Information extracted from the section "Corporate Governance" of 2019 Annual Report:


Risk Management and Internal Control

The Board is responsible for evaluating and determining the nature and extent of the risks it is willing to take in achieving the Group’s strategic objectives, and ensuring that the Group establishes and maintains appropriate and effective risk management and internal control systems. The Board oversees the Management in the design, implementation and monitoring of the risk management and internal control systems. According to the Board’s scope of delegation, the Management is responsible for the day-to-day operations and risk management, and the Management needs to provide a confirmation to the Board on the effectiveness of these systems.

The risk management and internal control systems are designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss; to manage the risk of system failure; and to assist in the achievement of the Group’s objectives. In addition to safeguarding the Group’s assets, it also ensures the maintenance of proper accounting records and compliance with relevant laws and regulations.

The Group conducts an annual review of the effectiveness of its risk management and internal control systems covering all material controls, including financial, operational and compliance controls as well as risk management. The review is conducted by reference to the guidelines and definitions given by the regulatory and professional bodies for the purpose of assessing five different internal control elements, namely, the control environment, risk assessment, control activities, information and communication, and monitoring. The assessment covers all the major internal controls and measures, including financial, operational and compliance controls as well as risk management functions. The review also considers the adequacy of resources, staff qualifications and experience and training of the Group’s accounting, financial reporting and internal audit functions. The review is coordinated by the Group’s internal audit which, after the Management and various business departments have performed their self-assessment and the Management has confirmed the effectiveness of the relevant systems, carries out an independent examination and other post-assessment work on the review process and results. The results of the 2019 review, which have been reported to the Audit Committee and the Board, revealed that the Group’s risk management and internal control systems were effective and adequate.

In addition, the key procedures that the Group has essentially established and implemented to provide internal controls are summarised as follows:

•    a rational organisational structure with appropriate personnel is developed and whose responsibility, authority, and accountability are clearly delineated. The Group has formulated policies and procedures to ensure reasonable checks and balances for all the operating units, reasonable safeguard for the Group’s assets and adherence to relevant laws and regulations and risk management in its operations;

•    the Management draws up and continuously monitors the implementation of the Group’s strategies, business plans and financial budgets. The accounting and management systems that are in place provide the basis for evaluating financial and operational performance;

•    the Group has various risk management and human resources policies. There are specific units and personnel that are responsible for handling reputation, strategic, legal, compliance, credit, market, operational, liquidity and interest rate risks. There are also procedures and internal controls for the handling and dissemination of inside information. The Group has set up mechanisms to identify, evaluate and manage all the major risks, and has established corresponding internal control procedures as well as processes for resolving internal control defects. (Details about the Group’s risk management are provided on pages 43 to 48 of this Annual Report);

•    the Group has established an information technology governance structure that produces a range of reports on information systems and management, including information on the monitoring of various business units, financial information and operating performance. Such information facilitates the Management, business units and the regulatory bodies in assessing and monitoring the Group’s operation and performance. Proper communication channels and reporting mechanisms are in place at various business units and levels to facilitate exchange of information;

•    pursuant to a risk-based approach and in accordance with the internal audit plan approved by the Audit Committee, the Group’s internal audit conducts independent reviews on such aspects as financial activities, various business areas, various kinds of risks, operations and activities. Reports are submitted directly to the Audit Committee. The Group’s internal audit closely follows up on the items that require attention in a systematic way and reports to the Management and the Audit Committee in a timely manner; and

•    the Audit Committee reviews the reports submitted by external auditor to the Group’s Management in connection with the annual audit as well as the recommendations made by regulatory bodies on risk management and internal control. The Group’s internal audit follows up on the same to ensure timely implementation of the recommendations, and also periodically reports the status of the implementation to the Management and the Audit Committee.

The Group is committed to upholding good corporate governance practices and the internal control system of all subsidiaries are reviewed regularly. During the year of 2019, continuous improvements on the organisation structure and segregation of duty, the risk management policy and procedure, and the enhancement of disclosure transparency have been undertaken by the Group. In response to internal and external changes in global economic condition, operating environment, regulatory requirement and business development, the Group has implemented a series of measures and undertaken an on-going review on the effectiveness of the internal control mechanism. In 2019, areas for improvement have been identified and appropriate measures have been implemented.