Updated: 03 Nov 2023
A risk management and internal control system, which is an integral part of the Group’s management system, is based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control - Integrated Framework (2013) and International Organisation for Standardisation (ISO) 31000 Risk Management - principles and guidelines, and is designed to provide reasonable, though not absolute, assurance against material misstatement or loss and to manage rather than eliminate risks of failure to achieve business objectives. Key control procedures and measures include:
  • Establishing a structure with defined authority and proper segregation of duties
    • A clear organisational structure with defined lines of responsibility to facilitate systematic delegation of authority
    • Written policies, procedures and guidelines with defined limits of delegated authority to facilitate effective segregation of duties and controls
  • Monitoring the strategic initiative and performance
    • The relevant Divisions/Departments carry out their respective business operating plans as laid down in the initiative in accordance with the adopted policies and procedures
    • An annual budget with financial targets provides the foundation for the allocation of resources in accordance with prioritised business opportunities
    • Variance analyses help identify possible deficiencies and enable timely remedial actions to be taken where necessary
  • Designing an effective accounting and information system
    • A comprehensive accounting system for providing financial and operational performance indicators to facilitate problem identification, and to ensure complete, relevant and accurate financial information for timely reporting and disclosure purposes
    • An information system for identifying, capturing and communicating pertinent information to enable employees to carry out their responsibilities
    • Regular reviews for ensuring proper and legitimate dissemination of financial information
    • Systems and procedures are in place to identify, assess and manage risks including legal, credit, market, concentration, operational, environmental, behavioural and systemic risks that may have an impact on the Cash and Derivatives Markets in Hong Kong. Exposure to these risks is monitored by the Executive Risk Committee and the Risk Committee on an on-going basis
  • Handling and dissemination of inside information
    • Stringent regulations are set out in the HKEX Code of Conduct that prohibit inappropriate use of confidential or inside information
    • Guidelines on reporting and disseminating material information, maintaining confidentiality and dealing restrictions are set out in the Continuous Disclosure and Communication Policy (Policy). The Materiality Guidelines (Guidelines) are posted on HKEX’s Intranet for employees’ reference. The Group Company Secretary will review the Policy and Guidelines periodically and make recommendations on amendments thereto, if necessary, in order to ensure their effectiveness in making accurate, balanced and timely disclosure of information in accordance with HKEX’s disclosure obligations in the changing regulatory environment
  • Ensuring swift actions and timely communication with our stakeholders
    • The Group Incident Escalation and Reporting Policy sets out the manner in which relevant incidents are escalated and reported to various levels within the organisation to facilitate swift action and timely communication with our stakeholders where appropriate
    • An effective communication system is in place to provide transparent, regular and timely disclosures
  • Encouraging reporting on serious concerns about malpractice
    • The Group operates a Group Whistleblowing Policy which enables employees to raise concerns about any malpractice, impropriety or fraud relating to internal controls and other matters confidentially and anonymously to the designated officer(s) or, if they so wish, directly to the chairman of HKEX Audit Committee, LME Audit Committee or LME Clear Audit Committee, without fear of reprisal or victimisation
    • Under the Group Whistleblowing Policy, HKEX Audit Committee, LME Audit Committee and LME Clear Audit Committee are responsible for reviewing the effectiveness of the actions taken in response to disclosures made under the policy by employees of HKEX and its subsidiaries
    • In addition to the internal reporting procedures available under the Group Whistleblowing Policy, HKEX also has in place arrangements for external parties to raise concerns in confidence. For example, clear instructions are provided on the HKEX Market website (General Enquiries section) for external parties, including investors, suppliers, vendors and other third parties, to make complaints and raise concerns in relation to improper or unethical behaviour via the designated channels
  • Ensuring controls and reviews of IT application systems as well as principal operations
    • Various controls and independent reviews are in place to uphold the integrity, reliability, availability, security and stability of the Group’s IT application systems
    • Group Internal Audit Department and external consultants conduct independent reviews of the risks associated with, and controls over, the Group’s principal operations and critical IT applications