2020 Universal registration document and annual financial report - BNP PARIBAS 113

2CorPorate GovernanCe and internal Control

2

Internal control

■ developing the data protection framework to include privacy impact assessments, Register of processing operations, procedures and guidelines for reporting personal data breaches and data sharing.

Regulatory changes

In terms of regulations, 2020 was marked by:

■ the acceleration, approved by the European Parliament in June 2020, of the applicability of certain provisions of CRR2, from 30 June 2020;

■ the publication on 29 May 2020 of the guidelines of the European Banking Authority (EBA) on the granting and monitoring of loans, applicable from 30 June 2021.

The work related to these changes involved the RISK teams as well as other Group teams (Group Finance ALMT, businesses, etc.).

Changes to the RISK function

The RISK function continued its industrialisation, notably via the reinforcement of its shared operational platforms in Lisbon and Mumbai and the roll-out of new platforms in Madrid and Montreal. A number of initiatives have also continued and new ones have been launched to simplify, automate and pool certain internal processes and contribute to the end-to-end review of customer processes, whilst ensuring that the control system is at the highest level. In addition, the RISK function continued to introduce new technologies into the key risk management processes in terms of granting and monitoring loans, in particular around alerting and the identification of weak signals. This was done with the support of a dedicated artificial intelligence team and in close collaboration with various Group businesses.

Environmental, social and governance risk management

As shown by its commitments in this area, the BNP Paribas Group pays particular attention to environmental, social and governance ( ESG ) issues and their growing role in the conduct of business and related risk management.

Since the Paris Agreement of 2015, the Group has taken several steps to support the energy transition, in line with this Agreement, and to further incorporate climate change risks into risk management. ESG criteria, and in particular those related to greenhouse gas emissions, have been strengthened in sectoral policies and specific credit policies. The energy mix financed by the Group is calculated each year and the related indicators are included in the Risk Appetite Statement.

In 2020, continued strengthening of the Group s ESG system was structured within a specific multi-year program, the ESG Action Plan, led by the Heads of Engagement and RISK function. The main objectives of this program are to:

■ define Group ESG norms and standards in order to have a common framework of ESG concepts, transaction classification principles, indicators and reporting;

■ establish an approach to analyse the performance and specific ESG risk of the Group s customers, in order to identify companies whose ESG weakness could translate into credit, investment, reputational risks, and negative environmental and social impacts. As the second line of defence on ESG risks, the RISK function will continue, as in 2020, work to include analyses of these ESG risks in the credit process, while gradually incorporating changes to the system;

■ strengthen portfolio analysis methodologies, by using the PACTA methodology (Paris Agreement Capital Transition Assessment) to lead the work to align the loan portfolio with the Paris Agreement and by actively participating in market exercises, such as those led by the ACPR, on the analysis of climate scenarios;

■ provide the Group with an ESG data platform comprising internal and external extra-financial information shared within the Group.

Further information on climate change risk management can be found in Commitment 3 described in chapter 7 of the Universal registration document.

2021 Projects

In 2021, the RISK function s main projects will be:

■ the delivery and roll-out of the new operational risk information system within the Group, and the support of operational entities as part of this roll-out;

■ work on finalising the implementation of the Third Party Risk Management system;

■ strengthening the system around business continuity and crisis management, especially for aspects relating to technological risks;

■ enhancing the data protection system for the Group;

■ continued incorporation of ESG risks into the Group s overall risk management system;

■ supporting the transformation of the Group s business by continuing with its own industrialisation and improving its integration into the Businesses processes, as well as integrating new technologies to further advance and improve the efficiency of the Group s risk management system;

■ the implementation of new sites and/or projects enabling the Group to fully meet the expectations of its regulators and supervisory authorities.

PERIODIC CONTROL 2020 was marked by the coronavirus pandemic, which necessarily impacted the activity of the General Inspection. During the lockdown phases, the inspectors and auditors carrying out missions far from their bases returned to their home countries. Work was completed remotely whenever possible. During the year, audit plan missions requiring a physical presence on site were postponed and replaced by missions that could be carried out remotely. New collaboration methods have also been adapted between the central General Inspection teams and those of the