2020 Universal registration document and annual financial report - BNP PARIBAS
2 Corporate governance and internal control
Internal control
■ a structured risk identification, assessment and management system (involving, among others, a decision-making system, delegation, organisational principles, controls, reporting and alert mechanism, etc.);
■ control and oversight that is independent of risk: the Heads of the operational activities have the ultimate responsibility for the risks created by their activities and, as such, the foremost responsibility for implementing and operating a system that identifies, assesses and manages risk. The internal control system provides for the mandatory intervention, as early as possible, of functions exercising independent control under a second level of control. This intervention takes the following forms:
■ defining the overall normative framework for risk identification, assessment and management,
■ defining cases where a prior second review by a function exercising a second-level control shared with the operational entity is necessary for decision-making,
■ independent controls, called second-level controls, carried out by said function on the system implemented by the Heads of the operational activities and on their operations (result of the risk identification and assessment process, relevance and compliance of the risk control systems and in particular, compliance with the limits set);
■ separation of duties: this is a key element of the risk control system. It consists of assigning certain operational tasks that contribute to the performance of a single process to stakeholders at various hierarchical levels or to separate these tasks by other means, in particular by electronic means. Thus, for example, tasks related to transaction initiation, confirmation, accounting, settlement and accounts reconciliation must be performed by different parties;
■ proportionality of risks: the internal control system must be implemented under an approach and with an intensity that is proportionate to the risks involved. This proportionality is determined based on one or more criteria:
■ risk intensity as identified in the context of assessment programmes (Risk ID, RCSA, etc.),
■ amount of allocated capital and/or ratios in terms of solvency and liquidity,
■ criticality of activities with regard to systemic issues,
■ regulatory conditions governing the exercise of business activities, size of business activities carried out,
■ customer type and distribution channels,
■ complexity of the products designed or marketed and/or services provided,
■ complexity of the processes carried out and/or the level of use of outsourcing with internal/external entities of the Group,
■ sensitivity of the environment where the activities are located,
■ legal form and/or presence of minority shareholders;
■ appropriate governance: the internal control system is subject to governance involving the different stakeholders and covering the various aspects of internal control, both organisational and in terms of monitoring and oversight; the Internal Control Committees are a key instrument in this system; the framework is part of the decision-making processes managed through a system of delegations in the management reporting lines. These may involve the input of a third party belonging to another reporting line, whenever the systems defined by the Operational Entities and/or the functions exercising a second-level control so provide. The escalation process allows disagreements between the operational entities and the functions exercising second-level control, especially those related to decision-making, to be escalated to the higher hierarchical and possibly functional levels to which the two parties report, and ultimately, when these disputes cannot be resolved in this way, to arbitration conducted by the Group's Executive Officers. This process is implemented in accordance with the powers conferred on the Group Risk Officer, who may exercise his right of veto under the conditions set out in the RISK charter;
■ a requirement for formalisation and traceability: Internal Control relies on the instructions of the Executive Officers, written policies and procedures and audit trails. As such, the controls, their results, their implementation and the feedback from the entities to the higher levels of the Group's governance are documented and traceable;
■ a duty of transparency: all Group employees, irrespective of their position, have a duty to communicate, in a transparent manner, that is, spontaneously and promptly, to a higher level within the organisation to which they belong:
■ any information required for a proper analysis of the situation of the entity in which the employee operates, and which may impact the risks or the reputation of the entity or the Group,
■ any question that the employee could not resolve independently in the exercise of his duties,
■ any anomaly of which the employee becomes aware.
In addition, every employee has the right to confidentially raise concerns, as provided for by the Group Code of conduct and exercised within the framework of the whistleblowing system established by Compliance;
■ human resources management that takes internal control objectives into account: internal control objectives are considered in employee career management and remuneration (including as part of the employee evaluation process, training, recruitment for key positions, and in determining remuneration);
■ continuous adaptation of the system in response to changes: the internal control system must be actively managed by its various stakeholders. Its adjustment in response to changes of any kind that the Group must face must be carried out according to a periodic cycle defined in advance, but also continuously as soon as events so justify.
Compliance with these principles is verified on a regular basis, in particular through assignments carried out by the periodic control teams (General Inspection).
ORGANISATION OF INTERNAL CONTROL
BNP Paribas Group's internal control system is organised around three lines of defence, under the responsibility of the Executive Officers and under the oversight of the Board of directors.
Permanent control is the ongoing implementation of the risk management system and is provided by the first two lines of defence. Periodic control, provided by the third line of defence, has an audit and assessment function that is performed according to its own audit cycle.