106 2019 Universal registration document and annual financial report - BNP PARIBAS
2 Corporate Governance and Internal Control
Internal control
■ continuation of training for new lawyers in subjects relating to digitalisation as part of the Legal Function's digital expertise plan;
■ acceleration of the implementation of the Quality & Learn programme.
RISK AND PERMANENT CONTROL
The new operational risk management model from the point of view of the second line risk team has now been deployed in all of the Group's entities. This model is based on a hybrid and complementary structure with, on the one hand, decentralised teams within the businesses, under the responsibility of the Risk Officers of these businesses, working closely with the processes, operational staff and systems and, on the other, a central structure (Risk ORC Group) with a steering and coordination role providing support to the local teams on subjects requiring specific expertise (for example: fraud prevention or the management of risks related to the supply of products and services by third parties).
All of the components of the procedural system for operational risk have been significantly overhauled since 2018:
■ Risk and Control Self Assessment (RCSA);
■ Controls;
■ Collection of Historical Incidents;
■ Analysis and quantification of operational risk scenarios ("potential incidents");
■ Action plans.
Work on the taxonomy of risks as well as the mapping of processes and organisational structures has also been completed to further standardise guidelines supporting the assessment and management of operational risk.
In addition to these methodological changes, the deployment of a new integrated operational risk management tool ("360 Risk Op") began in the fourth quarter of 2019. This tool comprises different interconnected modules, the first of which is dedicated to the collection of Historical Incidents, and entered operation on 4 November 2019. The other modules (RCSA, Potential Incidents, Controls and Action Plans) will be delivered gradually between 2020 and 2021.
In terms of technological risks, the Risk ORC ICT teams have continued to work to improve the risk management system, resulting in:
■ evaluation of the capacity to protect against and detect risks by performing in-depth technical tests for the Group's entities and independent tests in the operating environment (in the form of Red Team missions);
■ the joint definition of reference standards in terms of protection, detection and crisis management;
■ reinforced surveillance of the position adopted to address the Group's residual IT risks and regulatory reporting;
■ the joint definition of IT and Security risks for the Group's shared services (for example CyberSOC, Cloud services, etc.);
■ the performance of crisis simulations based on complex operational resilience scenarios.
The global network of Data Protection Officers and the framework for data protection have also been reinforced this year. The main initiatives in terms of data protection in 2019 include the following activities, which are aimed at streamlining data protection requirements within the Group's global control system:
■ the addition of requirements relating to the General Data Protection Regulation in the cybersecurity programme;
■ increased work in providing advice and performance management by the Group Data Protection Office.
2019 was also marked by sustained regulatory activity, notably with:
■ the introduction of a new prudential policy on securities issues;
■ the passing of the new European CRR2 Regulation whose prudential requirements will enter into force in 2021;
■ developments concerning the framework around non-performing loans and more generally on aspects related to the quality of bank assets.
Work related to this activity involved teams from Group Finance, Risk and ALM Treasury.
In 2019, the Risk Function, as the second line of defence against environmental, social and governance (ESG) risks, also continued its work to adapt the framework, processes and governance of credit committees with the aim of including an ESG risk analysis of the Group's non-financial corporate clients. The teams have also continued with the effective deployment of the second line of defence in the Group's main corporate businesses.
The Risk Function continued its industrialisation, notably via the reinforcement of its shared operational platforms in Lisbon and Mumbai. A number of initiatives have also continued and new ones have been launched to simplify, automate and pool certain internal processes and contribute to the end-to-end review of customer processes, whilst ensuring that the control system is at the highest level. The Risk Function also continued to insert new technologies into the key risk management systems, either via partnerships with fintechs on credit granting and monitoring processes or via the creation of a dedicated artificial intelligence team for the function.
In 2020, the Risk Function's main projects will be:
■ the delivery and roll-out of the new operational risk information system in the businesses and functions, and the support of operational entities as part of this roll-out;
■ work on finalising the implementation of the Third Party Risk Management system;
■ strengthening the system around business continuity and crisis management, especially for aspects relating to technological risks;
■ enhancing the data protection system for the Group;
■ integrating ESG risks, particularly climate risks, into the Group's global risk management system;
■ supporting the transformation of the Group's business by continuing with its own industrialisation, improving its integration into the businesses' processes, and integrating new technologies to further advance and improve the efficiency of the Group's risk management system;
■ the implementation of new sites and/or projects enabling the Group to fully meet the expectations of its regulators and supervisory authorities.