Risk management and internal control

The Board is responsible for ensuring that an appropriate and effective system of internal control and risk management is in place across the Group. The framework of risk management and internal controls centres on clear delegated authorities to ensure Board oversight and control of important decisions. The framework is underpinned by the Group Code of Business Conduct, which sets out the ethical standards the Board requires of itself, employees, agents and others working in the Group. The framework is designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.

Internal control

The Group Governance Manual (the Manual) sets out the delegated authorities and establishes the requirements for subsidiaries to seek approvals from or report to Group Head Office. Group-wide standards are established through policies and other governance arrangements, which are also included in the Manual.

Internal controls and processes, based on the provisions established in the Manual, are in place across the Group. These include controls for the preparation of financial reporting. The operation of these controls and processes facilitates the preparation of reliable financial reporting and the preparation of local and consolidated financial statements in accordance with the applicable accounting standards and requirements of the Sarbanes-Oxley Act. These controls include certifications by the Chief Executive and Chief Financial Officer of each business unit regarding the accuracy of information provided for use in preparation of the Group’s consolidated financial reporting and the assurance work carried out in respect of US reporting requirements.

The Board has delegated authority to the Audit Committee to review the framework and effectiveness of the Group’s systems of internal control. The Audit Committee is supported in this responsibility by the assurance work carried out by Group-wide Internal Audit and the work of the business unit audit committees, which oversee the effectiveness of controls in each respective business unit. Details of how the Audit Committee oversees the framework of controls and their effectiveness on an ongoing basis are set out more fully in the Audit Committee report.

Risk management

A key component of the Manual is the Group Risk Framework, which requires all business units to establish processes for identifying, evaluating and managing the risks facing the business.

The Board determines the nature and extent of the principal risks it is willing to take in achieving its strategic objectives. It has delegated authority to the Risk Committee to review and approve changes to the Group Risk Framework and risk policies and approve changes to risk limits within the overall Board approved risk appetite. The Risk Committee reviews compliance with the Group Risk Framework and risk policies through its regular activities detailed in the Risk Committee report.

The Group’s risk governance arrangements, which support the Board, the Risk Committee and the Audit Committee, are based on the principles of the ‘three lines of defence’ model: risk taking and management, risk control and oversight, and independent assurance.

First line of defence (risk taking and management)

  • Takes and manages risk exposures in accordance with the risk appetite, mandate and limits set by the Board;
  • Identifies and reports the risks that the Group is exposed to, and those that are emerging;
  • Promptly escalates any limit breaches or any violations of risk management policies, mandates or instructions;
  • Identifies and promptly escalates significant emerging risk issues; and
  • Manages the business to ensure full compliance with the Group risk management framework as set out in the Manual, which includes the Group Risk Framework and risk policies as well as approvals requirements, among other requirements.

Second line of defence (risk control and oversight)

  • Assists the Board to formulate and then implement the approved risk appetite and limit framework, risk management plans, risk policies, risk reporting and risk identification processes; and
  • Reviews and assesses the risk-taking activities of the first line of defence and, where appropriate, challenges the actions being taken to manage and control risks and approves any significant changes to the controls in place.

Third line of defence (independent assurance)

  • Provides independent assurance on the design, effectiveness and implementation of the overall system of internal control, including risk management and compliance.

The three lines of defence model is adopted at the Group level as shown in the diagram titled “The three lines of defence model”.

Formal review of controls

A formal evaluation of the systems of internal control and risk management is carried out at least annually. The report is considered by the Audit Committee and Risk Committee prior to the Board reaching a conclusion on the effectiveness of the systems in place. This evaluation takes place prior to the publication of the Annual Report.

As part of the evaluation, the Chief Executive and Chief Financial Officer of each business unit, including Group Head Office, certify compliance with the Group’s governance policies and the risk management and internal control requirements. The Group Risk function facilitates a review of the matters identified by this certification process. This includes the assessment of any risk and control issues reported during the year, risk and control matters identified and reported by the other Group oversight functions and the findings from the reviews undertaken by Group-wide Internal Audit, which carries out risk-based audit plans across the Group. Issues arising from any external regulatory engagement are also taken into account.

For the purposes of the effectiveness review, the Group has followed the FRC Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. In line with this guidance, the certification provided above does not apply to certain material joint ventures where the Group does not exercise full management control. In these cases, the Group satisfies itself that suitable governance and risk management arrangements are in place to protect the Group’s interests. However, the relevant Group company which is party to the joint venture must, in respect of any services it provides in support of the joint venture, comply with the requirements of the Group’s internal governance framework.

Effectiveness of controls

In accordance with provision C.2.3 of the UK Corporate Governance Code and provision C.2.1 of the HK Corporate Governance Code, the Board reviewed the effectiveness and performance of the system of risk management and internal control during 2016. This review covered all material controls, including financial, operational and compliance controls, risk management systems and the adequacy of the resources, qualifications and experience of staff of the Group’s accounting, internal audit and financial reporting functions. The review identified a number of areas for improvement and the necessary actions have been or are being taken.

The Board confirms that there is an ongoing process for identifying, evaluating and managing the significant risks faced by the Group, which has been in place throughout the period and up to the date of this report, and confirms that the system remains effective.
