BOC HONG KONG (HOLDINGS) LIMITED

Mandate of the Risk Committee

1. Purpose

1.1 The Risk Committee (the "Committee") is a standing committee of the Board of Directors (the "Board"). The purpose of the Committee is to assist the Board in discharging its role in monitoring and in exercising oversight over the management of the risk exposures of BOC Hong Kong (Holdings) Limited (the "Company"), Bank of China (Hong Kong) Limited (the "Bank") and its subsidiaries (together, the "Group"). The Management of the Company and the Bank performs the daily risk management responsibilities of the Group according to the risk acceptance criteria as prescribed in the risk appetite statement and policies established by the Committee.

The following are the oversight responsibilities of the Committee:

    • the establishment of risk appetite, risk profile and risk management strategy of the Group;
    • the identification, assessment and management of the material risks faced by the various business units of the Group;
    • the review and assessment of the adequacy of the Group's risk management policies, process, system and internal control; and
    • the review and monitoring of compliance with the Group's risk management process, system and internal control including compliance with prudential, legal and regulatory requirements governing the business of the Group.
1.2 The function of the Committee is oversight. In this regard, the Committee's principal role shall be:
    • reviewing, approving and monitoring high level risk related policy issues;
    • exercising its power of approval on significant or high risk exposures or transactions;
    • reviewing significant breaches of the Bank's risk limits;
    • defining the roles and responsibilities of the Chief Risk Officer of the Company and the Bank and assessing his/her effectiveness and independence in the management of all risk exposures of the Company and the Bank; and
    • evaluating the Company's remuneration system from the risk management perspective.
1.3 Within the risk acceptance criteria and policies established by the Committee, the Management of the Company and the Bank is responsible for the development, implementation and operation of risk management process, system and internal control of the Group so as to create and maximize shareholder value by:
    • proactively bringing a risk management perspective to business decisions through promoting awareness of the need to manage risk and the achievement of a balance between risk and return, and inculcating the risk culture in every aspect of the bank's business operation;
    • development of internal rating system and the internal rating-based risk identification, measurement and control procedures to support the measurement and monitoring of risk capital and so as to comply with Basel and regulatory requirements;
    • designing and implementing a risk management framework which appropriately balances the "risk and reward" components;
    • ensuring that risk-related policies and procedures are adhered to throughout the Group; and
    • ensuring a better understanding with the Group's major stakeholders about the risk management decision making process.

The risk management functions of the Company and the Bank, working as a partner with the business units, shall assist the Chief Executive and Chief Risk Officer to manage the risks of the Group and support them in all risk-taking activities.

2. Roles and Responsibilities

2.1 Identification and monitoring of risks

2.1.1 The Committee has oversight responsibility for credit risk, market risk, operational risk, technology risk, interest rate risk, liquidity risk, legal risk, compliance risk, strategic risk and reputation risk, and any other material risk which may arise from time to time. The Committee is responsible for monitoring these risks on a consolidated basis across the Group.

2.2 Risk appetite and strategy

2.2.1 The Committee shall review and recommend for approval by the Board:
    • risk principles and objectives governing the extent to which the Group is willing to assume risk (i.e. risk appetite) based on the Group's strategic objectives, nature and complexity of business, ability to absorb losses in relation to its capital base and the minimum expected return acceptable for a specified level of risk;
    • targeted balance sheet and related business strategies including lending, funding, investment and trading strategies proposed by the Management of the Company and the Bank; and
    • high level risk governance structure of the Group including the mandate and approval authority to be delegated to the highest management, the Chief Executive of the Company and the Bank who is responsible for managing all risk exposures undertaken by the Group arising from transactions approved in the ordinary course of the Group's banking business.
2.2.2 As directed by the Board, the Committee shall be responsible for reviewing and approving major risk management policies including but not limited to the following:
    • scope of risk taking in which the Group is prepared to engage or is restricted from engaging; and
    • risk limits and general risk acceptance criteria covering market risk, interest rate risk, credit risk and liquidity risk limits, and to the extent possible, also all kinds of operational risks.

2.2.3 The Committee shall also consider implications from changes in the Group's external environment (e.g. regulatory environment), business strategy and risk appetite, and initiate necessary changes to the risk management strategy for the Board's approval.

2.3 Risk oversight

2.3.1 Approve and review major risk management policies.
    The Committee shall approve and review major risk management policies proposed by the Management and ensure that they are adequate to carry out the Group's risk management strategy, specifically relating to the following areas:
    • general framework of delegation of approval authorities to various levels of the Management;
    • basis and methodologies for risk identification, measurement, monitoring, reporting and validation; and
    • monitoring and reporting of the Group's risk profile, risk exposures against limits, and non-compliance with the Group's risk management policies and procedures.
2.3.2 Review material risk exposures/activities
  1. As the top management, the Chief Executive of the Company and the Bank is responsible for managing all risk exposures undertaken by the Group arising from transactions approved in the ordinary course of the Group's banking business. However, the Committee shall recommend for approval by the Board procedures and thresholds (which could be in terms of risk characteristics, size on single/group borrower basis, complexity and novelty of the transaction, concentration or prudential limits or other criteria which the Committee considers appropriate) beyond which the Chief Executive shall be required to submit his decision to the Committee prior to the Group entering into any binding commitments or taking any steps which may impact on the business reputation of the Group. In reviewing such proposal, the Committee is entitled to rely on the soundness and completeness of risk analysis conducted by the Management and assume that, unless expressly drawn to its attention, all applicable risk management and prudential standards and regulations have been complied with and the Chief Executive is in full support of the proposal. After due and careful consideration, the Committee may:
    • not approve the transaction if it believes there are reasons that the transaction shall not proceed; or
    • concur with the Chief Executive's decision with or without altering any term or condition of the transaction; or
    • refer the transaction to the Board if the Committee considers there are no reasons not to approve the transaction but it is deemed so significant that Board approval is desirable.
  2. The Committee is expected to review, approve and oversee risk-related activities that may significantly alter the Group's risk profile such that substantial upgrading of existing expertise or entirely new expertise is required to manage the risk arising from such activities. These would involve the introduction of new business lines or products and the establishment or substantial expansion of the Group's operation in new or existing geographical locations.

2.3.3 Monitor compliance with the Group's risk management policies and procedures

  1. Apart from the prior review aforesaid, the Committee shall periodically review material risk exposures approved by the Chief Executive to monitor compliance with the Group's risk management policies and procedures.
  2. The Committee shall review material non-compliance with the Group's risk management policies that may result in significant financial loss or risk implications and proposed rectification actions.
  3. The Committee shall periodically review relevant risk information from the Group's and the Bank's Risk Management Department, Legal & Compliance and Operational Risk Management Department, Financial Crime Compliance Department, Asset and Liability Management Committee, and other business and supporting units as considered necessary.

2.4 Roles and responsibilities of the Management

2.4.1 Chief Executive
    To enhance efficiency and market responsiveness, the Committee shall only be responsible for approving general risk acceptance criteria and high-level policies while the Chief Executive of the Company and the Bank shall be given the authority to approve detailed risk management policies including those relating to specific types of products/borrowers and establishment of detailed implementation procedures within the general criteria and policies approved by the Committee, and to manage the risk profile of the Group to ensure continuity of the Group as an institution and compliance with statutory, regulatory and social obligations through the effective use of key control mechanisms.
2.4.2 Chief Risk Officer
    The role of Chief Risk Officer is established by the Company and the Bank with the function of assisting the Chief Executive to manage all risk exposure of the Group. The Chief Risk Officer who receives reports from the risk management functions of the Company and the Bank acts independently with his/her mandate being set by the Committee and performance appraisal being approved by the Board. In his/her day-to-day functioning, the primary reporting line of the Chief Risk Officer shall be to the Chief Executive. The Chief Risk Officer shall support the Chief Executive who is responsible for all risk-taking activities. The Risk Committee shall also provide inputs to the Chief Executive Officer in the appraisal and evaluation of the performance of the Chief Risk Officer.

2.5 Reporting Responsibilities

2.5.1 The Committee shall report to the Board on the matters set out in this Mandate, regularly update the Board about the Committee's activities and consider other topics as defined by the Board.

2.5.2 The Committee shall regularly communicate with other Board committees as appropriate.
2.5.3 The Committee shall review any other reports submitted by the Group relating to the Committee's responsibilities.

3. Composition

3.1 Membership

3.1.1 The Committee members are non-executive directors. Advisor(s) of the Board (if any) may be appointed by the Board to act as the Advisor(s) to the Committee.
3.1.2 Members of the Committee shall possess appropriate authority and necessary skills and experience and be prepared to determine and advise on risk management issues.
3.1.3 A quorum shall be two members.
3.1.4 Members of the Committee shall:
    • regularly attend the meetings of the Committee and actively express their opinions on the matters discussed during the meeting; and
    • keep abreast of the roles and responsibilities of the Committee as well as their responsibilities as members of the Committee and of the risk profile, risk management conduct, business activities and development of the Group.

3.2 Other attendees

3.2.1 The Chief Risk Officer and representatives from the Risk Management Department, the Legal & Compliance and Operational Risk Management Department and the Financial Crime Compliance Department of the Company and the Bank are normally expected to attend meetings of the Committee to render assistance. If required, other members of the Management of the Company and the Bank, including the Chief Executive, relevant Deputy Chief Executive(s), Chief Financial Officer, Chief Operating Officer and representatives of external consultants are also expected to attend some or all or parts of the Committee meetings. All these "other attendees" are expected to provide open, candid and comprehensive input to the Committee as requested.
3.2.2 The secretary/secretaries of the Committee (the "Committee secretary") shall be appointed by the Board.

3.3 Roles

3.3.1 The Chairman of the Committee shall be appointed by the Board. The duties and responsibilities of the Chairman of the Committee include but are not limited to:

  • providing leadership for the Committee and ensuring that the Committee works effectively and discharges its responsibilities;
  • ensuring that all key and appropriate issues are discussed by the Committee in a timely manner, and that clear and explicit conclusions are achieved for every agenda item discussed in the meetings;
  • being primarily responsible for drawing up and approving the agenda for each Committee meeting taking into account, where appropriate, any matters proposed by the other Committee members and the Management for inclusion in the agenda so as to ensure that, other than exceptional circumstances, all Committee members and the Management are given an opportunity to include matters in the agenda for a Committee meeting. The Chairman may delegate such responsibility to a designated member or the Committee secretary;
  • ensuring that all members are properly briefed on issues arising at Committee meetings, and that Committee members receive adequate information, which must be timely, complete and reliable. The Chairman may delegate such responsibility to a designated member or the Committee secretary;
  • encouraging all Committee members to make a full and active contribution to the Committee's affairs and take the lead to ensure that the Committee acts in the best interests of the Group; and
  • attending in person or nominating another Committee member to attend the annual general meeting and answering questions at the meeting.

3.3.2 The duties and responsibilities of the Committee secretary include but are not limited to:

  • providing technical advice and expertise to support the work of the Committee, the Chairman of the Committee and other Committee members;
  • organizing, administering and coordinating the operation of the Committee;
  • arranging Committee meetings as coordinated by the Board Secretary;
  • reviewing the material to be presented to the Committee, ensuring the Management submits reports and documents to the Committee appropriately and in a timely manner;
  • reporting on the work of the Committee to the Board under the authorization of the Chairman of the Committee;
  • requesting the Management to provide relevant data and material to assist the Committee members to understand the relevant information;
  • facilitating induction for new Committee members and assisting with professional development as required;
  • coordinating the work of the Committee with similar functions in Bank of China group; and
  • other duties and responsibilities entrusted by the Committee.

3.4 Independence Standards

3.4.1 The Committee members who are independent non-executive directors shall observe the independence standards approved by the Board.

3.5 Nomination, Terms, Remuneration and Training

3.5.1 The Nomination and Remuneration Committee is responsible for nominating Committee members from amongst the non-executive directors for approval by the Board. The terms of appointment of the Committee members shall be consistent with that of the board of directors, and shall be re-appointed by the board of directors when the terms expire.

3.5.2 The Committee shall communicate adequately with the Nomination and Remuneration Committee before the latter makes recommendations to the Board on the selection criteria, nominated candidates and terms of appointment of the Committee members to ensure that they serve the purpose of the Committee.
3.5.3 The remuneration of the Committee members shall be approved by the Board based on the recommendation of the Nomination and Remuneration Committee, if no authorization is needed from or such authorization has been granted by the shareholders.
3.5.4 The Committee shall communicate adequately with the Nomination and Remuneration Committee before the latter reviews and approves induction / training procedures for the Committee members, to ensure that the procedures are practical for the Committee. The Committee secretary is responsible for the implementation of induction / training procedures for the Committee members with the coordination of the Board Secretary.
3.5.5 Every new Committee member shall receive a comprehensive, formal and tailored induction on appointment; and all Committee members shall participate in a program of continuous professional development to develop and refresh their knowledge and skills to ensure that their contribution to the Committee remains informed and relevant. The Group shall fund such induction / training programmes.

3.6 Frequency of meetings

3.6.1 The Committee shall meet at least four times a year, with meetings timed to align with the Group's financial reporting cycle. In addition, there shall be open dialogue between the Management and the Committee between meetings on an as-needed basis. The Committee may request additional meetings with the Management or other advisors between scheduled meetings if they consider it necessary.

4. Authority

4.1 The Committee is authorized to seek adequate administrative support from the Management of the Company and the Bank and have separate and independent access to the Group's senior management.
4.2 The Management of the Company and the Bank is expected to support the work of the Committee with the utmost good faith and to ensure that the Committee is provided with all the information relating to the risk profile, risk management, operation, business and conditions of the Group necessary and appropriate for the Committee to discharge its responsibilities on a fair and timely basis. The Committee is authorized to require any member of the Management of the Company and the Bank and any employee of the Group to respond to queries raised by any member of the Committee as promptly and fully as possible. Information provided to the Committee shall be accurate and complete and be in such form and of such quality as will enable the Committee to make an informed decision.

4.3 The Committee is authorized to invite any person it thinks fit to attend the meetings of the Committee.
4.4 The Committee shall be authorized, on its own initiative or at the request of the Board, to investigate major risk management matters and review the policies and practices of the Group's business, legal and compliance, strategic planning and risk management related matters, and advise the Board of the results of such investigation or review and its recommendations.
4.5 Members of the Committee are authorized, upon reasonable request, to seek independent professional advice in appropriate circumstances, at the Group's expense.
4.6 The Committee is authorized to have access to the advice and services of the Committee secretary and the Board Secretary with a view to ensuring that Committee procedures, and all applicable rules and regulations, are followed.

5. Consulting or special sub-committees

5.1 As necessary and appropriate, the Committee may form and dismiss consulting or special sub-committees after approval by the Board.
5.2 The Committee is responsible for the management of the sub-committees and delegating sufficient power and authority to them for ensuring effective and efficient operation.

6. Annual performance appraisal

6.1 The Committee shall, with the assistance of the Nomination and Remuneration Committee, monitor and review its composition, evaluate the balance of skills, knowledge and experience on the Committee and monitor and review its processes and effectiveness at least on an annual basis. The result shall be reported to the Board.
6.2 The Committee shall also monitor and review the continuing adequacy of its Mandate from time to time, and report to the Board the main findings.

7. Effective date and amendments

7.1 This Mandate shall come into effect on the date when it is approved by the Board.
7.2 Any amendments to this Mandate shall be recommended by the Committee and come into effect on the date when they are approved by the Board.

October 2019

Disclaimer

BOC Hong Kong (Holdings) Ltd. published this content on 30 October 2019 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 30 October 2019 10:06:05 UTC