2018 Registration document and annual financial report - BNP PARIBAS

2 CORPORATE GOVERNANCE AND INTERNAL CONTROL

Internal Control

■ a structured risk identification, assessment and management system (involving, among others, a decision-making system, delegation, organisational principles, controls, reporting and alert mechanism, etc.);

■ control and oversight that is independent of risk: the heads of the operational activities have the ultimate responsibility for those risks created by their activities, and as such, the foremost responsibility of implementing and operating a system that identifies, assesses and manages risk. The internal control system provides for mandatory intervention, and as early as possible, of Functions exercising independent control under a second level of control. This intervention takes the following forms:

■ defining the overall normative framework for risk identification, assessment and management,

■ defining cases where a second prior review by a function exercising a second-level control shared with the operational entity is necessary for decision-making,

■ independent controls, called second-level controls, carried out by said function on the system implemented by the heads of the operational activities and on their operation (result of the risk identification and assessment process, relevance and conformity of the risk control systems and in particular, compliance with the limits set);

■ separation of duties: it is a key element of the risk control system. It consists of assigning certain operational tasks that contribute to the performance of a single process to stakeholders at various hierarchical levels or to separate these tasks by other means, in particular by electronic means. Thus, for example, tasks related to transaction initiation, confirmation, accounting, settlement and accounts reconciliation must be performed by different parties;

■ proportionality of risks: the internal control system must be implemented under an approach and with an intensity that is proportionate to the risks involved. This proportionality is determined based on one or more criteria:

■ risk intensity as identified in the context of assessment programmes (Risk ID, RCSA, etc.),

■ amount of allocated capital and/or ratios in terms of solvency and liquidity,

■ criticality of activities with regard to systemic issues,

■ regulatory conditions governing the exercise of business activities, size of business activities carried out,

■ customer type and distribution channels,

■ complexity of the products designed or marketed and/or services provided,

■ complexity of the processes carried out and/or the level of use of outsourcing with internal/external entities of the Group,

■ sensitivity of the environment where the activities are located,

■ legal form and/or presence of minority shareholders;

■ appropriate governance: the internal control system is subject to governance involving the different stakeholders and covering the various aspects of internal control, both organisational and monitoring and oversight; the internal control committees are a key instrument in this system; the system is part of the decision-making processes managed through a system of delegations in the management reporting lines. They may involve the input of a third party belonging to another reporting line, whenever the systems defined by the Operational Entities and/or the functions exercising a second-level control so provide. The escalation process allows for disagreements between the operational entities and functions exercising second-level control, especially those related to decision-making, to be escalated to the higher hierarchical and possibly functional levels, to which the two parties report, and at the end, when these disputes cannot be resolved in this way, to arbitration conducted by the Group's Executive Officers. This process is implemented in accordance with the powers conferred to the Group Risk Officer, who may exercise his right of veto under the conditions set out in the Risk charter;

■ a requirement for formalisation and traceability: Internal Control relies on the instructions of Executive Officers, written policies and procedures and audit trails. As such, the controls, their results, their implementation and the feedback from the entities to the higher levels of the Group's governance are documented and traceable;

■ a duty of transparency: all Group employees, irrespective of their position, have a duty to communicate, in a transparent manner, that is, spontaneously and promptly, to a higher level within the organisation to which they belong:

■ any information required for a proper analysis of the situation of the entity in which the employee operates, and which may impact the risks or the reputation of the entity or the Group,

■ any question that the employee could not resolve independently in the exercise of his duties,

■ any anomaly of which he becomes aware.

In addition, he has a duty to alert, under the protection of confidentiality, as provided for by the Group code of conduct and exercised within the framework of the whistleblowing system established by Compliance;

■ a human resources management taking into account internal control objectives: the internal control objectives are to be considered in employee career management and remuneration (including: as part of the employee evaluation process, training, recruitment for key positions, and in determining remuneration);

■ continuous adaptation of the system in response to changes: the internal control system must be actively managed by its various stakeholders. This adjustment in response to changes of any kind that the Group must face must be done according to a periodic cycle defined in advance but also continuously as soon as events so justify.

Compliance with these principles is verified on a regular basis, in particular through assignments carried out by the periodic control teams (General Inspection).

ORGANISATION OF INTERNAL CONTROL

BNP Paribas Group's internal control system is organised around three lines of defence, under the responsibility of Executive Officers and under the oversight of the Board of directors.

Permanent control is the ongoing implementation of the risk management system and is provided by the first two lines of defence. Periodic control, provided by the third line of defence, is an audit and assessment function that is performed according to a clean audit cycle.