2019 Universal registration document and annual financial report - BNP PARIBAS
2 Corporate governance and internal control
Internal control
The functions exercising the second and third lines of defence are so-called Functions exercising independent control. They report directly to the Executive Officers and with respect to Compliance, Legal, Risk and General Inspection, they report on the performance of their duties to the Board of directors.
KEY PLAYERS IN INTERNAL CONTROL
■ The operational entities are the first line of defence: the operational entities are primarily responsible for managing their risks and are the front-line in permanent control. They act within the framework defined by the Group's Executive Officers and reviewed by its Board of directors, transcribed in the form of policies and procedures and to the extent necessary, tailored by the corporate bodies of the Group's entities.
■ The risk control system operated by the first line of defence forms what is called the first-level control system. It is implemented by employees and/or their reporting line and/or control teams that do not operate the processes under their control.
The operational entities cover:
■ all Operating divisions and Business Lines, whether these concern profit-centre entities and their associated support functions, or all entities of Domestic Markets, International Financial Services and Corporate & Institutional Banking;
■ all cross-divisional functions, including the control functions for the processes that they operate directly and not under the responsibility of the second line of defence;
■ all the Territories, attached to an operating division.
■ The functions exercising second-level control (second line of defence):
■ functions exercising second-level control are responsible, under the delegation given by the Executive Officers, for the organisation and functioning of the risk control system and its compliance with laws and regulations on a range of areas (subjects and/or processes), as defined in their responsibility charter;
■ as such, in their field of expertise and, where appropriate, after having consulted the operational entities, they define the general normative framework in which the risk management under their responsibility is to be carried out, the methods of their intervention (thresholds, delegations, escalation, etc.), implement this system in those aspects that concern them and for which they are responsible, in their area of expertise, for first-level and second-level permanent control. They challenge and provide an independent view of risk identification and assessment vis-à-vis operational entities. They also contribute to spreading a culture of risk and ethics within the Group;
■ those responsible for these functions provide the Executive Officers and Board of directors with a reasoned opinion on the level of risk control, current or potential, in particular regarding the Risk Appetite Statement as defined and propose any actions for improvement that they deem necessary;
[Figure: Key players in Internal Control. Three lines of defence. Labels: Operational Entities, Level 1 controls (L1Cs); Compliance**, LEGAL**, RISK**, Group Tax Department*, Group Finance*, Level 2 controls (L2Cs); General inspection, Level 3 controls (L3Cs); Permanent control; Period control; Supervisory Board; Management body. Legend: Direct hierarchical reporting; Reports to (for the integrated control functions).]
(*) 2nd level non-integrated functions (**) 2nd level integrated functions
The Compliance, LEGAL, RISK and General Inspection functions report on the performance of their duties to the Board of directors.