2020 Universal registration document and annual financial report - BNP PARIBAS
5 Risks and capital adequacy Pillar 3
Operational risk
SPECIFIC COMPONENTS LINKED TO OPERATIONAL RISK
By its nature, operational risk covers numerous areas related to the Group's usual business activity and is linked to specific risks such as compliance, reputation, legal, fiscal and cyber security risks which are monitored in specific ways.
COMPLIANCE AND REPUTATION RISK
Compliance risk is defined in French regulations as the risk of legal, administrative or disciplinary sanctions, of significant financial loss or reputational damage that a bank may suffer as a result of failure to comply with national or European laws and regulations, codes of conduct and standards of good practice applicable to banking and financial activities, or instructions given by an executive body, particularly in application of guidelines issued by a supervisory body.
By definition, this risk is a sub-category of operational risk. However, as certain implications of compliance risk involve more than a purely financial loss and may actually damage the institution's reputation, the Bank treats compliance risk separately.
Reputation risk is the risk of damaging the trust placed in a corporation by its customers, counterparties, suppliers, employees, shareholders, supervisors and any other stakeholder whose trust is an essential condition for the corporation to carry out its day-to-day operations.
Reputation risk is primarily contingent on all the other risks borne by the Bank, specifically the potential materialisation of a credit or market risk, or an operational risk, as well as any violation of the Group's Code of conduct.
Compliance is primarily responsible for the activities and business lines. In this context, and in accordance with international standards and French regulations, the Compliance Function manages the system for monitoring compliance and reputation risks for all of the Group's businesses in France and abroad. Compliance reports to the Chief Executive Officer and has direct, independent access to the Board's Internal Control, Risk and Compliance Committee.
Integrated globally, Compliance brings together all Group employees reporting to the function. Compliance is organised based on its guiding principles (independence; integration and decentralisation of the function; dialogue with the business lines; a culture of excellence) through three operating areas, two regions, five fields of expertise and businesses.
All Compliance Officers in the various operational areas, regions, business lines and territories, fields of expertise and Group functions report directly to the Compliance Function.
This management of compliance and reputation risks is based on a system of permanent controls built on four components:
■ general and specific procedures;
■ coordination of action taken within the Group to guarantee the consistency and effectiveness of monitoring systems and tools;
■ deployment of tools for detecting and preventing money laundering, terrorist financing and corruption, detecting market abuses, etc.;
■ training and advocacy both at Group level and in the divisions and business lines.
During 2020, the Group continued implementing this system, through the following initiatives:
■ detailing the risk management system relating to rules of conduct. The Compliance Function, together with the Risk and Legal Functions, is responsible for the second line of defence against these risks. In addition, Compliance is centrally responsible for the coordination of conduct of business initiatives, for steering these cross-functional initiatives with the relevant stakeholders and for monitoring key priorities related to the rules of conduct in order to provide management with a cross-functional and comprehensive view of these initiatives;
■ reinforcing the principle of decentralisation in accordance with the Charter of the Territory Manager: the Territory Compliance Officer has an additional functional reporting line to the Territory Manager;
■ enriching its Financial Security mechanism;
■ continuing to optimise human and financial resources;
■ continuing its transformation through the industrialisation of IT compliance processes and finalising the Focus & Simplify project, which will result in the deployment of all the transformation projects from 2021 onwards;
■ continuing remediation plans launched as part of its settlements with French and U.S. authorities concerning international financial sanctions and foreign exchange.
(See chapter 2 Corporate governance and internal control in the Internal Control section.)