2020 Universal registration document and annual financial report - BNP PARIBAS 107
2 Corporate governance and internal control
Internal control
The functions exercising the second and the third lines of defence are so-called functions exercising independent control. They report directly to the Executive Officers and with respect to Compliance, LEGAL, RISK and General Inspection, they report on the performance of their duties to the Board of directors.
KEY PLAYERS IN INTERNAL CONTROL
■ The operational entities are the first line of defence: the operational entities are primarily responsible for managing their risks and are the front-line in permanent control. They act within the framework defined by the Group's Executive Officers and reviewed by its Board of directors, transcribed in the form of policies and procedures and to the extent necessary, tailored by the corporate bodies of the Group's entities.
■ The risk control system operated by the first line of defence forms what is called the first-level control system. It is implemented by employees and/or their reporting line and/or control teams that do not operate the processes under their control.
The operational entities cover:
■ all operating Divisions and Businesses, whether these are profit centres or their support functions;
■ all cross-divisional functions, including the control functions for the processes that they operate directly and not under the responsibility of the second line of defence;
■ all the Territories, attached to an operating Division.
■ The functions exercising second-level control (second line of defence):
■ the functions exercising second-level control are responsible, under the delegation given by the Executive Officers, for the organisation and functioning of the risk control system and its compliance with laws and regulations on a range of areas (subjects and/or processes), as defined in their Charter of Responsibility;
■ as such, in their field of expertise and, where appropriate, after having consulted the operational entities, they define the general normative framework in which they manage the risk for which they are responsible, the terms of their intervention (thresholds, delegations, escalation, etc.), implement this system in the relevant areas and for which they are responsible, for first-level and second-level permanent control. They challenge and provide an independent view of risk identification and assessment vis-à-vis operational entities. They also contribute to spreading a culture of risk and ethics within the Group;
■ the Heads of these functions provide the Executive Officers and Board of directors with a reasoned opinion on the level of risk control, current or potential, in particular regarding the Risk Appetite Statement as defined and propose any actions for improvement that they deem necessary;
[Figure: Key players in Internal Control. Three lines of defence. Labels: Operational Entities, Level 1 controls (L1Cs); Compliance**, LEGAL**, RISK**, Group Tax Department*, FINANCE*, Level 2 controls (L2Cs); General Inspection, Level 3 controls (L3Cs); Permanent control; Periodic control; Supervisory Board; Management body. Legend: (*) 2nd level non-integrated functions; (**) 2nd level integrated functions; direct hierarchical reporting; reports to (for the integrated control functions). Note: The Compliance, LEGAL, RISK and General Inspection functions report on the performance of their duties to the Board of directors.]