The Group Risk Committee ('GRC') oversees and advises the Board on high-level risk-related matters and internal control, other than internal financial controls, which are overseen by the Group Audit Committee. The GRC is responsible for ensuring that the Group's risk profile and underlying business activity are in line with the risk appetite approved by the Board.
The tone from the top of the Group, which is set by senior management, is critical to effective risk management. During the year the GRC continued to focus on steps taken to communicate and reinforce the Group's commitment to 'doing the right thing'. This focus is reflected in the advice the GRC provides to the Group Remuneration Committee in connection with executive pay.
The implications of an evolving legal and regulatory framework for financial institutions present an ongoing challenge. The 2014 PRA and EBA stress testing programmes were a particular area of focus for the GRC during the year. The nature and pace of legal and regulatory change in 2014 has also led to increased scrutiny by the GRC of the Group's risk appetite profile and management actions to mitigate legal and regulatory risks and exposures.
Geopolitical risk has remained an ongoing theme for the GRC, and during the year, the GRC held a joint meeting with the Group Audit Committee to consider key risks in China and the Asia Pacific region. It is expected that geopolitical risk will also be a theme for the GRC throughout 2015.
Heidi Miller joined the GRC in September 2014 and brings with her significant global financial services experience. Heidi has held a range of senior financial services sector appointments, most recently as President of JPMorgan International. Further details are provided in Heidi's biography on page 267.
Toward the end of 2014 a regulatory driven industry-wide review of IT infrastructure commenced which will continue into 2015.
Joachim Faber
Chairman, Group Risk Committee
23 February 2015
The GRC is responsible for:
· advising the Board on high-level risk-related matters and risk governance, including current and forward looking risk exposures, future risk strategy and management of risk within the Group;
· advising the Board on risk appetite and risk tolerance;
· reviewing the effectiveness of the Group's risk management framework and internal control systems (other than internal financial control systems, which are the responsibility of the Group Audit Committee);
· monitoring executive control and management of risk including top and emerging risks; and
· advising the Group Remuneration Committee on the alignment of remuneration with risk appetite.
The GRC comprises independent non-executive Directors as listed below.
Members | Meetings attended | Meetings eligible to attend
Joachim Faber (Chairman) | 13 | 13
John Coombe¹ | 5 | 5
John Lipsky | 13 | 13
Rachel Lomax | 13 | 13
Heidi Miller² | 4 | 4
Meetings held in 2014 | | 13
¹ Retired as a Director and member on 23 May 2014.
² Appointed a member on 1 September 2014.
By invitation, John Trueman, a non-executive director of HSBC Bank plc, attended meetings of the GRC throughout 2014. Safra Catz, a non-executive Director of HSBC Holdings plc, attended two presentations given to the GRC on IT-related matters.
All of HSBC's activities involve the measurement, evaluation, acceptance and management of risk or combinations of risks. The Board, advised by the GRC, requires and encourages a strong risk governance culture which shapes the Group's attitude to risk. The Board and the GRC oversee the maintenance and development of a strong risk management framework by continually monitoring the risk environment, top and emerging risks facing the Group and mitigating actions planned and taken.
The governance structure of the Board and its committees for the management of risk is set out in the table on page 24. The GRC has overall non-executive responsibility for oversight of risk across the Group. The Conduct & Values and the Financial System Vulnerabilities committees are responsible for the oversight of specific areas of risk which include the promotion and embedding of HSBC Group Values and HSBC Group principles and the oversight of matters relating to anti-money laundering, sanctions, terrorist financing and proliferation financing. The Conduct & Values and the Financial System Vulnerabilities committees regularly update the GRC on their activities.
Each major Group operating subsidiary has established a board committee with non-executive responsibility for oversight of risk-related matters and an executive committee with responsibility for risk-related matters. The GRC has set core terms of reference for subsidiary company non-executive risk and audit committees.
Further details of the structures in place for the management of risk across the Group are provided on pages 112 to 118.
The GRC discussed top and emerging risks and the Group's risk profile with management at each of its meetings. In monitoring top and emerging risks the GRC received reports and presentations from the Group Chief Risk Officer (an executive Director), the Global Head of Financial Crime Compliance and Group Money Laundering Reporting Officer, and the Global Head of Regulatory Compliance. During the year, other members of senior management attended GRC meetings, including the Group Chief Operating Officer, the Global Head of Risk Strategy and Chief of Staff, the Head of Group Performance and Reward and the Group Chief Data Officer.
The Group Chief Risk Officer provided regular reports and presentations to the GRC, including at each meeting a presentation of the 'risk map' which describes our risk profile by risk type in the global businesses and regions, the Group Risk Appetite Statement, and the top and emerging risks report which summarised the mitigating actions for identified risks. The GRC requested reports and updates from management on risk-related issues identified for in-depth consideration and also received regular reports on matters discussed at Risk Management Meetings of the GMB.
Page 118 provides further information on the top and emerging risks for the Group.
Throughout the year, the GRC Chairman met with the Group Chief Risk Officer, the Group Head of Internal Audit, the Group Finance Director, the Chief Legal Officer and other senior executives as required.
In addition to addressing the matters noted above, the GRC focused on a number of key areas including those set out in the table below.
Principal activities and significant issues considered include:
Key area | Action taken
The Group Risk Appetite Statement and monitoring | The GRC reviewed management proposals for revisions to the Group Risk Appetite Statement metrics for 2014. Following review, the Committee recommended a number of refinements to the Group Risk Appetite Statement to the Board, including the cost efficiency, Common Equity Tier 1 Capital and sovereign exposure ratios. The GRC regularly reviews the Group's risk profile against the key performance metrics set out in the Risk Appetite Statement. The GRC reviewed management's assessment of risk and provided scrutiny of management's proposed mitigating actions.
PRA and EBA concurrent | The GRC monitored the PRA and EBA stress testing exercises and reviewed the results of stress testing prior to submission to the respective regulators. It received reports over the course of the PRA and EBA stress testing exercises and met three times during the year solely to consider stress testing related matters. At these meetings the GRC reviewed the stress test scenarios as set by the PRA and EBA and the enhancements to these scenarios where appropriate. The GRC oversaw a review of the lessons learnt from this stress testing exercise. Internal Audit assessed progress on the regulatory stress testing programmes and reported its conclusions and recommendations to the GRC.
Execution risk | Execution risk is the risk relating to the delivery of the Group strategy and is a standing agenda item for the GRC. Monitoring of this risk and challenging management's assessment of execution risk and corresponding mitigating actions remain a priority for the GRC. In addition to the regular reports received and 'deep-dive reviews' conducted on specific issues identified, the GRC requested reports from Internal Audit on the themes identified during the course of its work.
Legal and regulatory risks | The legal and regulatory environment continues to evolve in both complexity and the level of requirements placed on financial services sector firms. The GRC received regular reports on legal and regulatory risks, reviewed management actions to mitigate these risks and considered the potential impact of future developments in this area on the Group. In 2015, these included reports concerning risks related to investigations of HSBC's Swiss Private Bank by a number of tax administration, regulatory and law enforcement authorities. A particular area of focus for the GRC remains the uncertainty in respect of capital adequacy regulatory requirements; further time has been scheduled for the GRC to address this matter.
IT and data-related risks | During the year, the GRC considered a number of IT and data-related risks, including internet crime and fraud, data management and aggregation, and information security. The GRC reviewed management's assessment of these risks and management actions to mitigate them. IT and data-related risks are expected to remain an area of focus for the GRC during the course of 2015.
Geopolitical risk | The GRC received regular reports on geopolitical risks, including the crises in the Middle East and Ukraine and the continued tensions in respect of maritime sovereignty in the South China Sea. Management provided regular updates on the implementation of mitigating actions in response to these matters, which included the augmentation of anti-money laundering, sanctions and financial crime compliance controls. The GRC also held a joint meeting with the Group Audit Committee which focused on issues faced in mainland China and the Asia-Pacific region.
Further information on the identification, management and mitigation of the risks set out above is provided on pages 114 to 117.