Good risk management and control lie at the heart of any business, particularly a financial services firm – they are integral parts of providing consistent, high-quality returns to shareholders. If we fail to adequately manage and control our risks, we may suffer significant financial losses. Potentially more important is the resultant damage to our reputation, which could undermine the share price by reducing the client base and impairing the ability to retain talented employees. Ultimately, regulators might be forced to impose constraints upon our business.
We recognize that taking risk is core to the financial business and that operational risks are an inevitable consequence of being in business.
The aim is not, therefore, to eliminate all risks but to achieve an appropriate balance between risk and return. Thus, in the day-to-day business and in the strategic management of the balance sheet and capital, we seek to limit the scope for adverse variations in our earnings and exposure to “stress events” for all the material risks we face.
We have to base our approach to risk management and control on five principles. Business management is accountable for all the risks assumed throughout the firm and is responsible for the continuous and active management of risk exposures to ensure that risk and return are balanced. This responsibility applies not only to the traditional banking risks of credit and market risk but also to the many and varied operational risks that potentially arise from inadequate or failed internal processes, people or systems or from external causes, which may be deliberate, accidental or natural.
An independent control process is implemented when required by the nature of the risks, in particular to balance short-term profit incentives and the long-term interests of the Bank. The control functions are responsible for providing an objective check on risk-taking activities. Comprehensive, transparent and objective risk disclosure to the senior management, the Board of Directors, shareholders, regulators, rating agencies and other stakeholders is the cornerstone of the risk control process.
We have to protect our earnings by controlling risk at the level of individual exposures, at a portfolio level and in aggregate, across all risk types and businesses, relative to our risk capacity – the level of risk we are capable of absorbing, based on our earnings power.
We protect our reputation by managing and controlling the risks incurred in the course of the business, and for this reason we avoid concentrations of exposure and limit potential stress losses, not only from credit, market and liquidity risks but also from operational risks. We avoid extreme positions in transactions that are sensitive for tax, legal, regulatory or accounting reasons, and adopt a cautious approach to any risks that cannot be sensibly evaluated or priced.
We have to adopt the highest standards in protecting the confidentiality and integrity of our client information, and aim to maintain the highest ethical standards in all our business dealings.
All employees, but in particular those involved in risk decisions, must make our reputation an overriding concern. Responsibility for our reputation cannot be delegated or syndicated.
Excellence in risk management is fundamentally based upon a management team that makes risk identification and control critical components of its processes and plans. Responsibility therefore flows from the top.
The Board of Directors is responsible for the firm’s fundamental approach to risk, for approving our risk principles and for determining our risk capacity.
The Chairman’s Office oversees the risk profile of the firm on behalf of the Board of Directors and has ultimate authority for credit, market and other risk-related matters.
The Chief Risk Officer (CRO) has overall responsibility for the development and implementation of the Group’s risk control principles, frameworks, limits and processes across market, credit and operational risk.
The Chief Financial Officer (CFO) is responsible for transparency in the financial performance of the bank and its Business Groups, including high-quality and timely reporting and disclosure in line with regulatory requirements, corporate governance standards and global best practice. He is responsible for implementation of the risk control principles in the areas of capital management, liquidity, funding and tax.
The General Counsel is responsible for implementation of the risk control principles in the areas of legal and compliance. Within the Business Groups, the control functions are empowered to enforce the risk principles and are responsible for the implementation of independent control processes.
The risk control process
There are five critical elements in our independent risk control process:
1. we identify risk, through the continuous monitoring of portfolios, by assessing new businesses and complex or unusual transactions, and by reviewing our own risks in the light of market developments and external events
2. we measure quantifiable risks, using methodologies and models which have been independently validated and approved
3. we establish risk policies to reflect our risk principles, risk capacity and risk appetite, consistent with evolving business requirements and international best practice
4. we have comprehensive risk reporting to stakeholders, and to management at all levels, against the approved risk control framework and, where applicable, limits
5. we control risk by monitoring and enforcing compliance with the risk principles, and with policies, limits and regulatory requirements.
Coordinated processes involving all relevant control and logistics functions are applied before commencement of any new business or significant change in business, and before the execution of any transaction which is complex or unusual in its structure or is sensitive to tax, legal, regulatory or accounting considerations. These processes, which involve the business, risk control, legal, compliance, financial control and logistics functions, ensure that all critical elements are addressed in a comprehensive and holistic way, including the assurance that transactions can be booked in a way that will permit appropriate ongoing risk monitoring, reporting and control.