Risk management & internal control

The Group’s risk governance structure is based on a “three lines of defence” model, with oversight and direction from the Board and Audit Committee.

Framework

The risk management and internal control systems are to help the Group achieve its long-term vision and mission and business sustainability by identifying and evaluating the Group’s risks and formulating appropriate mitigating controls to protect our business, stakeholders, assets and capital. Risk management and internal control systems are embedded in our business functions and we believe that they enhance long-term shareholder value. The risks of the Group are subject to and are directly linked to the Group’s strategy.

The Board oversees management in the design, implementation and monitoring of the Risk Management and Internal Control Systems, which are designed to manage rather than eliminate the risk of failure to achieve business objectives, and to provide reasonable but not absolute assurance against material misstatement or loss. A review of their effectiveness are conducted annually by the Risk Management Committee (“RMC”) and reported to the Board through the Audit Committee. The primary responsibility for detailed risk identification and management lies with the respective business units.

The RMC, reporting to the Audit Committee, is responsible for strengthening the Group’s risk management culture, ensuring the overall framework of risk management is comprehensive and responsive to changes in the business and market, and managing the internal audit function. It regularly reviews the completeness and accuracy of risk assessments, risk reporting and the adequacy of risk mitigation efforts.

As the first line of defence, individual business units identify operational risks, develop and implement respective controls. These activities are monitored and evaluated by division heads and relevant staff managers, and are overseen by the RMC as the second line of defence. As the third line of defence, internal / external reviews are regularly conducted and reported to the Audit Committee charged with the role to ensure that the enterprise risk management arrangements and structures are appropriate and effective.

The Group has in place a risk management and internal control framework that is consistent with the COSO (the Committee of Sponsoring Organisations of the Treadway Commission) Enterprise Risk Management (ERM) - Integrated Framework and has the following five components:

Governance and Culture

The Group has reinforced enterprise risk management culture, including ethical values, desired behaviours and risk appetite. Sound organisational structure is established to delegate business functions to respective business units within limits set by the head office management or Executive Directors in the pursuit of the Group’s strategy and business objective.

Strategy and Objective-setting

The Board meets on a regular basis to discuss and agree on business strategies, plans and budgets prepared by management. The Board considers business context and risk implications when establishing strategies to ensure that they align, support and integrate with the defined vision and mission.

Performance

The Group identifies, assesses and prioritises the risks that are most relevant to the Group’s success according to their likelihood and impacts. Based on the risk assessment, mitigation plans or controls enhancement are developed and implemented by individual business units. The result of this process is reported to the Board by the RMC annually.

Review and Revision

The Group continuously reviews its risk framework in light of substantial changes and pursues improvements of enterprise risk management.

Information, Communication, and Reporting

The Group encourages obtaining and sharing information, from both internal and external sources, which flows up, down and across the organisation. Information systems, channels and reporting tools are established and regularly upgraded to support enterprise risk management communications of the Group.

Annual Assessment of Risk and Internal Controls

The Group carries out an annual risk assessment by way of an online questionnaire completed by senior staff members with the objective to improve the design and the effectiveness of the Group’s internal controls. Any changes in risk profile and related mitigating measures, new risks and other proposal in risk management are evaluated and documented in the Group’s risk register. The impact of risks, mitigants and recommendations are communicated to the relevant business divisions.

The mitigating controls of the Group’s risks are reviewed and tested periodically by the RMC. The frequency of testing of individual internal controls is by reference to the ranking of the underlying risk areas and the strategy of the Group. The Group adopts a peer review format in its annual testing of internal controls by appointing appropriate staff members auditing selected controls of departments other than their own.

The criteria for assessing the effectiveness of internal controls are based on whether the mitigating controls have been operated and enforced throughout the period being reviewed. Findings and recommendations are communicated with the relevant division heads and staff to formulate measures to enhance or rectify any control deficiency.

The RMC conducts regular meetings with division heads and managers at the headquarters and regional offices so as to keep abreast of issues and new risks that are embedded in business operations and to enhance existing procedures and controls in line with business needs and market changes. The Group has a robust mechanism of regular reporting of key business and operations performance to both management and the Board, which is a key element of a healthy risk management system.

We also conduct annual customer and investor surveys which generate feedback that we act on to further enhance the quality of our service and our investor relations and corporate governance practices.

Effectiveness of the Risk Management and Internal Control Systems

The RMC reports at least twice a year to the Audit Committee which regularly assesses the effectiveness of the risk management and internal control systems as the Group develops. Such systems are crucial for the fulfillment of the Group’s business objectives. The Audit Committee reviews how management designs, implements and monitors those systems, the findings, recommendations and follow-up procedures of the annual risk assessment and internal controls testing, as well as the Group’s risk register and management’s confirmation on the effectiveness of the Group’s risk management and internal control systems, and reports to the Board annually.

In respect of the year ended 31 December 2019, the Board, with confirmation from management, considers the risk management and internal control systems effective and adequate. No significant areas of concern were identified.

Principal Risks

See the Corporate Governance and Strategy Delivery and Risks sections in our 2019 Annual Report