view of the risk profile of the Group across a suite of risk categories including our material banking risks and insurance risks (see page 105). It assesses the potential for these risks to materially affect our financial results, reputation or business sustainability on current and projected bases.
The risk categories presented on the risk map are regularly assessed through our risk appetite profile, are stress tested and, where thematic issues arise, are considered for classification as top or emerging risks.
Identifying, managing and monitoring risks are integral to our approach to risk management. Our top and emerging risks process provides a forward-looking view of those risks which have the potential to threaten the execution of our strategy and our global operations. Top and emerging risks are generally described thematically, and may have an impact across multiple risk map categories, global businesses or regions.
We define a 'top risk' as a thematic issue arising across any combination of risk map categories, regions or global businesses which has the potential to have a material effect on the Group's financial results, reputation or long-term business model, and which may form and crystallise between six months and one year. The risk impact may be well understood by senior management, with some mitigating actions already in place. Stress tests of varying granularity may also have been carried out to assess the effect.
An 'emerging risk' is defined as a thematic issue that has large unknown components which may form and crystallise beyond a one-year time horizon. If it were to materialise, it could have a significant material effect on a combination of the Group's long-term strategy, profitability and reputation. Existing management action plans are likely to be minimal, reflecting the uncertain nature of these risks at this stage. Some high-level analysis and/or stress testing may have been carried out to assess the impact.
Our top and emerging risk framework enables us to identify and manage current and forward-looking risks to ensure our risk appetite remains appropriate. The ongoing assessment of our top and emerging risks is informed by a comprehensive suite of risk factors (see page 108) and the results of our stress testing programme. When our top and emerging risks result in our risk appetite being exceeded, or have the potential to exceed, we take steps to mitigate them, including reducing our exposure to areas of stress.
Our current top and emerging risks are discussed on page 110.
Our stress testing and scenario analysis programme examines the sensitivities of our capital plans and unplanned demand for regulatory capital under a number of scenarios and ensures that top and emerging risks are appropriately considered. These scenarios include, but are not limited to, adverse macroeconomic events, failures at country, sector and counterparty levels, geopolitical occurrences and a variety of projected major operational risk events.
At Board level, the Group Chief Risk Officer and the Group Finance Director are the two executive Directors jointly accountable for oversight of stress testing in HSBC. The Stress Testing Management Board, which is chaired by the Group Finance Director, is responsible for stress testing strategy and stewardship. Updates on stress testing are provided regularly to the RMM. The Group Risk Committee is informed and consulted on the bank's stress testing activities, as appropriate, and approves the key elements of the Bank of England concurrent stress test, including final results.
The development of macroeconomic scenarios is a critical part of the process. Potential scenarios are defined and generated by a panel of economic experts from various global teams, including Risk and Finance. Scenarios are translated into financial impacts, such as on our forecast profitability and RWAs, using a suite of stress testing models and methodologies. Models are subject to independent model review and go through a process of validation and approval. Model overlays may be considered where necessary.
Stress testing results are subject to a review and challenge process at regional, global business and Group levels and action plans are developed to mitigate identified risks. The extent to which these action plans would be implemented in the event of particular scenarios occurring depends on senior management's evaluation of the risks and their potential consequences, taking into account HSBC's risk appetite.
In addition to the Group-wide risk scenarios, each major HSBC subsidiary conducts regular macroeconomic and event-driven scenario analyses specific to their region. They also participate in local regulatory stress testing programmes, where required.
Stress testing is applied to risks such as operational risk, including market risk, liquidity and funding risk, credit risk and conduct to evaluate the potential effects of stress scenarios on portfolio values, structural long-term funding positions, income or capital.
Reverse stress testing is run annually on both Group and, where required, subsidiary entity bases. This stress test is conducted by assuming the business model is non-viable and works backwards to identify a range of occurrences that could bring that event about. Non-viability might occur before the bank's capital is depleted, and could result from a variety of events, including idiosyncratic or systemic events or combinations thereof. It could imply failure of the Group's holding company or one of its major subsidiaries. Reverse stress testing is used to strengthen our resilience by identifying potential stresses and vulnerabilities which the Group might face and helping to inform early-warning triggers, management actions and contingency plans designed to mitigate their effect, were they to occur.
HSBC participated in regulatory stress testing programmes in a number of jurisdictions during 2015, as outlined on page 116. In addition, we have conducted an internal stress test, incorporating the latest portfolio developments and business plan. For this exercise management considers that the Bank of England 2015 scenario reflects key risks which merit examination at this time. The results of this exercise are used for internal risk and capital management processes, including the Internal Capital Adequacy Assessment Process ('ICAAP').
We use the three lines of defence model to underpin our approach to strong risk management. It defines responsibilities for: identifying, assessing, measuring, managing, monitoring and mitigating risks; encouraging collaboration; and enabling efficient coordination of risk and control activities.
For details of the three lines of defence model, see page 177.
All employees are required to identify, assess and manage risk within the scope of their assigned responsibilities and, as such, they are critical to the effectiveness of the three lines of defence.
Clear and consistent employee communication on risk conveys strategic messages and sets the tone from senior leadership. We deploy a suite of mandatory training on critical risk and compliance topics to embed skills and understanding and strengthen the risk culture within HSBC. It reinforces the attitude to risk in the behaviour expected of employees, as described in our risk policies. The training is updated regularly, describing technical aspects of the various risks assumed by the Group and how they should be managed effectively. A confidential disclosure line enables staff to raise concerns (see page 179).
Our risk culture is reinforced by our approach to remuneration. Individual awards, including those for executives, are based on compliance with HSBC Values and the achievement of financial and non-financial objectives which are aligned to our risk appetite and global strategy.
For further information on risk and remuneration, see the Report of the Group Remuneration Committee on page 270.
Global Risk, headed by the Group Chief Risk Officer, is responsible for the enterprise risk management framework. This includes establishing global policy, monitoring risk profiles and forward-looking risk identification and management. Global Risk also has functional responsibility for risk management in support of HSBC's global businesses and regions through its Risk sub-functions, which are independent from the sales and trading functions of the Group's businesses. This independence ensures the necessary balance in risk/return decisions.
The material risk types associated with our banking and insurance manufacturing operations are described in the tables below.
Description of risks - banking operations
Credit risk (page 118)
The risk of financial loss if a customer or counterparty fails to meet an obligation under a contract.
Credit risk arises principally from direct lending, trade finance and leasing business, but also from certain other products such as guarantees and derivatives.
Credit risk is:
· measured as the amount which could be lost if a customer or counterparty fails to make repayments. In the case of derivatives, the measurement of exposure takes into account the current mark-to-market value to HSBC of the contract and the expected potential change in that value over time caused by movements in market rates;
· monitored within limits approved by individuals within a framework of delegated authorities. These limits represent the peak exposure or loss to which HSBC could be subjected should the customer or counterparty fail to perform its contractual obligations; and
· managed through a robust risk control framework which outlines clear and consistent policies, principles and guidance for risk managers.
Liquidity and funding risk (page 154)
The risk that we do not have sufficient financial resources to meet our obligations as they fall due or that we can only do so at excessive cost.
Liquidity risk arises from mismatches in the timing of cash flows. Funding risk arises when the liquidity needed to fund illiquid asset positions cannot be obtained at the expected terms and when required.
Liquidity and funding risk is:
· measured using internal metrics including stressed operational cash flow projections, coverage ratios and advances to core funding ratios;
· monitored against the Group's liquidity and funding risk framework and overseen by regional Asset and Liability Management Committees ('ALCO's), Group ALCO and the RMM; and
· managed on a stand-alone basis with no reliance on any Group entity (unless pre-committed) or central bank unless this represents routine established business-as-usual market practice.
Market risk (page 166)
The risk that movements in market factors, including foreign exchange rates and commodity prices, interest rates, credit spreads and equity prices, will reduce our income or the value of our portfolios.
Exposure to market risk is separated into two portfolios:
· trading portfolios comprise positions arising from market-making and warehousing of customer-derived positions.
· non-trading portfolios comprise positions that primarily arise from the interest rate management of our retail and commercial banking assets and liabilities, financial investments designated as available for sale and held to maturity, and exposures arising from our insurance operations (page 180).
Market risk is:
· measured in terms of value at risk, which is used to estimate potential losses on risk positions as a result of movements in market rates and prices over a specified time horizon and to a given level of confidence, augmented with stress testing to evaluate the potential impact on portfolio values of more extreme, though plausible, events or movements in a set of financial variables;
· monitored using measures including the sensitivity of net interest income and the sensitivity of structural foreign exchange which are applied to the market risk positions within each risk type; and
· managed using risk limits approved by the GMB for HSBC Holdings and our various global businesses. These units are allocated across business lines and to the Group's legal entities.
Operational risk (page 176)
The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk.
Operational risk arises from day to day operations or external events, and is relevant to every aspect of our business. Compliance risk and Fiduciary risk are discussed below. Other operational risks are covered in the Appendix to Risk (page 217).
Operational risk is:
· measured using both the top risk analysis process and the risk and control assessment process, which assess the level of risk and effectiveness of controls;
· monitored using key indicators and other internal control activities; and
· managed primarily by global business and functional managers. They identify and assess risks, implement controls to manage them and monitor the effectiveness of these controls utilising the operational risk management framework. Global Operational Risk is responsible for the framework and for overseeing the management of operational risks within global businesses and global functions.
Compliance risk (page 178)
The risk that we fail to observe the letter and spirit of all relevant laws, codes, rules, regulations and standards of good market practice, and incur fines and penalties and suffer damage to our business as a consequence.
Compliance risk is part of operational risk, and arises from rules, regulations, other standards and Group policies, including those relating to anti-money laundering, anti-bribery and corruption, counter-terrorist and proliferation financing, sanctions compliance and conduct of business. The US DPA is discussed on page 113 and the Monitor on page 116.
Compliance risk is:
· measured by reference to identified metrics, incident assessments (whether affecting HSBC or the wider industry), regulatory feedback and the judgement and assessment of compliance officers in our global businesses, regions and functions;
· monitored against our compliance risk assessments and metrics, the results of the monitoring and control activities of the second line of defence functions, including the Financial Crime Compliance and Regulatory Compliance sub-functions, and the results of internal and external audits and regulatory inspections; and
· managed by establishing and communicating appropriate policies and procedures, training employees in them, and monitoring activity to assure their observance. Proactive risk control and/or remediation work is undertaken where required.
Other material risks
Reputational risk (page 189)
The risk of failure to meet stakeholder expectations as a result of any event, behaviour, action or inaction, either by HSBC itself, our employees or those with whom we are associated, that might cause stakeholders to form a negative view of the Group. This may result in financial or non-financial impacts, loss of confidence, or other consequences.
Primary reputational risks arise directly from an action or inaction by HSBC, its employees or associated parties that are not the consequence of another type of risk. Secondary reputational risks are those arising indirectly and are a result of another risk caused either by HSBC, its employees or associated third parties.
Reputational risk is:
· measured by reference to our reputation as indicated by our dealings with all relevant stakeholders, including media, regulators, customers and employees;
· monitored through a reputational risk management framework that is integrated into the Group's broader risk taxonomy; and
· managed by every member of staff and is covered by a number of policies and guidelines. There is a clear structure of committees and individuals charged with mitigating reputational risk, including the Group Reputational Risk Policy Committee, the Global Risk Resolution Committee and reputational risk committees in the regions and global businesses.
Fiduciary risk (page 189)
The risk of breaching our fiduciary duties, defined as any duty where HSBC holds, manages, oversees or has responsibilities for assets for a third party that involves a legal and/or regulatory duty to act with the highest standard of care and with utmost good faith.
Fiduciary risk is part of operational risk, and arises from our business activities where we act in a fiduciary capacity ('designated businesses') as Trustee, Investment Manager or as mandated by law or regulation.
Fiduciary risk is:
· measured by each designated business monitoring against their own risk appetite statements and by the operational risk and control assessment process, which assesses the level of risk and the effectiveness of the key controls;
· monitored through a combination of testing, key indicators and other metrics such as client and regulatory feedback; and
· managed within the designated businesses via established governance frameworks, and comprehensive policies, procedures and training programmes.
Pension risk (page 189)
The risk that contributions from Group companies and members fail to generate sufficient funds to meet the cost of accruing benefits for the future service of active members, and the risk that the performance of assets held in pension funds is insufficient to cover existing pension liabilities.
Pension risk arises from investments delivering an inadequate return, economic conditions leading to corporate failures, adverse changes in interest rates or inflation, or members living longer than expected (longevity risk). Pension risk includes operational risks listed above.
Pension risk is:
· measured in terms of the schemes' ability to generate sufficient funds to meet the cost of their accrued benefits;
· monitored through the specific risk appetite that has been developed at both Group and regional levels; and
· managed locally through the appropriate pension risk governance structure and globally through the RMM.
Sustainability risk (page 190)
The risk that financial services provided to customers by the Group indirectly result in unacceptable impacts on people or on the environment.
Sustainability risk arises from the provision of financial services to companies or projects which indirectly result in unacceptable impacts on people or on the environment.
Sustainability risk is:
· measured by assessing the potential sustainability effect of a customer's activities and assigning a Sustainability Risk Rating to all high risk transactions;
· monitored quarterly by the RMM and monthly by Group Sustainability Risk; and
· managed using sustainability risk policies covering project finance lending and sector-based sustainability policies for sectors and themes with potentially high environmental or social impacts.
Our insurance manufacturing subsidiaries are separately regulated from our banking operations. Risks in the insurance entities are managed using methodologies and processes appropriate to insurance activities, but remain subject to oversight at Group level. Our insurance operations are also subject to the operational risks and the other material risk types presented above in relation to the banking operations, and these are covered by the Group's risk management processes.
Description of risks - insurance manufacturing operations
Financial risks (page 183)
Our ability to effectively match the liabilities arising under insurance contracts with the asset portfolios that back Liabilities to policyholders under unit-linked contracts move in line with the value of the underlying assets, and as such the policyholder bears the majority of the financial risks. Contracts with DPF share the performance of the underlying assets between policyholders and the shareholder in line with the type of contract and the specific contract terms.
Exposure to financial risks arises from:
· market risk of changes in the fair values of financial assets or their future cash flows from fluctuations in variables such as interest rates, foreign exchange rates and equity prices;
· credit risk and the potential for financial loss following the default of third parties in meeting their obligations; and
· liquidity risk of entities not being able to make payments to policyholders as they fall due as there are insufficient assets that can be realised as cash.
Financial risks are:
· measured separately for each type of risk:
- market risk is measured in terms of exposure to fluctuations in key financial variables;
- credit risk is measured as the amount which could be lost if a customer or counterparty fails to make repayments; and
- liquidity risk is measured using internal metrics including stressed operational cash flow projections.
· monitored within limits approved by individuals within a framework of delegated authorities; and
· managed through a robust risk control framework which outlines clear and consistent policies, principles and guidance for risk managers. Subsidiaries manufacturing products with guarantees are usually exposed to falls in market interest rates and equity prices to the extent that the market exposure cannot be managed by utilising any discretionary participation (or bonus) features within the policy contracts they issue.
Insurance risk (page 188)
The risk that, over time, the cost of the contract, including claims and benefits may exceed the total amount of premiums and investment income received.
The cost of claims and benefits can be influenced by many factors, including mortality and morbidity experience, lapse and surrender rates.
Insurance risk is:
· measured in terms of life insurance liabilities;
· monitored by the RBWM Risk Management Committee, which checks the risk profile of the insurance operations against a risk appetite for insurance business agreed by the GMB; and
· managed both centrally and locally using product design, underwriting, reinsurance and claims-handling procedures.
The chart below provides a high level guide to how our business activities are reflected in our risk measures and in the Group's balance sheet. The third-party assets and liabilities indicate the contribution each business makes to the balance sheet, while RWAs illustrate the relative size of the risks incurred in respect of each business.
Exposure to risks arising from the business activities of global businesses
For footnote, see page 191.
We have identified a comprehensive suite of risk factors which covers the broad range of risks our businesses are exposed to.
A number of the risk factors have the potential to affect the results of our operations or financial condition, but may not necessarily be deemed as top or emerging risks. However, they inform the ongoing assessment of our top and emerging risks. The risk factors are:
· Current economic and market conditions may adversely affect our results.
· We are subject to political and economic risks in the countries in which we operate, including the risk of government intervention.
· We may suffer adverse effects as a result of the interaction between market perceptions surrounding mainland China's slowdown, the course of global monetary policies, economic conditions in the eurozone and damage from plummeting oil prices, all of which may result in further capital outflows from emerging markets.
· Changes in foreign currency exchange rates may affect our results.
· Failure to implement and adhere to our obligations under the deferred prosecution agreements could have a material adverse effect on our results and operations.
· We may fail to effectively manage affiliate risk.
· Failure to comply with certain regulatory requirements could have a material adverse effect on our results and operations.
· We may fail to meet the requirements of regulatory stress tests.
· We are subject to a number of legal and regulatory actions and investigations, the outcomes of which are inherently difficult to predict.
· We are subject to unfavourable legislative or regulatory developments and changes in the policy of regulators or governments.
· We may fail to comply with all applicable regulations, particularly any changes thereto.
· We and our UK subsidiaries may become subject to stabilisation provisions under the Banking Act 2009, as amended, in certain significant stress situations.
· Structural separation of banking and trading activities proposed or enacted in a number of jurisdictions could have a material adverse effect on us.
· We are subject to tax-related risks in the countries in which we operate.
· The delivery of our strategic actions is subject to execution risk.
· We may not achieve any of the expected benefits of our strategic initiatives.
· We may fail to increase the cross-selling and/or business synergies required to achieve our growth strategy.
· We operate in markets that are highly competitive.
· Our risk management measures may not be successful.
· Operational risks are inherent in our business.
· Our operations are subject to the threat of fraudulent activity.
· Our operations are subject to disruption from the external environment.
· Our operations utilise third-party suppliers and service providers.
· Our operations are highly dependent on our information technology systems.
· We may not be able to meet regulatory requests for data.
· Our operations have inherent reputational risk.
· We may suffer losses due to employee misconduct.
· We rely on recruiting, retaining and developing appropriate senior management and skilled personnel.
· Our financial statements are based in part on judgements, estimates and assumptions which are subject to uncertainty.
· We could incur losses or be required to hold additional capital as a result of model limitations or failure.
· Third parties may use us as a conduit for illegal activities without our knowledge.
· We have significant exposure to counterparty risk.
· Market fluctuations may reduce our income or the value of our portfolios.
· Liquidity, or ready access to funds, is essential to our businesses.
· Any reduction in the credit rating assigned to HSBC Holdings, any subsidiaries of HSBC Holdings or any of their respective debt securities could increase the cost or decrease the availability of our funding and adversely affect our liquidity position and interest margin.
· Risks concerning borrower credit quality are inherent in our businesses.
· Our insurance businesses are subject to risks relating to insurance claim rates and changes in insurance customer behaviour.
· HSBC Holdings is a holding company and, as a result, is dependent on loan payments and dividends from its subsidiaries to meet its obligations, including obligations with respect to its debt securities, and to provide profits for payment of future dividends to shareholders.
· We may be required to make substantial contributions to our pension plans.