2019 Universal registration document and annual financial report - BNP PARIBAS
5 Risks and capital adequacy - Pillar 3
Operational risk
SPECIFIC COMPONENTS LINKED TO OPERATIONAL RISK
By its nature, operational risk covers numerous areas related to the Group's usual business activity and is linked to specific risks such as compliance, reputation, legal, fiscal and cyber security risks, which are monitored in specific ways.
COMPLIANCE AND REPUTATION RISK
Compliance risk is defined in French regulations as the risk of legal, administrative or disciplinary sanctions, of significant financial loss or reputational damage that a bank may suffer as a result of failure to comply with national or European laws and regulations, codes of conduct and standards of good practice applicable to banking and financial activities, or instructions given by an executive body, particularly in application of guidelines issued by a supervisory body.
By definition, this risk is a sub-category of operational risk. However, as certain implications of compliance risk involve more than a purely financial loss and may actually damage the institution's reputation, the Bank treats compliance risk separately.
Reputation risk is the risk of damaging the trust placed in a corporation by its customers, counterparties, suppliers, employees, shareholders, supervisors and any other stakeholder whose trust is an essential condition for the corporation to carry out its day-to-day operations.
Reputation risk is primarily contingent on all the other risks borne by the Bank, specifically the potential materialisation of a credit or market risk, or an operational risk, as well as a violation of the Group's code of conduct.
In accordance with international standards and French regulations, Compliance manages the system for monitoring compliance and reputation risks for all of the Group s businesses in France and abroad. Compliance reports to the Chief Executive Officer and has direct, independent access to the Board s Internal Control, Risk and Compliance Committee.
Integrated globally, Compliance brings together all Group employees reporting to the function. Compliance is organised based on its guiding principles (independence; integration and decentralisation of the function; dialogue with the business lines; accountability of each of the Group's stakeholders; a culture of excellence) through three operating areas, three regions, six fields of expertise and five cross-functional activities.
All Compliance Officers in the various operational areas, regions, business lines and territories, fields of expertise and Group functions report directly to the Compliance Function.
This management of compliance and reputation risks is based on a system of permanent controls built on four components:
■ general and specific procedures;
■ coordination of action taken within the Group to guarantee the consistency and effectiveness of monitoring systems and tools;
■ deployment of tools for detecting and preventing money laundering, terrorist financing and corruption, detecting market abuses, etc.;
■ training, both at Group level and in the divisions and business lines.
During 2019, the Group continued implementing this system, through the following initiatives:
■ strengthening its Financial Security mechanism;
■ continually increasing human and financial resources;
■ continuation of its transformation by creating a committee dedicated to the industrialisation of IT compliance processes and the strengthening of its capacities;
■ strengthening its resources in banking law and customers' tax compliance;
■ continuing remediation plans launched as part of its settlements with French and U.S. authorities concerning international financial sanctions and foreign exchange.
(See chapter 2 Corporate governance and internal control in the Internal Control section.)
More specifically, reputation risk control is based on the following items: