Operational Risk

This page available in: English 中文

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, including reputation, legal and compliance risk but excluding strategic risk.

The objective is to manage operational risk at appropriate levels relative to the markets in which the businesses operate.

Operational Risk Governance, Framework and Tools
Operational risk is managed through a framework of policies and procedures by which business and support units properly identify, assess, monitor, mitigate and report their risks. The Operational Risk Management Committee attended by senior management
meets monthly to provide oversight of operational risk matters across the Group.

The operational risk governance structure includes three lines of defence. The businesses, as the first line of defence, are responsible for establishing a robust control environment as part of their day-to-day operations. Operational Risk Management and
Compliance, which provide relevant policies, tools and systems, serve as the second line of defence. Internal Audit acts as the third line of defence and provides independent and objective assurance of the effectiveness of the internal controls.

A key component of the operational risk management framework is risk identification and control self-assessments. This is achieved through the Group-wide implementation of a set of operational risk tools. Operational risk self-assessments involve identifying and assessing inherent risks, as well as assessing the effectiveness of controls to mitigate these risks.

Key Operational Risk Indicators are statistical data collected and monitored by business and support units on an ongoing basis to enable early detection of operational control weaknesses. A database of operational risk events and losses has been established to facilitate the analysis of loss trends and root causes. The toolkits are supported by a web-based system which allows the Group and key stakeholders to document, track and manage action plans.

Several risk mitigation policies and programmes are in place to maintain a sound operating environment. An outsourcing policy ensures that all significant risks arising from outsourcing arrangements are identified and effectively managed on a continuous basis.

A product programme committee reviews and ensures that risks associated with the introduction of new products and services are identified, analysed and addressed prior to launch. A product sales committee reviews product suitability, product risk disclosures and reputation issues before the distribution of investment products.

A business continuity and crisis management programme has been developed and tested to ensure prompt recovery of critical business functions following unforeseen events. Senior management provides an annual attestation to the Board on the state of business continuity readiness of the Group.

A technology risk management framework has been established, enabling the Group to manage technology risks in a systematic and consistent manner.

Regulatory compliance risk refers to the risk of non-compliance with laws, regulations, rules, standards and codes of conduct. This risk is identified, monitored and managed through a structured framework of policies, procedures and guidelines maintained by the Group. The framework also manages the risk of breaches and sanctions relating to Anti-Money Laundering and Countering the Financing of Terrorism.

The Group actively manages fraud and bribery risks. Tools and policies, including a whistle-blowing programme, a material risk notification protocol and a fraud risk awareness training programme, have been developed to manage such risks. All employees are guided by a Code of Conduct, which includes anti-bribery and corruption provisions.

Reputation risk is the risk of adverse impact on earnings, liquidity or capital arising from negative stakeholder perception or opinion of the Group’s business practices, activities and financial condition. The Group recognises the impact of reputation risk and a framework has been developed to identify and manage the risk across the Group.

To mitigate operational losses resulting from significant risk events, a Group insurance programme covering crime, fraud, civil liability, property damage, public liability, as well as directors’ and officers’ liability has been put in place.