Enclosure 3 - Strategic Risk Management (Consultation)

Annex Email: HKMA E-mail Alert of 29 April 2026 (05:00 p.m. HKT)

Back to Summaries PDF Original Document
Document Information

Title: Enclosure 3 - Strategic Risk Management (Consultation)

Type: Annex

URL: https://brdr.hkma.gov.hk/eng/doc-ldg/docId/20260312-5-EN

Email Received: 2026-04-29 19:36

Summary Created: 2026-04-29 14:05

English Summary (5199 chars)
Quick section switch
Management Summary
  • Purpose / Background: This document (SR-1 V.2) provides updated non-statutory guidance on the HKMA’s supervisory approach to "Strategic Risk"—the risk to earnings, capital, and reputation arising from adverse strategic decisions, improper implementation, or lack of responsiveness to environmental changes. It aligns HKMA standards with the Basel Committee’s 2024 Core Principles for Effective Banking Supervision.
  • One-line conclusion: AIs must formalize their strategic risk management frameworks to ensure they are commensurate with their size and complexity, focusing on robust planning, execution, and performance feedback loops.
  • Key Changes:
  • Explicit integration of "Strategic Risk" as one of the eight core inherent risks in the HKMA’s risk-based supervisory framework.
  • Enhanced emphasis on board-level oversight and active engagement in the strategic planning process.
  • Requirement to maintain a formal, documented "Strategic Risk Management Framework" (SRMF).
  • Introduction of stress testing as a tool to evaluate strategic plan viability under adverse scenarios.
  • Requirement for performance evaluation systems to bridge the gap between planning and implementation.
  • Key Dates / Deadlines: Consultation phase (active). No immediate hard deadline for full compliance, but AIs are expected to make steady progress; the HKMA will monitor development against individual institutional circumstances.
  • Applicability / Impact scope: Applies to all Authorized Institutions (AIs). The level of sophistication required is proportionate to the AI's size, business nature, and complexity.
  • Recommended management actions:
  • Conduct a gap analysis between current strategic planning processes and the SR-1 V.2 framework requirements.
  • Formally document the roles/responsibilities of the Board, senior management, and specialized risk units regarding strategic decision-making.
  • Implement periodic (at least annual) reviews of strategic plans and capital/funding needs.
  • Integrate qualitative stress testing into the strategic planning cycle to identify potential threats to business objectives.
  • Develop clear performance indicators (both financial and non-financial) to track strategy execution and report variances to the Board.
Detailed Summary

1) Document Overview
SR-1 V.2 serves as a guidance note clarifying how the HKMA supervises strategic risk. It defines strategic risk as a function of goal compatibility, strategy quality, resource deployment, and execution capability. While non-statutory, it informs the HKMA's assessment of an AI's internal controls (Seventh Schedule, Banking Ordinance).

2) Main Requirements

  • Framework: AIs must establish a structured SRMF to identify, assess, monitor, and control strategic risk.
  • Oversight: The Board and senior management must actively oversee strategic planning, approve the strategic plan, and ensure it aligns with the AI's risk appetite.
  • Planning: Strategies must be supported by adequate capital, funding, HR, and IT infrastructure. Plans should cover a 3-5 year horizon.
  • Monitoring: AIs must implement performance evaluation systems to track actual outcomes against planned goals and report significant variances.

3) Key Changes

  • Shift from general guidance to a more formal "system-based" supervisory approach.
  • Increased expectation for the use of stress testing to validate strategic assumptions.
  • Explicit requirement for managing "change" (organizational/cultural resistance) as part of the implementation strategy.

4) Important Dates & Transition
This is a consultation draft. The HKMA recognizes the evolution of strategic risk management and does not mandate immediate full compliance. Instead, AIs must demonstrate "steady progress" toward implementation.

5) Impact and Risks

  • Operational: Increased burden on Board/Management to document decision-making logic.
  • Compliance: Failure to show an effective framework may trigger a requirement for an independent auditors’ report under §59(2) of the Banking Ordinance.
  • Financial/Capital: Poor strategic choices will now be directly linked to the Supervisory Review Process (SRP) for capital adequacy assessments.

6) Compliance Action Checklist

  • [ ] Review organizational structure to ensure a designated function supports strategic risk monitoring.
  • [ ] Incorporate stress-testing scenarios into the annual strategic planning exercise.
  • [ ] Update Management Information Systems (MIS) to ensure data accuracy for performance reporting to the Board.
  • [ ] Establish formal "trigger points" on KPIs that necessitate a formal Board review of current strategies.

7) Appendices/attachments summary

  • Annex A (Common causes of strategic failure): Provides hypothetical examples of planning/implementation failures (e.g., over-reliance on past success, aggressive expansion without expertise) to guide AIs in refining their SRMF.
  • Annex B (Strategic risk profile): Categorizes risk profiles as low, moderate, or high, serving as the benchmark for the HKMA's supervisory assessment process.
中文摘要 (1881 chars)
快速切換摘要區塊
管理層摘要
  • 目的/背景 本諮詢文件(SR-1 V.2)旨在更新香港金融管理局(HKMA)對認可機構(AIs)在「策略風險管理」方面的監管指引,以符合 2024 年 4 月巴塞爾委員會發布的最新《銀行監管核心原則》。
  • 一句話結論 機構需建立具備結構化的「策略風險管理框架」,明確董事會與高管職責,透過規劃、評估、監控及壓力測試,確保機構發展策略與其風險承受能力及資源匹配。
  • 關鍵變更
  1. 引入更系統化的策略風險管理流程定義(策略目標、商業與營運策略、變更管理)。
  2. 強調「績效評估與反饋」機制,將實際執行結果與目標對比。
  3. 強調壓力測試應涵蓋非財務影響及質性分析。
  4. 明確要求資源分配(人員、技術、資金)與策略執行的一致性。
  5. 明確跨境機構可根據集團統一框架進行合規,但需證明其本地適用性。
  • 重要日期 / 截止日 本文件為諮詢稿(Consultation),具體實施日期將於諮詢後公佈。HKMA 允許機構分階段優化框架,不要求立即全面達標。
  • 適用對象 / 影響範圍 所有認可機構(AIs),包括本地銀行集團、海外銀行分行及子公司。
  • 管理層建議行動
  1. 審視並更新現有的策略規劃流程,確保納入風險視角。
  2. 建立定期的績效評估機制,並針對重大偏差設定「觸發點」(Trigger points)。
  3. 強化壓力測試框架,納入對策略失敗情境的假設與應變計劃。
  4. 對董事會進行策略風險相關培訓,確保其對策略方向有充分監督與挑戰能力。
  5. 若採用集團化管理,需確保本地運作與總行架構的銜接及透明度。
詳細摘要

1) 文檔概述

  • 性質 非法定指引(Guidance note)。
  • 目的 闡述 HKMA 對策略風險的監管方法,指導 AIs 建立識別、評估、監控與控制策略風險的機制。
  • 適用範圍 涵蓋所有 AIs。

2) 主要要求

  • 治理結構 董事會及高級管理層對策略風險負最終責任;需設立專責職能部門,負責策略規劃的協調與風險分析。
  • 策略流程 規劃需涵蓋企業、業務及營運三個層次,並與機構的企業使命、價值觀及風險偏好對齊。
  • 資源管理 策略實施前需確保資金、人員(專才)、技術設施(IT)及管理能力的配套到位。
  • 變更管理 針對組織架構重組或重大轉型,需制定「變更計劃」以處理文化衝突或技能缺口。

3) 關鍵變更

  • 由原 2007 年版本(V.1)轉型為更具體化的框架,強化了對「策略失敗原因」的預警分析。
  • 明確將「壓力測試」納入常規監管關注點,特別是用於檢視策略在不利環境下的韌性。

4) 重要日期與過渡安排

  • HKMA 承認能力提升為漸進過程,機構應逐步落實。若未完全對標,需提供合理充分的證明,說明替代控管措施(Alternative measures)。

5) 對機構的影響與風險

  • 合規 影響現有的策略審核流程,需增加更多風險指標與質性論證。
  • 營運 需優化管理資訊系統(MIS),以便將策略執行情況即時反饋給董事會。
  • 報告 要求機構在重大戰略變動(如進軍高風險新業務)前,主動諮詢 HKMA。

6) 合規動作清單(Checklist)

  • [ ] 董事會是否每年定期審核策略目標與風險偏好?
  • [ ] 是否已建立將策略轉化為具體業務目標的機制?
  • [ ] 是否擁有衡量策略執行成效的 KPI(含財務與非財務指標)?
  • [ ] 是否已針對策略目標進行至少一次壓力測試?
  • [ ] 獨立審計/內部審計是否已將「策略風險管理」列入年度檢查範圍?

7) 附件/附錄摘要

  • Annex A (Common causes of strategic failure) 羅列了如「目標與風險承受力不符」、「缺乏適當人才」、「過度依賴舊經驗」等失敗案例,供機構進行風險自我評估與修正。
  • Annex B (Strategic risk profile) 總結了低、中、高不同風險類別的特徵,協助機構對照自身情況並進行分類管理。