2020 Universal registration document and annual financial report - BNP PARIBAS
2 Corporate Governance and Internal Control
Internal control
■ several initiatives were carried out during the year, including:
■ strengthening the generic control plan covering the 5 processes controlled from end to end by the function (Legal and Regulatory Monitoring; Legal Advice; Outsourcing; Dispute Management; Legal Risk Management), in line with the RISK function's procedure and in accordance with the General Inspection's expectations;
■ defining an appropriate RCSA (Risk and Control Self-Assessment) methodology, followed by a centralised exercise, across the entire operational scope of the function;
■ a growing role in the RCSA's check and challenge of the Businesses and functions, which will continue in 2021 to ensure more systematic involvement of the LEGAL function;
■ continuous educational support for the first lines of defence of the Businesses and functions and close collaboration with the various RISK ORC teams at the Central, Division and Business level;
■ issuing guidelines (transposition of an existing procedure) for non-legal teams on the management of the legal risk that may arise from certain processes under their responsibility and the controls to be implemented;
■ contributing to the review of the Group's operational risk incidents identified as giving rise to a legal risk;
■ continued development of tools:
■ defining and implementing the reporting tables in the internal LEGAL tool identifying the major legal risks;
■ designing and testing the Matter Management application, which is scheduled to go live in the first half of 2021.
■ lastly and more recently, implementing transactional and cross-functional platforms as part of the Quality and Lean programme:
■ they will contribute to strengthening controls on specific risk areas identified by the legal experts of the said platforms, regardless of the scope within the Group;
■ they will make it possible to improve the flexibility, anticipation and consistency of the controls carried out, and to operate Group-wide as part of the management of legal risk.
2021 will see the continuation of the various actions undertaken. In this respect, the developments planned for the tools made available by RISK ORC are particularly key. Finally, the LEGAL function's ability to continue industrialising its processes is also essential.
RISK AND PERMANENT CONTROL
Operational risk management
The operational risk management model, from the point of view of the second-line RISK team, is based both on decentralised teams within the Businesses, under the responsibility of the RISK managers of these Businesses and close to the processes, operational staff and systems, and on a central structure (RISK ORC Group) with a steering and coordination role that supports the local teams on subjects requiring specific expertise (for example: anti-fraud, or managing risks related to products and services supplied by third parties).
All of the components of the procedural system for operational risk have been significantly overhauled since 2018:
■ Risk and Control Self-Assessment (RCSA);
■ Controls;
■ Collection of Historical Incidents;
■ Analysis and quantification of operational risk scenarios ("potential incidents");
■ Action plans;
■ Outsourcing risk management.
Work on the taxonomy of risks as well as the mapping of processes and organisational structures has also been completed to further standardise guidelines supporting the assessment and management of operational risk.
In addition to these methodological changes, a new integrated operational risk management tool ("360 Risk Op"), composed of various interconnected modules, was rolled out in the fourth quarter of 2019. After the roll-out of the first of these modules, dedicated to the collection of data on Historical Incidents, the modules covering RCSAs, Potential Incidents and outsourcing arrangements were delivered in 2020. The last remaining modules (Controls and Action Plans) will be implemented gradually starting in 2021.
The review of first-level controls by Group entities, begun in 2019, also continued in 2020 with the contribution of the control functions. It will be further developed in 2021.
Information and Communication Technology and data protection risk management
The ongoing implementation of the Bank's digitisation initiatives, intended to create streamlined channels for its customers and partners as well as new ways for employees to collaborate, introduced new technologies and new risks. This underlines the need to continue to monitor the Bank's technological risk profile and to ensure the effectiveness of controls.
In 2020, the RISK teams continued to improve the risk management framework related to Information and Communication Technologies (ICT) through the following actions:
■ implementing crisis plans for pandemic scenarios to provide long-term solutions, in response to the Covid-19 crisis and the requirements of local authorities. In addition, the Group strengthened the overall monitoring of operational resilience, reported to both the Bank's management and regulators, with updated information on the measures implemented internally;
■ incorporating ICT risk elements into the entire IT and cyber risk reference framework, thus completing the risk management framework;
■ formalising a cloud security baseline encompassing controls to protect against the risks of data leaks, intrusions and ransomware. In addition, RISK has put in place a dedicated cloud security governance to strengthen the alignment of cloud-related projects with the guidelines set by the Group (Cloud Blueprint);