2019 Universal registration document and annual financial report - BNP PARIBAS
5 Risks and capital adequacy - Pillar 3
Risk management [Audited]
The other main bodies at Group level have the following roles:
■ the General Management Credit Committee (CCDG) is the Group's highest authority concerning credit and counterparty risks. This Committee decides on risk-taking and conducts annual reviews of authorisations for customers or groups, beyond certain authorisation thresholds, in line with their ratings or the Bank's activities. Transactions of a special nature may also be presented to the CCDG. Lastly, a Compliance Officer may attend CCDG meetings when an opinion on financial security is needed;
■ the General Management Doubtful Loan Committee (CDDG) is the Group's highest level decision-making committee in terms of specific provisioning and recognitions of losses relative to the Group's customer exposures;
■ the Capital Markets Risk Committee (CMRC) is the body which governs the Group's risk profile of the capital markets activities; its tasks include, among others, analysing market and counterparty risks and setting limits for capital market activities;
■ the Country Envelope Committees determine the BNP Paribas Group's Risk Appetite by setting limits for medium-to-high-risk countries in view of risk in relation to country, market conditions, business strategies and aspects of risk and compliance;
■ the Risk & Development Policy Committees (RDPC) have the dual objective of defining an appropriate risk policy for any given subject which may be a business activity, a product, a geographic area (region or country), a customer segment or economic sector, and of investigating development opportunities in relation to the subject in question;
■ the Group IT Risk Committee (GITRC) defines and oversees the BNP Paribas Group's IT risk profile. This is the highest authority in terms of technological and cybersecurity risk management.
RISK MANAGEMENT ORGANISATION
POSITION OF THE CONTROL FUNCTIONS
Risk management is central to the banking business and is one of the cornerstones of operations for the BNP Paribas Group. BNP Paribas has an internal control system covering all types of risks to which the Group may be exposed, organised around three lines of defence (see the Internal Control section in chapter 2 Corporate Governance and Internal Control):
■ as the first line of defence, internal control is the business of every employee, and the heads of the operational activities are responsible for establishing and running a system for identifying, assessing and managing risks according to the standards defined by the functions exercising an independent control in respect of a second level of control;
■ the main control functions within BNP Paribas ensuring the second line of defence are the Compliance, RISK and LEGAL Functions. Their Heads report directly to the Chief Executive Officer and account for the performance of their missions to the Board of directors via its specialised committees;
■ General Inspection provides a third level of defence. It is responsible for the periodic control.
GENERAL RESPONSIBILITIES OF THE RISK AND COMPLIANCE FUNCTIONS
Responsibility for managing risks primarily lies with the divisions and business lines that propose the underlying transactions. RISK continuously performs a second-line control over the Group's credit, market, banking book interest rate, liquidity, operational risks, including technological and cybersecurity risks, over data protection, social and environmental responsibility risks and insurance risks. As part of this role, it must ascertain the soundness and sustainability of the business developments and their overall alignment with the risk appetite target set by the Group. RISK's remit includes formulating recommendations on risk policies, analysing the risk portfolio on a forward-looking basis, approving corporate loans and trading limits, guaranteeing the quality and effectiveness of monitoring procedures and defining or validating risk measurement methods. RISK is also responsible for ensuring that all the risk implications of new businesses or products have been adequately assessed.
Compliance has identical responsibilities as regards compliance and reputation risks. It plays an important oversight and reporting role in the process of validating new products, new business activities and exceptional transactions.
ORGANISATION OF THE RISK AND COMPLIANCE FUNCTIONS
Approach
The RISK organisation fully complies with the principles of independence, vertical integration, and decentralisation issued by the Group's Management for the Group's main control functions (Compliance, RISK, LEGAL, and a third line of defence, General Inspection). Hence within RISK:
■ all the teams in charge of risks, including those in operational entities, have been integrated in the function with reporting lines to the Chief Risk Officers of these entities;
■ the Chief Risk Officers of the entities report to RISK.
Moreover, this organisation enabled the governance of risk management activities to be strengthened, especially regarding model risk management, through the RISK Independent Review and Control (RISK IRC) team, which reports directly to the Chief Risk Officer (CRO) and groups together the teams in charge of the independent review of the risk methodologies and models, and in the area of operational risk, with the organisation described in section 5.9 Operational risk.