4312019 Universal registration document and annual financial report - BNP PARIBAS

5risks and CaPital adequaCy Pillar 3

5

Operational risk

ORGANISATION AND OVERSIGHT MECHANISM

KEY PLAYERS AND GOVERNANCE The general internal control system at BNP Paribas underpins management of operational, compliance and reputation risks as part of its dual-level system to ensure periodic and permanent control.

Compliance, LEGAL, RISK and General Inspection form the Group s four supervision and control functions, with direct reporting of all their teams worldwide, guaranteeing their independence and resource autonomy.

The governance of the Group s internal control system is described in the section Internal control in chapter 2 Internal Control and Corporate Governance.

A second-level control function is tasked with defining and supervising the operational risk management system. Accordingly, the Operational Risk and Control (RISK ORC) teams are now the second line of defence within RISK. In addition, a dedicated team (RISK ORC Information and Communication Technology), reporting to the Head of RISK, is in charge of the second line of defence on technology risks and data protection (cyber security).

The operational risk management and control system for the Group as a whole is structured ,around a two-level system with the following participants:

■ on the first level of defence: operational staff, notably the Heads of operational entities, business lines and functions, who are on the front- line of risk management and implementation of systems to manage these risks;

■ on the second line of defence: specialist decentralised teams (domains, divisions, operational entities, business lines, functions and regions) coordinated centrally by the RISK ORC Group team involved in managing the Group s risks.

These teams are, in particular, responsible for:

■ coordinating, throughout the areas within their remit, the definition and implementation of the permanent control and operational risk identification and management system, its standards and methodologies, reporting and related tools;

■ acting as a second pair of eyes, independently of the Heads of operational entities, to scrutinise operational risk factors and the functioning of the operational risk and permanent control system, and issuing warnings, where appropriate.

Issues relating to operational risk, permanent operational control and the emergency plan to ensure business continuity in those situations specified in the regulatory standards are regularly submitted to the Group s Executive Committee. The Group s operational entities and subsidiaries implement this governance structure within their organisations, with the participation of Executive Management.

For its part, Compliance is in charge of supervising the compliance and reputation risk control system (see section 5.3).

OBJECTIVES AND PRINCIPLES To meet this dual requirement of the management and control of operational risk, BNP Paribas has developed a permanent iterative risk management process based on the following elements:

■ identifying and assessing operational risks;

■ formalisation, implementing and monitoring the risk mitigation system, including procedures, checks and all organisational elements designed to help to control risk, such as segregation of tasks, management of access rights, etc.;

■ producing measures of known and potential risks and calculating the capital requirement for operational risk;

■ reporting and analysing oversight information relating to operational risk and the permanent control system;

■ managing the system through a governance framework that involves members of management, preparing and monitoring action plans.

This system rests on two major pillars:

■ the identification and assessment of risk and of the control system based on the libraries of risks and controls defined by the Group s business lines and functions, and which each entity must take into consideration and enhance, if necessary, for their own underlying and residual risk mapping and for the standardised impact assessment grid applicable across the Group;

■ the risk management system is underpinned by procedures, standards and generic control plans consistent with the above-mentioned risk libraries, and which each entity must apply, unless an exception is authorised, and enhance according to their own characteristics.

SCOPE AND NATURE OF RISK REPORTING AND MEASUREMENT Group Executive Committees, and those of operational entities (business lines, functions and subsidiaries) are tasked with monitoring the management of operational and non-compliance risk and permanent control in the areas falling within their remit, in accordance with the Group s operational risk framework. The committees validate the quality and consistency of reporting data, examine their risk profile in light of the tolerance levels they have set in keeping with the Group Risk Appetite Statement, and assess the quality of risk control procedures according to their objectives and the risks they incur. They monitor the implementation of risk mitigation techniques.

Operational risk management has developed a system of data collection of actual or potential incidents using an approach structured by organisational process and business unit (activities in a country and a single legal entity) focusing on the cause-and-effect chain behind events. This information is used as the basis for risk mitigation and prevention measures.

The most significant information is brought to the attention of staff at various levels of the organisation, up to and including executive managers and supervisory bodies, in line with a predefined information reporting process.