HSBC 2013 Annual Report Download - page 50


HSBC BANK CANADA
48
Management’s Discussion and Analysis (continued)
Operational risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.

Operational risk is relevant to every aspect of our business, and covers a wide spectrum of issues, in particular legal, compliance, security and fraud. Losses arising from breaches of regulation and law, unauthorized activities, error, omission, inefficiency, fraud, systems failure or external events all fall within the definition of operational risk.

Responsibility for minimizing operational risk lies with the bank’s management and staff. Each business unit and functional head is required to maintain oversight over the operational risks and internal controls for the business and operational activities that they are responsible for.

Operational risk management framework

The Operational Risk function and the operational risk management framework (‘ORMF’) assist business management in discharging their responsibilities. The ORMF defines minimum standards and processes, and the governance structure for operational risk and internal control in our businesses and functions.

To implement the ORMF a ‘three lines of defence’ model is used for the management of risk, as described below:

First line of defence: Every employee is responsible for the risks that are a part of their day-to-day jobs. The first line of defence ensures all key risks within their operations are identified, mitigated and monitored by appropriate internal controls within an overall control environment.

Second line of defence: Consists of Functions such as Risk, Finance and Human Resources who are responsible for providing assurance, challenge and oversight of the activities conducted by the first line.

Third line of defence: Internal Audit provides independent assurance over the first and second lines of defence.

The ORMF has been codified in a high level standards manual supplemented with detailed policies, which describe our approach to identifying, assessing, monitoring and controlling operational risk and give guidance on mitigating action to be taken when weaknesses are identified.

Business and Functional management is responsible for maintaining an acceptable level of internal control, commensurate with the scale and nature of operations, and for identifying and assessing risks, designing controls and monitoring the effectiveness of these controls. The ORMF helps managers to fulfil these responsibilities by defining a standard risk assessment methodology and providing a tool for the systematic reporting of operational incident information. A centralized database is used to record the results of the operational risk management process. Significant improvement has been made in strengthening the first line of defence via enhancement of the Business Risk and Control Management (‘BRCM’) network. BRCMs act as risk and control subject matter experts for Businesses and Functions. They assist management in developing risk and control assessments and developing and executing key control monitoring to confirm the continued operation of key controls to management. They are responsible for reporting issues identified through risk and control monitoring and testing, reviewing adequacy of action plans and progress monitoring of remediation plans to closure.

An Operational Risk and Internal Control function, reporting to the Chief Risk Officer, provides end-to-end oversight, challenge and review of the ORMF. The function works closely with the Bank’s Operational Risk and Internal Control Committee (an authorized subcommittee of the RMC), whose mission is to provide governance and strategic oversight of the bank’s operational risk management framework. We actively manage operational risk to reduce exposure to events that could lead to negative impacts.

We continued to enhance our ORMF policies and procedures in 2013 and undertook various activities to further embed the use of the framework in the management of the business. Articulating our risk appetite for material operational risks helps business understand the level of risk our organization is willing to accept. Monitoring operational risk exposure against risk appetite on a regular basis and implementing our risk acceptance process drives risk awareness in a more forward-looking manner and assists management in determining whether further action is required.