2018 Registration document and annual financial report - BNP PARIBAS 105
2 CORPORATE GOVERNANCE AND INTERNAL CONTROL
Internal Control
■ The Legal Function has had a number of achievements in terms of legal risk management, notably:
  ■ definition of a taxonomy of legal risks and a specific methodology for assessing legal risks and the control environment;
  ■ roll-out of a mandatory module for training and raising employee awareness of competition law;
  ■ roll-out of a mandatory employee awareness module on personal data protection in the context of the European General Data Protection Regulation, which came into force on 25 May 2018;
  ■ implementation of a Legal digital expertise plan focusing on the increasing importance of digital legal expertise, the key point of which was the development of a skills centre for training corporate lawyers on the legal issues relating to digitalisation to support the Group in its transformation plan and to understand these new issues. This skills centre was developed in collaboration with Assas University and an international law firm, and has already trained 60 lawyers. This plan is supported by a new cross-functional governance of IT and Intellectual Property issues within Legal;
  ■ the implementation of a Knowledge Management programme for Legal, whose first achievements included the mapping of Legal knowledge, a collection of best practices, a methodology to ensure the transmission of at-risk expertise and the creation of a digital directory of lawyers based on their legal knowledge and expertise.
■ Several projects will be completed during 2019, including:
  ■ implementation of the Quality & Lean programme to optimise the Legal Function and improve the quality of its services, steered by the Group General Counsel;
  ■ roll-out of second-level controls on legal processes in accordance with the Target operating model defined by the RISK ORC Function for operational risks;
  ■ roll-out of controls on legal risks in the operational activities of the business lines;
  ■ implementation of a standard contracts management procedure;
  ■ definition of a mission letter for the Territory legal officers and the Business line legal officers;
  ■ roll-out of the legal risk assessment exercise and the control environment;
  ■ commissioning of a reporting and legal risk consolidation application across the Group.
RISK AND PERMANENT CONTROL
In 2018, the Risk Function completed the strengthening of its vertical organisational integration through a number of different projects and by creating and/or restructuring certain departments.
The new operational risk management model was rolled out in the Group's entities. This model is based on a hybrid and complementary structure with, on the one hand, decentralised teams within the businesses, under the responsibility of the Risk Officers of these businesses, working closely with the processes, operational staff and systems and, on the other, a central structure with a steering and coordination role providing support to the local teams on subjects requiring specific expertise (for example: fraud prevention or the management of risks related to the supply of products and services by third parties).
In this context, the headcount of the Group RISK ORC and RISK ORC ICT core teams (set up in 2017 and responsible for matters relating to technological risks and data protection) was increased to be able to carry out these missions.
The implementation of this system received special attention in 2018, to make any adjustments needed to ensure its uniformity and efficiency.
A significant part of the body of operational risk procedures (in particular the collection of operational risk incidents and the Risk and Controls Self Assessment methodology) was revised to incorporate the impact of the new model presented above.
The RISK ORC ICT teams continued to work on the general improvement of the technological risk management system. This resulted, inter alia, in:
■ a review of the Risk Appetite Statement parameters on cyber and IT matters;
■ a CIS 20 campaign (based on the 20 key controls defined by the international Center for Internet Security standard) to assess the Group's risk profile;
■ the preparation and dissemination of additional instructions on how to manage issues such as intrusions or incidents;
■ the issue of global recommendations or recommendations to certain entities to raise our level of protection.
Furthermore, personal data protection was also a major focus of attention in 2018, with the entry into force of the General Data Protection Regulation (Regulation no. 2016/679) on 25 May 2018. Together with the players involved, Risk worked on strengthening the system around data confidentiality. In particular, the Data Protection Officer network is now incorporated into Risk and the associated governance has been set up across the Group.
2018 was also marked by sustained regulatory activity, notably with:
■ the exercise of stress testing conducted by the European Banking Authority;
■ the first application of IFRS 9;
■ developments concerning the framework around non-performing loans and more generally on aspects related to the quality of bank assets.
Work related to this activity involved teams from Group Finance, Risk and ALM Treasury.
Moreover, in 2018 Risk was given responsibility for the second line of defence on environmental, social and governance (ESG) risks. This project led to the formalisation of guiding principles to evolve the framework, processes and governance of credit committees in order to include an ESG risk analysis on the Group's non-financial corporate clients. The mission entrusted to Risk will begin in January 2019, while continuing with the necessary adjustments throughout 2019, as well as the training of the first and second lines on these risks for effective implementation.