278 2019 Universal registration document and annual financial report - BNP PARIBAS

5 risks and CaPital adequaCy Pillar 3

5

Annual risk survey

In addition, fraud or misconduct by financial market participants can have a material adverse effect on financial institutions due in particular to the interrelated nature of the financial markets. An example is the fraud perpetrated by Bernard Madoff that came to light in 2008, as a result of which numerous financial institutions globally, including the BNP Paribas Group, announced losses or exposure to losses in substantial amounts. The BNP Paribas Group remains the subject of various claims in connection with the Madoff matter; see note 8.b Contingent liabilities: legal proceedings and arbitration to its consolidated financial statements for the period ended 31 December 2019.

Losses resulting from the risks summarized above could materially and adversely affect the BNP Paribas Group s results of operations.

See Table 63: Counterparty credit risk exposure at default by asset class (excl. CVA risk charge) in section 5.6.

2. OPERATIONAL RISK BNP Paribas Group s operational risk is the risk of loss resulting from failed or inadequate internal processes (particularly those involving personnel and information systems) or external events, whether deliberate, accidental or natural (floods, fires, earthquakes, terrorist attacks, etc.). BNP Paribas Group s operational risks cover fraud, human resources risks, legal and reputational risks, non-compliance risks, tax risks, information systems risks, risk of providing inadequate financial services (conduct risk), risk of failure of operational processes including credit processes, or from the use of a model (model risk), as well as potential financial consequences related to reputation risk management. From 2011-2019, BNP Paribas Group s main type of incidents involving operational risk were in Clients, products and business practices , which represents 63% of the total financial impact, largely as a result of the BNP Paribas Group s agreement with U.S. authorities regarding its review of certain dollar transactions concluded in June 2014. The next largest category of incident for the BNP Paribas Group in operational risk was in Execution, delivery and process management , accounting for 17% of the financial impact. Between 2011-2019, other types of risk in operational risk consisted of external fraud (13%), business disruption and systems failure (3%), employment practices and workplace safety (2%), internal fraud (1%) and damage to physical assets (1%).

The risk-weighted assets subject to this type of risk amounted to EUR 69 billion at 31 December 2019, or 10% of the total risk-weighted assets of the BNP Paribas Group.

See Figure 14: Operational losses Breakdown by event type (average 2011-2019) in chapter 5.9 Operational risk.

2.1 The BNP Paribas Group s risk management policies, procedures and methods may leave it exposed to unidentified or unanticipated risks, which could lead to material losses

The BNP Paribas Group has devoted significant resources to developing its risk management policies, procedures and assessment methods and intends to continue to do so in the future. Nonetheless, the

BNP Paribas Group s risk management techniques and strategies may not be fully effective in mitigating its risk exposure in all economic and market environments or against all types of risk, particularly risks that the BNP Paribas Group may have failed to identify or anticipate. The BNP Paribas Group s ability to assess the creditworthiness of its customers or to estimate the values of its assets may be impaired if, as a result of market turmoil such as that experienced in recent years, the models and approaches it uses become less predictive of future behaviour, valuations, assumptions or estimates. Some of the BNP Paribas Group s qualitative tools and metrics for managing risk are based on its use of observed historical market behaviour. The BNP Paribas Group applies statistical and other tools to these observations to arrive at quantifications of its risk exposures. The process the BNP Paribas Group uses to estimate losses inherent in its credit exposure or estimate the value of certain assets requires difficult, subjective, and complex judgments, including forecasts of economic conditions and how these economic predictions might impair the ability of its borrowers to repay their loans or impact the value of assets, which may, during periods of market disruption, be incapable of accurate estimation and, in turn, impact the reliability of the process. These tools and metrics may fail to predict future risk exposures, e.g. if the BNP Paribas Group does not anticipate or correctly evaluate certain factors in its statistical models, or upon the occurrence of an event deemed extremely unlikely by the tools and metrics. This would limit the BNP Paribas Group s ability to manage its risks. The BNP Paribas Group s losses could therefore be significantly greater than the historical measures indicate. In addition, the BNP Paribas Group s quantified modelling does not take all risks into account. Its more qualitative approach to managing certain risks could prove insufficient, exposing it to material unanticipated losses.

2.2 An interruption in or a breach of the BNP Paribas Group s information systems may cause substantial losses of client or customer information, damage to the BNP Paribas Group s reputation and result in financial losses

As with most other banks, the BNP Paribas Group relies heavily on communications and information systems to conduct its business. This dependency has increased with the spread of mobile and online banking services, and the development of cloud computing. Any failure or interruption or breach in security of these systems could result in failures or interruptions in the BNP Paribas Group s customer relationship management, general ledger, deposit, servicing and/or loan organization systems or could cause the BNP Paribas Group to incur significant costs in recovering and verifying lost data. The BNP Paribas Group cannot provide assurances that such failures or interruptions will not occur or, if they do occur, that they will be adequately addressed.

In addition, the BNP Paribas Group is subject to cybersecurity risk, or risk caused by a malicious and/or fraudulent act, committed virtually, with the intention of manipulating information (confidential data, bank/insurance, technical or strategic), processes and users, in order to cause material losses to the BNP Paribas Group s subsidiaries, employees, partners and clients. An increasing number of companies (including financial