HSBC 2014 Annual Report Download - page 76


HSBC BANK PLC
Report of the Directors: Risk (continued)
The present value of the group’s defined benefit pension
schemes’ liabilities was as follows:

At 31 December                   2014    2013
                                  £bn     £bn
Liabilities (present value)      20.1    18.5

                                    %       %
Assets:
  Equities                         16      15
  Debt securities                  65      55
  Other (including property)       19      30
                                  100     100

Operational risk
(Unaudited)
Operational risk is relevant to every aspect of our
business and covers a wide spectrum of issues, in
particular legal, compliance, security and fraud. Losses
arising from breaches of regulation and law,
unauthorised activities, error, omission, inefficiency,
fraud, systems failure or external events all fall within
the definition of operational risk.
Responsibility for minimising operational risk lies with
the group’s management and staff. Each country, business
unit and function is required to implement appropriate
internal controls to manage the operational risks of the
business and operational activities for which they are
responsible.

Operational risk management framework
The Operational Risk function and the operational risk
management framework (‘ORMF’) direct business
management in discharging their responsibilities.
The ORMF defines minimum standards and processes,
and the governance structure for operational risk and
internal control across the Group. To implement the
ORMF, a ‘three lines of defence’ model is used for the
management of risk, as described below:
  • The first line of defence is the business who are
    responsible for ensuring that all key risks within their
    operations are identified, mitigated and monitored by
    appropriate internal controls within an overall control
    environment. Every employee is responsible for the
    risks that are a part of their day-to-day jobs.
  • The second line of defence consists of the Functions,
    such as Risk (including Regulatory and Financial Crime
    Compliance), Finance and HR who are responsible for
    providing oversight and challenge of the activities
    conducted by the first line.
  • The third line of defence covers the role of Internal
    Audit, who provide independent assurance over the
    first and second lines of defence.
The ORMF consists of a number of components,
including:
  • Risk and Control Assessments (‘RCAs’), which are used
    to identify and assess the material business risks and
    controls;
  • Key Indicators, which are used to help monitor the
    risks and controls;
  • Principal Risk Analysis, which provides management
    with a quantified view of specific operational risks;
  • Internal incidents, which are used to forecast typical
    losses; and
  • External data, which is used to inform the group’s risk
    assessments.
Activity to embed the use of our operational risk
management framework continued in 2014. At the same
time, we are streamlining operational risk management
processes and harmonising framework components and
risk management processes. This is expected to lead to a
stronger operational risk management culture and more
forward-looking risk insights to enable businesses to
determine whether material risks are being managed
within the Group’s risk appetite and whether further
action is required. In addition, the Security and Fraud
Risk and Financial Crime Compliance functions have built
a Financial Intelligence Unit (‘FIU’) which provides
intelligence on the potential risks of financial crime
posed by customers and business prospects to enable
better risk management decision-making. The FIU
provides context and expertise to identify, assess and
understand financial crime risks holistically in clients,
sectors and markets.
Articulating the risk appetite for material operational
risks helps the bank’s management understand the level
of risk that it is willing to accept. Monitoring operational
risk exposure against the approved risk appetite
measures on a regular basis, and implementing risk
acceptance processes, drives risk awareness in a
forward-looking manner. It assists management in
determining whether further action is required to
proactively manage operational risks within acceptable
levels.
Operational risk and control assessments are performed
by individual business units and functions. The risk and
control assessment process is designed to provide
business areas and functions with a forward-looking view
of operational risks and an assessment of the
effectiveness of controls, and a tracking mechanism for
action plans so that they can proactively manage
operational risks within acceptable levels. Risk and
control assessments are reviewed and updated at least
annually.
Appropriate means of mitigation and controls include:
  • making specific changes to strengthen the internal
    control environment;
  • investigating whether cost-effective insurance cover
    is available to mitigate the risk; and
  • other means of protecting us from loss.
A centralised database is used to record the results of
the operational risk management process. RCAs are
input and maintained by business units, and action plans
monitored. To ensure that operational risk losses are
consistently reported and monitored at country, regional
and group level, all business units/functions are required
to report individual losses when the net loss is expected
to exceed US$10,000. Reviews (for lessons learnt and
root causes) are performed around significant
incidents/losses or when trends arise, to improve
processes and controls.