Risk management & internal control

The Group’s risk governance structure is based on a “three lines of defence” model, with oversight and direction from the Board and Audit Committee.


The risk management and internal control system is intended to help the Group achieve its long-term vision, mission and business sustainability by identifying and evaluating the Group’s risks and by formulating appropriate mitigating controls to protect our business, stakeholders, assets and capital. The risk management and internal control system is embedded in our business functions, and we believe that it enhances long-term shareholder value. The Group’s risks are dependent on and directly linked to the Group’s strategy.

The Board oversees management in the design, implementation and monitoring of the Risk Management and Internal Control Systems, which are designed to manage rather than eliminate the risk of failure to achieve business objectives, and to provide reasonable but not absolute assurance against material misstatement or loss. A review of their effectiveness is conducted annually by the Risk Management Committee (“RMC”) and reported to the Board through the Audit Committee. The primary responsibility for detailed risk identification and management lies with the respective business heads.

The RMC, reporting to the Audit Committee, is responsible for strengthening the Group’s risk management culture, ensuring the overall framework of risk management is comprehensive and responsive to changes in the business, and managing the internal audit function. It regularly reviews the completeness and accuracy of risk assessments, risk reporting and the adequacy of risk mitigation efforts.

As the first line of defence, individual business units identify operational risks and develop and implement the corresponding controls. These activities are monitored and evaluated by division heads and relevant staff managers, and are overseen by the RMC as the second line of defence. As the third line, internal and external reviews are regularly conducted and reported to the Audit Committee, which is charged with ensuring that the enterprise risk management arrangements and structures are appropriate and effective.

The Group has in place a risk management and internal control framework that is consistent with the COSO (the Committee of Sponsoring Organisations of the Treadway Commission) Enterprise Risk Management (ERM) - Integrated Framework and has the following five components:

Governance and Culture

The Group has defined its organisational tone to reinforce the enterprise risk management culture, including ethical values, desired behaviours and risk appetite. A sound organisational structure is established to delegate business functions to the respective business units within limits set by head office management or Executive Directors in pursuit of the Group’s strategy and business objectives.

Strategy and Objective-setting

The Board meets on a regular basis to discuss and agree on business strategies, plans and budgets prepared by individual business units. The Board considers the business context and risk implications when establishing the strategies, to ensure that the Group’s strategies align with, support and integrate with the defined vision and mission.

Performance
The Group identifies, assesses and prioritises the risks that are most relevant to the Group’s success according to their likelihood and impact. Based on the risk assessment, mitigation plans are developed and implemented by individual business units. The result of this process is summarised and reported to the Board annually.

Review and Revision

The Group continuously reviews its risk framework in light of substantial changes and pursues improvements in enterprise risk management.

Information, Communication, and Reporting

The Group encourages obtaining and sharing information, from both internal and external sources, which flows up, down and across the Group. Information systems, channels and reporting tools are established to support enterprise risk management communications within the Group.

Annual Assessment of Risk and Internal Controls

The Group carries out an annual risk assessment by way of an online questionnaire completed by senior staff members, with the objective of improving the design and effectiveness of the Group’s internal controls. Any changes in risk profile and related mitigating measures, new risks and other proposals in risk management are evaluated and documented in the Group’s risk register. The impact of risks, mitigants and recommendations are communicated to the relevant business divisions.

The mitigating controls for the Group’s risks are reviewed and tested periodically by the RMC. The frequency of testing of individual internal controls is determined by reference to the ranking of the underlying risk areas and the strategy of the Group. The Group adopts a peer review format in its annual testing of internal controls by appointing appropriate staff members to audit selected controls of departments other than their own.

The criteria for assessing the effectiveness of internal controls are based on whether the mitigating controls have been operated and enforced throughout the period under review. Findings and recommendations are communicated to the relevant division heads and staff to formulate measures to enhance or rectify any control deficiency.

The RMC conducts regular meetings with division heads and managers from the headquarters and regional offices so as to keep abreast of issues and new risks embedded in business operations, and to enhance existing procedures and controls in line with business needs and market changes. The Group has a robust mechanism for regular reporting of key business and operational performance to both management and the Board, a key element of a healthy risk management system.

We also conduct annual customer and investor surveys, which generate feedback that we act on to further enhance the quality of our service, our investor relations and our corporate governance practices.

Effectiveness of the Risk Management and Internal Control Systems

The RMC reports at least twice a year to the Audit Committee, which regularly assesses the effectiveness of the risk management and internal control systems as the Group develops. Such systems are crucial to the fulfilment of the Group’s business objectives. The Audit Committee reviews how management designs, implements and monitors those systems; the findings, recommendations and follow-up procedures of the annual risk assessment and internal controls testing; the Group’s risk register; and management’s confirmation of the effectiveness of the Group’s risk management and internal control systems, and reports to the Board annually.

In respect of the year ended 31 December 2018, the Board, with confirmation from management, considered the risk management and internal control systems effective and adequate. No significant areas of concern were identified.

Principal Risks

See the Corporate Governance and Strategy Delivery and Risks sections in our 2018 Annual Report.