Enclosure 2 - Reputation Risk Management (Consultation)

Annex Email: HKMA E-mail Alert of 29 April 2026 (05:00 p.m. HKT)

Document Information

Title: Enclosure 2 - Reputation Risk Management (Consultation)

Type: Annex

URL: https://brdr.hkma.gov.hk/eng/doc-ldg/docId/20260312-4-EN

Email Received: 2026-04-29 19:36

Summary Created: 2026-04-29 14:04

English Summary
Management Summary
  • Purpose / Background: This consultation paper sets out the HKMA’s supervisory approach to "Reputation Risk" and provides guidance to Authorized Institutions (AIs) on building effective management frameworks. It replaces the 2008 version (V.1) to align with international standards, specifically the Basel Committee’s 2024 Core Principles for Effective Banking Supervision.
  • One-line conclusion: AIs must formalize and structure their reputation risk management, integrating it into their broader risk management processes within 12 months of the final guideline's issuance.
  • Key Changes:
    • Explicit integration of reputation risk as a core risk within the HKMA’s Risk-Based Supervisory Approach.
    • Requirements for a more structured "system-based" approach, emphasizing policies, identification, assessment (including stress testing), and reporting.
    • Heightened focus on corporate culture, ethical conduct, and social responsibility as drivers of reputation.
    • Mandated "early warning systems" to detect emerging threats before they escalate into crises.
    • Enhanced expectations for senior management/Board involvement in crisis management and stress-testing oversight.
  • Key Dates / Deadlines: AIs must incorporate the new guidance into their processes within 12 months of the official issue date.
  • Applicability / Impact scope: All AIs in Hong Kong, including local and foreign-owned branches. The approach is proportional; small, simple institutions may use simplified documentation but must still satisfy core requirements.
  • Recommended management actions:
    • Establish a formal reputation risk management policy and register.
    • Conduct a gap analysis against the new RR-1 guidance, specifically focusing on "Annex B" drivers of reputation.
    • Formalize stress-testing scenarios that include reputation risk, particularly focusing on "second-round" effects (e.g., contagion).
    • Review and update Crisis Management Manuals, ensuring clear roles for the Crisis Management Team (CMT).
    • Strengthen Board and Senior Management oversight through regular reporting on reputation risk trends.
    • Ensure clear "fit and proper" oversight for senior staff, given the direct link between staff conduct and institutional reputation.
Detailed Summary
  1. Document Overview: This is a consultation on V.2 of SPM RR-1. It outlines the supervisory framework for reputation risk, emphasizing that it is an intangible but critical risk to institutional stability. It is non-statutory but informs the HKMA's assessment of an AI’s fitness under the Banking Ordinance.
  2. Main Requirements:
    • Governance: The Board and senior management are responsible for ensuring a culture of integrity and ethical conduct.
    • Risk Process: AIs must implement an "identify, assess, control, monitor, and report" cycle.
    • Monitoring: Development of "Early Warning Systems" (EWS) to detect issues (e.g., negative media, spikes in complaints) before they escalate.
    • External Relations: Proactive communication strategies and defined "lines to take" for public relations.
  3. Key Changes: The shift is from high-level guidance to a structured, audit-ready framework requiring documentation of risk registers, clear delegation of "Risk Owners," and periodic independent reviews.
  4. Important Dates & Transition: 12-month implementation window from the final issuance. AIs must document justifications if their current practices deviate from this guidance.
  5. Impact and Risks:
    • Compliance: Potential impact on capital adequacy assessments via the Supervisory Review Process (SRP).
    • Operational: Increased burden on internal audit and risk functions to maintain "risk registers" and conduct stress tests.
    • Data/Reporting: Need for improved tracking of qualitative data (customer complaints, market sentiment).
  6. Compliance Action Checklist:
    • Appoint a designated "Risk Owner" for reputation risk.
    • Create a 3x3 Likelihood/Impact risk matrix for reputation threats.
    • Review insurance coverage and contingency plans.
    • Schedule a Board briefing on the new expectations for reputation risk management.
  7. Appendices/Attachments Summary:
    • Annex A (Risk Profile): Defines "low/moderate/high" risk categories for supervisory purposes.
    • Annex B (Drivers): Lists external/internal sources of reputation risk (e.g., conduct, strategy, social responsibility).
    • Annex C (Risk Register): Provides a practical template for identifying, assessing (likelihood/impact), and controlling risks.
    • Annex D (Stress-Testing): Guides AIs on including non-contractual support (e.g., to off-balance sheet vehicles) in stress scenarios.
    • Annex E (Crisis Management): Details the structure, manuals, and communication plans required for effective incident handling.
Chinese Summary
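Management Summary
  • Purpose / Background: The HKMA has issued the consultation paper (V.2) on "Reputation Risk Management" (RR-1) to update its supervisory guidance and help Authorized Institutions (AIs) build effective reputation risk management frameworks in response to an increasingly complex market environment and stakeholder expectations.
  • One-line conclusion: Institutions must establish a structured reputation risk management process, incorporate reputation risk into their overall risk management system, and have crisis response capability when risk events occur.
  • Key Changes:
  1. Explicitly lists reputation risk as one of the eight inherent risks and brings it into the risk-based supervisory framework.
  2. Emphasizes "forward-looking" management, requiring Early Warning Systems to be established.
  3. Introduces stress-testing guidance, requiring reputation risk factors to be included in scenario analysis.
  4. Specifies the concrete components of crisis management, including the crisis management manual and team structure.
  5. Strengthens the assessment of group-level "contagion risk", in particular the impact of negative news about a parent bank on its subsidiaries or branches.
  • Key Dates / Deadlines: This document is a consultation draft; once it formally takes effect, institutions must implement the relevant management requirements within 12 months.
  • Applicability / Impact scope: All Authorized Institutions (AIs), including local banks and the Hong Kong branches of foreign banks.
  • Recommended management actions:
  1. Establish a risk register: Build a reputation risk inventory based on Annex C of the consultation draft and identify the key drivers.
  2. Revise the governance structure: Clarify the oversight responsibilities of the Board and senior management for reputation risk.
  3. Integrate stress testing: Ensure the existing stress-testing framework includes reputation-risk-related scenarios (e.g., major fraud, business disruption, liquidity crisis).
  4. Improve the crisis response manual: Draft or update the crisis management manual, including communication mechanisms and a contact list of key personnel.
  5. Establish monitoring indicators: Set up early warning monitoring indicators so that negative public sentiment or potential risk events can be identified and escalated promptly.
Detailed Summary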

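1) Document Overview
This document is a revised version of module RR-1 of the Supervisory Policy Manual and is non-statutory guidance. Its purpose is to define the HKMA's supervisory approach to reputation risk and to give institutions guidance on managing reputation risk, in order to maintain public confidence and the institutions' long-term operating stability.

2) Main Requirements

  • Governance structure: The Board bears ultimate responsibility for reputation risk management and must establish a corporate culture that supports operating with integrity.
  • Management process: Must cover risk identification, assessment, control, monitoring and reporting. Particular attention is needed for customer complaint handling and the risks from third-party service providers.
  • Notification obligation: Even where there is no mandatory legal requirement, institutions should proactively report to the HKMA events that may trigger a major crisis or seriously damage reputation.

3) Key Changes

  • Moves from "principle-based recommendations" to "systematic requirements", specifying the matrix method for risk assessment (likelihood vs impact).
  • Lists "corporate social responsibility" and "green policies" as emerging focal points affecting reputation.
  • Introduces assessment of "group contagion risk", requiring banks to assess the potential impact on local business of negative public sentiment about their parent bank or group members.

4) Important Dates and Transitional Arrangements

  • Institutions must incorporate the relevant requirements into their risk management processes within 12 months of the guideline's issuance. If they are unable to comply, they must provide reasonable justification and implement alternative mitigating measures of equivalent effect.

5) Impact and Risks for Institutions

  • Compliance cost: Resources must be committed to maintaining the risk register and conducting stress tests.
  • Operational impact: Requires a cross-departmental crisis management mechanism, which may affect the speed of decision-making in day-to-day business processes.

6) Compliance Action Checklist

  • [ ] Complete a reputation risk inventory (identify the key vulnerabilities in the business).
  • [ ] Designate the reputation risk owner (Risk Owner).
  • [ ] Update the crisis response manual, including media communication and draft "Line-to-take" statements.
  • [ ] Include non-contractual off-balance-sheet items (e.g., liquidity support) in the stress-test parameters.

7) Appendices/Attachments Summary

  • Annex A (Reputation Risk Profile): Outlines the characteristics of the different risk categories (low/medium/high) to help institutions classify themselves.
  • Annex B (Key Drivers): Lists the core factors affecting reputation (e.g., integrity, competitiveness, service quality) as guidance for identifying risks.
  • Annex C (Use of the Risk Register): Provides specific methods for identification, assessment and control, including a sample risk matrix.
  • Annex D (Stress-Testing Guidance): Recommends including reputation crisis scenarios in the institution's overall stress testing, particularly with respect to liquidity and capital stress.
  • Annex E (Crisis Management): Details the structure of the crisis management manual, the responsibilities of the Crisis Management Team (CMT) and the response procedures, providing a framework for practical operation.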