regulatory change in 2013 has led to increased scrutiny by the GRC of the Group's risk appetite profile and management actions to mitigate risks and exposures.
We have set out in the report below further information on the role and activities of the GRC during 2013.
On behalf of the Committee I should like to thank John Coombe, who will be stepping down as a Director with effect from the 2014 Annual General Meeting, for his valuable contribution.
Joachim Faber
Chairman, Group Risk Committee
24 February 2014
Role and members
The GRC is responsible for advising the Board on high-level risk-related matters and risk governance and for non-executive oversight of risk management and internal controls (other than financial reporting).
| Members¹ | Meetings attended | Meetings eligible to attend |
| --- | --- | --- |
| Joachim Faber² (Chairman) | 9 | 9 |
| John Coombe | 9 | 9 |
| Rona Fairhead³ | 5 | 5 |
| John Lipsky | 9 | 9 |
| Rachel Lomax | 9 | 9 |
| Meetings held in 2013 | 9 | |
1 All members are independent non-executive Directors. With effect from the conclusion of the 2014 Annual General Meeting, John Coombe will retire as a Director and member of the GRC.
2 Appointed chairman of the Committee on 24 May 2013.
3 Retired as a member and chairman of the Committee on 24 May 2013.
John Trueman, a non-executive director of HSBC Bank plc and Chairman of its risk committee, and Robert Herdman, a non-executive director of HSBC North America Holdings Inc. and HSBC Bank USA have both attended meetings of the GRC by invitation during 2013. Their experience of risk-related matters in the financial services industry is valued by the Committee.
Governance
All of HSBC's activities involve, to varying degrees, the measurement, evaluation, acceptance and management of risk or combinations of risks. The Board, advised by the Committee, requires and encourages a strong risk governance culture which shapes the Group's attitude to risk. The Board and the Committee oversee the maintenance and development of a strong risk management framework by continually monitoring the risk environment, top and emerging risks facing the Group and mitigating actions planned and taken.
The Committee monitors the effectiveness of the Group's risk management and internal controls systems other than over financial reporting, which are monitored by the GAC.
The governance structure for the management of risk is set out in the following table. Each major operating subsidiary has established a board committee with non-executive responsibility for oversight of risk-related matters and an executive committee with responsibility for risk-related matters.
Governance structure for the management of risk
| Authority | Membership | Responsibilities include: |
| --- | --- | --- |
| Board | Executive and non-executive Directors | · Approving risk appetite, strategy and performance targets for the Group · Approving appointment of chief risk officers of subsidiary companies · Encouraging a strong risk governance culture which shapes the Group's attitude to risk |
| GRC | Independent non-executive Directors | · Advising the Board on: - risk appetite and alignment with strategy - alignment of remuneration with risk appetite (through advice to the Group Remuneration Committee) - risks associated with proposed strategic acquisitions and disposals · Overseeing high-level risk related matters · Reviewing the effectiveness of the Group's systems of risk management and internal controls (other than over financial reporting) · Overseeing the maintenance and development of a supportive culture in relation to the management of risk |
| Financial System Vulnerabilities Committee | Executive Directors and co-opted non-director members | · Overseeing controls and procedures designed to identify areas of exposure to financial crime or system abuse · Overseeing matters relating to anti-money laundering, sanctions, terrorist financing and proliferation financing · Reviewing policies and procedures to ensure continuing obligations to regulatory and law enforcement agencies are met |
| GAC | Independent non-executive Directors | · Overseeing risks relating to financial reporting and internal control over financial reporting. |
| Risk Management Meeting of the GMB | Group Chief Risk Officer; Chief Legal Officer; Group Chief Executive; Group Finance Director; All other Group Managing Directors | · Formulating high-level global risk policy · Exercising delegated risk management authority · Overseeing implementation of risk appetite and controls · Monitoring all categories of risk and determining appropriate mitigating action · Promoting a supportive Group culture in relation to risk management |
| Global Standards Steering Meeting of the GMB | Group Chief Risk Officer; Chief Legal Officer; Group Chief Executive; Group Finance Director; Global Head of Financial Crime Compliance and Group Money Laundering Reporting Officer; All other Group Managing Directors | · Developing and implementing Global Standards reflecting best practices which must be adopted and adhered to throughout the Group · Overseeing initiatives to ensure our conduct matches our values |
| Global Risk Management Board | Group Chief Risk Officer; Chief Risk Officers of HSBC's global businesses and regions; Heads of risk areas within the Global Risk Function | · Supporting the Risk Management Meeting and the Group Chief Risk Officer in providing strategic direction for the Global Risk function, setting priorities and overseeing their execution · Overseeing consistent approach to accountability for, and mitigation of, risk across the Global Risk function |
| Subsidiary board committees responsible for risk-related matters and global business risk committees | Independent non-executive directors and/or HSBC Group employees with no line or functional responsibility for the activities of the relevant subsidiary or global business, as appropriate | · Providing reports to the GRC or intermediate risk committee on risk-related matters and internal controls (other than over financial reporting) of relevant subsidiaries or businesses, as requested |
Risk reporting and monitoring
The GRC regularly monitors:
· the Group's risk appetite and risk profile against key performance/risk indicators, as set out in the Group's Risk Appetite Statement, on Group-wide, global business and regional bases;
· the top and emerging risks facing the Group; and
· the risk profiles for separate categories of risk within the Group's business identified in the Group's Risk Appetite Statement, on Group-wide, global business and regional bases;
and reviews the mitigating actions proposed by management.
Reports on these items are presented at each meeting of the Committee. Regular reports from the Risk Management Meeting of the GMB, which is the executive body responsible for overseeing risk, are also presented.
In carrying out its responsibilities the Committee is closely supported by the Group Chief Risk Officer. The Committee also receives regular presentations from the Global Head of Financial Crime Compliance and Group Money Laundering Reporting Officer, Global Head of Regulatory Compliance, Group Head of Internal Audit, the Chief Legal Officer and other business, function and risk heads.
Risk appetite
Risk appetite is a key component of our management of risk. The Board, advised by the GRC, approves the Group's risk appetite, which describes the types and levels of risk that the Group is prepared to accept in executing our strategy and which is set out in the Group's Risk Appetite Statement. Embedding risk appetite statements and the related monitoring and reporting framework across the Group has continued to be an area of significant focus in 2013 with initiatives undertaken to:
· further enhance the Global risk appetite framework for consistent adoption by all regions and global businesses within the Group; and
· complete a formal triennial review and assessment that HSBC's risk appetite framework remains fit for purpose, is in line with best practice and adheres to the highest standards.
Our risk appetite framework is underpinned by the core characteristics listed below. These core characteristics are applied to define the risk appetite statements on Group-wide, global business and regional levels. The relevant strategic and operational objectives, within which we expect businesses and regions to operate, are expressed quantitatively across the following dimensions:
Risk appetite: core characteristics
· Risk must be commensurate with sustainable returns
· Strong balance sheet
· Healthy capital position
· Conservative liquidity management
· Strong brand
· Robust Group structure of separate legal entities
· The global businesses should produce sustainable long-term earnings growth
· Risk diversification
| Strategic and operational objectives | |
| --- | --- |
| Earnings | 1. Generate sustainable economic profit commensurate with the risks taken |
| Capital and liquidity | 2. Maintain capital in excess of regulatory and internal economic capital requirements |
| | 3. Maintain a strong capital ratio comprising a high proportion of core tier 1 (common equity tier 1 from 2014) |
| | 4. Maintain a well-diversified funding structure with a particular focus on advances to core funding ratios |
| | 5. Off-balance sheet vehicles should not be material in size relative to the total balance sheet |
| Impairments | 6. Manage impairments within the Group's tolerance |
| Risk category and diversification | 7. Manage all risk categories within the risk appetite |
| | 8. Harness benefits from business diversification to generate non-volatile and sustainable earnings |
| Intra-Group lending | 9. Group entities should operate at all times within intra-group exposure limits |
| Scenario and stress testing | 10. Use robust and appropriate scenario stress testing to assess the potential impact on the Group's capital adequacy and strategic plans |
Top and emerging risks
Identifying and monitoring top and emerging risks is integral to our approach to risk management. We define a 'top risk' as being a current, emerged risk which has arisen across any of our risk categories, regions or global businesses and has the potential to have a material impact on our financial results or our reputation and the sustainability of our long-term business model, and which may form and crystallise within a one-year horizon. We consider an 'emerging risk' to be one which has large uncertain outcomes which may form and crystallise beyond a one-year horizon and, if it were to crystallise, could have a material effect on our long-term strategy.
The GRC discusses top and emerging risks with management at each of its meetings. Current top and emerging risks, which are summarised below, are viewed as falling into three broad categories: macroeconomic and geopolitical; macro-prudential, regulatory and legal risks to our business model; and risks related to our business operations, governance and internal control systems.
The following table shows the current top and emerging risks identified through our risk management processes:
Current top and emerging risks
| Categories | Top and emerging risks |
| --- | --- |
| Macroeconomic and geopolitical risk | · Emerging markets slowdown · Increased geopolitical risk |
| Macro-prudential, regulatory and legal risks to our business model | · Regulatory developments affecting our business model and Group profitability · Regulatory investigations, fines, sanctions, commitments and consent orders and requirements relating to conduct of business and financial crime negatively affecting our results and brand · Dispute risk |
| Risks related to our business operations, governance and internal control systems | · Heightened execution risk · Internet crime and fraud · Information security risk · Data management · Model risk |
Stress testing
Our stress testing and scenario analysis programme is central to the monitoring of top and emerging risks. It highlights the vulnerabilities of our business and capital plans to the adverse effects of extreme but plausible events.
The outcome of the testing and analysis is also used to assess the potential impact of the relevant scenarios on the demand for regulatory capital compared with its supply.
Management develops action plans to mitigate risks identified. The extent to which those action plans are implemented depends on management's evaluation of the risks and their potential consequences, taking into account HSBC's risk appetite.
Further information on scenario stress testing is set out on page 139.
Stress tests and scenario tests fall into three main classifications: regulatory scenarios; Group-wide business scenarios; and specific business or exposure scenarios.
During 2013, the GRC reviewed the outcome of a number of stress tests undertaken by the Group and action plans to mitigate risks where appropriate, including a Group reverse liquidity test and stress tests on the Annual Operating Plan under severe eurozone crisis and US fiscal cliff scenarios, the potential consequences of a breach of the Deferred Prosecution Agreements, worsening economic conditions in Japan and Brazil, a global slowdown scenario, including a hard landing in mainland China, and a eurozone break-up.
The development of HSBC's stress testing and scenario testing analysis programme will continue to be an area of focus for the Committee.
Committee activities
The GRC undertook the following key activities in the discharge of its responsibilities:
· Oversight of executive risk management. Regular reports and presentations were received from the Group Chief Risk Officer including at each meeting a presentation of a 'risk map', which provides analysis, on Group-wide, global business and regional bases, of risk profiles for categories of risk identified in the Group Risk Appetite Statement, and a top and emerging risks report which summarises proposed mitigating actions for identified risks. The Committee received regular reports on matters discussed at Risk Management Meetings.
· Legal and regulatory environment. Reports were received from the Chief Legal Officer on forward-looking legal risks, the Global Head of Financial Crime Compliance and Group Money Laundering Reporting Officer, the Global Head of Regulatory Compliance on forward-looking compliance risks and the Head of Group Performance and Reward. Regular updates were received on the US regulatory and law enforcement authorities and US dispute risk and compliance matters in the US and the steps taken to remediate these compliance issues.
· Obligations under US and UK agreements. Regular updates have been received and reviewed on the Group's progress in meeting obligations under the agreements and orders entered into or made in connection with the resolution of the investigations by US and UK regulatory and law enforcement authorities in December 2012 and actions completed to date.
· HSBC Global Standards. The Committee received regular updates on the Global Standards initiative being undertaken by the Group and the activities of the Global Standards Steering Meeting.
· Financial Crime. The Committee received regular reports on the activities of the Financial System Vulnerabilities Committee.
· Compliance-related initiatives. The Committee received regular reports on the restructuring of the Compliance function, including the development of the blueprint and target operating model for each of the Financial Crime Compliance team and the Regulatory Compliance team and the establishment of a project management office for implementation of compliance-related initiatives.
· US matters. The Committee received regular reports from the Chief Executive Officer of HSBC USA on compliance and regulatory matters in the US.
· Country risk tolerances. The Committee considered enhancements to the Group's country risk tolerance framework. The risk tolerances in respect of the Group's two home markets and 20 priority markets were considered by the Committee.
· Risk data aggregation and risk reporting. The Committee received reports on actions to comply with the Basel Committee on Banking Supervision's principles on data aggregation and risk reporting.
· Review of risk management and internal controls. The Committee undertook an annual review of HSBC's systems of internal controls, other than over financial reporting. During 2013, the Committee monitored the effectiveness of such risk management and internal controls and reported regularly to the Board as described on page 364. A series of presentations were made, and reports submitted, by the heads of the global businesses and global functions to the Committee on the risk control framework in their respective business or function. Reports from the Group Head of Internal Audit on the internal audit process and weaknesses identified in internal controls (other than over financial reporting) were presented to the Committee, as well as reports from regulators relating to the internal control systems.
· Risk appetite. The Committee reviewed the alignment of risk appetite and Group strategy. Regular reviews were undertaken of the Group's risk profile against the key performance indicators set out in the Risk Appetite Statement which considered the need for any adjustment to the risk appetite. The Risk Appetite Statement for 2014 was recommended to the Board for approval, to be used in the preparation of the Annual Operating Plan for 2014. Reports and presentations were received from the Group Chief Risk Officer, including on the results of HSBC's stress testing and scenario analysis programme.
· Alignment of remuneration with risk appetite. Presentations and reports were received on remuneration-related proposals to assist the Committee in giving advice to the Group Remuneration Committee on the alignment of remuneration with risk appetite. The GRC considered risk-related issues to have been appropriately taken into account by the Group Remuneration Committee, including when determining the total variable pay funding pool for the 2013 performance year and the proposed design of the performance scorecard for the 2014 performance year. The Committee received presentations on the procedure for determining individual variable pay awards, including the risk assessment process for identifying matters for which risk-related adjustments may be made to individual and team awards. The process by which an individual's adherence to HSBC Values and the Group's risk-related policies and procedures is taken into account in performance assessment and determination of variable pay was also reported to the Committee. The Committee provided advice and feedback on risk-related matters to the Group Remuneration Committee where appropriate.
· Reputational risk. The Committee received reports from executive management on reputational risk.
· Benchmarking. The Committee received reports on internal benchmarking exercises undertaken against third party assessment of industry best practices for risk and compliance functions.
· Top and emerging risks. In monitoring top and emerging risks the Committee received reports from the Group Chief Risk Officer, the Global Head of Financial Crime Compliance and Group Money Laundering Reporting Officer, the Global Head of Regulatory Compliance and other members of senior management on risks identified and developments in the Group's business, including model risk, people risk, the changing regulatory environment, the implications of regulatory investigations, and global market risk such as the implications of an emerging market slowdown and the impact on trade and capital flows.
· Acquisitions and disposals. The Committee received reports and presentations on risk issues relating to proposed strategic acquisitions and the risk management of disposals and advised the Board appropriately.
· Operational risk. The Committee received regular reports on the Group's operational risk management framework.
· Oversight of risk governance framework. Minutes of the GAC, the Financial System Vulnerabilities Committee, Group Remuneration Committee, GMB including the Risk Management Meeting and the Global Standards Steering Meeting, and the Group Reputational Risk Policy Committee were made available to Committee members.
· Terms of reference and Committee effectiveness. The Committee undertook a review of its terms of reference and of its own effectiveness.
In addition to the scheduled Committee meetings, the Chairman met regularly with the Group Chief Risk Officer, the Group Head of Internal Audit, the Group Finance Director, the Chief Legal Officer and other senior executives as required.
The Group Finance Director, Group Chief Risk Officer, Group Chief Accounting Officer, Group Company Secretary and the external auditor and other senior executives attended Committee meetings.
Professional external advice on US compliance matters has been provided by Promontory Financial Group, US financial consultants.
Terms of reference and subsidiary company risk oversight
The GRC is responsible for non-executive oversight of risk management and internal controls, other than internal controls over financial reporting which is the responsibility of the GAC.
To ensure consistency of scope and approach by subsidiary company committees, the GRC has established core terms of reference to guide subsidiary companies when adopting terms of reference for their non-executive risk committees (or audit committees if those committees are also responsible for the oversight of risk related matters).
The Committee's endorsement is required for any proposed material changes to subsidiary company risk committee terms of reference and for appointments to such committees.
A forum for the chairmen of HSBC's principal subsidiary company committees with responsibility for non-executive oversight of financial reporting and risk-related matters was held in June 2013 to share understanding and to facilitate a consistent approach to the way in which these subsidiary committees operate. The next forum will be held in June 2014.
Chairman's Statement
Having been established in January 2013, the FSVC has two primary purposes - to oversee our compliance with regulatory orders, including oversight of the relationship with the Monitor, and to help identify and then oversee appropriate responses to emerging exogenous threats to HSBC. By so doing, we support HSBC's objective of adopting and enforcing high compliance standards throughout the Group and also help protect HSBC. We recognise that in the past HSBC did not consistently identify, and so prevent, misuse and abuse of the financial system through its network. The adoption of high compliance standards - allied with the highest standards of behaviour - forms part of our strategy to eliminate the possibility of this happening again, and will address our obligations under the deferred prosecution agreements and other agreements and orders entered into or made with US and UK regulatory and law enforcement authorities in 2012.
The FSVC will continue to focus in 2014 on approving and monitoring the adoption of controls and procedures which will underpin our high behavioural and compliance standards. Building and maintaining a strong compliance culture throughout the Group, which is essential to the success of our strategy, will remain a focus area for the FSVC in 2014.
An equally important aspect of the FSVC's role is providing the Group with a forward-looking perspective on financial crime risk and other exogenous threats such as cyber-security. The five subject matter experts appointed to the FSVC, as well as Sir Jonathan Evans who joined the Committee on 6 August 2013, have provided invaluable guidance and advice in identifying risk areas where the Group could become exposed, and working with us to mitigate those risks. In 2014, we will continue to build on this work and I'm delighted that Sir Jonathan has agreed to take over the chairmanship of the Committee during the second quarter of this year.
I would also like to welcome our new Director, Kathleen Casey, who will be joining the FSVC in March 2014.
We have set out in the report below further information on the role and activities of the FSVC during 2013.
Rona Fairhead
Chairman, Financial System Vulnerabilities Committee
24 February 2014