Risk management & internal control

The Group’s risk governance structure is based on a “Three Lines of Defense” model, with oversight and directions from the Board and Audit committee.

Framework

The risk management and internal control system is intended to help the Group achieve its long-term vision, mission and business sustainability by identifying and evaluating the Group’s risks and by formulating appropriate mitigating controls to protect our business, stakeholders, assets and capital. The risk management and internal control system is embedded in our business functions and we believe that it enhances long-term shareholder value. The risks of the Group are subject to, and directly linked to, the Group’s strategy.

The Board oversees management in the design, implementation and monitoring of the Risk Management and Internal Control Systems, which are designed to manage rather than eliminate the risk of failure to achieve business objectives, and to provide reasonable but not absolute assurance against material misstatement or loss. A review of its effectiveness is conducted annually by the Risk Management Committee (“RMC”) and reported to the Board through the Audit Committee. The primary responsibility for detailed risk identification and management lies with the respective business heads.

The RMC, reporting to the Audit Committee, is responsible for strengthening the Group’s risk management culture, ensuring the overall framework of risk management is comprehensive and responsive to changes in the business, and managing the internal audit function. It regularly reviews the completeness and accuracy of risk assessments, risk reporting and the adequacy of risk mitigation efforts.

As the first line of defense, individual business units identify operational risks and develop and implement the respective controls. These activities are monitored and evaluated by division heads and relevant staff managers, and are overseen by the RMC as the second line of defense. As the third line, internal and external reviews are regularly conducted and reported to the Audit Committee, which is charged with ensuring that the enterprise risk management arrangements and structures are appropriate and effective.

The Group has in place a risk management and internal control framework that is consistent with the COSO (the Committee of Sponsoring Organisations of the Treadway Commission) Enterprise Risk Management (ERM) - Integrated Framework and has the following five components:

Governance and Culture

The Group has defined an organisational tone to reinforce its enterprise risk management culture, including ethical values, desired behaviours and risk appetite. A sound organisational structure is established to delegate business functions to the respective business units within limits set by head office management or the Executive Directors in pursuit of the Group’s strategy and business objectives.

Strategy and Objective-setting

The Board meets on a regular basis to discuss and agree on the business strategies, plans and budgets prepared by individual business units. The Board considers the business context and risk implications while establishing the strategies, to ensure that the Group’s strategies align with, support and integrate with the defined vision and mission.

Performance

The Group identifies, assesses and prioritises the risks that are most relevant to the Group’s success according to their likelihood and impact. Based on the risk assessment, mitigation plans are developed and implemented by individual business units. The result of this process is summarised and reported to the Board annually.

Review and Revision

The Group continuously reviews its risk framework in light of substantial changes and pursues improvements to enterprise risk management.

Information, Communication, and Reporting

The Group encourages obtaining and sharing information, from both internal and external sources, which flows up, down and across the Group. Information systems, channels and reporting tools are established to support enterprise risk management communications in the Group.

Annual Assessment of Risk and Internal Controls

Risks and their respective mitigating controls, identified and updated via our annual internal online risk assessment questionnaire completed by senior staff members, are documented in the Group’s risk register which is reviewed by the Audit Committee at least annually. This exercise enables the design of better or more suitable internal controls.

We also conduct annual customer and investor surveys, which generate feedback that we act on to further enhance the quality of our service and our investor relations and corporate governance practices.

The RMC conducts regular meetings with division heads and managers from the headquarters and regional offices so as to keep abreast of issues and new risks embedded in the business operations, and to enhance existing procedures and controls in line with business needs and market changes. The Group has a robust mechanism for regular reporting of key business and operational performance to both management and the Board, a key element of a healthy risk management system.

The mitigating controls for the Group’s risks are reviewed and tested periodically by the RMC. The frequency of testing of individual internal controls is determined by reference to the ranking of the underlying risk areas and the strategy of the Group. With the assistance of appropriate staff members from other departments, internal controls testing on the selected controls takes place annually.

The criteria for assessing the effectiveness of internal controls are based on whether mitigating controls have been operated and enforced throughout the period being reviewed.

Findings and recommendations are communicated with the relevant division heads and staff to formulate measures to enhance or rectify any control deficiency.

Effectiveness of the Risk Management and Internal Control Systems

The RMC reports at least twice a year to the Audit Committee, which regularly assesses the effectiveness of the risk management and internal control systems as the Group develops. Such systems are crucial to the fulfilment of the Group’s business objectives. The Audit Committee reviews how management designs, implements and monitors those systems, the findings, recommendations and follow-up procedures of the annual assessment, and management’s confirmation of the effectiveness of the Group’s risk management and internal control systems, and reports to the Board annually.

In respect of the year ended 31 December 2017, the Board, with confirmation from management, considered the risk management and internal control systems effective and adequate. No significant areas of concern were identified.

Principal Risks

See the Corporate Governance and Strategy Delivery and Risks sections in our 2017 Annual Report.