Assessment of Risk Management and Internal Control Effectiveness
Updated: 16 Mar 2020
The Risk Committee is delegated by the Board with responsibilities to oversee the Group’s overall Risk Management Framework and to advise the Board on the Group’s risk-related matters. It is also responsible for reviewing the Group’s risk policies and assessing the effectiveness of the Group’s risk controls/mitigation tools.
The Audit Committee, on behalf of the Board, reviews the effectiveness of the internal control systems in detecting fraud, irregularities or infringement of laws, rules and regulations or material control failures on a regular basis by reviewing the work and findings of Internal Audit Department (IAD) and the Group's external auditor, and regular reports from management including those on risk management, regulatory compliance and legal matters. The Audit Committee has delegated authority from the Board to review the adequacy of resources, staff qualifications and experience, training programmes and budget of the Group’s accounting, internal audit and financial reporting functions on an annual basis and monitor HKEX’s compliance with the requirements of the Corporate Governance Code in respect of risk management and internal controls.
The Board has reviewed the adequacy and effectiveness of the Group’s risk management and internal control systems, at least quarterly, through the Risk Committee and the Audit Committee. The management annual confirmation on the effectiveness of the Group’s risk management and internal control systems is reviewed by the Audit Committee and the Risk Committee.
Divisions and Departments assess effectiveness of existing controls, provide treatment plans where required, and monitor risk mitigating activities.
Enterprise Risk Management reports risks regularly at appropriate management levels within the Group and provides assurance on the progress of treatment plans. The Board receives periodic Group Risk Reports including the top risks to the Group, changes in the nature and extent of the significant risks, and associated action plans and controls. Principal risks of the Group are summarised in the
Risk Committee Report
IAD conducts independent reviews of the adequacy and effectiveness of the Group’s internal control systems and regularly reports the review results to the Board through the Audit Committee. The IAD’s work covers all material controls, including financial, operational, IT, risk management, information security, outsourcing, legal, compliance and those controls designed to detect material fraud.