2020 Universal registration document and annual financial report - BNP PARIBAS 463
5 Risks and capital adequacy - Pillar 3
Operational risk
OPERATIONAL RISK EXPOSURE
■ change-related risks:
the Group's information systems are changing rapidly in the light of digital transformation. These risks, identified during the systems design or modification phases, are regularly assessed to ensure that the proposed solutions are consistent with the needs of the Group's business lines;
■ data integrity risks:
confidentiality of customer data and transaction integrity are areas covered by the same systems set up in response to Regulation (EU) No. 2016/679 of 27 April 2016 (General Data Protection Regulation, GDPR) intended to provide the Group's customers with a service that meets their expectations;
■ third-party information systems risks:
the Bank is exposed to risks of financial default, breaches or operational capacity constraints when it interacts with third parties, including customers, financial intermediaries and other market operators. The Group's three lines of defence constitute the management framework of these risks at every step of integration until the end of the relationship with such third parties.
The Group deploys significant resources to identify, measure and control its risks and implements various techniques to manage its risk profile. The health crisis, which prevailed in 2020, increased the Group's dependence on digital technologies. In order to have the capacity to work remotely and to allow the Group to continue operating despite the high risk of cyber-crime, the Group invested in IT upgrades to quintuple the bandwidth of the network and ensure the stability of the remote access infrastructure. At the same time, Cyber Security Operations teams have strengthened their surveillance capabilities to improve detection and respond to threats more quickly. The processes and tools in place were complemented with cyber security reviews and specific support to businesses along with communication of actions to employees.
The chart below shows the losses linked to operational risk, according to the event classification defined in the current regulation.
➤ FIGURE 14: OPERATIONAL LOSSES BREAKDOWN BY EVENT TYPE (AVERAGE 2012-2020)(*)
62% (2019: 63%) Clients, products and business practices
17% (2019: 17%) Execution, delivery and process management
14% (2019: 13%) External fraud
3% (2019: 3%) Business disruption and system failures
2% (2019: 2%) Employment practices and workplace safety
1% (2019: 1%) Damage to physical assets
1% (2019: 1%) Internal fraud
(*) Percentages in brackets correspond to average loss by type of event for the 2011-2019 period.
In the period 2012-2020, even though decreasing, the main type of operational risk falls within the category of "Clients, products and business practices", representing on average more than half of the Group's financial impacts. The magnitude of this category is related to the financial terms of the comprehensive settlement concluded in June 2014 with the U.S. authorities with respect to the review of certain U.S. dollar transactions. Process failures, mainly including execution or transaction processing errors, and external fraud are the types of Group incidents with the second and third highest financial impact, respectively.
BNP Paribas Group pays the utmost attention to analysing its operational risk incidents in order to continuously improve its control system.